Setup single sign-on to Apple devices apps and websites that use Microsoft Azure AD for authentication

Configuring Microsoft Enterprise SSO Plug-In for Apple Devices:

The Microsoft Enterprise SSO plug-in enables users to sign in to apps and websites that rely on Microsoft Azure Active Directory (Azure AD) for authentication, including Microsoft 365, using a single sign-on (SSO) process. This plug-in utilizes the Apple single sign-on app extension framework to minimize the number of authentication prompts that users receive when accessing devices managed by Mobile Device Management (MDM). Additionally, any MDM that facilitates configuring SSO profiles is supported.

After configuring the Microsoft Enterprise SSO plug-in, apps that support the Microsoft Authentication Library (MSAL) automatically integrate with it. However, apps that don't support MSAL can also utilize the extension, such as browsers like Safari and apps that use Safari web view APIs. To do so, simply add the application bundle ID or prefix to the extension configuration.

For example, you can enable a Microsoft app that doesn't support MSAL by adding com.microsoft. to the AppPrefixAllowList property. It's crucial to be cautious about which apps you allow to use this feature, as they will bypass the interactive sign-in prompts for the signed-in user.

Prerequisites

  • The device is managed by Intune.
  • iOS/iPadOS 13.0 and newer
  • The Microsoft Authenticator app must be installed on the device.

A Step-by-Step Guide.

1. After logging into your endpoint.microsoft.com account, navigate to the Devices section, select iOS/iPadOS, and click on Create Profile under Configuration Profile. From there, choose Templates and then select Device Features.


2. Once you have created the profile, give it a name and then click on Next.

3.Once you click on Next, you will be directed to configure the profile. From there, you will need to modify the Single Sign-On App Extension and change the SSO extension type to Microsoft Azure AD


4.    You need to modify the App bundle Id under the SSO extension type. Please write "com.microsoft.azureauthenticator.ssoextension”.

5.    You also need to add the additional configuration, which is displayed below.

6.    Once you have completed all of these steps, you will need to assign it to either a group or a device.


Now, you can test single sign-on by opening Safari in private mode, then go to the https://portal.office.com site, you with automatically sign on to the application.

Please see link below for more information on this feature.

https://learn.microsoft.com/en-us/mem/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-macos?pivots=ios-ipados













Comments

Post a Comment

Popular posts from this blog

How to enable iOS unmanaged apps to read managed contacts & write unmanaged contacts without compromising security using Microsoft Intune

Image
The contacts saved in Exchange is considered managed contacts. with iOS 12 onwards managed contacts are not visible from unmanaged Apps. As stated in Apple Article (https://support.apple.com/en-au/HT208749)  iOS 12, you can use MDM to make the following exceptions to this policy: Allow unmanaged apps to access managed contacts Allow managed apps to save contacts to the local Contacts app Microsoft Intune have introduced new feature, but it has pre-requisite to "Viewing corporate documents in unmanaged apps" to write contact to unmanaged app and "Viewing non-corporate documents in corporate apps" to read managed contacts in unmanaged app.  This can be security issue for many organisations. However, you can enable this without changing the parent policy by following trick! Go to iOS restriction settings in Intune, go to 'App Store, Doc Viewing, Gaming controls'. As highlighted above 'Allow managed apps to write contacts
Read more

How to deploy Application (offline installer DMG) on Apple MacOS Devices using Microsoft Intune

Image
Microsoft Intune does not support deployment of DMG file. As per the  Microsoft documentation   : " Only  .pkg files may be used to upload macOS LOB apps to Microsoft Intune. Conversion of other formats, such as .dmg to .pkg is not supported." Microsoft Intune have provided support to deploy shell script to macOS. In the example below, I will deploy Adobe Acrobat Reader DC 2020.009.20063 DMG file on MacOS Device. Save following script as .sh package i.e.  InstallAdobeReader.sh #! /bin/sh url=https://ardownload2.adobe.com/pub/adobe/reader/mac/AcrobatDC/2000920063/AcroRdrDC_2000920063_MUI.dmg   set -x tempd=$(mktemp -d) curl $url > $tempd/AdobeReaderDC.dmg listing=$(sudo hdiutil attach $tempd/AdobeReaderDC.dmg | grep Volumes) volume=$(echo "$listing" | cut -f 3) package=$(ls -1 "$volume" | grep .pkg | head -1) sudo installer -pkg "$volume"/"$package" -target / sudo hdiutil detach "$(echo "$volume" | cut -f 1)" rm -r
Read more

ConfigMgr CB Backup Failing

Image
SCCM site backup was failing with following error,  smsbkup.log showing following error. Cannot find the dependent writer. The dependant component cannot be backed up. AddDependentComponent(pDependency) failed. Error code = 0x80,004,005.Error description = . Error: GatherWriterMetadata failed. 1. To fix this issue  Run 'VSSAdmin list writers' command. 2. Ensure following writers listed. 3. If you identify these two writers are not listed, restart 'SQL Server VSS Writer' if SQLServierWriter' is missing or 'SMS_Site_VSS_Writer' if SMS writer is missing. 4. 'VSSAdmin list writers', ensure both services are listed. 5. start sms_site_backup service to start backup, monitor smsbkup.log, ensure backup completed successfully.
Read more