I'm testing this MS plug-in for SSO
It works fine with Safari, but I'm not able to use it with Desktop-Apps like Office 365 ones.
Anyone have experience in SSO in Office 365 apps?
Enterprise SSO was working fine during Preview and General Release up until this week. Now only works with Teams and Safari. All installed apps (Word, Excel, PowerPoint, Outlook) experience a sign in or network error. I downloaded the troubleshooting scripts, passes all tests. Issue happens on new or existing macOS install. JSS config profile is exactly the same as documentation. I just opened a support case and am waiting to hear back. Has anyone else noticed things completely breaking this week?
We're seeing the same thing. We've just started testing Jamf Connect and Enterprise SSO Extension. Thought the login issues in MS apps were related to our Conditional Access MFA policy, but works fine in Safari and Teams indeed... Seems to be a widespread issue. Could it be related to Jamf Connect 2.24.0? Since it worked for you earlier?
Confirming we are seeing a similar issue when trying to log into OneDrive, Server error 2605 paired with a keychain error. Seems to have just come up this week. Azure sign in logs report OneDrive syncengine error.
Noticed the same in our environment today :(
We are not using Jamf Connect at all but facing the same issue this week.
Yeah, it's not Connect. Tried with 2.23.0 and a few older versions without luck. Seems to be tied to the SSO Extension. Connect is unrelated.
Please keep us informed about the case if you hear anything back :)
No updates on my MS support case. There are some updates from MS staff on MacAdmins Slack #microsoft-aad.
We've identified a breaking service change that is causing this issue thanks to those logs. We're evaluating the impact and mitigation options right now.
The issue is caused by a server side regression, shipped around 6/8. We're working on a server side mitigation of the regression, and I'll keep this thread updated on the progress.
Yes, temporarily un-scoping SSO extension for impacted Office apps and users would be a workaround for now.
Thank you for the update, and keep us posted on the progress. Really appreciated! ❤️
12 hours ago, I experienced this and just called it a night, put the mac to sleep. I wake it up now, and SSO just worked. Not sure if it's just fixed by now or what.
It started to work in our environment today.
Seems to work here as well. Won’t roll out SSOE in production until it’s been stable for a while though.
We are having a few issues with the Extension on 12.6.6. We have followed the guidance from Microsoft. We are not using Jamf Connect. We are doing the initial sign-in via Safari (microsoft365.com) but then finding that other Microsoft apps do not immediately sign in. Only after quitting and relaunching these apps are we signed in, and even then, it does not silently auto sign us in to all apps. For Office apps, it will silently sign us in; however, for OneDrive and Teams it will only pre-populate the username field - we then have to click Login. We do have additional policies set for OneDrive.
For OneDrive and Teams, this is expected, the sign in webview implementation must be different than the rest of Office and isn't fully compatible with the plugin.
With the plugin, to get the initial PRT or "SSO token", the sign-in must be done through a compatible app, not a browser.
Taken from the below URL:
Not all Microsoft first-party native applications use the MSAL framework. At the time of this article's publication, most of the Microsoft Office macOS applications still rely on the older ADAL library framework, and thus rely on the Browser SSO flow.
Which means it has to be a browser (Safari) that is used initially to generate the token. Which is fine... We launch Safari and are greeted with the SSO pop-up - which we then sign into.
Ah, yes, you can bootstrap the PRT with Safari when you have enabled browser_sso_interaction_enabled.
Edit:
Bootstrapping doesn’t need to be done with Safari, you can get a PRT from any app that uses MSAL.
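Added example, not part of any post in this thread: a small Python audit of an SSO extension configuration profile that reports whether `browser_sso_interaction_enabled` is set and how each app bundle ID is scoped. The profile is a constructed sample; the key names `AppPrefixAllowList` and `AppBlockList`, the extension identifier, and the rule that the block list takes precedence are assumptions based on Microsoft's plug-in documentation, not on this thread.

```python
import plistlib

# Constructed sample profile (not from the thread). Key names other than
# browser_sso_interaction_enabled are assumed from Microsoft's plug-in docs.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.extensiblesso</string>
  <key>ExtensionIdentifier</key>
  <string>com.microsoft.CompanyPortalMac.ssoextension</string>
  <key>ExtensionData</key><dict>
   <key>AppPrefixAllowList</key><string>com.microsoft.,com.apple.</string>
   <key>AppBlockList</key><string>com.microsoft.OneDrive</string>
   <key>browser_sso_interaction_enabled</key><integer>1</integer>
  </dict>
 </dict></array>
</dict></plist>"""

def _csv(value):
    """Split a comma-separated setting into a clean list."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def audit_sso_profile(profile_bytes, bundle_ids):
    """Report how each bundle ID is scoped by the SSO extension payload."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.extensiblesso"]
    if not payloads:
        raise ValueError("no extensible SSO payload in profile")
    data = payloads[0].get("ExtensionData", {})
    prefixes = _csv(data.get("AppPrefixAllowList"))
    blocked = set(_csv(data.get("AppBlockList")))
    report = {"browser_sso": bool(data.get("browser_sso_interaction_enabled", 0)),
              "apps": {}}
    for bid in bundle_ids:
        if bid in blocked:          # assumption: block list wins over allow list
            state = "blocked"
        elif any(bid.startswith(p) for p in prefixes):
            state = "allowed"       # opted in even if the app does not use MSAL
        else:                       # only MSAL-based apps would participate
            state = "msal-only"
        report["apps"][bid] = state
    return report

if __name__ == "__main__":
    apps = ["com.microsoft.Word", "com.microsoft.OneDrive", "org.example.app"]
    print(audit_sso_profile(SAMPLE_PROFILE, apps))
```
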
Based on what I've seen from Okta, it looks like Platform SSO will soon be a replacement for this plug-in. I'm just going to wait until MS supports Platform SSO. I haven't had much luck with the plug-in.