I'm testing this MS plug-in for SSO
It works fine with Safari, but I'm not able to use it with Desktop-Apps like Office 365 ones.
Anyone have experience in SSO in Office 365 apps?
Here is what I saw on that, and for some reason I had to set this; I'm sure there was some issue:
By default, the Microsoft Enterprise SSO plug-in always prompts the user for MFA during the initial bootstrapping and while getting a shared credential. The user is prompted for MFA even if it's not required for the application that the user has opened. This behavior allows the shared credential to be easily used across all other applications without the need to prompt the user if MFA is required later. Because the user gets fewer prompts overall, this setup is generally a good decision.
Enabling browser_sso_disable_mfa turns off MFA during initial bootstrapping and while getting the shared credential. In this case, the user is prompted only when MFA is required by an application or resource.
To enable the flag, use these parameters:
We recommend keeping this flag disabled because it reduces the number of times the user is prompted to sign in. If your organization rarely uses MFA, you might want to enable the flag. But we recommend that you use MFA more frequently instead. For this reason, the flag is disabled by default.
I did see that. Your profile was enabled but it's disabled by default, so I removed it. The GP issue may be a separate issue. Possibly coincidence.
**Update**. My tester confirmed Teams stopped working again. He could authenticate, but across the top he receives the 'we are not able to establish a connection' message. I have seen this before. This extension has been a big pain for some people. I have tickets open with Apple and Jamf. Can't pinpoint when or why this occurs. But it's only Monterey and only Teams. Apple built my Extension, which worked flawlessly until 12.x.
I see. We are not a Teams-heavy district, so I probably have not gone back to check that it worked after the first launch, but I do know Teams is developed separately from the rest of the Office apps.
How are you installing the Microsoft apps? By App Store or by the https://macadmins.software download package? I use the latter, installing the Business Pro version during enrollment.
And removing the profile, Teams works again... Screen sharing images/pictures was blocked until we removed the profile. Very strange.
I used to use MAS for Office, but the update issue and asking for an Apple ID to do updates (users would enter their ID but it failed) caused us to remove the MAS Office and reinstall from the portal anyway. In Catalina that drove me away from that method. Now I download the entire suite from the O365 portal, upload it in Jamf and deploy it as part of our DEP Notify workflow. The apps then update themselves. Of course I update the package as well. It works for now. I may test the MAS deployment again.
Fun update today... I got Adobe Creative Cloud working now as well! Just had to make the installer for it with the "login from browser" option enabled, and since we use federated accounts for Adobe, as long as the email is typed in then it's already logged in! So now I'm back to scripting the automation of the first login to type the email address for the logged-in user into the field in the browser and hit enter.
Hey Gabe,
What is your workflow? Where do your users first sign in? I've installed CP and added the config profile you've suggested above but all MS apps still require my users to log in. Do I need to install CP before the MS apps?
Can CP get the credential from the Kerberos SSO Extension?
I've tried logging into Chrome, Safari and Outlook but regardless when I open Teams, OneDrive or Adobe CC it still prompts for username/email and password.
So I push the Company Portal app as an enrollment package in the PreStage along with the Office installer. I also push the config profile with the PreStage as well. We use Jamf Connect for a tie-in to Microsoft Azure and that is the first sign-in screen; however, we can't get Jamf Connect to be the "bootstrap" for the Microsoft SSO.
The first sign-in with a Microsoft account should hold the credentials, and in our workflow it's the iCloud sign-in that triggers it all. Another slight glitch is that the iCloud sign-in prompts for user name and password twice: once for the SSO plug-in and once for Apple's standard login.
Just having the Company Portal app and config profile installed before the user logs in should be enough, from what I've at least tested.
Hope that helps.
I should also note that all of this still requires one successful login to create the bootstrap. It needs one Microsoft sign-in to happen.
With Creative Cloud I created a universal installer package from Adobe Admin that requires "browser-based logins". I have Creative Cloud install as an enrollment-complete package, so when the user logs in it auto-opens a browser window to log in to Creative Cloud. (We use federated O365 logins for Creative Cloud as well.) I created a script that types the current user's email address into the Safari window and hits enter, which then logs them in (due to them already having logged in with iCloud in Setup Assistant). It's a bit complex but works great.
Also, Chrome doesn't support the Microsoft SSO so far as I can tell at this point.
@djrory here is a screenshot of our SSO config profile. It has a ton of extra stuff in the app approval settings that isn't needed (you can lose all the Adobe stuff as it doesn't work, as well as the Chrome and Firefox stuff). But use redirect and not Kerberos, as seen below.
Thanks Gabe that's really helpful.
I've replicated pretty much everything above but I'm finding the actual PLIST file does not seem to take? Am I looking at the right plist?
You should just create it from scratch and set the keys with the "defaults" command, but before you upload it into the config profile you have to convert the file with this command:

```shell
plutil -convert xml1 ~/Desktop/com.microsoft.CompanyPortalMac.plist
```
I did convert it, but I didn't create from scratch. I'll give that a go now. Cheers
I actually haven't checked the plist that gets written after, but it shouldn't matter.
When I'm back in the office tomorrow I'll take a look. Also I'm wondering if my Microsoft settings config profile is helping in my case. I have another config just to set up the Microsoft apps.
Another note: I'm not sure if this affects our workflow vs other workflows, but upon first opening of Word I have a script that runs which sets a default email activation setting for Word... wondering if that is affecting this in any way. We see no issues with this (although I can't seem to get rid of the privacy screen for Microsoft no matter what settings I try in our Microsoft AutoUpdate and app settings config profile).
```bash
#!/bin/bash
# Runs as root (e.g. from a Jamf policy) and acts on behalf of the user at the console.
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
domain="@yourdomain.org"   # replace with your own mail domain
# Pre-fill the Office activation address so Word's first-launch activation uses it.
sudo -u "$currentUser" defaults write com.microsoft.office OfficeActivationEmailAddress -string "${currentUser}${domain}"
sleep 2
sudo -u "$currentUser" open "/Applications/Microsoft Word.app"
sleep 5
```
Yea, from what I've been told it's best to use the installers on macadmins.
So I just checked Teams again, and I'm guessing between last week and this week an update hit that is breaking it. When it worked for us, it would show a drop-down menu with the user name already populated that you can click on. Now I'm seeing the same behavior as you describe. I've reached out to Microsoft as well. What it looks like, though, is that their Teams app is designed with non-native Apple developer tools. It has elements of "Electron", which is horrible at making Mac apps. I can't even get a bundle identifier for Teams; if I do a `osascript -e 'id of app "Microsoft Teams"'` it errors out. I know Teams is a different division and doesn't seem to have a natively developed Mac app, as well as the updater not being a part of the Office updater pieces. It's pretty bad. All that being said, I wonder if one of the other processes that are running is what needs to be added to the SSO plist, like Microsoft Teams Helper or the Electron or Squirrel processes.
Hello @GabePPS
Sorry for the delay, just pushing out my Nudge, Erase Install Monterey upgrade for past few days.
What you are experiencing is spot on to my random issue.
It was pointed out to me this morning that when people upgrade to Monterey the MS Extension is removed. I do recall adding that in to prevent a storm of requests, especially from our CTO and other SVPs who live in various parts of the world.
I tried with your extension on one machine where Teams did not work, and it just did not work at all. Remove the profile, Teams loads.
Apple are asking me who in Apple told me to use the SSO Extension since I have a ticket opened with them.
I have to figure out a way to put the extension back on but we rely heavily on Teams and can't afford to have people calling the SD about Teams not working.
A co worker sent me this regarding Teams: Teams dropping Electron for Edge Webview 2
It's not out yet, but we can hope.
Hi,
Sharing my configuration.
Hey @vinu_thankachan
I have a similar configuration and wondering if you can post what you see on the macOS device? I'm unable to see the additional custom configuration nor does it work on our test devices.
After updating my macOS to 12.2.1 this no longer seems to work for me. Upon registering the device to Intune and signing in, the last part in Safari would automatically sign in (the part where you get a popup to press Continue).
This now required me to enter a password.
Office apps and my VPN client also no longer get SSO.
Anyone experiences the same, and/or has found a workaround/solution yet?
I'm using 12.2.1 and it seems to work properly (aside from the dumb Teams piece). However, we do not use Intune, so not sure about that side of it. We just push the Authenticator app and use the SSO config profile, and it's been working well.
Hi Gabe,
I didn't notice anything at first, only after doing a fresh install.
If you have a chance, could you see if you get the same behavior on a fresh install?
I'm using a similar config as you have through Jamf. Straight after the update I did a factory reset and it broke for me.
Much appreciated!
-Tobias
We are using both the erase-install script and using the wipe command from jamf directly when we re-enroll devices. This is still working for us as of the 10 we erased today.
Looks like it had something to do with my home network. It works again at the office!
I've done a little reworking of our install order and now I'm seeing the SSO piece being broken again in 12.3. I previously had the Company Portal app in the PreStage packages to install, but now moved it to happen after enrollment, and perhaps that's the issue, but on a 12.3 install I'm not getting any indication that SSO is working.
Is anyone able to get this working for Office apps or OneDrive?
Even using the simple example plist that MS provides, I'm not able to get it to work for Office.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppPrefixAllowList</key>
<string>com.microsoft.,com.apple.</string>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt</key>
<integer>1</integer>
</dict>
</plist>
```
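Added example (not from this thread or from Microsoft): a small Python script that builds the same Company Portal SSO plist shown above from a dictionary of keys and converts it to the XML form the `plutil -convert xml1` step in the earlier post produces, then reads it back and audits it. It uses the standard-library `plistlib` as a portable stand-in for `defaults write` + `plutil`, so it can be run anywhere to check a file before it is pasted into a profile. The key names are the ones that appear in this thread (`AppPrefixAllowList`, `browser_sso_interaction_enabled`, `disable_explicit_app_prompt`, `browser_sso_disable_mfa`); the output file name and the expected types are assumptions made for the example.

```python
"""Build and audit a Company Portal / Enterprise SSO extension plist (added example)."""
import plistlib

# Assumed output name; matches the file name used in the plutil command earlier in the thread.
PLIST_NAME = "com.microsoft.CompanyPortalMac.plist"

# Keys seen in this thread and the value types the example plist uses for them.
EXPECTED_TYPES = {
    "AppPrefixAllowList": str,
    "browser_sso_interaction_enabled": int,
    "disable_explicit_app_prompt": int,
    "browser_sso_disable_mfa": int,
}


def build_sso_settings(app_prefixes, disable_mfa=False):
    """Return the settings dict, equivalent to a series of `defaults write` calls."""
    settings = {
        "AppPrefixAllowList": ",".join(app_prefixes),
        "browser_sso_interaction_enabled": 1,
        "disable_explicit_app_prompt": 1,
    }
    if disable_mfa:
        # Documented as off by default; included only so the audit below can flag it.
        settings["browser_sso_disable_mfa"] = 1
    return settings


def to_xml_plist(settings):
    """Serialize to XML plist bytes, the same format `plutil -convert xml1` writes."""
    return plistlib.dumps(settings, fmt=plistlib.FMT_XML)


def audit_sso_settings(settings):
    """Return a list of findings; an empty list means the profile looks sane."""
    findings = []
    for key, expected in EXPECTED_TYPES.items():
        if key in settings and not isinstance(settings[key], expected):
            # A value stored as a string instead of an integer is a common hand-editing slip.
            findings.append(
                f"{key}: expected {expected.__name__}, got {type(settings[key]).__name__}"
            )
    if "AppPrefixAllowList" not in settings:
        findings.append("AppPrefixAllowList missing: no desktop apps are allowed to use the shared credential")
    if settings.get("browser_sso_disable_mfa") == 1:
        findings.append("browser_sso_disable_mfa=1: MFA is skipped at bootstrap; Microsoft recommends leaving this off")
    return findings


def audit_sso_plist(xml_bytes):
    """Parse XML plist bytes (e.g. the file that will be uploaded) and audit them."""
    return audit_sso_settings(plistlib.loads(xml_bytes))


if __name__ == "__main__":
    # Same prefixes as the example plist in the thread.
    xml = to_xml_plist(build_sso_settings(["com.microsoft.", "com.apple."]))
    with open(PLIST_NAME, "wb") as fh:
        fh.write(xml)
    print(xml.decode())
    print("findings:", audit_sso_plist(xml) or "none")
```

Running it writes the plist next to the script and prints the XML plus any findings. The type check is the useful part when a profile "does not seem to take": an integer key that ended up as a string, or a missing `AppPrefixAllowList`, is reported before the file goes into Jamf rather than after users start seeing prompts.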