Platform SSO (PSSO)

With Relution, macOS devices can be configured so that users sign in with their Microsoft Entra ID account directly at the login window (Platform Single Sign-On). On the first sign-in, a local user account is created that is linked to the Entra ID identity.

Prerequisites

  • macOS 13 (Ventura) or later for Extensible SSO, macOS 15 (Sequoia) or later for most Platform SSO parameters, macOS 26 (Tahoe) for Setup Assistant registration and authenticated guest mode. Microsoft recommends at least macOS 14 (Sonoma).
  • A Mac with Apple Silicon if the recommended Secure Enclave Key method is used (see Choosing the authentication method). On Intel Macs, only the Password method is available.
  • A Microsoft Entra ID tenant
  • The Microsoft Entra ID connection must be set up in Relution: Connect Relution with Entra ID →.
  • Permission to register devices in Microsoft Entra ID for the users
  • Microsoft Company Portal for Mac must be available as an app and installed before users are targeted for PSSO. For registration during the Setup Assistant (macOS 26+), version 5.2604.0 (April 2026) is required. It is best to always download the latest version — it meets both requirements.
  • Network access to the Microsoft/Apple sign-in URLs (see Step 3). These URLs must be reachable and excluded from any TLS inspection, otherwise registration fails.

Preparation in Microsoft Entra ID

Before rolling out the configuration in Relution, check the following in the Microsoft Entra admin center:

  • Device settings: Under Identity → Devices → Device settings, “Users may join devices to Microsoft Entra ID” must be set to All (or to the relevant target group).
  • Multi-factor authentication: If classic per-user MFA is enabled on the account, PSSO registration can fail. Use Conditional Access for the MFA requirement instead.
  • Password complexity: For the Password method, the complexity requirements of the local account and Entra ID must match so that synchronization works.

Step 1: Upload the Company Portal app

  1. Download the latest version of Microsoft Company Portal for Mac (.pkg) from Microsoft → and then upload it as a native app under Apps → Native Apps in Relution.
  2. Make sure the app is released/assigned to the target group/organization.

The Company Portal app contains the SSO extension com.microsoft.CompanyPortalMac.ssoextension, which is required for Platform SSO. It must be at least version 5.2404.0 (for Setup Assistant registration on macOS 26+: 5.2604.0).

Note on version numbers: Company Portal reports two version strings. The “About this app” version follows the scheme 5.YYMM.x (e.g. 5.2604.0 = April 2026), while the build number visible in the package or via pkgutil looks different — e.g. 4.83.26040910, where 260409 is the build date (2026-04-09). Both refer to the same release; a build from 2026 easily meets the PSSO requirement.

Step 2: Assign the device group and configurations

  1. Create a device group for the Mac devices on which PSSO is to be rolled out.
  2. Assign two configurations to this device group:
    • Extensible Single Sign On (configuration from Step 3)
    • App Compliance, to ensure that the Company Portal app is installed on the device before PSSO becomes active

Without the Company Portal app installed, the SSO extension cannot register — the app compliance check prevents the PSSO configuration from running into nothing.

Choosing the authentication method

The authentication method determines how users sign in to the device and to apps. It is the most important decision during setup and is set in Step 3 under “Platform SSO”.

MethodPasswordlessLocal passwordMin. macOSSuitable for
Secure Enclave Key (recommended)Yes, phishing-resistantremains unchanged13 / 14Personalized devices, Apple Silicon only
PasswordNosynchronized with Entra ID13 / 14Intel Macs, shared/lab devices
Smart CardYes (via CBA)remains unchanged14+Organizations with physical smart cards

Recommendation: For personalized company Macs (Apple Silicon), use the Secure Enclave Key method — it is passwordless, hardware-bound, and meets phishing-resistant MFA. For Intel devices or shared devices, fall back to Password.

Important: Smart Card is not supported during the Setup Assistant.

