Managing macOS devices using Microsoft Intune
Platform SSO (PSSO) registration on macOS is tied to the user account, not only to the device.
From the documented behavior:
- Each user who signs in and uses Platform SSO must complete a registration flow in which they authenticate to Microsoft Entra ID and, when policy requires it, perform MFA. This process joins the device to Microsoft Entra ID and binds the workplace join (WPJ) certificate and SSO tokens to that user's context.
- After registration, the status is visible under System Settings > Users & Groups > Network Account Server > Edit, where Platform SSO is shown as Registered and the authentication method (Secure Enclave, Smart Card, or Password) is associated with the signed-in user.
- The guidance for shared-device scenarios explicitly instructs testing with a second user by logging out, choosing Other… at the login screen, and having the new user sign in with their Microsoft Entra ID UPN and password. That second user is expected to go through the setup/registration experience and then land on the desktop.
This confirms the following for the scenario described:
- PSSO registration is effectively per user: each user account that will use Platform SSO must complete its own registration so that SSO tokens and authentication method are correctly associated with that user.
- It is expected that a second user signing into the same Mac (including a local admin account that is being brought under PSSO) will be prompted to complete PSSO registration, even if another user has already registered on that device.
Regarding configuration to avoid repeated prompts for multiple users:
- Current guidance focuses on ensuring the Platform SSO profile is correctly deployed (via Intune), that the Registration required notification is completed, and that each user who needs SSO completes their own registration.
- The documentation does not describe any configuration that would suppress or "reuse" an existing PSSO registration from one user for another user on the same device, nor a setting that globally bypasses registration prompts for additional users. Instead, it provides troubleshooting and repair options (for example, System Settings > Users & Groups > Network Account Server > Edit > Repair on macOS 14 and later) for when registration fails or needs to be retriggered.
Therefore, the behavior observed—each new user on the same ADE‑enrolled, Intune‑managed Mac being prompted to complete PSSO registration—is expected and aligned with the per‑user registration model. No supported configuration is documented to eliminate those per‑user registration prompts; the available controls are around deploying the PSSO profile, ensuring prerequisites are met, and repairing or retriggering registration when needed.
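Because registration state is per user, the quickest way to audit a shared Mac is to sign in as each account and check the Platform SSO state from Terminal rather than clicking through System Settings for every user. The script below is an added example, not code from the Microsoft or Apple documentation listed above. It uses `dscl` to enumerate local accounts, Apple's `app-sso platform -s` to report the signed-in user's Platform SSO state, and `profiles list` to confirm the SSO extension profile is installed. The `registrationCompleted` field name that `registration_status` looks for is an assumption about the state output and should be confirmed against `app-sso platform -s` on your macOS build; the sample text fed to it is constructed.

```shell
#!/bin/sh
# Added example: audit Platform SSO registration on a shared, Intune-managed Mac.
# Not from the Microsoft/Apple docs; assumes macOS 13+ with dscl, profiles and app-sso.

# Local (non-system) accounts: macOS assigns real users a UniqueID of 500 or higher.
local_user_accounts() {
  dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'
}

# Is the Platform SSO extension profile installed at the computer level?
# Prints "present" or "missing". The ExtensionIdentifier is Microsoft's
# Company Portal SSO extension as shipped in the PSSO profile.
sso_profile_installed() {
  if profiles list 2>/dev/null | grep -q 'com.microsoft.CompanyPortalMac.ssoextension'; then
    echo present
  else
    echo missing
  fi
}

# Classify app-sso state text read from stdin. The field name
# "registrationCompleted" is an ASSUMPTION about the tool's output format;
# verify it against `app-sso platform -s` on your build before relying on it.
# Prints "registered" or "not-registered".
registration_status() {
  if grep -q 'registrationCompleted: true'; then
    echo registered
  else
    echo not-registered
  fi
}

# Report for the user running the script. app-sso reads the signed-in user's
# keychain/Secure Enclave state, so this must be run from that user's session;
# repeat it for every account listed by local_user_accounts.
report_current_user() {
  user="$(id -un)"
  state="$(app-sso platform -s 2>/dev/null | registration_status)"
  printf '%s: PSSO profile %s, user registration %s\n' \
    "$user" "$(sso_profile_installed)" "$state"
}

# Only run the macOS-specific commands when they exist (keeps the functions
# usable on other systems, e.g. for testing the parser).
if command -v app-sso >/dev/null 2>&1; then
  echo "Local accounts that each need their own PSSO registration:"
  local_user_accounts
  echo
  report_current_user
fi
```

Run it once per account (each user signing in, then running the script) and compare the results: an account reporting `not-registered` while the profile is `present` is exactly the case the documentation expects to resolve through that user's own registration prompt, or through Repair if the prompt was dismissed.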
References:
- Platform SSO configuration guide for macOS devices using Microsoft Intune
- Join a Mac device with Microsoft Entra ID during the out of box experience with macOS PSSO
- Join a Mac device with Microsoft Entra ID and configure it for shared device scenarios
- Join a Mac device with Microsoft Entra ID using Company Portal
- Configuring macOS Platform SSO (PSSO) to meet NIST SP 800-63 and EO 14028 Requirements