Platform SSO for macOS: A Deep Dive into Configuration & Troubleshooting

The wait is over! After months of anticipation, Platform Single Sign-On (SSO) for macOS with Microsoft Entra ID is finally here and ready to transform your Mac login experience.

Ready to Unleash the Power of Platform SSO for macOS?

Now that the initial excitement has cooled down a bit, let's get down to the practical aspects. I've split the guide into three sections: Configuration, Verification & Troubleshooting.

This blog post will serve as your guide to configure & troubleshoot Platform SSO for macOS with Microsoft Entra ID. I'll guide you through the necessary steps to understand, configure, identify and resolve common issues that may arise during the setup and use of Single Sign-On. We'll explore how to effectively diagnose problems and implement solutions, ensuring a smooth and secure user experience.

Part I - Demystifying Platform Single Sign-On for macOS

Let's ditch the technical jargon for a moment and understand Platform SSO in simpler terms. Imagine it as a master key for your Mac login experience.

Traditionally, accessing work resources on a Mac meant juggling multiple passwords for different apps and services.Platform SSO eliminates this hassle! It builds upon your existing Microsoft Entra ID infrastructure, allowing users to sign in to their Macs using the same familiar credentials.

Platform SSO offers a variety of authentication methods to suit your organization's security needs and user preferences.Here's a breakdown of the available options:

• Password and encrypted password: This method leverages your existing login credentials. The IdP keeps your local account password in sync, ensuring updates made at the login window or screensaver are reflected.
• Federated Authentication (Password with WS-Trust): For organizations using federated identity providers,Platform SSO can utilize your existing credentials across different security domains. This eliminates the need for separate logins for various work applications.
• Passwordless Security with Secure Enclave Key: This innovative method takes security a step further. It utilizes a secure enclave-backed key stored on the user's Mac to authenticate with the IdP. This eliminates the need for passwords altogether, offering enhanced protection against phishing attacks.
• Smart Card Authentication: For organizations requiring the highest level of security, Platform SSO supports Smart Card authentication. Users can leverage their existing Smart Cards to authenticate with the IdP, adding an extra layer of security to the login process.

Platform SSO not only just simplifies logins for macOS users, but its benefits extend even further! Here's how Platform SSO enhances user management and access control:

• On-Demand User Account Creation: Imagine a new employee starting their first day. Traditionally, setting up a local user account would require IT intervention. Platform SSO eliminates this hassle. It can automatically create new local user accounts on the fly using the user's IdP credentials. This streamlines the onboarding process for new hires.
• Synchronized Group Memberships: Managing user access to resources often involves group memberships.Platform SSO seamlessly integrates IdP group memberships with macOS groups. This ensures users automatically inherit the appropriate permissions based on their group affiliations within the IdP system.
• Granular Access Control: Platform SSO empowers IT admins with granular control over user access. You can leverage network accounts for authorization, allowing for precise control over which users can access specific resources. Additionally, groups can also be used to authorize network accounts, providing another layer of flexibility in managing access permissions.

In essence, Platform SSO streamlines the login process for users, enhances security for organizations, and eliminates the need for complex directory configurations. It's a win-win for everyone!

The Registration Dance: A Step-by-Step Look

This section dives deeper into the technical workings of Platform SSO. Platform SSO relies on a well-defined sequence to register devices and users with the IdP. Here's a breakdown of the steps involved:

• SSO Extension Takes the Lead: The "Microsoft Enterprise SSO plug-in for Apple devices" provides single sign-on (SSO) for Microsoft Entra accounts on macOS across all applications. This extension acts as the intermediary, facilitating communication between the device, the user, and the IdP.

Device Registration First: 

The initial step involves registering the device itself with the IdP. The extension achieves this by utilizing the beginDeviceRegistrationUsingLoginManager:options:completion: method.

• Extension Responsibilities: During device registration, the extension shoulders several tasks:
  • Registering the device with the Entra ID.
  • Providing Platform SSO with the necessary login configuration details.
  • Signaling the completion of the process using the completion handler.

