macOS Platform SSO with Microsoft Entra ID: Troubleshooting Registration, Smart Card, and Conditional Access Errors (2026)
A 2026 troubleshooting playbook for macOS Platform SSO with Microsoft Entra ID. Fix registration loops, smart card key errors, and Conditional Access blocks with diagnostic commands tier-1 staff can run.
macOS Platform SSO (PSSO) with Microsoft Entra ID is an Apple framework that lets a Mac register itself with Entra ID and exchange the local login for a hardware-bound, Secure Enclave-protected primary refresh token, so users get true single sign-on across native and web apps without third-party agents. When it works, it's the closest thing macOS has ever had to Hybrid Azure AD Join. When it doesn't, you usually have a Company Portal registration loop, a smart-card key that never made it into the Secure Enclave, or a Conditional Access policy quietly blocking the registration call. This guide walks through the 2026 fix path I use on the helpdesk for each of those common failure modes.
Platform SSO requires macOS 13.5 or newer, the latest Company Portal, an Intune (or supported MDM) configuration profile, and an Entra ID tenant with Platform credential support enabled.
The three authentication methods (Password, Secure Enclave passkey, and Smart Card) each have distinct prerequisites. Secure Enclave is the default for new deployments in 2026.
Most "Platform SSO not registering" tickets trace to one of four root causes: missing Apple Push Notification trust, broken Company Portal cache, Conditional Access blocking device registration, or a stale device record in Entra ID.
Use app-sso platform -s and the Console.app subsystem filter com.apple.AppSSO to confirm registration state before touching anything else.
FileVault, Touch ID, and Login Window integration each unlock different PSSO capabilities. None of them are on by default, and all of them need the right configuration profile keys.
If you support Entra Joined Windows devices, treat Platform SSO as the macOS equivalent of Microsoft Entra Join, not as Workplace Join or device registration, which is a separate, weaker state.
What is macOS Platform SSO and how does it work?
Platform SSO is an Apple-defined extension to the existing macOS Single Sign-On Extension framework (the same framework Kerberos SSO and the Microsoft Enterprise SSO plug-in use). Instead of brokering a single application's token like the old Enterprise SSO did, Platform SSO registers the entire Mac with your identity provider at the OS level, then mints a Primary Refresh Token (PRT) that is bound to a key stored inside the Mac's Secure Enclave. That key can never leave the chip, which is what gives you the "phishing-resistant" claim auditors love.
The flow looks like this. An MDM (Intune in most of my deployments) pushes a Platform SSO configuration profile that points at a specific Extension Identifier. For Entra ID, that's the Microsoft Enterprise SSO plug-in bundled inside Company Portal. The next time the user signs in to macOS, the Login Window shows a PSSO registration card, the user authenticates against Entra ID once, the Mac generates a key pair in the Secure Enclave, Entra ID stores the public key against a device object, and from then on the Mac proves possession of that key on every token request. Honestly, coming from the Windows side where Hybrid Azure AD Join was a wrestling match with certutil for a decade, this is genuinely elegant. Apple got the cryptography right.
Where it gets messy is the chain of dependencies. APNs has to reach the Mac, the Company Portal app has to be at the right version, the MDM has to deliver the profile before the user signs in, and your Conditional Access policies have to allow the registration call. Break any link in that chain and you get a generic "Sign in to your work account" prompt that never goes away.
Platform SSO prerequisites for 2026 deployments
Apple raised the floor in macOS 14 and again in macOS 15 Sequoia, and the 2026 Microsoft guidance now treats macOS 13.5 as the absolute minimum. Anything older, and the PSSO keys simply don't enrol. Here's the matrix I check before opening a ticket.
| Requirement | Password method | Secure Enclave (passkey) | Smart Card |
|---|---|---|---|
| Minimum macOS | 13.0 | 13.5 (14.0 recommended) | 14.0 |
| Company Portal version | 5.2406.0+ | 5.2406.0+ | 5.2410.0+ |
| Entra ID licence | Entra ID Free | Entra ID P1 recommended | Entra ID P1 required for CBA |
| Authentication strength | MFA via Authenticator | Phishing-resistant | Phishing-resistant + hardware |
| FileVault unlock | No | Optional | No |
| Login Window integration | Yes (password sync) | Yes (key-based) | Yes (card insert) |
| Touch ID support | Local only | Yes (PRT release) | No |
On the network side, the Mac needs outbound HTTPS to login.microsoftonline.com, device.login.microsoftonline.com, enterpriseregistration.windows.net, and the standard Apple push hosts on TCP 5223 and 443. If your security team blocks enterpriseregistration.windows.net because the hostname says "windows" and the device is a Mac (and yes, I've seen this twice this year), registration will fail silently and your only clue is an NSURLErrorDomain Code=-1003 entry in the AppSSO log. Open the firewall.
How do I enable Platform SSO on macOS?
I'll show the Intune flow because that's what 90% of mixed shops use, but the same payload works from Jamf and Kandji. Just paste it into a custom configuration profile.
In Intune, go to Devices > macOS > Configuration > Create > Templates > Single sign-on app extension. Choose SSO app extension type: Microsoft Entra ID, then scroll to the Platform SSO section. The four settings that matter:
Authentication method: Secure Enclave key for new deployments. Pick Password only if you still have on-prem Active Directory password sync requirements.
Use Shared Device Keys: Enabled. This is the 2026 default, and it lets multiple users on the same Mac share a registration without re-enrolling.
Enable authorization: Yes, required to map Entra ID groups to local admin rights.
User Authorization: Set the Entra group whose members should become local admins. Everyone else gets a standard account.
For Jamf admins, the equivalent payload key is PlatformSSO inside the com.apple.extensiblesso profile, with AuthenticationMethod set to UserSecureEnclaveKey. The full schema lives in Apple's Extensible Single Sign-On payload reference. Do not edit it by hand without checking that doc first, because Apple has changed the key names twice since the original 2023 release.
Once the profile lands, the user sees a notification in the menu bar prompting them to register. They click it, sign in with their Entra ID credentials, complete MFA, and (assuming everything else is wired correctly) get a green check mark. Easy. The problem is "assuming everything else is wired correctly," which brings us to the next section.
Why is Platform SSO not registering?
The single most common ticket I get is "I clicked Register, I signed in, and nothing happened." Four root causes account for nearly every instance. Work through them in order, cheap checks first.
1. The Mac never received the configuration profile
Open System Settings > Privacy & Security > Profiles and confirm a profile with a payload titled "Single Sign-On Extensions" is present and shows the Microsoft Enterprise SSO bundle identifier (com.microsoft.CompanyPortalMac.ssoextension). If it isn't there, your MDM hasn't delivered it. That's an enrolment problem, not a PSSO problem. Force a device sync using our Intune device enrollment troubleshooting guide and re-check.
2. Company Portal is out of date or not installed
Run this in Terminal. Comments are inline so tier-1 staff can follow along:
# Confirm Company Portal is installed and check the version string
mdls -name kMDItemVersion "/Applications/Company Portal.app"
# If missing or older than 5.2406, push the latest VPP/PKG and try again
defaults read "/Applications/Company Portal.app/Contents/Info.plist" CFBundleShortVersionString
If you don't have Company Portal at version 5.2406 or newer, the PSSO extension won't even register with the OS. I've seen Macs hand-imaged from a 2024 image fail PSSO purely because their bundled Company Portal predates the API change Apple shipped in macOS 14.4.
3. APNs is blocked or the Mac's APNs token has expired
The registration handshake uses Apple Push Notification service to wake the SSO extension. If TCP 5223 is closed to *.push.apple.com, the extension never fires. Test it:
# Force a connection check to APNs and print the connection status
sudo log show --predicate 'subsystem == "com.apple.apsd"' --info --last 10m | grep -i connected
You want to see "connected to courier" entries within the last 10 minutes. If you don't, your network team has work to do.
4. There's a stale Entra ID device record
If the Mac was previously enrolled, deleted from Intune, then re-enrolled, Entra ID may still hold the old device object and refuse to register a duplicate. In the Entra admin centre go to Devices > All devices, filter by the hostname, and delete any stale record. Then on the Mac:
# Wipe the local SSO extension state and force a re-registration prompt
sudo app-sso platform -d
sudo killall -KILL CompanyPortalMacAgent
# Sign out and sign back in. The registration card should reappear at Login Window
Troubleshooting Platform SSO smart card and Secure Enclave errors
The Secure Enclave method is what you want for nearly every deployment, but it has a sharper edge than the password method: if the key generation fails, the user gets a vague "Sign in failed" with no actionable detail. The error you actually need lives in the unified log. Run this and read carefully:
# Stream live AppSSO events while the user attempts registration
log stream --predicate 'subsystem == "com.apple.AppSSO"' --info --debug
# Or pull the last 30 minutes for offline analysis
log show --predicate 'subsystem == "com.apple.AppSSO"' --info --debug --last 30m > /tmp/appsso.log
Three error patterns I see weekly:
kSecCSStaticCodeChanged or SecTrust errors: usually means the Company Portal binary has been re-signed or modified, common after Munki redeploys or aggressive EDR. Reinstall Company Portal from the Microsoft-signed pkg.
NSURLErrorDomain Code=-1009: the Mac thinks it's offline. Check that the user isn't on a captive-portal Wi-Fi with the splash page still pending. PSSO registration cannot get past a captive portal.
Error Domain=com.apple.AppSSO.AuthorizationError Code=-1000: the IdP rejected the registration. Almost always Conditional Access. Skip to the next section.
For smart card deployments (the third PSSO method, used mostly in regulated industries), the gotcha is that macOS does not currently support Entra ID Certificate-Based Authentication (CBA) issuance through PSSO directly. You need a working PIV pairing first (via sc_auth pair), and then the smart card authenticates the PSSO flow. If you're chasing this in Federal or DoD environments, the Microsoft Platform SSO for macOS reference has the current matrix. Check it monthly, because Microsoft has updated this guidance four times in 2026 already.
Conditional Access policies that break Platform SSO
Coming from the Windows side, I'd assumed Conditional Access would treat a registering Mac the same way it treats a registering Windows device. It doesn't, and I've watched two separate tenants get this wrong, so let me save you the ticket queue.
The registration call comes in as a sign-in event from the Microsoft Authentication Broker application (app ID 29d9ed98-a469-4536-ade2-f981bc1d605e) on behalf of the user, from the device being enrolled. If your Conditional Access policy requires "compliant device" or "Microsoft Entra hybrid joined device" for All Cloud Apps, the registration call gets blocked because the device isn't compliant yet. It's literally in the process of registering. Classic chicken-and-egg.
The fix is an exclusion policy. Create a Conditional Access policy that:
Targets Microsoft Authentication Broker, Device Registration Service, and Microsoft Intune Enrollment as cloud apps.
Targets only the Entra group containing your macOS users.
Grants access with "Require multi-factor authentication" only, no compliance requirement.
Then in your tenant-wide "Require compliant device" policy, exclude those same three cloud apps for the macOS user group. If you've already deployed a tenant-wide Conditional Access baseline, double-check that the macOS users aren't caught by a "Block legacy authentication" policy as well. The AppSSO extension uses modern auth, but the broker handshake can look like a non-interactive sign-in in the logs, which confuses some policy auditors.
While you're in the sign-in logs, filter on the broker app ID above and check the Device Information column. If it shows "unknown" with a 50158 error, the device record didn't make it into Entra ID. Go back to the registration troubleshooting section above. If it shows the device but with 53003, Conditional Access blocked it, and the policy name is in the error detail.
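To make the sign-in log check above repeatable for tier-1, here is an added example of mine (not part of the original article, and not Microsoft tooling) that reads a CSV export of the sign-in logs, keeps only rows for the Microsoft Authentication Broker app ID quoted above, and maps each row to the next action: 50158 with no device ID sends you back to the registration section, 53003 means Conditional Access blocked it. It assumes a plain comma-separated export with no quoted commas and with the header names Application ID, Sign-in error code, Device ID and User; the sample rows and device IDs are constructed.

```shell
#!/bin/sh
# Added example: bucket Platform SSO registration sign-ins from a sign-in log
# CSV export. Assumes header names "User", "Application ID",
# "Sign-in error code" and "Device ID" and no quoted commas in fields.

# Microsoft Authentication Broker app ID (quoted in the article)
BROKER_APP_ID="29d9ed98-a469-4536-ade2-f981bc1d605e"

# Print "<user> <device-id-or-unknown> <verdict>" for every broker row.
psso_signin_triage() {
    awk -F',' -v app="$BROKER_APP_ID" '
    NR == 1 {
        # Resolve column numbers from the header so column order does not matter
        for (i = 1; i <= NF; i++) col[$i] = i
        next
    }
    $(col["Application ID"]) == app {
        code = $(col["Sign-in error code"])
        dev  = $(col["Device ID"])
        if (dev == "") dev = "unknown"
        if (code == "50158")      v = "device-record-missing-redo-registration"
        else if (code == "53003") v = "blocked-by-conditional-access"
        else if (code == "0")     v = "registration-succeeded"
        else                      v = "other-error-" code
        print $(col["User"]), dev, v
    }' "$1"
}

# Count rows per verdict for the ticket summary.
psso_signin_summary() {
    psso_signin_triage "$1" | awk '{ n[$3]++ } END { for (k in n) print k, n[k] }' | sort
}

# Constructed sample export (not real tenant data). The third row is a
# non-broker app and must be ignored.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Date (UTC),User,Application,Application ID,Sign-in error code,Device ID
2026-02-03T09:12:04Z,alice@example.com,Microsoft Authentication Broker,29d9ed98-a469-4536-ade2-f981bc1d605e,53003,3f1c2a9e-aaaa-bbbb-cccc-000000000001
2026-02-03T09:15:10Z,bob@example.com,Microsoft Authentication Broker,29d9ed98-a469-4536-ade2-f981bc1d605e,50158,
2026-02-03T09:20:00Z,carol@example.com,Some Other App,11111111-2222-3333-4444-555555555555,0,3f1c2a9e-aaaa-bbbb-cccc-000000000002
2026-02-03T09:25:33Z,dave@example.com,Microsoft Authentication Broker,29d9ed98-a469-4536-ade2-f981bc1d605e,0,3f1c2a9e-aaaa-bbbb-cccc-000000000003
EOF

echo "=== per-user ==="
psso_signin_triage "$SAMPLE"
echo "=== summary ==="
psso_signin_summary "$SAMPLE"
```

Point psso_signin_triage at your own export instead of the constructed sample. Because columns are looked up by header name, the export's column order does not matter, but if your export quotes fields that contain commas, convert it to a plain CSV first or the awk split will drift.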
Platform SSO vs Enterprise SSO: which one do you need?
This is the question that comes up in every architecture review, usually after someone has read half the Microsoft docs and gone away confused. The short answer: deploy both, with PSSO as the primary and Enterprise SSO as the fallback for older Macs. Here's the longer answer.
| Capability | Enterprise SSO (legacy) | Platform SSO (PSSO) |
|---|---|---|
| Token bound to hardware | No (software-only) | Yes (Secure Enclave) |
| Device registers with Entra | No | Yes (full device object) |
| Phishing-resistant MFA claim | No | Yes |
| FileVault unlock with Entra creds | No | Yes (with config) |
| Works on macOS 12 and older | Yes | No |
| Required for Conditional Access "compliant device" | No | Yes |
| Local account password sync | No | Yes (password method) |
Enterprise SSO was the original macOS SSO plug-in shipped in Company Portal back in 2020. It silently brokers tokens for Microsoft apps, but the device itself is anonymous to Entra ID, which is why your Conditional Access "require compliant device" check can't see it. Platform SSO replaces that model: the Mac becomes a first-class citizen in your tenant, equivalent in trust to a Hybrid-Joined or Entra-Joined Windows box. If you've deployed Windows Hello for Business on the PC fleet, Platform SSO is the macOS conceptual peer, same Secure Enclave-style trust, same phishing-resistance, same headache when registration fails.
The diagnostic checklist I run on every PSSO ticket
Tier-1 staff: copy this block, run it on the user's Mac when they call in, and paste the output into the ticket. It catches 80% of failures before you have to escalate.
# Platform SSO triage script. Saves output to ~/Desktop/psso-triage.log
# Each command is commented so tier-1 can read and explain what it does
OUT=~/Desktop/psso-triage.log
echo "=== macOS version ===" > "$OUT"
sw_vers >> "$OUT"
# Confirm Company Portal version (must be 5.2406.0 or newer for PSSO)
echo "=== Company Portal version ===" >> "$OUT"
defaults read "/Applications/Company Portal.app/Contents/Info.plist" \
CFBundleShortVersionString >> "$OUT" 2>&1
# Dump the current Platform SSO state (registered / not registered / error)
echo "=== Platform SSO state ===" >> "$OUT"
app-sso platform -s >> "$OUT" 2>&1
# List installed SSO extensions and verify the Microsoft one is present
echo "=== Installed SSO extensions ===" >> "$OUT"
pluginkit -m -A -p com.apple.AuthenticationServices.AccountAuthenticationPlugin \
>> "$OUT" 2>&1
# Check that the MDM profile actually landed on the device
echo "=== MDM profiles installed ===" >> "$OUT"
profiles show >> "$OUT" 2>&1
# Pull last 30 minutes of AppSSO log entries for offline analysis
echo "=== Last 30 min of AppSSO log ===" >> "$OUT"
log show --predicate 'subsystem == "com.apple.AppSSO"' --info --last 30m \
>> "$OUT" 2>&1
echo "Done. Attach $OUT to the ticket."
If the app-sso platform -s output shows registrationCompleted: 0 with no error, the user hasn't completed the Login Window prompt yet. That's a training issue, not a technical one. If it shows registrationCompleted: 1 but apps still prompt for credentials, you're in token-refresh territory, which usually points back at Conditional Access. The fastest reset is the app-sso platform -d wipe shown earlier, followed by a reboot.
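Here is an added example of mine (not part of the article's triage script) that reads the psso-triage.log the script above writes and turns the three AppSSO error patterns from the smart card section, the Code=-1003 entry from the prerequisites section, and the registrationCompleted value into a single verdict tier-1 can paste into the ticket. It assumes the section headers the triage script writes and that app-sso platform -s prints a registrationCompleted: line; the sample log is constructed.

```shell
#!/bin/sh
# Added example: classify a saved psso-triage.log into one of the article's
# failure modes. Assumes the "=== Platform SSO state ===" and
# "=== Last 30 min of AppSSO log ===" section headers written by the triage
# script, and a "registrationCompleted: <0|1>" line from app-sso.

# Return the registrationCompleted value (0/1), or "unknown" if absent.
psso_state() {
    state=$(awk '/=== Platform SSO state ===/ { f = 1; next }
                 /^=== / { f = 0 }
                 f && /registrationCompleted:/ { print $2; exit }' "$1")
    [ -n "$state" ] && echo "$state" || echo unknown
}

# Print one tag per error family seen in the AppSSO section. Patterns are the
# ones the article lists; each family is reported at most once.
psso_errors() {
    awk '/=== Last 30 min of AppSSO log ===/ { f = 1; next } /^=== / { f = 0 } f' "$1" |
    {
        codesign=0; offline=0; dns=0; idp=0
        while IFS= read -r line; do
            case "$line" in
                *kSecCSStaticCodeChanged*|*SecTrust*rror*)            codesign=1 ;;
                *"NSURLErrorDomain Code=-1009"*)                     offline=1 ;;
                *"NSURLErrorDomain Code=-1003"*)                     dns=1 ;;
                *"com.apple.AppSSO.AuthorizationError Code=-1000"*)  idp=1 ;;
            esac
        done
        [ $codesign -eq 1 ] && echo codesign
        [ $offline -eq 1 ]  && echo offline
        [ $dns -eq 1 ]      && echo dns-blocked
        [ $idp -eq 1 ]      && echo idp-rejected
        :
    }
}

# Combine state and errors into the article's next action. A logged error
# wins over the state value, because the state alone cannot explain it.
psso_verdict() {
    state=$(psso_state "$1")
    errors=$(psso_errors "$1")
    for e in $errors; do
        case "$e" in
            codesign)     echo "reinstall-company-portal"; return 0 ;;
            offline)      echo "captive-portal-or-offline"; return 0 ;;
            dns-blocked)  echo "open-firewall-enterpriseregistration"; return 0 ;;
            idp-rejected) echo "conditional-access"; return 0 ;;
        esac
    done
    case "$state" in
        0) echo "user-has-not-completed-login-window-prompt" ;;
        1) echo "registered-check-token-refresh-and-ca" ;;
        *) echo "no-state-check-profile-and-company-portal" ;;
    esac
}

# Constructed sample triage log (not real device output) for a dry run.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
=== macOS version ===
ProductName:    macOS
ProductVersion: 14.4
=== Platform SSO state ===
registrationCompleted: 0
=== Last 30 min of AppSSO log ===
2026-02-03 09:12:01.123 AppSSO: starting registration
2026-02-03 09:12:04.456 AppSSO: Error Domain=com.apple.AppSSO.AuthorizationError Code=-1000 "IdP rejected registration"
EOF

echo "state:   $(psso_state "$SAMPLE")"
echo "errors:  $(psso_errors "$SAMPLE" | tr '\n' ' ')"
echo "verdict: $(psso_verdict "$SAMPLE")"
```

Run it against the real file with the path from the triage script in place of the constructed sample. An error in the log takes priority over the state value on purpose: registrationCompleted: 0 plus an AuthorizationError is a Conditional Access ticket, not a training issue.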
Frequently Asked Questions
Does macOS Platform SSO require Intune?
No, but it does require an MDM that can deliver an Extensible SSO configuration profile. Intune, Jamf Pro, Kandji, Mosyle, and Workspace ONE all support this. The profile content is identical across MDMs because Apple defines the payload schema; you can lift the XML from one and paste it into another with no changes.
What is the difference between Platform SSO and Enterprise SSO?
Enterprise SSO brokers tokens for Microsoft apps but the Mac itself stays anonymous to Entra ID. Platform SSO registers the device as a full Entra ID object with a Secure Enclave-bound key, which is what lets Conditional Access policies enforce "compliant device" or "phishing-resistant MFA" on the Mac. Deploy PSSO as the primary; keep Enterprise SSO available for Macs on macOS 12 or older.
Why does Platform SSO keep prompting for the password at the Login Window?
You have enabled the Password authentication method but the user's local account password is out of sync with their Entra ID password. Either reset the local account password to match, or switch the profile to UserSecureEnclaveKey authentication. The Secure Enclave method does not require local-cloud password parity and is the recommended default in 2026.
Can Platform SSO unlock FileVault with Entra ID credentials?
Yes, on macOS 14 and later, with the Secure Enclave authentication method, and only after the user has completed PSSO registration at least once. Set EnableFileVaultUnlock to true in the configuration profile. Note that the very first reboot after enabling this still prompts for the local password; the Entra ID unlock only kicks in once the Secure Enclave key has been written to the recovery partition.
How do I force a Mac to re-register with Platform SSO?
Run sudo app-sso platform -d in Terminal to wipe the current registration state, then sign out and back in to macOS. The Login Window will display the PSSO registration card again. If it doesn't, your MDM profile isn't being applied. Re-push the configuration profile from Intune or Jamf before troubleshooting further.