Registration during the Setup Assistant (macOS 26+): If PSSO is registered already during the Setup Assistant (Enable Registration During Setup Assistant = ON), then “Enable Create First User During Setup Assistant” must also be ONregardless of the selected method. Otherwise no local account is created during setup and registration fails (verified in practice):

  • Secure Enclave Key method: sign-in ends up in a login loop.
  • Password method: the message “Sign-in not possible – Registration failed” appears.

With the toggle set to ON, the first local account is created via PSSO and sign-in completes in both cases.

Step 3: Configuring the “Extensible Single Sign On” policy

In a macOS policy, add the Extensible Single Sign On configuration.

“General” section

ParameterValue
Extension Identifiercom.microsoft.CompanyPortalMac.ssoextension
Denied Bundle Identifiersleave empty (default)
Allow Device Identifiers in AttestationOFF
Extension Data → AppPrefixAllowListcom.microsoft.,com.apple.
Extension Data → browser_sso_interaction_enabled1
Extension Data → disable_explicit_app_prompt1
Realmleave empty
Registration Tokenleave empty (not required for Entra ID – see note)
Screen Locked BehaviorDo Not Handle
Team IdentifierUBF8T346G9 (Microsoft Team ID)
TypeRedirect
URLshttps://login.microsoftonline.com
https://login.microsoft.com
https://sts.windows.net

Registration Token: For Microsoft Entra ID, no registration token is needed in the Extensible SSO payload; leave the field empty. (The field is intended for other IdP/Kerberos scenarios.)

URLs / TLS: The three sign-in URLs must be reachable on the network and excluded from TLS inspection.

“Platform SSO” section

ParameterValueNote
Account Display Nameleave emptyoptional
Authentication MethodSecure Enclave KeyRecommended; for Intel/shared devices: Password
Login Policynot setmacOS 15+
Unlock Policynot setmacOS 15+
FileVault Policynot setmacOS 15+
Offline Grace Period0macOS 15+
Authentication Grace Period0macOS 15+
Non-Platform SSO Accountsnot setmacOS 15+
Login Frequency64800 (seconds, equals 18 hrs)Re-auth interval
Use Shared Device KeysONRequired for JIT account creation – see section “Shared Device Keys and account creation”
├─ Enable AuthorizationON
└─ Enable Create User at LoginONJust-in-time provisioning of the local account
Additional Groupsnot setoptional
Administrator Groupsnot setoptional
Authorization Groupsnot setoptional
New User Authorization ModeStandard
User Authorization ModeStandard
Allow Device Identifiers in AttestationOFFmacOS 15.4+
Enable Create First User During Setup AssistantONmacOS 26+ — required when registering during the Setup Assistant (otherwise registration fails)
Authentication Methods for New Usersnot setmacOS 26+
Sync Profile PictureOFFmacOS 26+
Enable Quick Login for Authenticated Guest ModeOFFmacOS 26+
Enable Registration During Setup AssistantONmacOS 26+
Short Namecom.apple.PlatformSSO.AccountShortNamePlaceholder for the local short name
Full NamenamePlaceholder for the full name

The fields marked macOS 26+ only take effect on devices running macOS Tahoe 26 or later and require that registration already occurs during the Setup Assistant.

Relution: “Extensible Single Sign On” configuration (example with the “Password” method)

The screenshot shows the Password method as an example. For Secure Enclave Key (recommended, see table) the configuration is identical — only the “Authentication Method” field differs.

Further configuration

  • Make sure the device group additionally includes the App Compliance for Company Portal (see Step 2), so the extension is already available at the time of registration.
  • For automated deployment (DEP/ADE), it is advisable to assign the policy already in the DEP profile, so registration can take effect during the Setup Assistant (macOS 26+).

Shared Device Keys and account creation

“Use Shared Device Keys” must be ON, because in this flow the local accounts are provisioned via just-in-time provisioning (the Enable Authorization and Enable Create User at Login toggles). Without shared device keys, user-bound keys would be needed — but those cannot be generated while the user account does not yet exist (chicken-and-egg problem). Registration then fails (verified in practice).

