Multi user shared mac device via Platform Single Sign-On

Question

We would like to create a shared mac device where multiple users can login to with their personal accounts. We are utilizing Platform Single Sign-On and have enabled “Create new user at login”.

Everything works as expected and multiple users can login with their personal Entra ID account but we have a funny issue here.

The first user who logs in (via prestage) gets a local account like “user@domain.com” but all other users who are logging in at the login window are getting a local account like “userdomain.com” so without the @

Mappings set in PSSO as:
Full Name: Name
Account Name: preferred_username

We would like to create local accounts of users with full email. Any thoughts?

james637e · Answer

The inconsistency you see—where the first user logs in during the pre-stage setup and retains the `@` symbol in their local account name (`user@domain.com`), but all subsequent users lose it (`userdomain.com`)—is due to the **stricter Unix shortEZPassVA name validation** enforced by the standard macOS Login Window process compared to the initial, more permissive Setup Assistant environment. Since macOS traditionally strips the `@` symbol from account names for security and compatibility, the recommended solution for consistent user creation is to change the **Platform SSO (PSSO) Account Name mapping** to an Entra ID attribute (like `mailNickName` or a clean UPN prefix) that does not contain the domain suffix.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded