How to stop Mac Mini from prompting for keychain on SSO login

Question

How to stop Mac Mini from prompting for keychain on SSO login

Adrian Caswell 10

A new Mac Mini has been enrolled into Intune via company portal app, and secured with SSO. The user signs in with their M365 credentials. We have 10 new Mac mini's all working OK this way. However, one user has somehow triggered the Mac to prompt for the creation of a Keychain and it asks for password. There are no smart cards attached to the machine, and smart card is not enabled in our tenant. No other machine or user account prompts for this. Another user can log into the same machine and are not prompted for a keychain. It is only the one user account. When entering a password or cancelling, MacOS just resets the login, rendering the machine unusable for this user only. Bur it's all OK for any other user. We found this user's account in Entra had applications associated with it which we have removed, but the problem persists. Has anyone got any ideas as to how we can resolve this?

JP 0 Reputation points

2025-11-10T04:00:21.94+00:00

I’m experiencing the same issue with Intune and macOS. After a device is registered through the Company Portal, users are initially able to log in with their Entra ID credentials without any problems. However, after some time, the next login attempt triggers a macOS keychain creation prompt. Once that prompt appears, users get stuck in a loop where the login fails and the prompt keeps coming back.

This behavior is happening consistently across all users in our environment. I’ve reviewed my Platform SSO policy multiple times but haven’t been able to identify the underlying cause. Out of the three authentication methods available for Platform SSO (Secure Enclave, Smart Card, and Password), we’re using Password.

At this point, the devices register successfully and users can sign in initially, but the recurring keychain prompt blocks subsequent logins and leaves them stuck.
Adrian Caswell 10 Reputation points

2025-11-10T09:25:40.49+00:00

Hi i found the answer ... and it's easier than you thinkAssuming all your devices are running MacOS 16 or 26, you won't need the Deprecated method at all. Second, you can safely change the Authentication method you set in your Platform SSO Policy from 'Password' to 'Secure Enclave'. I'm assuming that your macs have a local admin account, because you'll be prompted as an admin along the way to allow permission to allow some changes. Also the assumption is you've already enrolled the mac in using company portal. Now re-sync the mac devices with Intune, then on the mac itself add a new local user. Don't register with 365 yet, but instead sign-out of your Admin account. Now sign-in to the mac this time with the new local account. You'll be prompted Registration Required, which the end user should do with their 365 credentials along with MFA of course. Then allow Intune / Platform SSO to manage the machine, there is a new prompt for this with a big blue button takes you to the setting, click the slider and job is done. From now on the user signs in with the local account which is now secured by Intune. The keychain prompt never comes back.

4 answers

Your answer

JP 0 Reputation points

2025-11-10T04:00:21.94+00:00

I’m experiencing the same issue with Intune and macOS. After a device is registered through the Company Portal, users are initially able to log in with their Entra ID credentials without any problems. However, after some time, the next login attempt triggers a macOS keychain creation prompt. Once that prompt appears, users get stuck in a loop where the login fails and the prompt keeps coming back.

This behavior is happening consistently across all users in our environment. I’ve reviewed my Platform SSO policy multiple times but haven’t been able to identify the underlying cause. Out of the three authentication methods available for Platform SSO (Secure Enclave, Smart Card, and Password), we’re using Password.

At this point, the devices register successfully and users can sign in initially, but the recurring keychain prompt blocks subsequent logins and leaves them stuck.
Adrian Caswell 10 Reputation points

2025-11-10T09:25:40.49+00:00

Hi i found the answer ... and it's easier than you thinkAssuming all your devices are running MacOS 16 or 26, you won't need the Deprecated method at all. Second, you can safely change the Authentication method you set in your Platform SSO Policy from 'Password' to 'Secure Enclave'. I'm assuming that your macs have a local admin account, because you'll be prompted as an admin along the way to allow permission to allow some changes. Also the assumption is you've already enrolled the mac in using company portal. Now re-sync the mac devices with Intune, then on the mac itself add a new local user. Don't register with 365 yet, but instead sign-out of your Admin account. Now sign-in to the mac this time with the new local account. You'll be prompted Registration Required, which the end user should do with their 365 credentials along with MFA of course. Then allow Intune / Platform SSO to manage the machine, there is a new prompt for this with a big blue button takes you to the setting, click the slider and job is done. From now on the user signs in with the local account which is now secured by Intune. The keychain prompt never comes back.

Answer 1

I managed to fix the login loop problem with Platform SSO on macOS. The issue was caused by having the authentication method set to Password, which is now deprecated and not recommended by Microsoft. After wiping and re‑enrolling the Mac, I updated the Platform SSO configuration to use Secure Enclave instead. With Secure Enclave enabled, users can now sign in at the login window using their Microsoft Entra ID credentials, and the repeated login prompts are gone.

Unfortunately, the account created on the Mac is a local account, and its password is not synchronized with the user’s Microsoft Entra ID credentials. The local password is set at the time of first login and remains independent, even if the Entra ID password is later changed.

Answer 2

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Answer 3

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Answer 4

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

How to stop Mac Mini from prompting for keychain on SSO login

4 answers

Your answer