Platform SSO registration fails on Mobile AD accounts

We are facing an issue with Platform SSO registration on macOS devices for AD-bound user accounts with Microsoft Entra ID configuration.

We are using the Platform SSO payload on macOS devices integrated with Entra ID, and it works as expected — registration completes successfully, and the password syncs with the Entra ID password.

However, when we try the same on macOS devices with AD-bound (mobile) user accounts, the registration does not complete. To elaborate, the process successfully completes the initial WebView authentication but fails at the stage where Apple prompts for the password to sync the local macOS user’s password with the Entra ID password.

It does not display any error, and even after entering a valid password, the process does not proceed further. However, when we try the same on a non-AD user account, it works fine.

We have checked with Microsoft, and they confirmed that there are no restrictions on their side for AD-bound accounts. Since the issue appears to occur at the Apple system level, they advised us to reach out to the Apple teams on this.

Could you please check and let us know how we can proceed with this?

Payload used:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>AuthenticationMethod</key>
			<string>Password</string>
			<key>ExtensionIdentifier</key>
			<string>com.microsoft.CompanyPortalMac.ssoextension</string>
			<key>PayloadDisplayName</key>
			<string>Extensible Single Sign-On Payload</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.extensiblesso.B408A658-3DAF-41FF-8A5D-AE77B380CB7B</string>
			<key>PayloadType</key>
			<string>com.apple.extensiblesso</string>
			<key>PayloadUUID</key>
			<string>D506CAFD-C802-41F2-9C3E-DF5289C315FF</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>PlatformSSO</key>
			<dict>
				<key>AccountDisplayName</key>
				<string>EntraID</string>
				<key>AuthenticationMethod</key>
				<string>Password</string>
				<key>EnableCreateUserAtLogin</key>
				<true/>
				<key>LoginFrequency</key>
				<integer>3700</integer>
				<key>LoginPolicy</key>
				<array>
					<string>AttemptAuthentication</string>
				</array>
				<key>NewUserAuthorizationMode</key>
				<string>Admin</string>
				<key>UseSharedDeviceKeys</key>
				<true/>
				<key>UserAuthorizationMode</key>
				<string>Admin</string>
			</dict>
			<key>ScreenLockedBehavior</key>
			<string>DoNotHandle</string>
			<key>TeamIdentifier</key>
			<string>UBF8T346G9</string>
			<key>Type</key>
			<string>Redirect</string>
			<key>URLs</key>
			<array>
				<string>https://login.microsoftonline.com</string>
				<string>https://sts.windows.net</string>
				<string>https://login.partner.microsoftonline.cn</string>
				<string>https://login.chinacloudapi.cn</string>
				<string>https://login.microsoftonline.us</string>
				<string>https://login.microsoft.com</string>
				<string>https://login-us.microsoftonline.com</string>
			</array>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>Platform SSO</string>
	<key>PayloadIdentifier</key>
	<string>42GBHOLAP04621.1BD5B6D9-640B-4DC3-9275-56DDD191A5FB</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>58548FC6-38D9-4B28-9EDF-BEEAB03BAB23</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>
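Before escalating a case like this, two offline checks are worth having: that the Platform SSO profile itself is internally consistent, and that the failing account really is a mobile (AD-cached) account rather than a local one. The script below is an added example, not part of the original post and not Apple's or Microsoft's tooling. It parses a constructed excerpt of the posted profile with `plistlib` and flags unknown or inconsistent values, then classifies a user record from `dscl . -read /Users/<name> AuthenticationAuthority` output. The allowed-value sets, the 3600-second minimum for `LoginFrequency`, and the `;LocalCachedUser;` marker for mobile accounts are assumptions from Apple's PlatformSSO payload documentation and Open Directory behaviour; the extension and team identifiers are copied from the posted profile.

```python
"""Lint a Platform SSO profile and classify a macOS user record.
Added example, not from the original post; allowed values are assumptions."""
import plistlib
import re
from typing import Dict, List, Optional

# Constructed excerpt of the posted profile: only the keys the linter inspects.
SAMPLE_PROFILE = b"""<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>AuthenticationMethod</key><string>Password</string>
      <key>ExtensionIdentifier</key><string>com.microsoft.CompanyPortalMac.ssoextension</string>
      <key>PayloadType</key><string>com.apple.extensiblesso</string>
      <key>PlatformSSO</key>
      <dict>
        <key>AuthenticationMethod</key><string>Password</string>
        <key>LoginFrequency</key><integer>3700</integer>
        <key>LoginPolicy</key><array><string>AttemptAuthentication</string></array>
        <key>NewUserAuthorizationMode</key><string>Admin</string>
        <key>UserAuthorizationMode</key><string>Admin</string>
      </dict>
      <key>TeamIdentifier</key><string>UBF8T346G9</string>
      <key>Type</key><string>Redirect</string>
      <key>URLs</key><array><string>https://login.microsoftonline.com</string></array>
    </dict>
  </array>
</dict>
</plist>
"""

# Assumed allowed values from Apple's PlatformSSO payload documentation.
AUTH_METHODS = {"Password", "UserSecureEnclaveKey", "SmartCard"}
AUTHZ_MODES = {"Standard", "Admin", "Groups"}
LOGIN_POLICIES = {"AttemptAuthentication", "RequireAuthentication"}
MIN_LOGIN_FREQUENCY = 3600  # assumption: documented minimum, in seconds


def lint_platform_sso_profile(profile_bytes: bytes) -> List[str]:
    """Return findings about the profile; an empty list means nothing flagged."""
    findings: List[str] = []
    root = plistlib.loads(profile_bytes)
    payloads = [p for p in root.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.extensiblesso"]
    if not payloads:
        return ["no com.apple.extensiblesso payload in PayloadContent"]
    for p in payloads:
        psso = p.get("PlatformSSO")
        if psso is None:
            findings.append("extensiblesso payload has no PlatformSSO dictionary")
            continue
        method = psso.get("AuthenticationMethod")
        if method not in AUTH_METHODS:
            findings.append(f"unknown PlatformSSO AuthenticationMethod {method!r}")
        # The posted profile sets AuthenticationMethod in both places; they must agree.
        if p.get("AuthenticationMethod", method) != method:
            findings.append("AuthenticationMethod differs between payload and PlatformSSO dict")
        for key in ("UserAuthorizationMode", "NewUserAuthorizationMode"):
            mode = psso.get(key)
            if mode is not None and mode not in AUTHZ_MODES:
                findings.append(f"{key} has unknown value {mode!r}")
        for policy in psso.get("LoginPolicy", []):
            if policy not in LOGIN_POLICIES:
                findings.append(f"LoginPolicy has unknown value {policy!r}")
        freq = psso.get("LoginFrequency")
        if freq is not None and freq < MIN_LOGIN_FREQUENCY:
            findings.append(f"LoginFrequency {freq} is below the assumed minimum {MIN_LOGIN_FREQUENCY}")
        for url in p.get("URLs", []):
            if not url.startswith("https://"):
                findings.append(f"non-HTTPS identity provider URL {url!r}")
    return findings


def mutate_profile(profile_bytes: bytes, psso_updates: Dict, urls: Optional[List[str]] = None) -> bytes:
    """Copy of the profile with PlatformSSO keys (and optionally URLs) changed, for testing."""
    root = plistlib.loads(profile_bytes)
    payload = root["PayloadContent"][0]
    payload["PlatformSSO"].update(psso_updates)
    if urls is not None:
        payload["URLs"] = urls
    return plistlib.dumps(root)


def classify_account(dscl_line: str) -> str:
    """Classify `dscl . -read /Users/<name> AuthenticationAuthority` output.
    Assumption: only mobile (AD-cached) accounts carry a ;LocalCachedUser; authority."""
    _, _, rest = dscl_line.partition("AuthenticationAuthority:")
    # Each authority starts with ';'; split there so "Active Directory" keeps its space.
    authorities = re.split(r"\s+(?=;)", rest.strip())
    if any(a.startswith(";LocalCachedUser;") for a in authorities):
        return "mobile-ad"
    return "local"


# Constructed sample dscl output for a mobile AD account and a local account.
MOBILE_AD_LINE = ("AuthenticationAuthority: ;Kerberosv5;;jdoe@CORP.EXAMPLE.COM;CORP.EXAMPLE.COM; "
                  ";LocalCachedUser;/Active Directory/CORP/corp.example.com:jdoe:S-1-5-21-0-0-0-1001")
LOCAL_LINE = ("AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> "
              ";Kerberosv5;;jdoe@LKDC:SHA1.0000;LKDC:SHA1.0000; ;SecureToken;")
```

Running `lint_platform_sso_profile(SAMPLE_PROFILE)` on the posted values returns no findings, which is consistent with Microsoft's statement that the configuration itself is not the problem; `classify_account` confirms which kind of record the failing user is, so the report to Apple can state "mobile AD account" from the directory record rather than from assumption.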