
I'm testing this MS plug-in for SSO.

It works fine with Safari, but I'm not able to use it with desktop apps like the Office 365 ones.

Does anyone have experience with SSO in Office 365 apps?

I've started playing with this Microsoft SSO as well. I'm looking to get the Adobe Creative Cloud app to recognize it too.

My overall goal would be that when our students or faculty log in to a machine for the first time, they set up the managed Apple ID for iCloud (we use federated accounts), which is the first thing that prompts for a Microsoft login. I'm hoping to utilize that login to provide the credentials for the rest of the apps. So during the initial Setup Assistant, have it use this Microsoft SSO piece for one login to rule them all!

I'm trying to get the bundle ID of the Setup Assistant and, I guess, the URL that Apple is using for the federated Apple ID login with Microsoft. I did notice that the Microsoft apps all register, though. I'm using the installer from macadmins.software and some forced settings with a config profile for our Microsoft apps. I'm hoping that if I can trigger the SSO window during that iCloud setup, we would not need any other logins after that.

 


So I got this to work using com.apple.SetupAssistant in the plist, and then the iCloud login allowed me to use the SSO plug-in. It's not quite right, though, because underneath the SSO initial login is the normal federated login, so it's making us type it twice. After that, though, when I went into the machine, Safari was already logged in and Zoom was already logged in; however, Word still asked for a login name/email and didn't show the drop-down list. Once I typed the email address in, though, it didn't prompt for a password, it just had the drop-down list with the account already there.

Also, I'm trying to get Adobe Creative Cloud to use this, but I think their app isn't built correctly, since I can see the Microsoft SSO plug-in pop up for a split second before it triggers the normal federated login.


I have added all the O365 apps to the AppAllowList custom setting. Here is my custom setting PLIST that I add to the SSO profile:



<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppAllowList</key>
<string>com.microsoft.Outlook,com.microsoft.teams,com.microsoft.OneDrive,com.microsoft.Word,com.microsoft.Excel,com.microsoft.Powerpoint,com.microsoft.onenote.mac,com.jamfsoftware.selfservice.mac</string>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt</key>
<integer>1</integer>
</dict>
</plist>


I don't think OneDrive is working yet, but it seems like all the other Apps pickup on the SSO credentials.



What will the plist name be?


The attached plist is working SSO for Word, PPT, Excel, Outlook, Safari, Teams, and Zscaler, but it's not working for Chrome, Firefox, and Edge when I'm signed in to the Company Portal app.

Does anyone have a suggestion for how to achieve SSO for Chrome, Firefox, and Edge?

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppAllowList</key>
<string>com.microsoft.Outlook,com.microsoft.teams,com.microsoft.OneDrive,com.microsoft.Word,com.microsoft.Excel,com.microsoft.Powerpoint,com.microsoft.onenote.mac,com.zscaler.Zscaler</string>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt</key>
<integer>1</integer>
</dict>
</plist>

 


I'm having issues with SSO and Safari.

When trying to access myapplications.azure.us it just will not redirect to login.microsoftonline.us and just sits on a white page.

If I go directly to login.microsoftonline.us in Safari then the SSO appears to work and login without issue.

I also tested with the plist above to no avail.

Test system is macOS 11.6.

Anyone else experience similar issues?




What is the name of this .plist?

thanks



We have also been unable to get any version of the plist working for the SSO on the apps themselves.  We had opened a ticket with Microsoft about this and they mentioned that there is a known bug with Azure tokens and the Mac office apps, but the details were a little hazy.  They claimed a fix was on the way in October, but I don't have the fullest confidence.

The only place SSO is working for us is on the Microsoft websites.



Have you heard anything from Microsoft regarding the October fix?

Recent testing of Azure and Office Apps using Azure SSO leads me to believe that nothing has been fixed, and your lack of confidence with MS is correctly placed.



I haven't gotten any update from Microsoft (as I suspected). We have still been unable to get apps to use SSO.



Hi, do you know what the name of the plist is?


Hi n_lechi,

I have got SSO working for Office 365, Outlook and other apps, and it works fine with all browsers (Safari, Chrome, Mozilla, etc.).

You can try miniOrange SSO for the same.

We federated our domain and with some basic configuration we are ready with the SSO solution.

You may check SSO for Office 365.



Hi Mahesh,

I am going to reply to this even though it's an old topic, but advising the use of a third-party paid software solution does not seem like the right solution here.


I've just started getting back to this. I have gotten all Microsoft apps working and am working on making Jamf Connect the bootstrap for the SSO.

My few hiccups are: iCloud prompts twice for the federated Apple ID login (once with the system prompt and once with the SSO prompt), and Adobe Creative Cloud just will not utilize the SSO even though this is also a federated account login.

All the Microsoft apps are now completely logged in and, instead of showing a drop-down with the name, are just logged in correctly, since the plist now has the "disable_explicit_app_prompt_and_autologin" key in place. Zoom seems to just need one click and it's logged in completely. And all Safari logins are good to anything Microsoft.

 

My plist for com.microsoft.CompanyPortalMac.plist is set as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppAllowList</key>
<string>com.apple.SetupAssistant,com.adobe.AdobeIPCBroker,com.adobe.CRDaemon,com.adobe.ccd.helper,com.microsoft.Outlook,com.microsoft.teams,com.microsoft.OneDrive,com.microsoft.Word,com.microsoft.Excel,com.microsoft.Powerpoint,com.microsoft.onenote.mac,com.jamfsoftware.selfservice.mac,com.adobe.acc.AdobeCreativeCloud,com.adobe.acc.AdobeDesktopService,us.zoom.xos,zoom.us,com.jamf.connect.login,com.adobe.acc.installer.v2</string>
<key>AppPrefixAllowList</key>
<string>com.adobe.</string>
<key>Enable_SSO_On_All_ManagedApps</key>
<integer>1</integer>
<key>browser_sso_disable_mfa</key>
<integer>1</integer>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt_and_autologin</key>
<integer>1</integer>
</dict>
</plist>

@GabePPS Is this documented by Microsoft somewhere? I'm wondering if this is officially supported yet by them.


Is MS Company Portal or Intune involved? Can we achieve SSO for MS apps with Jamf Pro / Azure AD / Jamf Connect?


@MrRoboto Yes, the one requirement is that the MS Company Portal app must be installed (it doesn't have to be set up, opened or used at all) on the machines for SSO to work.

This is the disclaimer from Microsoft:

"This feature is in public preview. This preview is provided without a service-level agreement and isn't recommended for production workloads. Some features might be unsupported or have constrained capabilities. For more information, see Supplemental terms of use for Microsoft Azure previews."

 

@Scott_Conway 

Links to the documentation (which I had to piece together from about three or four Azure articles):

https://docs.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin

https://techcommunity.microsoft.com/t5/intune-customer-success/best-practice-examples-for-configuring-macos-apps-with-microsoft/ba-p/2564255

https://docs.microsoft.com/en-us/mem/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-macos

https://docs.microsoft.com/en-us/mem/intune/configuration/device-features-configure#single-sign-on-app-extension

I'm now pushing the Microsoft Company Portal installer along with the SSO configuration profile that includes the above XML plist options, and until I can use Jamf Connect as the bootstrap, it's using the iCloud login (since we use managed federated Apple IDs with Microsoft logins). So we see a slight issue where it prompts them for their email and password twice in iCloud, but once that is done, everything else (aside from Creative Cloud) is logged in completely.

Here is the Config Profile we have working:



I should also note, I am only testing this on newly enrolled machines with 11.6.3 or 12.2.


I'm also not getting Chrome or Firefox to work with this extension. I'm assuming the third-party miniOrange has extra hooks for other apps (possibly browser extension add-ons?). I pinged @pbowden, who was going to put me in touch with some teams that handle the different pieces of SSO at Microsoft, but I think he got busy again.

I've also tried to get Jamf Connect to tie in and am working with my CSM at Jamf to push the info toward that team in hopes of that whole "no touch" setup lol.

Still, I'm unable to get Creative Cloud to utilize it, but I'm guessing Adobe's mess of an app just isn't built correctly. If I can figure out a way to bounce the authentication process from Creative Cloud to Safari, then it can still be auto-logged in, but I can't find any plist entries to make it open a Safari window for authentication.

So all the things I have working with sso are:

1.  Our federated and Managed apple ids work to set the first SSO login on the device (albeit with a double prompt during setup assistant).

2.  All the microsoft office apps are already logged in and don't need you to even click on a name (still giving me the privacy warning from microsoft though so I'll have to go further into that).

3.  Zoom is already logged in when it gets opened...just need to click the main "Launch Zoom" button that shows when its opened and the user is already there without any passwords needed.

4.  Safari logs in to any microsoft logins without issue.

 



Fun update today... I got Adobe Creative Cloud working now as well! I just had to make the installer for it with the "login from browser" option enabled, and since we use federated accounts for Adobe, as long as the email is typed in, it's already logged in! So now I'm back to scripting the automation of the first login to type the email address of the logged-in user into the field in the browser and hit Enter.




Hello @Jamftechelp 

Are you still looking for the Chrome plist (see below)?

I had a session with Apple Pro Services in 2021. Part of the sessions was to create SSO extensions for our O365 suite.  It worked great.  We were also told Company Portal must be registered with Intune and Signed in.

The issue we have recently discovered on Monterey is that Teams sporadically does not authenticate. No matter what we do, Teams will not authenticate. We also have issues with Company Portal Intune registration. As soon as we remove the SSO extension, Teams works perfectly. All other apps (O365) work how they should.

The SSO extension is in Preview mode (still) the MS web page does warn us to not use in Production. It appears most of us are using it anyways, including myself.

What concerns me is our 12.x upgrade next week. How many machines will Teams stop working on? 

I hope someone else is experiencing this issue and may have a work around.
I am guessing I can remove the Teams bundle ID or use AppCookieSSOAllowList with AppPrefixAllowList.

Cheers.

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ShowHomeButton</key>
<true/>
<key>HomepageLocation</key>
<string>https://intranet.domain.com</string>
<key>RestoreOnStartup</key>
<integer>4</integer>
<key>RestoreOnStartupURLs</key>
<array>
<string>https://intranet.domain.com</string>
</array>
<key>AuthServerWhitelist</key>
<string>*.domain.com</string>
<key>AuthNegotiateDelegateWhitelist</key>
<string>*.domain.com</string>
<key>DefaultBrowserSettingEnabled</key>
<false/>
<key>HomepageIsNewTabPage</key>
<false/>
</dict>
</plist>

 


So I've essentially solved the Creative Cloud login issue by making Creative Cloud only authenticate through the default browser, which at first login is Safari ; ) so now of course that works, since Safari is working with the SSO! Since switching the install of Creative Cloud to happen at enrollment complete, it's preinstalled in the background before the user logs in, and since switching it to browser-based authentication, it automatically opens a Safari window on first login. My first-time user login script then auto-types their username into the browser and hits Enter to authenticate Creative Cloud, solving another no-touch step.

In my above .plist settings you can remove all the "com.adobe" entries, since they won't do anything.

Still not getting Chrome or Firefox, and currently it looks like there is no way to pass the token from Jamf Connect to the user during the first login, since the user gets created after Jamf Connect runs, but we are much closer to a "no touch" deployment.

 

EDIT: I just have to say I really do dislike this new Jamf Discussions.  It keeps posting my replies out of order...



Hey @pueo, I'm having success on 12.2 with Teams and all Microsoft apps using the SSO.

If you look at my company portal plist these are the settings that might affect it:

<key>AppAllowList</key>
<string>com.apple.SetupAssistant,com.microsoft.Outlook,com.microsoft.teams,com.microsoft.OneDrive,com.microsoft.Word,com.microsoft.Excel,com.microsoft.Powerpoint,com.microsoft.onenote.mac,com.jamfsoftware.selfservice.mac,us.zoom.xos,zoom.us</string>
<key>Enable_SSO_On_All_ManagedApps</key>
<integer>1</integer>
<key>browser_sso_disable_mfa</key>
<integer>1</integer>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt_and_autologin</key>
<integer>1</integer>

Also, your plist for Chrome seems to be just default settings for Chrome in general; I don't see how it ties into the SSO with those settings. Thanks for the info, though.


Hello @GabePPS,

Thanks for sharing your MS extension. I will give it a try.
Apple gave me the Google Chrome plist. From my understanding, SSO does not work with Chrome, but adding your own websites to the above plist provides the best experience using Chrome and signing on.
I understand it's not much, but it was what I was given.


It appears the config worked for the MS suite, but my tester mentioned GP could not connect after they rebooted. Wondering if it's the

<key>browser_sso_disable_mfa</key>

Does this key stop MFAs like Duo and MS Authenticator from appearing? We want that in our environment.


Here is what I saw on that, and for some reason I had to set this; I'm sure there was some issue:

Disable asking for MFA during initial bootstrapping

By default, the Microsoft Enterprise SSO plug-in always prompts the user for MFA during the initial bootstrapping and while getting a shared credential. The user is prompted for MFA even if it's not required for the application that the user has opened. This behavior allows the shared credential to be easily used across all other applications without the need to prompt the user if MFA is required later. Because the user gets fewer prompts overall, this setup is generally a good decision.

Enabling browser_sso_disable_mfa turns off MFA during initial bootstrapping and while getting the shared credential. In this case, the user is prompted only when MFA is required by an application or resource.

To enable the flag, use these parameters:

  • Key: browser_sso_disable_mfa
  • Type: Integer
  • Value: 1 or 0

We recommend keeping this flag disabled because it reduces the number of times the user is prompted to sign in. If your organization rarely uses MFA, you might want to enable the flag. But we recommend that you use MFA more frequently instead. For this reason, the flag is disabled by default.
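An added example, not code from this thread or from Microsoft: a small Python lint for the ExtensionData portion of the SSO extension payload, covering the plists posted above and the browser_sso_disable_mfa key just quoted. It catches a stray trailing comma in an allow list (an easy mistake when editing a long comma-separated string, and one the plug-in will not warn about), flags vendor-wide AppPrefixAllowList prefixes (every bundle ID under that prefix gets the shared credential), and warns when browser_sso_disable_mfa is 1, since that bootstraps the shared credential without MFA. The sample plist is constructed for the example; the set of known keys is taken from the plists in this thread, and the "fewer than three components is vendor-wide" rule is my own heuristic, not a plug-in rule. The builder emits a clean payload that the lint accepts.

```python
import plistlib

# Keys the Microsoft Enterprise SSO plug-in reads from the payload's ExtensionData, as used in the
# plists shared in this thread. Anything outside this set is most likely a typo that the plug-in ignores.
KNOWN_KEYS = {
    "AppAllowList", "AppPrefixAllowList", "AppCookieSSOAllowList",
    "Enable_SSO_On_All_ManagedApps", "browser_sso_interaction_enabled",
    "browser_sso_disable_mfa", "disable_explicit_app_prompt",
    "disable_explicit_app_prompt_and_autologin",
}
ALLOW_LIST_KEYS = ("AppAllowList", "AppPrefixAllowList", "AppCookieSSOAllowList")

# Constructed sample (not from the thread): an ExtensionData plist with three problems a reviewer
# should catch: a stray trailing comma in AppAllowList, a vendor-wide prefix, and MFA off at bootstrap.
SAMPLE_EXTENSION_DATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppAllowList</key>
<string>com.microsoft.Outlook,com.microsoft.teams,com.zscaler.Zscaler,</string>
<key>AppPrefixAllowList</key>
<string>com.adobe.</string>
<key>browser_sso_disable_mfa</key>
<integer>1</integer>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt_and_autologin</key>
<integer>1</integer>
</dict>
</plist>
"""


def split_bundle_ids(value: str) -> list[str]:
    """Split a comma-separated list the way the plug-in sees it; empty items are kept so they can be reported."""
    return [item.strip() for item in value.split(",")]


def lint_extension_data(raw: bytes) -> list[str]:
    """Return human-readable findings for an ExtensionData plist; an empty list means it looks clean."""
    data = plistlib.loads(raw)
    findings = []
    for key in sorted(set(data) - KNOWN_KEYS):
        findings.append(f"{key}: not a key the plug-in reads (typo?)")
    for key in ALLOW_LIST_KEYS:
        if key not in data:
            continue
        ids = split_bundle_ids(str(data[key]))
        if "" in ids:
            findings.append(f"{key}: empty entry (stray comma) in '{data[key]}'")
        for dup in sorted({i for i in ids if i and ids.count(i) > 1}):
            findings.append(f"{key}: duplicate entry {dup}")
    for prefix in split_bundle_ids(str(data.get("AppPrefixAllowList", ""))):
        # A prefix like "com.adobe." hands the shared credential to every bundle ID under that vendor.
        # "Fewer than three non-empty components" is this example's heuristic for "vendor-wide".
        if prefix and len([p for p in prefix.split(".") if p]) < 3:
            findings.append(f"AppPrefixAllowList: '{prefix}' is vendor-wide; keep prefixes as narrow as possible")
    if data.get("browser_sso_disable_mfa") == 1:
        findings.append("browser_sso_disable_mfa=1: shared credential is bootstrapped without MFA; "
                        "Microsoft recommends leaving this at 0")
    return findings


def build_extension_data(app_ids, prefixes=(), disable_mfa=False, autologin=True) -> bytes:
    """Emit a clean ExtensionData plist: de-duplicated IDs, no stray commas, MFA at bootstrap left on by default."""
    data = {
        "AppAllowList": ",".join(dict.fromkeys(app_ids)),  # dict.fromkeys dedupes while keeping order
        "browser_sso_interaction_enabled": 1,
    }
    data["disable_explicit_app_prompt_and_autologin" if autologin else "disable_explicit_app_prompt"] = 1
    if prefixes:
        data["AppPrefixAllowList"] = ",".join(prefixes)
    if disable_mfa:
        data["browser_sso_disable_mfa"] = 1
    return plistlib.dumps(data)


if __name__ == "__main__":
    for finding in lint_extension_data(SAMPLE_EXTENSION_DATA):
        print("WARN", finding)
    clean = build_extension_data(["com.microsoft.Outlook", "com.microsoft.teams", "com.microsoft.Word"])
    print(clean.decode())
    print("clean plist findings:", lint_extension_data(clean))
```

Run it against the ExtensionData dictionary exported from your own profile; the three findings on the sample correspond to the three problems seeded into it, and the plist produced by build_extension_data passes cleanly.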

