By default, on macOS, you always have a local account. There’s no option to natively sign-in to Microsoft Entra ID like on Windows. There’s not even any option to natively sign-in to Apple ID. The account is always local with a local password, just linked to your Apple ID.
This behavior should change with the release of Platform SSO, where the Microsoft Entra ID account logs directly into macOS, the equivalent of Microsoft Entra Join. No local account needed.
Configure Microsoft Enterprise SSO plug-in for macOS
On macOS, however, there is a full SSO to Microsoft Entra ID thanks to the Microsoft Enterprise SSO plug-in. And it works great in Safari, too, for example, when you open a site integrated with Microsoft Entra ID and Safari immediately logs you in automatically with your corporate account and asks no questions at all.
Microsoft Enterrprise SSO plug-in for macOS can be configured via Microsoft Intune. Go to Devices – macOS – Configuration profiles and create a new configuration profile. The profile type will be Templates – Device features.
Expand the Single sign-on app extension pane and select Microsoft Entra ID in the SSO app extension type dropdown menu. The scroll down to the Additional configuration part and add three settings.
| Key | Type | Value |
|---|---|---|
| AppPrefixAllowList | String | com.microsoft.,com.apple. |
| browser_sso_interaction_enabled | Integer | 1 |
| disable_explicit_app_prompt | Integer | 1 |
You can then open the Company Portal app on your Mac and verify that Microsoft Enterprise SSO is configured and enabled for the account.
