Microsoft Enterprise SSO plug-in for Apple devices

n_lecchi
Contributor

I'm testing this MS plug-in for SSO

It works fine with Safari, but I'm not able to use it with Desktop-Apps like Office 365 ones.

Anyone have experience in SSO in Office 365 apps?

117 REPLIES 117

Tribruin
Valued Contributor II

I have added all the O365 apps to the AppAllowList custom setting. Here is my custom setting PLIST that i add to the SSO Profile:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppAllowList</key>
    <string>com.microsoft.Outlook,com.microsoft.teams,com.microsoft.OneDrive,com.microsoft.Word,com.microsoft.Excel,com.microsoft.Powerpoint,com.microsoft.onenote.mac,com.jamfsoftware.selfservice.mac</string>
    <key>browser_sso_interaction_enabled</key>
    <integer>1</integer>
    <key>disable_explicit_app_prompt</key>
    <integer>1</integer>
</dict>
</plist>

I don't think OneDrive is working yet, but it seems like all the other Apps pickup on the SSO credentials.

What will be the plist name ? 

MSSSOEXTCustom.plist

Oops, sorry that is what I use for the "extra" stuff - this is the PList:
com.microsoft.CompanyPortalMac.ssoextension

See https://learn.microsoft.com/en-us/mem/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-mac...

n_lecchi
Contributor

RBlount, does it work well for you? In my tests, Office apps still require authentication.

nelsoni
Contributor III

I tested the plist in my environment, it does in fact work, but the results are not consistent. A mac with a fresh setup worked out of the box but my daily driver was inconsistent.

jmariani
Contributor

Does one need to be signed into the Intune Company Portal for this to get applied properly?

Tribruin
Valued Contributor II

I find it hit or miss. Some apps seem to work better than other (Teams & Jamf Self Service seem to pick up the user better than the other Microsoft Apps.)

Is seems that when I was testing it a few months ago, it seemed to work better. I don't know if Apple changed something or Microsoft did.

I guess that is why Microsoft still considers it to be in Beta Preview.

n_lecchi
Contributor
Does one need to be signed into the Intune Company Portal for this to get applied properly?

yes you need to log-in Intune company portal, too

vinu_thankachan
Contributor

I am also testing the Company portal SSO-E It's working with safari, office 0365 apps, and Skype for Business. Currently, Microsoft EDGE is not supporting SSO.

n_lecchi
Contributor

Hi Vinu, I am surprised you SSO works Office 365. For me it works only for Safari. When i launch word, excel or PP, it require me another authentication for license.
Can you share configuration you are usings?

I am also testing the Company portal SSO-E It's working with safari, office 0365 apps

Hobbs155
Contributor

Are you using Hybrid or pure Azure? We have been trying to just get it to work but we have failed.
azure-ad-and-seemless-single-sign-on

n_lecchi
Contributor

My Azure is in Hybrid but it does not matter. SSO works with Company Portal Authentication. I enroll the Mac with a test user different to the Azure one, than I authenticate in Company Portal that generate a token for SSO that in my case works but only with Safari and WebApps. Desktop Office Apps require another authentication for assign license. I need to solve this part.

Are you using Hybrid or pure Azure

nelsoni
Contributor III

To clarify, from my testing I have found that the Mac does not need to be enrolled into Intune for it to work, just that the company portal is installed. The SSO will work from there.

n_lecchi
Contributor

Yes, it's right

To clarify, from my testing I have found that the Mac does not need to be enrolled into Intune for it to work, just that the company portal is installed. The SSO will work from there.

n_lecchi
Contributor

Can anyone who managed authenticateìion with SSO into the Office 365 app share the correct configuration?

ali_fadavinia
New Contributor III

We are experiencing the same issue as the original poster.

If any one has any tips? what we are seeing it works with Safari and MS Teams only but not Office apps: Outlook, Excel and OneDrive,etc.

@ vinu.thankachan Could you tell us or share some more info how did you fix it and get that working please?

vinu_thankachan
Contributor

Hi ,
Sharing my configuration
54584e54698043478a3bc26a52741b2d
cebf1dbd663a422dae86a5b2a12ae472

Hey @vinu_thankachan 

I have a similar configuration and wondering if you can post what you see on the macOS device? I'm unable to see the additional custom configuration nor does it work on our test devices.