Silent Registration for Convenience: If a registration token exists within the Device Management configuration profile,Platform SSO attempts a silent registration. This means users wouldn't need to intervene. The extension can leverage this token for device authentication with the IdP, eliminating the need for user prompts. However, if a silent registration fails,the system presents a user interface for manual registration.

User Interface Intervention: In scenarios where a user interface is necessary during registration, the extension utilizes the presentRegistrationViewControllerWithCompletion: method on the login manager.

Key Management: The extension can access signing and encryption keys using the ASAuthorizationProviderExtensionKeyTypeCurrentDeviceSigning and ASAuthorizationProviderExtensionKeyTypeCurrentDeviceEncryption key types, regardless of whether shared keys are employed.

Registration Outcomes: Once the process is complete, the extension must inform Platform SSO of the outcome using an ASAuthorizationProviderExtensionRegistrationResult object.

• Successful Registration: A successful registration outcome (ASAuthorizationProviderExtensionRegistrationResultSuccess) allows Platform SSO to proceed with user registration.

• Registration Failure: If registration encounters an issue (ASAuthorizationProviderExtensionRegistrationResultFailed), Platform SSO will automatically attempt to register the user again after a short interval. 

Users can also manually trigger a registration attempt through the Settings menu.

• Permanent Registration Failure: A permanent failure outcome (ASAuthorizationProviderExtensionRegistrationResultFailedNoRetry) instructs Platform SSO to halt further registration attempts until the configuration or extension itself changes.

Important Note: During device registration, SSO extensions operate at a system or role level, independent of specific users.

Next Steps: The following section will explore the user registration process facilitated by Platform SSO. We'll delve into how SSO extensions interact with the IdP to register users and enable them to leverage Platform SSO immediately.

Registering Users for Seamless Logins 

Following a successful device registration, the SSO extension initiates the user registration process using the beginUserRegistrationUsingLoginManager:userName:authenticationMethod:options:completion: method.

If your environment utilizes shared device keys, user registration only occurs for subsequent users on the device. For users created during login, the system may prompt them to initiate registration upon reaching the desktop. User-specific login configurations can be adjusted using the login manager's saveUserLoginConfiguration:error: method.

Once user registration is complete, the extension signals this to the completion handler. The system then prompts the user to authenticate using the newly established configuration, allowing them to leverage Platform SSO immediately.

If you are utilising password authentication, the system interacts with the key service to provision a new key and bind it to the user account. This strengthens security by offering an additional layer of protection.

The Secure Enclave: The Guardian of Your Login Credentials

Imagine a vault within your Mac... This vault, known as the Secure Enclave, is a dedicated secure coprocessor chip built into Apple devices. It acts as a secure haven for sensitive information, including passwords, encryption keys, and biometric data used for Touch ID.

Here's what makes the Secure Enclave special:

Microsoft highly recommends this method for its enhanced security. It leverages hardware-bound cryptographic keys stored within the Secure Enclave, a secure chip on Mac devices. This method eliminates the need for Microsoft Entra user accounts to authenticate with apps and websites, offering robust protection against phishing attacks. Secure Enclave boasts several advantages:

• Passwordless Convenience: It meets multi-factor authentication (MFA) requirements without requiring traditional passwords. Think of it as the macOS equivalent of Windows Hello for Business, offering similar functionalities like Conditional Access.
• Local Account Stays Put: The local account username and password remain unchanged due to Apple's FileVault disk encryption which relies on the local password for unlocking.
• Reboot and Touch ID: After a device reboot, users might need to enter the local account password initially. However, subsequent unlocks can leverage Touch ID for a smoother experience.
• Hardware-Backed Security: Upon unlocking, the device acquires a hardware-backed Primary Refresh Token (PRT) for device-wide SSO. This token can even function as a passkey within web browsers using WebAuthN APIs. Additionally, its setup can be initiated using an authentication app for MFA or a Microsoft Temporary Access Pass (TAP). This method also enables the creation and use of Microsoft Entra ID passkeys.

When using Platform SSO, your login credentials and any generated authentication tokens are stored within the Secure Enclave. This adds an extra layer of security compared to traditional login methods that might store this information on the main disk of your Mac.