If “Use Shared Device Keys” stays OFF while “Enable Create User at Login” is ON, registration cannot be completed.

Choosing the method by device type:

  • Personalized device (recommended): Secure Enclave Key method — passwordless, hardware-bound, Touch ID.
  • Shared / multi-user device (e.g. classroom, shift work): Password method, since changing users get by without pre-configured passwordless credentials. Register such devices without user affinity; Conditional Access is not supported on shared Macs.

Login Items / Background Task Management for Microsoft AutoUpdate

As of macOS Ventura, background processes such as Microsoft AutoUpdate (MAU) are blocked by default, or the user receives a “Background item added” notification and has to confirm it manually. Without this approval, MAU cannot update automatically in the background — this also affects Company Portal, since its updates run through MAU.

Therefore, additionally add the Login Items configuration and, via Add, enter the following path (path only, without a team identifier):

PathHide
/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.appNo

Without this approval, users repeatedly get system notifications about new background items, and MAU may not reliably update the SSO-relevant components automatically.

Registration by end users

Once the configuration has arrived on the device and the Company Portal app is installed, the initial registration proceeds as follows:

  1. A “Registration Required” notification appears on the device. Alternatively, it can be triggered from System Settings.

  2. Right after the first sign-in, the “Single Sign-On for Mac” dialog opens with the “Register account” item. Click Continue (registration appears equally for the Password and Secure Enclave Key methods).

    macOS: “Single Sign-On for Mac” dialog with “Register account”

  3. Users sign in with their Microsoft Entra ID account and confirm MFA if required (e.g. via Microsoft Authenticator).

  4. The local user account is linked to the Entra ID identity. From now on, single sign-on applies for apps and browsers that use Entra ID.

Allowing passkey autofill for Company Portal

After the first sign-in, a prompt “Allow Company Portal to autofill to use your passkey” appears. For passkey sign-in to work (Platform Credential, especially with the Secure Enclave Key method), users must enable autofill for Company Portal once:

  1. Click Open System Settings (or open System Settings manually).
  2. Navigate to General → AutoFill & Passwords.
  3. Under AutoFill from, enable the toggle for Company Portal.

macOS: “Allow Company Portal to autofill to use your passkey” – enable the Company Portal toggle under “AutoFill from”

Without this approval, Company Portal cannot offer the passkey for sign-in; passwordless sign-in then fails or the prompt reappears repeatedly.

With the Secure Enclave Key method, the local password remains unchanged; after a reboot, the local password is first required to unlock FileVault, after which Touch ID can be used.

Verification

You can check whether registration was successful as follows:

  • On the device (Terminal): app-sso platform -s shows the registration status of the Platform SSO extension.
  • In Microsoft Entra: Under Devices, the device appears as registered/joined.
  • Company Portal: The device status is shown as compliant/registered.

Possible errors

  • Registration prompt does not appear → check whether Company Portal (version 5.2404.0+) is installed and the app compliance policy has already been evaluated.
  • Sign-in fails → check the Team Identifier, Extension Identifier, and URLs for typos; make sure the URLs are excluded from TLS inspection.
  • Registration aborts at MFA → disable classic per-user MFA on the account and use Conditional Access instead.
  • “Secure Enclave” not available → affects Intel Macs; use the Password method there.
  • Login loop or “Sign-in not possible – Registration failed” → when registering during the Setup Assistant (macOS 26+), “Enable Create First User During Setup Assistant” must be ON — regardless of the method. If the toggle is OFF, no local account is created: with Secure Enclave a login loop occurs, with Password the “Registration failed” message.
  • Registration fails despite enabled account creation → “Use Shared Device Keys” must also be ON. With JIT account creation (“Enable Create User at Login”) active, user-bound keys otherwise cannot be generated (chicken-and-egg problem).

For further known issues and diagnostics, see Microsoft’s documentation “macOS Platform single sign-on known issues and troubleshooting”.