Did you get this to work? I have same issue you were having. Though it works in Safari.

n_lecchi
Contributor

@ vinu.thankachan: this configuration enable you to single sign on in office? I seem strange: Are you sure you have not authentication in keychain?

ali_fadavinia
New Contributor III

Thanks for providing the info Vinu,

We have exactly the same configuration, as I said it works fine with Teams and Safari but not Office Apps

Karl941
New Contributor III

I confirm as well, Safari and Teams are fine but not other MS office Apps.

ali_fadavinia
New Contributor III

One thing I thought to throw it here, ask and clarify with everyone: @Karl941 @n.lecchi @vinu.thankachan

1) How are you all installing office? 2) Are you using the app store, or are you installing via .pkg? 3) Do you think it matters? but Teams is installed for us through the Office .pkg; if it was a .pkg issue, then it shouldn't work for any of the apps.

What are your thoughts?

n_lecchi
Contributor

I think it doesn't matter. The app installation can take place via .pkg or the App Store but activation takes place via the web, so the user must be authenticated on the O365 portal to do so.

The question is, can you pass SSO in any way? According to my test no, and the MS documentation seems to copy it. So I'm surprised someone can do it and I can't figure out how.

Karl941
New Contributor III

@ali.fadavinia I have seen in the past slightly differences from deploying through PKG or Appstore push. So to validate, I did a test with Word from Appstore deploy and It's the same results as PKG, no matter the installation type, the app. is prompting to authenticate and don't transit through SSOEx. like Teams does
@vinu.thankachan Can you confirm it works (or not) for you if the Keychain and cookies are cleared ? Thanks.

vinu_thankachan
Contributor

Sharing my experiance with Ms teams When I open teams for the first time, I get a prompt to choose the account. once I chose the account , Teams loads automatically 8290cfb7014948d4a8f46e1b01407e9e

8044b367041e497f8bcdc32e8c14cc41

b6e421f8767341d98c9a21dfc6ce57ab

Karl941
New Contributor III

@vinu.thankachan Thanks, however what we would like to validate it's the other MS apps (like Word, PPT or Excel), are you prompted from these ones or not?

GabeShack
Valued Contributor III

@pbowden Wondering if you had any info on this or if there is someone else from Microsoft who could comment on this thread?

Gabe Shackney
Princeton Public Schools

Gabe Shackney
Princeton Public Schools

Scott_Conway
New Contributor III

Did anyone ever figure this out? We are getting the same experience. SSO extension is configured and works with Microsoft websites, but the individual Office apps do not pick up the credentials, hence forcing us to sign into the apps manually. Teams is the only app that is close (it shows us the account selection, same as the screenshot above from @vinu.thankachan )

GabeShack
Valued Contributor III

Ive started playing with this microsoft SSO as well.  Im looking to get the Adobe Creative Cloud app to recognize it too.

My overall goal would be when our students or faculty login to a machine for the first time, they setup the managed Apple ID for iCloud that we have using federated accounts which is the first thing that prompts for a microsoft login.  Im hoping to utilize that login to provide all the credentials for the rest of the apps.  So during the initial setup assistant, having it use this Microsoft SSO piece to have one login to rule them all!

Im trying to get the bundle ID of the setup assistant and I guess what the url is that apple is using for the login for federated apple ID with microsoft.  I did notice that the Microsoft Apps all register though.  I'm using the installer from macadmins.software and using some forced settings with a config profile for our Microsoft apps though.  Im hoping if i can trigger the sso window during that iCloud setup, that we would not need to use any other logins after that.

 

Gabe Shackney
Princeton Public Schools

GabeShack
Valued Contributor III

So I got this to work using com.apple.SetupAssistant in the plist and then the iCloud login allowed me to use the sso plug in.  Its not quite right though because underneath the SSO initial login, is the normal federated login, so its making us type it twice.  After that though when I went into the machine, Safari was already logged in and Zoom was already logged in, however Word still asked for a login name/email and didn't show the drop down list.  Once I typed the email address in though it didn't prompt for a password, just had the drop down list with the account already there.

