macOS + Intune + Entra ID: Seamless Login with Platform SSO and Password Sync

Platform SSO with Password Sync allows macOS users to sign in with their Entra ID password, keep local and cloud passwords synced, and unlock FileVault using cloud credentials.

February 10, 2026 · 5 minute read · Alex Dolney

🔐 macOS + Intune + Entra ID: Seamless Login with Platform SSO and Password Sync

Modern IT environments are moving away from legacy directories and embracing cloud identity.

But MacBooks have always been a little tricky when it comes to syncing local logins with Microsoft Entra ID.

That is starting to change.

With Platform SSO for macOS and Password Sync, organizations can now give users a more consistent sign-in experience across their Mac, Microsoft 365 apps, and cloud identity.

Platform SSO with Password Sync allows users to:

  • Sign in to their Mac with their Entra ID password
  • Keep the local macOS password and cloud password in sync
  • Unlock FileVault at boot using cloud credentials
  • Get single sign-on into Microsoft 365 apps and web resources

For organizations already using Microsoft Intune, Apple Business Manager, and Automated Device Enrollment, this is a major improvement.


✅ Prerequisites

Before setting this up, make sure the environment is ready.

You will need:

  • Apple Business Manager integrated with Intune
  • Macs enrolled using Automated Device Enrollment
  • Devices supervised through Apple Business Manager
  • Microsoft Intune configured and licensed
  • Microsoft 365 Business Premium, E3, or E5 licensing
  • macOS 13 or newer
  • macOS 14 or newer recommended
  • FileVault enabled through Intune policy
  • Cloud-only or hybrid Microsoft Entra ID user accounts

🔧 What You’re Deploying

With Password Sync mode, Platform SSO allows the Mac to sync the user’s Microsoft Entra ID password with the local macOS account.

This gives users a much cleaner experience.

Instead of having one password for Microsoft 365 and another password for the local Mac, users can use the same Entra ID password across both.

Platform SSO with Password Sync helps with:

  • Local macOS sign-in
  • FileVault unlock
  • Microsoft 365 app authentication
  • Web-based single sign-on
  • Password consistency across cloud and local accounts

🛠️ Step 1: Create the Platform SSO Configuration Profile

In the Intune admin center:

  1. Go to Devices
  2. Select macOS
  3. Select Configuration profiles
  4. Click Create profile
  5. Set Platform to macOS
  6. Set Profile type to Settings catalog

Name the profile something like:

macOS - Platform SSO - Password Sync


⚙️ Step 2: Configure Platform SSO Settings

In the Settings Catalog, click Add settings.

Search for and add the Platform Single Sign-On settings.

Configure the following:

  • Enable Platform SSO: Enabled
  • Use Platform SSO: Enabled
  • Enable Password Sync: Enabled
  • Identity Provider Domain Hint: yourdomain.com
  • OIDC App Redirect URI: Optional

For the OIDC App Redirect URI, you can usually leave this blank.

If you are using Microsoft apps with deep linking, you may use something like:

msauth.yourdomain.com://auth

Important: Do not enable the Enable Secure Enclave setting if you are deploying Password Sync mode.

Secure Enclave is a different authentication method and behaves differently from Password Sync.


👥 Step 3: Assign the Profile

Assign the profile to a dynamic device group that contains only ADE-enrolled macOS devices.

The devices should be:

  • Enrolled through Apple Business Manager
  • Enrolled using Automated Device Enrollment
  • Supervised
  • Managed by Intune
  • Not manually enrolled

Manually enrolled Macs will not provide the same experience.


🔒 Step 4: Enable FileVault Through Intune

To make sure FileVault works properly with Platform SSO, configure FileVault through Intune.

In the Intune admin center:

  1. Go to Endpoint security
  2. Select Disk encryption
  3. Create a macOS FileVault policy

Configure the following settings:

  • FileVault: Enable
  • Recovery key: Store in Intune
  • Escrow location: Intune

Assign the FileVault policy to the same ADE-enrolled macOS device group.


🧪 Step 5: Test the User Experience

Once everything is configured, the user experience should look like this:

  1. The Mac boots to the FileVault unlock screen
  2. The user enters their Microsoft Entra ID password
  3. FileVault unlocks
  4. macOS sign-in continues
  5. Microsoft apps such as Outlook, OneDrive, and Teams use SSO

This helps avoid password mismatch issues, especially after a user changes their Microsoft Entra ID password online.


🚨 Things to Watch Out For

There are a few important items to keep in mind.

Manually Enrolled Macs Are Not Ideal

For the best experience, Macs should be enrolled through Apple Business Manager and Automated Device Enrollment.

Manual enrollment can lead to inconsistent behavior.


FileVault Timing Matters

If FileVault was enabled before Platform SSO was configured, you may need to reissue FileVault keys or re-enroll the device.

This is especially important when testing on existing Macs.
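As an added example (not from the original post, and not Intune, Apple or Microsoft tooling), a small pre-flight script that checks the two items above before the profile is rolled out: that the Mac is ADE-enrolled rather than manually enrolled, and whether FileVault was already on. It assumes the output wording of `profiles status -type enrollment` and `fdesetup status` noted in the comments; the SAMPLE_* strings are constructed for offline testing.

```shell
#!/bin/sh
# Added pre-flight check, not part of the original post or any vendor tooling.
# Assumption: `profiles status -type enrollment` prints "Enrolled via DEP: Yes|No" and
# "MDM enrollment: Yes (User Approved)", and `fdesetup status` prints "FileVault is On."
# or "FileVault is Off." (macOS 13/14 wording). The SAMPLE_* strings are constructed.

# Returns 0 only when the report shows Automated Device Enrollment plus an MDM
# enrollment; a manually enrolled Mac (DEP: No) fails, which the post warns against.
check_ade_enrollment() {
  printf '%s\n' "$1" | grep -q '^Enrolled via DEP: Yes' || return 1
  printf '%s\n' "$1" | grep -q '^MDM enrollment: Yes' || return 1
  return 0
}

# Returns 0 when FileVault is already on. If it was on before Platform SSO was
# configured, the post notes keys may need to be reissued or the device re-enrolled.
check_filevault_on() {
  printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# Constructed sample outputs for offline testing (not captured from a real Mac).
SAMPLE_ADE='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_MANUAL='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_FV_ON='FileVault is On.'
SAMPLE_FV_OFF='FileVault is Off.'

# Live mode: run as root on the Mac to evaluate the real device state.
preflight_live() {
  enroll=$(profiles status -type enrollment 2>/dev/null)
  fv=$(fdesetup status 2>/dev/null)
  if check_ade_enrollment "$enroll"; then
    echo "enrollment: ADE (OK for Platform SSO)"
  else
    echo "enrollment: not ADE (expect inconsistent Platform SSO behavior)"
  fi
  if check_filevault_on "$fv"; then
    echo "filevault: on (if enabled before Platform SSO, verify the escrowed key after rollout)"
  else
    echo "filevault: off (Intune FileVault policy not yet applied)"
  fi
  # Platform SSO registration state (macOS 13+); shown rather than parsed because
  # the output layout varies across macOS versions.
  app-sso platform -s 2>/dev/null || echo "app-sso: not available on this host"
}

if [ "${1:-}" = "--live" ]; then preflight_live; fi
```

Run it with `--live` on the Mac itself; without the flag it only defines the check functions so the parsing can be exercised against the samples.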


Password Sync Requires Connectivity

Offline password changes will not sync immediately.

Users need to be online for the local macOS password and Microsoft Entra ID password to stay synchronized.


Do Not Mix Authentication Methods Without a Plan

Password Sync and Secure Enclave are different Platform SSO methods.

Avoid mixing them across the same device group unless you have a clear reason and testing plan.


🤔 Why Not Use Secure Enclave?

Secure Enclave mode is useful, especially on newer Macs, but it is not the same as Password Sync.

Secure Enclave mode:

  • Does not sync passwords
  • Uses token-based authentication
  • Relies on cached tokens for FileVault unlock
  • Can feel less familiar to users who expect password changes to apply everywhere

Password Sync is usually the better fit when you want:

  • Microsoft Entra ID to be the source of truth for passwords
  • A consistent login experience
  • FileVault unlock using cloud credentials
  • A simpler experience for Microsoft 365 users

🧩 Why This Matters

For years, Mac authentication in Microsoft environments has been awkward.

Organizations wanted the cloud identity benefits of Microsoft Entra ID, but Macs still depended heavily on local accounts and local passwords.

Platform SSO with Password Sync helps close that gap.

It gives IT a more native way to manage macOS sign-in while giving users a login experience that feels familiar and predictable.


🤝 A Better macOS Login Experience

Platform SSO with Password Sync is a major improvement for organizations managing Macs with Microsoft Intune.

It gives users a consistent way to sign in, helps keep passwords synchronized, and supports FileVault unlock with cloud credentials.

For small and midsize businesses already using Microsoft 365, Intune, and Apple Business Manager, this is one of the cleanest ways to modernize macOS authentication without adding third-party tools or legacy directory dependencies.
