---
title: Configure iOS/iPadOS Enterprise SSO app extension with MDMs
description: Learn more about the Microsoft Enterprise single sign-on (SSO) plug-in. Add or create an iOS or iPadOS device configuration profile using the Microsoft Enterprise SSO plug-in app extension in Microsoft Intune, Jamf Pro, and other MDM solution providers.
ms.date: 07/14/2025
ms.topic: how-to
ms.reviewer: miepping, tbc, alessanc
ms.collection:
---
[!INCLUDE Apple SSO Boilerplate]
This feature applies to:

- iOS/iPadOS

For macOS, go to Configure Platform SSO for macOS devices in Microsoft Intune.
This article shows how to create an SSO app extension configuration policy for iOS/iPadOS Apple devices with Intune, Jamf Pro, and other MDM solutions.
[!INCLUDE Apple SSO app support]
To use the Microsoft Enterprise SSO plug-in on iOS/iPadOS devices:

- The device is managed by Intune.
  - The device must support the plug-in:
    - iOS/iPadOS 13.0 and newer
  - The Microsoft Authenticator app must be installed on the device. Users can install the Microsoft Authenticator app manually. Or, admins can deploy the app using Intune. For information on how to install the Microsoft Authenticator app, go to Manage Apple volume-purchased apps.
  - The Enterprise SSO plug-in requirements are configured, including the Apple network configuration URLs.
- The device is managed by Jamf Pro.
  - The device must support the plug-in:
    - iOS/iPadOS 13.0 and newer
  - The Microsoft Authenticator app must be installed on the device. Users can install the Microsoft Authenticator app manually. Or, admins can deploy the app using Jamf Pro. For instructions, see Deploying the Microsoft Authenticator App to End Users on the Jamf Learning Hub.
  - The Enterprise SSO plug-in requirements are configured, including the Apple network configuration URLs.
  - Jamf Pro and Intune integration for device compliance is not required to use the SSO app extension.
- The device is managed by a mobile device management (MDM) provider solution.
  - The MDM solution must support configuring Single Sign-on MDM payload settings for Apple devices with a device policy.
  - The device must support the plug-in:
    - iOS/iPadOS 13.0 and newer
  - The Microsoft Authenticator app must be installed on the device. Users can install the Microsoft Authenticator app manually. Or, admins can deploy the app using an MDM policy.
  - The Enterprise SSO plug-in requirements are configured, including the Apple network configuration URLs.
> [!NOTE]
> On iOS/iPadOS devices, Apple requires that the SSO app extension and the Microsoft Authenticator app be installed. Users don't need to use or configure the Microsoft Authenticator app; it just needs to be installed on the device.
[!INCLUDE Apple Kerberos Extension Boilerplate]
For more information on the single sign-on app extension, go to SSO overview and options for Apple devices in Microsoft Intune.
In the Microsoft Intune admin center, create a device configuration profile. This profile includes the settings to configure the SSO app extension on devices.
1. Sign in to the Microsoft Intune admin center.
2. Select Devices > Manage devices > Configuration > Create > New policy.
3. Enter the following properties:
   - Platform: Select iOS/iPadOS.
   - Profile type: Select Templates > Device features.
4. Select Create:

   :::image type="content" source="../media/enterprise-sso-plugin/ios-ipados-create-device-features.png" alt-text="Screenshot that shows how to create a device features configuration profile for iOS/iPadOS in Microsoft Intune." lightbox="../media/enterprise-sso-plugin/ios-ipados-create-device-features.png":::

5. In Basics, enter the following properties:
   - Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is iOS: SSO app extension.
   - Description: Enter a description for the policy. This setting is optional, but recommended.
6. Select Next.
7. In Configuration settings, select Single sign-on app extension, and configure the following properties:
   - SSO app extension type: Select Microsoft Entra ID.

     :::image type="content" source="../media/enterprise-sso-plugin/ios-ipados-device-features-sso-extension-type.png" alt-text="Screenshot that shows the SSO app extension type and Microsoft Entra ID for iOS/iPadOS in Intune.":::

   - Enable shared device mode:
     - Not configured: Intune doesn't change or update this setting. For most scenarios, including Shared iPad, personal devices, and devices with or without user affinity, select this option.
     - Yes: Select this option only if the targeted devices are using Microsoft Entra shared device mode. For more information, go to Shared device mode overview.
   - App bundle ID: Enter a list of bundle IDs for apps that don't support MSAL and are allowed to use SSO. For more information, go to Applications that don't use MSAL.
   - Additional configuration: To customize the end user experience, you can add the following properties. These properties are the default values used by the Microsoft SSO Extension, but they can be customized for your organization needs:

     [!INCLUDE Apple SSO Recommended Settings Table Boilerplate]

     When you're done configuring the settings and you're allowing Microsoft and Apple apps, the settings look similar to the following values in your Intune configuration profile:

     :::image type="content" source="../media/enterprise-sso-plugin/ios-ipados-sso-extension-additional-configuration.png" alt-text="Screenshot that shows the end user experience configuration options for the Enterprise SSO plug-in on iOS/iPadOS devices in Intune.":::

8. Continue creating the profile, and assign the profile to the users or groups that will receive these settings. For the specific steps, go to Create the profile.

   For guidance on assigning profiles, go to Assign user and device profiles.

When the device checks in with the Intune service, it receives this profile. For more information, go to Policy refresh intervals.

To check that the profile deployed correctly, in the Intune admin center, go to Devices > Manage devices > Configuration > select the profile you created and generate a report:

:::image type="content" source="../media/enterprise-sso-plugin/ios-ipados-enterprise-sso-profile-report.png" alt-text="Screenshot that shows the iOS/iPadOS device configuration profile deployment report in Intune.":::
In the Jamf Pro portal, you create a Computer or Device configuration profile. This profile includes the settings to configure the SSO app extension on devices.
1. Sign in to the Jamf Pro portal.
2. To create an iOS/iPadOS profile, select Devices > Configuration Profiles > New:

   :::image type="content" source="../media/enterprise-sso-plugin/ios-ipados-create-profile-jamf.png" alt-text="Screenshot that shows the Jamf Pro portal and how to create a configuration profile for iOS/iPadOS devices.":::

3. In Name, enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is: iOS/iPadOS: Microsoft Enterprise SSO plug-in.
4. In the Options column, scroll down and select Single Sign-On Extensions > Add:

   :::image type="content" source="../media/enterprise-sso-plugin/ios-ipados-sso-extensions-jamf.png" alt-text="Screenshot that shows the Jamf Pro portal. Select the configuration profiles SSO option and select add for iOS/iPadOS devices.":::

5. Enter the following properties:
   - Payload Type: Select SSO.
   - Extension Identifier: Enter `com.microsoft.azureauthenticator.ssoextension`.
   - Team Identifier: No value is needed. Leave the field blank.
   - Sign-On Type: Select Redirect.
   - URLs: Enter the following URLs, one at a time:
     - https://login.microsoftonline.com
     - https://login.microsoft.com
     - https://sts.windows.net
     - https://login.partner.microsoftonline.cn
     - https://login.chinacloudapi.cn
     - https://login.microsoftonline.us
     - https://login-us.microsoftonline.com

   :::image type="content" source="../media/enterprise-sso-plugin/ios-ipados-sso-extensions-settings-jamf.png" alt-text="Screenshot that shows the Jamf Pro portal and the payload type, extension identifier, team identifier, and SSO type settings for iOS/iPadOS devices.":::

   :::image type="content" source="../media/enterprise-sso-plugin/ios-ipados-sso-extensions-urls-jamf.png" alt-text="Screenshot that shows the Jamf Pro portal and the SSO URLs for iOS/iPadOS devices.":::

6. In Custom Configuration, you define other required properties. Jamf Pro requires that these properties are configured using an uploaded PLIST file. To see the full list of configurable properties, go to Microsoft Enterprise SSO plug-in for Apple devices documentation.

   The following example is a recommended PLIST file that meets the needs of most organizations:

   ```xml
   <?xml version="1.0" encoding="UTF-8"?>
   <plist version="1.0">
     <dict>
       <key>AppPrefixAllowList</key>
       <string>com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.</string>
       <key>browser_sso_interaction_enabled</key>
       <integer>1</integer>
       <key>disable_explicit_app_prompt</key>
       <integer>1</integer>
     </dict>
   </plist>
   ```

   :::image type="content" source="../media/enterprise-sso-plugin/ios-ipados-custom-configuration-plist-jamf.png" alt-text="Screenshot that shows a sample custom configuration with a PLIST file for Jamf Pro.":::

   These PLIST settings configure the following SSO Extension options. These properties are the default values used by the Microsoft SSO Extension, but they can be customized for your organization needs:

7. Select the Scope tab. Enter the computers or devices that should be targeted to receive the SSO Extension MDM profile.
8. Select Save.

When the device checks in with the Jamf Pro service, it receives the profile.
In the MDM portal, create a device configuration profile. This profile includes the settings to configure the SSO app extension on devices.
1. Sign in to the MDM portal.
2. Create a new device configuration profile.
3. Select a Single Sign-On Extensions or SSO extension option. The name varies depending on the MDM solution you're using.
4. Enter the following properties:

   | Key | Value |
   |---|---|
   | Payload Type | SSO |
   | Extension Identifier | `com.microsoft.azureauthenticator.ssoextension` |
   | Sign-On Type | Redirect |
   | URLs | - https://login.microsoftonline.com<br>- https://login.microsoft.com<br>- https://sts.windows.net<br>- https://login.partner.microsoftonline.cn<br>- https://login.chinacloudapi.cn<br>- https://login.microsoftonline.us<br>- https://login-us.microsoftonline.com |

5. Optionally, you can configure other properties. These properties are the default values used by the Microsoft SSO Extension, but they can be customized for your organization needs:
6. Assign the new policy to the devices that should be targeted to receive the SSO Extension MDM profile.

When the device checks in with the MDM service, it receives this profile.
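Because the same values appear in three consoles (the Jamf Pro custom-configuration PLIST above and the key/value table for other MDM solutions), it helps to keep one script that assembles the payload and checks it before you paste or upload it. The following Python script is an added example for this article; it is not part of the article, of Intune, of Jamf Pro, or of the Microsoft Enterprise SSO plug-in. It assumes Apple's extensible single sign-on payload layout (`PayloadType` of `com.apple.extensiblesso` with `ExtensionIdentifier`, `Type`, `URLs`, and `ExtensionData` keys); verify those names against Apple's payload reference. The `PayloadIdentifier` and `PayloadUUID` values are placeholders, and the sample bundle IDs in the usage section are constructed. The check function catches the two mistakes most often seen when the PLIST is hand-edited: a URL that isn't HTTPS or is missing from the list, and an integer flag typed as a string or boolean.

```python
import plistlib

# Values taken from this article's Jamf Pro and generic MDM sections.
EXTENSION_IDENTIFIER = "com.microsoft.azureauthenticator.ssoextension"
SSO_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
    "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn",
    "https://login.microsoftonline.us",
    "https://login-us.microsoftonline.com",
]
# Custom configuration from the article's recommended PLIST; it becomes ExtensionData.
EXTENSION_DATA = {
    "AppPrefixAllowList": "com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.",
    "browser_sso_interaction_enabled": 1,
    "disable_explicit_app_prompt": 1,
}

# Assumption: Apple's extensible SSO payload type and key names. Check them
# against Apple's payload reference before relying on this script.
PAYLOAD_TYPE = "com.apple.extensiblesso"


def build_sso_payload(extension_data=EXTENSION_DATA, urls=SSO_URLS):
    """Assemble the single payload dictionary an MDM delivers to the device."""
    return {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.sso.extension",  # placeholder, constructed here
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",  # placeholder
        "PayloadDisplayName": "Microsoft Enterprise SSO plug-in",
        "ExtensionIdentifier": EXTENSION_IDENTIFIER,
        "Type": "Redirect",
        "URLs": list(urls),
        "ExtensionData": dict(extension_data),
    }


def validate_sso_payload(payload):
    """Return a list of problems; an empty list means the payload matches the article."""
    problems = []
    if payload.get("PayloadType") != PAYLOAD_TYPE:
        problems.append("PayloadType is not %s" % PAYLOAD_TYPE)
    if payload.get("ExtensionIdentifier") != EXTENSION_IDENTIFIER:
        problems.append("ExtensionIdentifier doesn't name the Microsoft SSO extension")
    if payload.get("Type") != "Redirect":
        problems.append("Sign-On Type must be Redirect for the Microsoft plug-in")
    urls = payload.get("URLs", [])
    if not urls:
        problems.append("URLs is empty")
    for url in urls:
        if not url.startswith("https://"):
            problems.append("non-HTTPS URL: %s" % url)
    missing = sorted(set(SSO_URLS) - set(urls))
    if missing:
        problems.append("missing identity provider URLs: %s" % ", ".join(missing))
    # The two flags must be plist <integer> 0/1, not <string> or <true/>.
    data = payload.get("ExtensionData", {})
    for flag in ("browser_sso_interaction_enabled", "disable_explicit_app_prompt"):
        value = data.get(flag)
        if not isinstance(value, int) or isinstance(value, bool) or value not in (0, 1):
            problems.append("%s must be the integer 0 or 1, got %r" % (flag, value))
    return problems


def app_allowed(bundle_id, prefix_csv):
    """AppPrefixAllowList is a comma-separated list of bundle ID prefixes; an app
    is allowed to use SSO when its bundle ID starts with any listed prefix."""
    prefixes = [p.strip() for p in prefix_csv.split(",") if p.strip()]
    return any(bundle_id.startswith(p) for p in prefixes)


def payload_to_plist(payload):
    """Serialize to the XML plist text an MDM console accepts for upload."""
    return plistlib.dumps(payload)


def payload_from_plist(raw):
    """Parse an uploaded or exported plist back into a dictionary for checking."""
    return plistlib.loads(raw)


if __name__ == "__main__":
    payload = build_sso_payload()
    print("problems:", validate_sso_payload(payload) or "none")
    # Constructed sample bundle IDs to show the prefix match.
    for app in ("com.microsoft.Office.Outlook", "com.example.lineofbusiness"):
        print(app, "allowed" if app_allowed(app, EXTENSION_DATA["AppPrefixAllowList"]) else "blocked")
    print(payload_to_plist(payload).decode())
```

Run it after editing the PLIST and fix every reported problem before uploading; the printed plist is what `plistlib` considers well-formed, so a console that rejects it is pointing at a console-side restriction rather than a syntax issue.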
[!INCLUDE Apple iOS End User Experience Boilerplate]
> [!TIP]
> Learn more about how the SSO plug-in works and how to troubleshoot the Microsoft Enterprise SSO Extension with the SSO troubleshooting guide for Apple devices.
- For information about the Microsoft Enterprise SSO plug-in, go to Microsoft Enterprise SSO plug-in for Apple devices.
- For information from Apple on the single sign-on extension payload, go to single sign-on extensions payload settings (opens Apple's web site).
- For information on troubleshooting the Microsoft Enterprise SSO Extension, go to Troubleshooting the Microsoft Enterprise SSO Extension plugin on Apple devices.