We’ve been testing Platform SSO with Microsoft Entra ID in a Password Authentication configuration, and found that we need to create a local account on the system first in System Settings > Users & Groups, before a user can log in with user@domain.com as their username, is that expected behavior? If that is what is required then we can work with that, but ideally once the system has the relevant configuration profiles installed I’d like anyone in Entra ID to be able to log in without any manual configuration. If I don’t manually create a local, standard account with the same username beforehand, the user just gets a dialogue box containing a yellow warning triangle with no other information and is then automatically logged out again.

Or would I be better off with a Secure Enclave configuration? We have hundreds of staff 1:1 Macs (mostly MacBooks) and about 100 lab iMacs/Mac Studios.

We are a big MS/Azure/Entra house, currently bind to AD (which we are desperate to come away from, but my management are reluctant to pay for Jamf Connect), so if anyone has any advice around the best way forward for our scenario, that would be very much appreciated!

Currently, we have to create a local account. But it doesn’t have to match the domain or username. The local account could be named anything, then we Register with Microsoft PSSO. So not sure about your specific username requirement.

This experience is all changing with macOS 26 and Platform SSO. We can set up and sign into Platform SSO at Setup Assistant.

Info:

• https://medium.com/@drewsmith_6943/macos-26-tahoe-and-other-observations-from-wwdc25-c24fac6c29ad

• What’s New in Apple Device Management and Identity, and jump to 00:14:50 for a quick overview.

Thanks - I haven’t yet tested with macOS 26, but in my testing thus far (on Sonoma/Sequoia) I’ve been able to log in with a local administrator account created during the Prestage and do the device registration with the help of an account with Entra domain join permissions.

What I am finding is that I need to create local accounts with a similar username before that user is able to log in with user@domain.com. Otherwise, they just see the following pop-up, before being automatically logged straight out:

Yeah. That is odd. Might be something in the MPSSO configuration profile you’re using, maybe.

If I created a local account called “test” or something, it will register with MPSSO. We are using smart cards, so my config is a little different from yours.

Maybe worth contacting Microsoft and Jamf support?

I already have, and they just send me back to each other 😡

Sent you a message ...