Unlocking Your Mac: Microsoft 365 Login Made Easy

  • Published 10 Feb 2025

COMMENTS • 64

  • @Jekaglobus
    @Jekaglobus 1 month ago +23

    Office LTSC 2024 is now available at Hypest Key microsoft partner, but unlike Office 365, it doesn't include cloud storage

  • @barcoproductions
    @barcoproductions 4 months ago +1

    Major game changer! Thank you for demoing this! Been waiting for this for a very long time! Keep making M365+macOS videos :)

  • @Thulebeez
    @Thulebeez 4 months ago +1

    Great, now we revisit our hardware procurement specification, this just makes sense for me to get a Mac instead of a Surface laptop.

  • @Jordan-k7l
    @Jordan-k7l 4 months ago +6

    You need to have Apple MDM push certificates set up and also have per-user MFA disabled; use a CA policy instead and it will work.
    Even if the per-user MFA is off in Entra, you need to disable it in the legacy menu for each user.

  • @DeekinBlooz
    @DeekinBlooz 4 months ago

    Excellent and timely tutorial! Our MSP is currently setting this up for our Macs in our hybrid computing environment. I've shared the video with them because your tutorial is so detailed and clear. Thanks!

  • @Blastiq
    @Blastiq 4 months ago

    This is great

  • @jamesablanco
    @jamesablanco 4 months ago

    Enjoyed this video! Definitely Setting this up in our organization! Hats off to you and your videos!

  • @marvnl
    @marvnl 4 months ago +3

    I love this! It is almost perfect :). But what about the scenario as follows: a MacBook comes straight from Apple and is uploaded to ABM. The end user opens the MacBook, boots it up and it says it is remotely managed. They fill in the M365 account and, due to the SSO policy, it will create a standard account. Perfect. But when local admin is needed for a task, what then? Because no local admin account has been created yet. It can be fixed if there is a bash script that creates a local admin account via Intune, but I have not found one yet. Any idea?

  • @NickS-vn3xt
    @NickS-vn3xt 4 months ago +2

    Hi Jonathan, thanks for this and other guides... I've seen guides for this and for linking ABM to Intune, but all seem to be for new devices or having to reset existing ones.
    Are there any options for deploying Platform SSO to MacBooks that we already have enrolled in Intune? At the moment we use NoMAD to sync account creds with on-prem AD but are looking to move to Entra fully.
    Cheers!

    • @bearded365guy
      @bearded365guy 4 months ago +2

      @NickS-vn3xt Hi, you can still do it this way… But you would need to push out the Company Portal app.

  • @toddwoodford
    @toddwoodford 4 months ago +3

    Great setup video but when you restart the Mac it still wants the local Mac password. How do you have biometrics without the local on a restart or the 365 password?

    • @iamweave
      @iamweave 12 days ago

      I had similar problems with biometrics when trying this. Password seems to work better, which is a bit counter-intuitive. My test users were way too confused with the biometrics and whether to use local password or not, so I haven't been deploying it that way sadly.

  • @spartacus1979at
    @spartacus1979at 4 months ago +2

    If I do it exactly like you in your video - set the Platform SSO policy to "password" and not "secureenclave", I can sign into the Mac with my M365 credentials, exactly like you. But: when I change this to "secureenclave" like you would recommend with production environments, what is the exact advantage? I can't sign in with my M365 credentials, I have to use the local credentials - is that the way it should work? I can't use TouchID after restart/sign out, so I don't see the point. What am I missing here? (non-DEP device btw)

    • @bearded365guy
      @bearded365guy 4 months ago

      Hi - so when you set to Secure Enclave you should be able to sign into the Mac with your biometrics and then be authenticated to your Microsoft 365 apps, is that what happens?

    • @spartacus1979at
      @spartacus1979at 4 months ago +1

      @bearded365guy The auth within the M365 apps works. But I can’t sign in with the fingerprint. Always have to use the local password. But after a restart/sign out Touch ID was never supported on Mac!?

    • @iamweave
      @iamweave 12 days ago

      @spartacus1979at The docs page on Microsoft says the local admin password is still needed on restart to unlock FileVault if you have that configured on.

  • @carlosernestozeledon5037
    @carlosernestozeledon5037 4 months ago

    Hi Jonathan, awesome content. I've got this question for you: how is this better or different from Managed Apple ID federated authentication?

  • @michaelvandensteen7994
    @michaelvandensteen7994 3 months ago

    Thanks for the tutorial. Although everything seems to work I can only login using my local admin password. So I can login as another user in My 365 organization but when I want to login with my own account only the local admin password is accepted (not my actual M365 password). Any idea what could be wrong?

  • @JonathanLawton
    @JonathanLawton 4 months ago +1

    Great content Jonathan, I assume if the Mac is offline and a password is changed on M365 the Mac continues to authenticate using the old PW until it reconnects to the internet?
    Also when a password is changed on M365 how long does it take to push to a Mac?
    Final one I promise… if biometrics is used can you fall back to a password if biometrics fails or stops working?

    • @bearded365guy
      @bearded365guy 4 months ago

      @JonathanLawton Hi - Yes, if the Mac was offline then the old password would continue to be used. The password change is usually pretty quick. With the biometrics, the local username and password are kept as-is, not changed. So yes, a fallback.

    • @kinetys
      @kinetys 18 days ago

      @bearded365guy Hello, it doesn't change for me immediately; this doesn't synchronize. I have changed the password on M365 and it does not sync on the local Mac. I have the same configuration as in the video, "password" method.

  • @AnnoyedFruitBowl
    @AnnoyedFruitBowl 4 months ago

    Thank you, Jonathan.

  • @markmm3310
    @markmm3310 4 months ago +1

    Is passwordless authentication supported? I mean number matching, Yubikey or something like that instead of the password.

  • @pedrovervaeke4291
    @pedrovervaeke4291 4 months ago

    Hi Jonathan,
    Does it also write the Mac to the "Authentication methods" in Entra ID when using the "password" option instead of "SecureEnclave"? SecureEnclave will register the Mac as an authentication method :)

  • @andrewenglish3810
    @andrewenglish3810 4 months ago +4

    How does this work with Entra/Azure AD hybrid environments?

    • @bearded365guy
      @bearded365guy 4 months ago

      @andrewenglish3810 It’s only supported in Entra Join environments, not hybrid.

    • @marvnl
      @marvnl 4 months ago

      In case you are talking about macOS devices added to your AD. Although you do not see that often anymore. You have your mobile account created by AD and from that account the above solution then creates a second account. Because the above policy creates an account locally, but with SSO as authentication. And your AD also creates an account, not locally but as a mobile account on your Mac. Therefore, it is separate. So you have to make a choice. But I suggest you test the policy yourself and see. Play with the settings functionalities more to get some questions answered.

    • @QUOTES-lf1wt
      @QUOTES-lf1wt 4 months ago

      Yes, I tried playing around... still, isn't there a risk involved here if we have to disable 2FA like Authenticator and SMS org-wide for Mac users then...?
      Platform SSO should have worked with 2FA...

    • @IrfanQureshi000
      @IrfanQureshi000 4 months ago

      3810

  • @gasparjoao1992
    @gasparjoao1992 2 months ago

    Hi Jonathan, why does Microsoft Entra keep popping up every time I restart my macOS machine?

  • @Egimatic
    @Egimatic 4 months ago +1

    Does this also work for iOS devices, iPads, iPhone?

    • @bearded365guy
      @bearded365guy 4 months ago +1

      @Egimatic No it doesn’t. Just macOS.

  • @armankarambakhsh9863
    @armankarambakhsh9863 4 months ago +1

    Is this in any way possible for Windows, and without using Azure?!

  • @gscouser
    @gscouser 1 month ago +1

    Anyone tried this with Manage Engine Endpoint Central as their MDM rather than Intune?

    • @bearded365guy
      @bearded365guy 1 month ago

      @gscouser I haven’t used Manage Engine MDM

  • @Richard-kl8wr
    @Richard-kl8wr 4 months ago

    Do you still have the option to log in as an admin locally, for example, in case of no internet connection or other issues?

    • @bearded365guy
      @bearded365guy 4 months ago +1

      @Richard-kl8wr I do recommend having a local admin account on the device too.

    • @socialwill
      @socialwill 4 months ago

      @bearded365guy I am curious how this works if you are not connected to a network. What happens when you try to log in?

    • @patrick__007
      @patrick__007 4 months ago

      Thanks for this! What about the deprecation?

