With Platform Single Sign-on (Platform SSO), developers can build SSO extensions that extend to the macOS login window, allowing users to synchronise local account credentials with an identity provider (IdP) and here we sync it with Microsoft Entra ID (AAD). The local account password is automatically kept in sync, so the cloud password and local passwords match. Users can also unlock their Mac with Touch ID and Apple Watch
Platform SSO requires the following:
macOS 13 or later
A mobile device management (MDM), here we use Microsoft Intune, solution that supports the Extensible Single Sign-on payload which includes support for Platform SSO
Support from the IdP, here Microsoft Entra ID, for the Platform SSO authentication protocol
One of two supported authentication methods:
Authentication with a Secure Enclave-backed key: With this method, a user who logs in to their Mac can use a Secure Enclave-backed key to authenticate with the IdP without a password. The Secure Enclave key is set up with the IdP during the user registration process.
Password authentication: With this method, a user authenticates with a local password or an IdP password.
In this video I use Secure Enclave, but the same steps by just changing the selection works for Password Auth as well.
More Read - support.apple.com/en-in/guide/deployment/dep7bbb05313/web
Configure Intune, refer - learn.microsoft.com/en-us/mem/intune/configuration/platform-sso-macos
Intune Config Info: learn.microsoft.com/en-us/mem/intune/configuration/platform-sso-macos#step-2---create-the-platform-sso-policy-in-intune
-Praveen