Question

Platform SSO Simplified Setup (macOS 26 + Entra ID): onPremisesSamAccountName not available in token — anyone found a workaround?

  • June 4, 2026
  • 0 replies
  • 56 views


Hi everyone,

I've been working through a deployment of Platform SSO Simplified Setup on macOS 26 using Microsoft Company Portal 5.2604.1 (5.2604.0 or newer is required per documentation), and I've hit a wall with username/account name mapping that I wanted to share in case others are running into the same thing and could potentially provide some alternative options.

---

Our Setup

- Jamf Pro 11.28.1
- macOS 26
- Microsoft Company Portal 5.2604.1 (deployed as a PreStage package)
- Microsoft Entra ID
- PSSO profile with Simplified Setup enabled (EnableCreateFirstUserDuringSetup + EnableCreateNewUserAtLogin both true)
- Authentication method: Password
- Associated Domains payload included in the same profile

---

The Problem

Everything works end-to-end — Simplified Setup fires during the Setup Assistant, the user signs in with their Entra credentials, and a local account gets created. However, the local account short name is being set to the full preferred_username value (e.g. John.Smith@company.com), which is not what we want.

Our goal is to have the local account short name match the user's on-premises SAM account name (e.g. jsmith), which is cleaner and consistent with how accounts are named in our environment.

What We've Tried

1. com.apple.PlatformSSO.AccountShortName — This strips the @company.com but leaves us with John.Smith (capital letter, period), which is still non-standard for us.

2. onPremisesSamAccountName — The attribute exists and is populated correctly in Entra (confirmed via Graph API), but it does not appear in the token issued to the Microsoft Authentication Broker (appId: 29d9ed98-a469-4536-ade2-f981bc1d605e) during PSSO registration.

3. Claims Mapping Policy — We created a claims mapping policy via Microsoft Graph PowerShell and successfully assigned it to the Authentication Broker service principal. However, the claim still does not appear in the token. This appears to be because OIDC apps require custom signing keys for claims mapping to take effect, and Microsoft-owned first-party apps cannot have custom signing keys configured.

4. mailNickName — Also not present in the token.

The token issued during PSSO authentication is extremely minimal — it only contains: name, preferred_username, oid, sub, tid, and a handful of internal Microsoft claims. No custom or optional claims can be injected into it through any self-service mechanism we've found.

We've opened a Microsoft support case and their response suggests this is by design — the Authentication Broker token is locked down and not customizable.

A script to rename it after the fact is a thought; however, it’s not our preferred route unless totally necessary.

---

Questions for the Community

1. Has anyone successfully gotten onPremisesSamAccountName or any equivalent clean short username into the PSSO token with Entra ID?

2. Is anyone aware of whether Microsoft has any plans to add onPremisesSamAccountName as a supported native claim for the PSSO broker token?

Any input appreciated — this feels like a significant gap when deploying PSSO with Jamf and Entra ID.
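As an added example (not part of the original post), a small Python helper that decodes a constructed, unsigned sample of the broker token and reports which claims are present, which of the wanted claims are missing, whether anything beyond the minimal claim set shows up (which is what a working claims mapping policy would produce), and the short name that stripping the @domain from preferred_username yields. Claim names follow the post; the sample values are placeholders.

```python
import base64
import json

# Claims the post reports in the Authentication Broker token.
BROKER_TOKEN_CLAIMS = {"name", "preferred_username", "oid", "sub", "tid"}
# Claims the post tried, without success, to get into the token.
WANTED_CLAIMS = ("onPremisesSamAccountName", "mailNickName")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. Signature NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def audit_token(token: str) -> dict:
    """Compare a token's claims against the minimal broker set and the
    claims we want; derive the AccountShortName-style short name."""
    claims = decode_claims(token)
    upn = claims.get("preferred_username", "")
    return {
        "present": sorted(claims),
        "missing": [c for c in WANTED_CLAIMS if c not in claims],
        "extra": sorted(set(claims) - BROKER_TOKEN_CLAIMS),
        # AccountShortName strips the @domain, leaving e.g. John.Smith.
        "account_short_name": upn.split("@", 1)[0],
    }

def build_sample_token(claims: dict) -> str:
    """Constructed, unsigned (alg=none) sample for offline inspection only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."

# Constructed sample payload modelled on the claim list in the post.
SAMPLE_CLAIMS = {
    "name": "John Smith",
    "preferred_username": "John.Smith@company.com",
    "oid": "00000000-0000-0000-0000-00000000000a",  # placeholder object id
    "sub": "placeholder-subject",
    "tid": "00000000-0000-0000-0000-00000000000b",  # placeholder tenant id
}
```

The helper only inspects claims and performs no signature validation, so use it for diagnosing what a token carries, not for trusting its contents.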