  • @MagicWandsz
    @MagicWandsz 2 months ago

    Hey Jonathan, I followed the instructions in the video, I downloaded Company Portal, signed in, and I get to the screen to download the profile. I click on download profile and I get a popup that says "Couldn't add your device. Contact your IT admin for assistance with this issue. AccountNotOnboarded". Are there any prerequisites for this to work? I have gone straight into the config as per the video. macOS version is Sequoia 15.1.
    Anyone else having a similar issue?

    • @MagicWandsz
      @MagicWandsz 2 months ago

      Hi everyone, back of my last message 22 mins ago, I just realised I didn't have the MDM Push Certificate configured under enrollment. I would recommend you configure that first if not already. However, Jonathan's video is fantastic and is well explained, works for us, just waiting for the login screen policy to sync and then hopefully it will display the details to suggest you need to sign in with your O365 account.
      Thanks Jonathan, your content is the best I have come across for configuring O365, you should add Buymeacoffee, you well deserve one from your followers :)

  • @iamweave
    @iamweave 4 months ago

    4:26 -- Which is the "Authentication Method" deprecated?

    • @iamweave
      @iamweave 3 months ago

      I found out later this is needed for macOS 13 only. If you have no clients on 13 then there is no need to check that box.

  • @GlenS-h7d
    @GlenS-h7d 4 months ago

    This has worked well for me... mostly! However, I get some accounts where you can't register and the Entra ID box just 'shakes' and it doesn't register or sync. Has anybody else had this happen?

  • @QUOTES-lf1wt
    @QUOTES-lf1wt 4 months ago

    Is this feature not working with 2FA? Because as soon as I tried disabling 2FA it allows me to register and login token and complete Platform SSO registration... please help me on this.

    • @Jordan-k7l
      @Jordan-k7l 4 months ago

      Use a conditional access policy to enforce MFA, then disable per-user MFA. That was my issue and seems to be the problem most people have. Even if you have the CA for MFA enabled and the CA for per user off, you need to go into the legacy portal to turn it off for the account you are connecting.

    • @QUOTES-lf1wt
      @QUOTES-lf1wt 4 months ago

      @Jordan-k7l Hey, I still didn't get any idea how it is supposed to work...
      Can you elaborate in easy words and steps, or share any link to the page you got this idea 💡 from...?

  • @BojidarIliev
    @BojidarIliev 4 months ago

    Hi Jonathan, I am running macOS Sequoia 15.0 and the registration popup does not show up, so I cannot continue with the Company Portal process. Any idea how to solve this?

    • @bearded365guy
      @bearded365guy 4 months ago

      Did you install the company portal and download the profile?

    • @BojidarIliev
      @BojidarIliev 4 months ago

      @bearded365guy Yes, I did. And I am stuck on the next step - there is no popup to register the device.

    • @marvnl
      @marvnl 4 months ago

      @BojidarIliev Go to System Settings > Users & Groups > click on the user information mark > under "Platform Single Sign-On" and then "Registration" you can see the status of your SSO account. You can click on Repair, I guess.

    • @PacoLebron
      @PacoLebron 4 months ago +1

      Strangely enough I have this same issue. I am doing some more troubleshooting but can't seem to figure out why the registration pop-up does not come up. I have upgraded from Sonoma to Sequoia as well

    • @bearded365guy
      @bearded365guy 4 months ago

      @BojidarIliev How strange. I haven’t seen that behaviour. And it’s strange that you’re both using Sequoia.

  • @abdurahmanMohamedYarow
    @abdurahmanMohamedYarow 4 months ago +1

    I have Microsoft 365 Business Standard installed on my Mac Studio. All apps work excellently except the Outlook app, which does not open at all. I do not know what happened to this app. I tried to reinstall and update the apps; unfortunately, until now the Outlook app does not open.

    • @bearded365guy
      @bearded365guy 4 months ago

      @abdurahmanMohamedYarow Can you try Premium?

  • @giridharpavan1592
    @giridharpavan1592 2 months ago

    Giving Microsoft full control of a Mac is just scary

  • @emilsdl
    @emilsdl 4 months ago +1

    Mac is a no-no, but when the organization hired a graphic designer and they use Mac, all hell leash from the ITs, Game Changer, we are now back to gods; this graphic designer is no longer special, and now ITs are in control. whoah + (3 x ha)

  • @gasparjoao1992
    @gasparjoao1992 4 months ago

    Thank you @Jonathan Eduards, it is working.