Configure PSSO with Microsoft Intune 

Now that you understand the magic of Platform SSO, let's get down to business! This section will guide you through configuring Platform SSO for your macOS devices using Microsoft Intune.

Prerequisites

• Devices must be macOS 13.0 and newer devices.

• Microsoft Intune Company Portal app version 5.2404.0 and newer.
• Supported web browsers:
  • Microsoft Edge
  • Google ChromePlatform
  • Safari

Your Authentication Method Options:

• Secure Enclave (the Champion)
• Password (Familiar Yet Improved)
• Smart Card (High Security)

Choosing the right authentication method depends on your organization's security needs and user preferences.

Create the Platform SSO policy in Intune:

To configure the Platform SSO policy, use the following steps to create an Intune settings catalog policy.

• Sign in to the Microsoft Intune admin center.
• Select Devices > Configuration > Create > New policy.
• Enter the following properties:
  • Platform: Select macOS.
  • Profile type: Select Settings catalog.
• Select Create.
• In Basics, enter a descriptive name for the policy.
• In Configuration settings, select Add settings. In the settings picker, expand Authentication, and select Extensible Single Sign On (SSO):

• Configure the profile for at the below keys: (these are minimum required settings for PSSO to work)
  • Authentication Method (Deprecated) (only if you are deploying profile to macOS 13.x devices)
  • Extension Identifier
• Authentication Method (macOS 14+)
• Use Shared Device Keys
• Registration Token
• Account Display Name
• Screen Locked Behavior
• Team Identifier
• Type
• URLs
• Once configured, the profile should look like this:

• Select the user groups that will receive your profile.

Platform SSO in Action: A Demo with Password Authentication

This section provides a demonstration of Platform SSO using password authentication. PSSO flow:

1. Login with Microsoft Entra ID: With Platform SSO configured for password authentication, the user simply enters their Microsoft Entra ID credentials at the login screen.
2. SSO Magic: Behind the scenes, Platform SSO leverages those credentials to silently authenticate with the IdP (Microsoft Entra) and retrieve an SSO token.
3. Seamless Application Access: Once logged in, the user can access any work applications or websites that support Platform SSO without needing to enter separate login credentials. The SSO token grants them seamless access.

Platform SSO in Action: A Demo with Secure Enclave

Building upon the previous demonstration, let's explore how Platform SSO with Secure Enclave authentication elevates security even further.

• Login with Touch ID: In this scenario, the user might not even need to enter a password!  They can simply use their fingerprint to unlock the device.
• Secure Enclave in Action: Behind the scenes, the Secure Enclave chip within the Mac securely stores the user's cryptographic keys. These keys are used for authentication without ever revealing the actual password to the system.
• Silent Authentication & SSO Token: Platform SSO silently authenticates the user with the IdP (Microsoft Entra) leveraging the keys stored in the Secure Enclave and retrieves an SSO token.
• Seamless Application Access: As before, the user enjoys seamless access to work applications and websites that support Platform SSO, without needing to enter separate login credentials.

Part II - Verifying PSSO for macOS

Now that you've grasped the inner workings of Platform SSO and its configuration process, let's explore how to verify successful implementation and address any potential issues that might arise on macOS devices.

Here's how to ensure your macOS devices are enjoying the benefits of Platform SSO:

• Login with Microsoft Entra ID: Observe if users can log in to their Mac devices directly using their Microsoft Entra ID credentials, eliminating the need for separate local account passwords.
• Seamless Application Access: Verify if users can access work applications and websites that support Platform SSO without entering additional login credentials. Once logged in, they should have immediate access upon launching these applications.
• Touch ID Functionality (Optional): If Secure Enclave authentication is enabled, test if users can leverage Touch ID for device unlocking, further streamlining the login process.

Further you can also perform below checks to verify PSSO configuration:

• Verify registration by running the following command in the terminal: app-sso platform –s

• Verify both User & Device Registration:

• Password synced with Identity Provider

• Directory Services

• SSO token stored in Keychain

Part III - Troubleshooting PSSO for macOS

Even with careful planning, occasional hiccups can occur. Here are some common troubleshooting steps you can take for Platform SSO on macOS devices:

Check Device Enrollment & MDM Communication:

• Verify that the macOS devices are properly enrolled in Microsoft Intune
• Ensure the latest version of Company Portal app is deployed and running on the devices.
• Confirm that there are no connectivity issues between the devices and Microsoft Intune.