Also I'm trying to get adobe creative cloud to use this, but I think their app isn't built correctly since I can see the Microsoft SSO plugin version pop for a split second before it triggers the normal federated login.

Gabe Shackney
Princeton Public Schools

Jamftechelp
New Contributor II

The attached plist is working SSO for Word, PPT, Excel, Outlook, Safari, Teams, and zscaler but it's not working for Chrome, Firefox, and Edge when I signed in Company Portal App.

Does anyone suggest how to achieve SSO for chrome, Firefox, and Edge?

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppAllowList</key> 
 <string>com.microsoft.Outlook,com.microsoft.teams,com.microsoft.OneDrive,com.microsoft.Word,com.microsoft.Excel,com.microsoft.Powerpoint,com.microsoft.onenote.mac,com.zscaler.Zscaler,</string>
    <key>browser_sso_interaction_enabled</key>
    <integer>1</integer>
    <key>disable_explicit_app_prompt</key>
    <integer>1</integer>
</dict>
</plist>

 

What is the name of this .plist?

thanks

hi, do you know what the of the plist is?

com.microsoft.CompanyPortalMac.ssoextension

Hello @Jamftechelp 

Are you still looking for the Chrome plist (see below)?

I had a session with Apple Pro Services in 2021. Part of the sessions was to create SSO extensions for our O365 suite.  It worked great.  We were also told Company Portal must be registered with Intune and Signed in.

The issue we have recently discovered on Monterey is Teams sporadically does not authenticate. No mater what we do, Teams will not authenticate.  We also have issues with Company Portal Intune registration. As soon as we remove the SSO Extension, Teams works perfectly. All other apps (O365) work how they should.

The SSO extension is in Preview mode (still) the MS web page does warn us to not use in Production. It appears most of us are using it anyways, including myself.

What concerns me is our 12.x upgrade next week. How many machines will Teams stop working on? 

I hope someone else is experiencing this issue and may have a work around.
 I am guessing I can remove the teams Bundle ID or use  

AppCookieSSOAllowList

with 

AppPrefixAllowList

Cheers.

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>ShowHomeButton</key>
	<true/>
	<key>HomepageLocation</key>
	<string>https://intranet.domain.com</string>
	<key>RestoreOnStartup</key>
	<integer>4</integer>
	<key>RestoreOnStartupURLs</key>
	<array>
		<string>https://intranet.domain.com</string>
	</array>
	<key>AuthServerWhitelist</key>
	<string>*.domain.com</string>
	<key>AuthNegotiateDelegateWhitelist</key>
	<string>*.domain.com</string>
	<key>DefaultBrowserSettingEnabled</key>
	<false/>
	<key>HomepageIsNewTabPage</key>
	<false/>
</dict>
</plist>

 

GabeShack
Valued Contributor III

Hey @pueo Im having success on 12.2 with Teams and all Microsoft apps using the sso.

If you look at my company portal plist these are the settings that might affect it:

<string>com.apple.SetupAssistant,com.microsoft.Outlook,com.microsoft.teams,com.microsoft.OneDrive,com.microsoft.Word,com.microsoft.Excel,com.microsoft.Powerpoint,com.microsoft.onenote.mac,com.jamfsoftware.selfservice.mac,us.zoom.xos,zoom.us</string>
<key>Enable_SSO_On_All_ManagedApps</key>
	<integer>1</integer>
	<key>browser_sso_disable_mfa</key>
	<integer>1</integer>
	<key>browser_sso_interaction_enabled</key>
	<integer>1</integer>
	<key>disable_explicit_app_prompt_and_autologin</key>
	<integer>1</integer>

 Also your plist for chrome seems to be just for default settings for Chrome in general, but I don't see how it ties into the SSO with those settings.  Thanks though for the info.

Gabe Shackney
Princeton Public Schools

Hello Gabe.  

Hello @GabeShack 
Thanks for sharing your MS Extension. I will give it a try.  
Apple gave me the Google Chrome plist. From understanding SSO does not work with Chrome.  But by adding in your own websites to the above plist it provides the best experience using Chrome and signing on. 
I understand its not much but it was I was given.