What is Platform SSO for Mac, and how does it work with Microsoft Intune and Entra ID?
Platform SSO lets a Mac sign in with the user's Microsoft Entra ID account and reach work resources without repeated password prompts. It is part of the Microsoft Enterprise SSO plug-in, deployed through Intune, and can use the Mac's Secure Enclave and Touch ID for passwordless, phishing-resistant sign-in, similar to Windows Hello for Business.
How it works
The Enterprise SSO plug-in acts as the broker for Microsoft Entra ID authentication and Conditional Access. You configure Platform SSO through the Intune settings catalog and choose one of three authentication methods: Secure Enclave (a passwordless passkey unlocked with Touch ID), the user's Microsoft Entra password with password sync, or a smart card. It needs macOS 13 or newer, with macOS 14 Sonoma or later recommended, and the Microsoft Intune Company Portal app, which carries the plug-in.
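The authentication method chosen in the settings catalog ends up in the configuration profile delivered to the Mac, so it can be checked there. The script below is an added example, not Microsoft's or Blue Arc's code: it audits an exported profile for the Platform SSO method. It assumes Apple's com.apple.extensiblesso payload keys and Microsoft's documented extension identifier; the sample profile is constructed for the example.

```python
import plistlib

# Identifiers as documented by Apple (payload type, keys) and Microsoft (extension ID).
SSO_PAYLOAD = "com.apple.extensiblesso"
MS_EXTENSION_ID = "com.microsoft.CompanyPortalMac.ssoextension"
# The three methods named above, mapped to whether sign-in still uses a password.
USES_PASSWORD = {"UserSecureEnclaveKey": False, "SmartCard": False, "Password": True}

def audit_profile(raw):
    """Return a list of findings for the Platform SSO settings in a profile."""
    profile = plistlib.loads(raw)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == SSO_PAYLOAD]
    if not payloads:
        return ["no Extensible SSO payload: Platform SSO is not configured"]
    findings = []
    for p in payloads:
        ext = p.get("ExtensionIdentifier")
        if ext != MS_EXTENSION_ID:
            findings.append(f"extension {ext!r} is not the Microsoft SSO plug-in")
        # The method sits in the PlatformSSO dictionary; the older
        # top-level key is checked as a fallback.
        method = (p.get("PlatformSSO", {}).get("AuthenticationMethod")
                  or p.get("AuthenticationMethod"))
        if method is None:
            findings.append("no AuthenticationMethod: Platform SSO is not enabled by this payload")
        elif method not in USES_PASSWORD:
            findings.append(f"unknown AuthenticationMethod {method!r}")
        elif USES_PASSWORD[method]:
            findings.append(f"{method} method: sign-in still depends on a password")
    return findings

def sample_profile(method):
    """Constructed test profile; not exported from a real tenant."""
    payload = {"PayloadType": SSO_PAYLOAD, "Type": "Redirect",
               "ExtensionIdentifier": MS_EXTENSION_ID,
               "URLs": ["https://login.microsoftonline.com"]}
    if method is not None:
        payload["PlatformSSO"] = {"AuthenticationMethod": method}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [payload]})

if __name__ == "__main__":
    for m in ("UserSecureEnclaveKey", "Password", "Passkey", None):
        print(m, "->", audit_profile(sample_profile(m)) or "ok")
```

An empty result means the payload names the Microsoft plug-in and a passwordless method; a misspelled method value or a missing PlatformSSO dictionary is reported as a finding.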
What changed in 2026
Platform SSO registration can now run during Setup Assistant on devices enrolled through Apple Business Manager. The user signs in with their Microsoft Entra account during setup and arrives at the desktop already registered, with single sign-on active and Conditional Access satisfied, rather than having to act on a notification afterwards. Newer macOS releases simplify this further with automatic registration.
On-premises sign-on too
Where a business still has on-premises Active Directory, Platform SSO can provide Kerberos single sign-on to those resources through Apple's Kerberos SSO extension, in the same policy.
Why it matters
Passwords are the most common attack vector. Platform SSO moves Macs toward passwordless, phishing-resistant sign-in, advances a Zero Trust posture through the Secure Enclave, removes the need for separate security keys, and cuts repeated sign-in prompts and the help desk tickets that come with them.
How Blue Arc helps
We deploy Platform SSO through Intune, choose the right authentication method for your environment, align it with your enrolment flow, and avoid the common pitfalls that cause silent failures. See our Apple device management overview, managed services, or get in touch.
For the authoritative, current detail, see Microsoft's "Configure Platform SSO for macOS" and "macOS Platform SSO overview".
Frequently asked questions
Is Platform SSO passwordless?
It can be. Using the Mac's Secure Enclave and Touch ID, Platform SSO supports passwordless, phishing-resistant sign-in with Microsoft Entra ID, similar to Windows Hello for Business. Password and smart card options are also available.
What macOS version do I need for Platform SSO?
macOS 13 or newer is supported, with macOS 14 Sonoma or later recommended, plus the Microsoft Intune Company Portal app. Registration during Setup Assistant needs a newer Company Portal version.
Does Platform SSO work with Conditional Access?
Yes. The Microsoft Enterprise SSO plug-in brokers Entra ID authentication and Conditional Access, so a registered Mac can satisfy Conditional Access policies.
Last reviewed: 1 July 2026. Platform SSO and Intune change frequently; check the Microsoft links above for the latest.