Review Platform SSO Policy Configuration:

• Double-check the Platform SSO policy settings within Microsoft Intune for any errors or inconsistencies.
• Ensure the chosen authentication method (Secure Enclave, Password, or Smart Card) aligns with your organization's security requirements and user preferences.

Leverage Diagnostic Tools:

• Utilize the Microsoft Company Portal app on the affected device. Navigate to Help > Send diagnostic report and follow the on-screen instructions. This will capture relevant logs that can be shared with Microsoft support for further analysis.
• Consult the official Microsoft documentation for detailed troubleshooting steps specific to your configuration and encountered issues.

Advanced Troubleshooting:

Platform SSO leverages the macOS system logs to record events related to user registration, AppSSO Agent confirmation and new user creation. These logs can provide valuable clues when diagnosing issues.

Here's how to access and capture the relevant logs:

1. Open Terminal: Launch the Terminal application, which is typically located within the Utilities folder within Applications.
2. Execute the Command: Type the following command in the Terminal window and press Enter:

Once the command finishes executing, navigate to your Documents folder and open the "ssologs.txt" file using a text editor. Carefully examine the contents of the file, paying close attention to timestamps, error messages, and any warnings.

These detailed logs reveal user registrations, plugin activity, and even login screen details. Analyze timestamps, errors,and successes to pinpoint configuration issues. Failed registrations, communication breakdowns, or UI glitches become exposed, allowing you to take targeted actions and ensure a smooth SSO experience for your users.

• SSOE Logs​

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] -[SOExtension beginAuthorizationWithRequestParameters:completion:] requestIdentifier: CAFC9D06-55FB74648 on <private>


Mac SSO Extension: (AppSSO) [com.apple.AppSSO:SORemoteExtensionContext] -[SORemoteExtensionContext beginAuthorizationWithRequestParameters:completion:] requestIdentifier = CAF4A-B9E55FB74648, {
    AuthenticationMethod = 0;
    AuthorizationOptions =     {
        "broker_key" = "hPGpd9IqD3njwT1dDXQ0n6LfHdrrKNGTEM8nh7OYJ_Y";
        "client_app_name" = "Company Portal";
        "client_app_version" = "5.2404.0";
        "client_version" = "1.2.22";
        "msg_protocol_ver" = 4;
        noUserInterface = 1;
    };
    CFNetworkInterception = NO;
    CallerManaged = NO;
    CallerTeamIdentifier = UBF8T346G9;
    EnableUserInteraction = NO;
    Identifier = "CAFC9E55FB74648";
    ImpersonationBundleIdentifier = "(null)";
    LocalizedCallerDisplayName = "Company Portal";
    Realm = "(null)";
    RequestedOperation = "get_device_info";
    ResponseCode = 0;
    URL = "https://login.microsoftonline.com/common";
    UseInternalExtensions = NO;
} on <private>



AppSSOAgent: [com.apple.AppSSO:SOAgent] -[SOAgent _doPerformAuthorizationWithRequestParameters:profile:completion:] {
    AuthenticationMethod = 0;
    AuthorizationOptions =     {
        "broker_key" = "hPGpd9IqD3njwT1dDXQ0n6LfHdrrKNGTEM8nh7OYJ_Y";
        "client_app_name" = "Company Portal";
        "client_app_version" = "5.2404.0";
        "client_version" = "1.2.22";
        "correlation_id" = "61-8FDB52CD331A";
        "msg_protocol_ver" = 4;
        noUserInterface = 1;
    };
    CFNetworkInterception = NO;
    CallerManaged = NO;
    CallerTeamIdentifier = UBF8T346G9;
    EnableUserInteraction = NO;
    Identifier = "76A1756B-1138E2C224443CA";
    ImpersonationBundleIdentifier = "(null)";
    LocalizedCallerDisplayName = "Company Portal";
    Realm = "(null)";
    RequestedOperation = "get_device_info";
    ResponseCode = 0;
    URL = "https://login.microsoftonline.com/common";
    UseInternalExtensions = NO;
} on <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtensionManager] -[SOExtensionManager loadedExtensionWithBundleIdentifer:] com.microsoft.CompanyPortalMac.ssoextension => <SOExtension:0x600001ef5450, bundleID=com.microsoft.CompanyPortalMac.ssoextension, path=/Applications/Company Portal.app/Contents/PlugIns/Mac SSO Extension.appex, associatedDomains=(
    "login.microsoft.com",
    "login-us.microsoftonline.com",
    "login.chinacloudapi.cn",
    "login.partner.microsoftonline.cn",
    "sts.windows.net",
    "login.microsoftonline.com",
    "login.microsoftonline.us"
)> in (
    "<SOExtension:0x600001ef5450, bundleID=com.microsoft.CompanyPortalMac.ssoextension, path=/Applications/Company Portal.app/Contents/PlugIns/Mac SSO Extension.appex, associatedDomains=(\n    \"login.microsoft.com\",\n    \"login-us.microsoftonline.com\",\n    \"login.chinacloudapi.cn\",\n    \"login.partner.microsoftonline.cn\",\n    \"sts.windows.net\",\n    \"login.microsoftonline.com\",\n    \"login.microsoftonline.us\"\n)>",
   



Company Portal: (AppSSO) [com.apple.AppSSO:SOAuthorization] -[SOAuthorization _finishAuthorizationWithCredential] credentialCore = <private>, error = (null), requestParametersCore = {
    AuthorizationOptions =     {
        "broker_key" = "hPGpd9IqrKNGTEM8nh7OYJ_Y";
        "client_app_name" = "Company Portal";
        "client_app_version" = "5.2404.0";
        "client_version" = "1.2.22";
        "correlation_id" = "7F0F-FAE40B22A328";
        "msg_protocol_ver" = 4;
        noUserInterface = 1;
    };
    CFNetworkInterception = NO;
    CallerManaged = NO;
    CallerTeamIdentifier = "(null)";
    EnableUserInteraction = NO;
    Identifier = "CAFC9D069E55FB74648";
    ImpersonationBundleIdentifier = "(null)";
    LocalizedCallerDisplayName = "(null)";
    Realm = "(null)";
    RequestedOperation = "get_device_info";
    ResponseCode = 0;
    URL = "https://login.microsoftonline.com/common";
    UseInternalExtensions = NO;
}, delegate = <ASAuthorizationController: 0x600003782700> on <private>


AppSSOAgent: [com.apple.AppSSO:SOAgent] -[SOAgent finishAuthorization:completion:] extension = <SOExtension:0x600001ef5450, bundleID=com.microsoft.CompanyPortalMac.ssoextension, path=/Applications/Company Portal.app/Contents/PlugIns/Mac SSO Extension.appex, associatedDomains=(
    "login.microsoft.com",
    "login-us.microsoftonline.com",
    "login.chinacloudapi.cn",
    "login.partner.microsoftonline.cn",
    "sts.windows.net",
    "login.microsoftonline.com",
    "login.microsoftonline.us"
)>, queue = com.microsoft.CompanyPortalMac.ssoextension on <private>


Company Portal: (AppSSOCore) [com.apple.AppSSO:SOClient] finishAuthorizationWithCompletion: success = 1, error = (null)

• User Registration​

AppSSOAgent: (PlatformSSO) [com.apple.AppSSO:POExtension] -[POExtension beginUserRegistrationUsingUserName:authenticationMethod:options:extensionData:completion:] authenticationMethod = 1, options = 5 on <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] -[SOExtension requestAuthorizationViewControllerWithCompletion:]  on <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] -[SOExtension _setupSessionIfNecessaryWithCompletion:]  on <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] -[SOExtension incrementRequestCount] count now 1 on <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] Using existing session for extension <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] -[SOExtension beginUserRegistrationUsingUserName:authenticationMethod:options:extensionData:completion:]  on <private>


AppSSODaemon: (PlatformSSO) [com.apple.AppSSO:PODaemonProcess] -[PODaemonProcess userConfigurationForIdentifier:completion:] identifier = 9B507260-FE86-4788E2769 on <private>

AppSSODaemon: (PlatformSSO) [com.apple.AppSSO:PODaemonProcess] -[PODaemonProcess saveUserConfiguration:forIdentifier:completion:] identifier = 9B50726027-7EAB788E2769 on <private>


AppSSOAgent: (PlatformSSO) [com.apple.AppSSO:POConfigurationVersion] -[POConfigurationVersion increaseVersionWithMessage:] config version increased from 0x0000018D66BE3565 to 0x0000018D66BE3571 (userConfiguration updated) on <private>

AppSSOAgent: (PlatformSSO) [com.apple.AppSSO:POKeychainHelper] -[POKeychainHelper addTokens:metaData:toKeychainForService:username:system:] service com.microsoft.CompanyPortalMac.ssoextension on <private>

AppSSODaemon: (PlatformSSO) [com.apple.AppSSO:PODaemonProcess] -[PODaemonProcess userConfigurationForIdentifier:completion:] identifier = 9B507260-FE8AB788E2769 on <private>


AppSSOAgent: (PlatformSSO) [com.apple.AppSSO:POAgentAuthenticationProcess] -[POAgentAuthenticationProcess notifyKerberosDelegateTGTDidComplete]  on 

AppSSOAgent: (PlatformSSO) [com.apple.AppSSO:POAgentAuthenticationProcess] -[POAgentAuthenticationProcess finishRegistrationWithStatus:message:] success = 1 on <private>

AppSSOAgent: (PlatformSSO) [com.apple.AppSSO:POExtension] -[POExtension registrationDidCompleteWithCompletion:]  on <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] -[SOExtension requestAuthorizationViewControllerWithCompletion:]  on <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] -[SOExtension _setupSessionIfNecessaryWithCompletion:]  on <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] -[SOExtension incrementRequestCount] count now 1 on <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] Using existing session for extension <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] -[SOExtension registrationDidCompleteWithCompletion:]  on <private>

Mac SSO Extension: (AppSSO) [com.apple.AppSSO:SORemoteExtensionContext] -[SORemoteExtensionContext registrationDidCompleteWithCompletion:]  on <private>

• Device Registration

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtension] -[SOExtension beginDeviceRegistrationUsingOptions:extensionData:completion:]  on <private>

Mac SSO Extension: (AppSSO) [com.apple.AppSSO:SORemoteExtensionContext] -[SORemoteExtensionContext beginDeviceRegistrationUsingOptions:extensionData:completion:] options = 5 on <private>

AppSSOAgent: (PlatformSSO) [com.apple.AppSSO:POExtension] -[POExtension presentAuthorizationViewControllerWithHints:completion:]  on <private>

AppSSOAgent: (AppSSOUI) [com.apple.AppSSO:SOUIAuthorizationViewController] -[SOUIAuthorizationViewController initWithExtensionViewController:hints:] extensionViewController = <SORemoteExtensionViewController: 0x600000ff0fc0> on <private>

AppSSOAgent: (AppSSOUI) [com.apple.AppSSO:SOUIAuthorizationViewController] -[SOUIAuthorizationViewController loadView]  on <private>


AppSSOAgent: (AppSSOUI) [com.apple.AppSSO:SOUIAuthorizationViewController] <SORemoteExtensionViewController: 0x600000ff0fc0> - size: (w=809.000000, h=650.000000)


AppSSOAgent: (AppSSOUI) [com.apple.AppSSO:SOUIAuthorizationViewController] -[SOUIAuthorizationViewController viewDidLoad]  on <private>

AppSSOAgent: (PlatformSSOUI) [com.apple.AppSSO:POAgentWindowController] -[POAgentWindowController initWithWindow:]  on <private>

AppSSOAgent: (AppSSOUI) [com.apple.AppSSO:SOUIAuthorizationViewController] -[SOUIAuthorizationViewController viewWillAppear]  on <private>

