Question

Platform SSO with EntraID SecureEnclave

  • January 29, 2026
  • 1 reply
  • 67 views

I have successfully set up PlatformSSO for EntraID authentication and after running it for a while I have some oddities.

If the token expires Safari will offer passkey as an option for logging into EntraID federated applications. Our conditional access policies allow passkeys, MFA, Strong Auth (FIDO etc). Once the login is complete the Mac will passthrough creds for any access in any browser.

If the token has expired then in non-Safari (Edge, Chrome and Firefox) the user is only offered password as the option to login unless they have a passkey in Authenticator or an external FIDO token registered in EntraID (Yubikey etc).

If you go to User/Groups and press the Authenticate button in the user account then the token is refreshed without any user interaction.

Trying to work out if I’ve missed something in the config profile or if there is another issue.

Anyone else seen similar and worked out a way to resolve so passkey/biometrics is offered across all browsers rather than just Safari?

1 reply

h1431532403240

This is a known architectural limitation, not a configuration issue you can fix.

Root cause:

Safari uses Apple's native networking stack (WKWebView, NSURLSession) which can natively interact with the SSO Extension and access the Secure Enclave key as a passkey via WebAuthN APIs.

Microsoft's documentation explicitly states:

"Applications that do not use Apple Networking technologies (like WKWebview and NSURLSession) will not be able to use the shared credential (PRT) from the SSO Extension. Both Google Chrome and Mozilla Firefox fall into this category."

Why Edge also fails:

Even though Edge is a Microsoft browser, it uses Chromium's networking stack, not Apple's. So when the token expires and re-authentication is required, Edge cannot natively prompt for the Platform SSO passkey from Secure Enclave.

What you CAN do:

  1. For Edge: Ensure users are signed into their Edge profile - this is required for browser SSO to work on PSSO-registered devices
  2. Enable Company Portal as passkey provider: System Settings > Passwords > Password Options > Company Portal
  3. Deploy browser extensions: Chrome and Firefox require the Microsoft Single Sign On extension
  4. Workaround: Users can manually trigger token refresh via System Settings > Users & Groups > Edit (Network account server) > Authenticate button (as you noted, this refreshes without user interaction)

Current expectation: This is a platform-level limitation where only Safari can offer the Secure Enclave passkey natively during re-authentication. Other browsers will fall back to password unless users have registered a separate passkey in Authenticator or an external FIDO2 key.

Reference: