iphase.dk Michael Mardahl, MVP
Enable Microsoft Enterprise SSO plug-in for Apple Devices through Intune
>> Overview
Microsoft Enterprise Single Sign-On has been limited on Apple iOS/macOS devices until now. The new SSO plug-in for the Microsoft Authenticator App changes everything.
The Microsoft Enterprise SSO plug-in for Apple devices provides single sign-on (SSO) for Azure Active Directory accounts across all applications that support Apple's Enterprise Single Sign-On feature.
UPDATE: This now works in preview for macOS; target macOS instead of iOS/iPadOS.
UPDATE: If your Teams client starts acting strange, try removing your device from the targets of this policy and rebooting the phone.
>> Requirements
* iOS 13 minimum OS version
* Latest version of Microsoft Authenticator with your identity configured
* Device enrolled with Intune or another MDM
* SSO feature enabled through a device feature policy
>> How to enable the SSO extension
>> Step 1: Creating a device feature profile
Navigate to the MEM portal at https://endpoint.microsoft.com.
1. Click DEVICES > IOS/IPADOS
2. Click CONFIGURATION PROFILES > + CREATE PROFILE
3. Select Platform IOS/IPADOS and Profile DEVICE FEATURES
>> Step 2: Configuring the SSO App extension feature
Configure the SINGLE SIGN-ON APP EXTENSION (not "Single Sign On"):
1. Select SSO app extension type: REDIRECT
2. Extension ID: com.microsoft.azureauthenticator.ssoextension
3. Add the following URLs:
- https://login.microsoftonline.com
- https://login.microsoft.com
- https://sts.windows.net
- https://login.partner.microsoftonline.cn
- https://login.chinacloudapi.cn
- https://login.microsoftonline.de
- https://login.microsoftonline.us
- https://login.usgovcloudapi.net
- https://login-us.microsoftonline.com
4. Additional configuration keys:
- browser_sso_interaction_enabled - Type: Integer, Value: 1
- disable_explicit_app_prompt - Type: Integer, Value: 1
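For another MDM, or for auditing what a device actually received, the Step 2 settings correspond to Apple's Extensible SSO payload. The following is an added example, not part of the original post or any Microsoft tooling: it builds that payload from the values above and checks a profile against them. The payload key names follow Apple's com.apple.extensiblesso schema, identifiers are written in the lowercase form Microsoft documents, and PayloadIdentifier and PayloadUUID are constructed placeholders.

```python
import plistlib

# Values from Step 2 above. Payload key names follow Apple's Extensible SSO
# (com.apple.extensiblesso) schema, which this page does not show (assumption).
EXTENSION_ID = "com.microsoft.azureauthenticator.ssoextension"
URLS = [f"https://{h}" for h in (
    "login.microsoftonline.com", "login.microsoft.com", "sts.windows.net",
    "login.partner.microsoftonline.cn", "login.chinacloudapi.cn",
    "login.microsoftonline.de", "login.microsoftonline.us",
    "login.usgovcloudapi.net", "login-us.microsoftonline.com")]
EXTENSION_DATA = {"browser_sso_interaction_enabled": 1,
                  "disable_explicit_app_prompt": 1}


def build_payload():
    """Return the SSO extension payload as a plist-ready dict."""
    return {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadIdentifier": "example.sso.extension",  # constructed placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # constructed
        "PayloadVersion": 1,
        "Type": "Redirect",
        "ExtensionIdentifier": EXTENSION_ID,
        "URLs": list(URLS),
        "ExtensionData": dict(EXTENSION_DATA),
    }


def audit_payload(raw):
    """Parse plist bytes; return every deviation from the settings above."""
    p, findings = plistlib.loads(raw), []
    if p.get("PayloadType") != "com.apple.extensiblesso":
        findings.append("not an Extensible SSO payload")
    if p.get("Type") != "Redirect":
        findings.append("Type is not Redirect")
    if p.get("ExtensionIdentifier") != EXTENSION_ID:
        findings.append("unexpected ExtensionIdentifier")
    urls = p.get("URLs", [])
    findings += [f"unexpected URL: {u}" for u in urls if u not in URLS]
    findings += [f"missing URL: {u}" for u in URLS if u not in urls]
    for key, want in EXTENSION_DATA.items():
        got = p.get("ExtensionData", {}).get(key)
        # The page specifies Type: Integer, so <true/> (a bool) is flagged.
        if type(got) is not int or got != want:
            findings.append(f"{key} should be integer {want}, got {got!r}")
    return findings

if __name__ == "__main__":
    print(audit_payload(plistlib.dumps(build_payload())) or "profile matches")
```

An empty result means the payload matches the settings listed in Step 2; any extra entry in the URL list is reported because it widens the set of sign-in endpoints handed to the extension.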
>> Step 3: Assign the policy
>> Testing the Single Sign-On experience
Test using the Office 365 portal (http://portal.office.com) in Safari for iOS. Clear cached credentials first using Apple's guide.
>> Read more
For macOS, use Extension ID com.microsoft.CompanyPortalMac.ssoextension with Team ID UBF8T346G9.