AppSSOAgent: (AppSSOUI) [com.apple.AppSSO:SOUIAuthorizationViewController] -[SOUIAuthorizationViewController viewDidAppear]  on <private>

Mac SSO Extension: (AppSSOCore) [com.apple.AppSSO:SOConfigurationClient] -[SOConfigurationClient init]  on <private>

Mac SSO Extension: (AppSSOCore) [com.apple.AppSSO:SOServiceConnection] <SOServiceConnection: 0x12b155f40>: new XPC connection

Mac SSO Extension: (AppSSOCore) [com.apple.AppSSO:SOConfigurationVersion] -[SOConfigurationVersion checkVersion] config version changed from from 0x0000000000000000 to 0x0000018D66B94507 on <private>

Mac SSO Extension: (AppSSOCore) [com.apple.AppSSO:SOConfigurationClient] -[SOConfigurationClient _reloadConfig]  on <private>

Mac SSO Extension: (AppSSOCore) [com.apple.AppSSO:SOClient] -[SOClient configurationWithCompletion:]  on <private>

AppSSOAgent: [com.apple.AppSSO:SOAgent] -[SOAgent initWithXPCConnection:] <SOAgent: 0x6000013ed380> on <private>

Mac SSO Extension: (AppSSOCore) [com.apple.AppSSO:SOClient] configurationWithCompletion: success = YES, error = (null)

Mac SSO Extension: (AppSSOCore) [com.apple.AppSSO:SOClient] -[SOClient getAuthorizationHintsWithURL:responseCode:completion:] url: <mask.hash: '3WXy1dp5TlBJfSe8ZoJkFw=='>, responseCode: 0 on <private>

AppSSOAgent: (AppSSO) [com.apple.AppSSO:SOExtensionManager] -[SOExtensionManager loadedExtensionWithBundleIdentifer:] com.microsoft.CompanyPortalMac.ssoextension => <SOExtension:0x600001ef5450, bundleID=com.microsoft.CompanyPortalMac.ssoextension, path=/Applications/Company Portal.app/Contents/PlugIns/Mac SSO Extension.appex, associatedDomains=(null)> in (
    "<SOExtension:0x600001ef5450, bundleID=com.microsoft.CompanyPortalMac.ssoextension, path=/Applications/Company Portal.app/Contents/PlugIns/Mac SSO Extension.appex, associatedDomains=(null)>",
    "<SOExtension:0x600001ef6490, bundleID=com.apple.AuthKitUI.AKAppSSOExtension, path=/System/Library/PrivateFrameworks/AuthKitUI.framework/PlugIns/AKAppSSOExtension_macOS.appex, associatedDomains=(null)>",
    "<SOExtension:0x600001ef67b0, bundleID=com.apple.AppSSOKerberos.KerberosExtension, path=/System/Library/PrivateFrameworks/AppSSOKerberos.framework/PlugIns/KerberosExtension.appex, associatedDomains=(null)>"
) on <private>


Mac SSO Extension: (AppSSOCore) [com.apple.AppSSO:SOClient] SOClient authorization hints: {localizedExtensionBundleDisplayName = "Mac SSO Extension";

Mac SSO Extension: (AppSSO) [com.apple.AppSSO:SOAuthorization] hints: {localizedExtensionBundleDisplayName = "Mac SSO Extension"}, error: (null)


AppSSODaemon: (PlatformSSO) [com.apple.AppSSO:PODaemonProcess] -[PODaemonProcess deviceConfigurationForIdentifer:completion:] identifer = 9B507260-FE86788E2769 on <private>202

Conclusion

In this comprehensive blog post, we've explored the world of Platform SSO for macOS. We've delved into its technical aspects, unpacked its user and security benefits, and even equipped you with the knowledge to configure and troubleshoot it on your macOS devices.

With Platform SSO, you can empower your users with a streamlined login experience while simultaneously strengthening your organization's security posture. Consider exploring the official Microsoft documentation to delve deeper into configuration specifics and unleash the full potential of Platform SSO within your macOS environment.

I hope this blog post has been informative and empowers you to make informed decisions regarding Platform SSO for your organization. If you have any questions or require further assistance, feel free to leave a comment below!