This guide applies to Mac computers
About Passport with Microsoft Entra ID Mac Login
Passport with Microsoft Entra ID Mac Login signs users in at the Mac login window with their Microsoft Entra ID username and password. For Web Login (Microsoft Entra ID sign-in in the Passport web view, including when you need MFA), use Configure Passport with Microsoft Entra ID - Web Login.How It Works
Passport integrates with your Microsoft Entra ID tenant to authenticate users at the macOS login screen using standard username and password fields. When users enter their Entra ID credentials, Passport verifies them against your tenant and creates or updates the local Mac user account.Prerequisites
- Access to a Microsoft Entra ID admin account that can grant the Passport app the correct permissions.
- Microsoft Entra ID
Iru Endpoint
Create the App Registration
Sign in to Microsoft Entra admin center
Sign in to the Microsoft Entra admin center using a Global Administrator account.
Configure application details
On the Register an application dialog, enter a name for the new application (such as Iru Passport Mac Login).
Set supported account types
Under Supported account types, open the drop-down and select Single tenant only (the option also shows your tenant name, for example Single tenant only - Accuhive). Passport should be single-tenant in your organization only. See Register an application in Microsoft Entra ID.
For more information about redirect URI restrictions, platform types, and best practices, see Microsoft’s redirect URI documentation.
Configure Application Details
Prepare secure document
Open a secure text document where the values for this OIDC app can be temporarily stored. You will need these details when you configure the Passport Library Item.
Copy Application ID
On the Overview page, copy the Application (client) ID to a temporary secure text document.
Copy metadata document
Copy the OpenID Connect metadata document (identity provider URL) to your temporary secure text document.
Select groups
Select All groups.
Entra ID SAML only supports up to 150 security groups. If you have more than 150 security groups, you should not use All groups, but rather select specific groups. You can read more in Microsoft’s Configure group claims for applications by using Microsoft Entra ID article.
Configure API Permissions
Expand OpenID permissions
Confirm that the OpenID permissions section is expanded. If it is not expanded, click the expand icon next to OpenID permissions.
Confirm User.Read selection
In the User section, confirm that User.Read is already selected. If User.Read isn’t selected, select it.
Grant admin consent
While still on the API permissions page, select Grant admin consent for [your tenant].
Assign Users and Groups
By default, when you create a new App registration, the “Assignment required?” attribute is set to “No”. However, if your Passport Enterprise app is set to require assignment, follow these steps to assign users so they can use your Passport app.
Select your Passport app
In the All applications list, select Iru Passport Mac Login or whatever name you named the App registration in the previous section.
Check assignment requirement
Inspect the Assignment required? setting. If it is set to “No,” then you can skip the rest of this section. All users in Entra ID will be able to use the Passport app.
Configure visibility
Confirm that Visible to users? is set to No; otherwise, users will see the app in their portal. The Passport app is only useful as a replacement for the macOS login window.
Access Users and Groups
If the Assignment required? setting is set to “No,” you can skip the remaining steps in this section and continue to the next section. If it is set to “Yes,” proceed with the following steps to assign users and groups.
Choose users and groups
A list of users and security groups is displayed. You can search for a specific user or group or select multiple users and groups that appear in the list.
Confirm selection
After you have selected your users and groups, select Select.If you see the message below, it means that a free tier is being used. You can only add users (not groups) to the Passport Enterprise App..png?fit=max&auto=format&n=2JN9EXN6FEm5sMxP&q=85&s=4bd38e97502d55069ffba70303e5f94b)
Microsoft Entra ID Conditional Access Considerations
Complete the steps below to register Passport - CA Policy API, add its scope to your Passport app, and exclude that app from applicable policies. Skip this section if you do not use Conditional Access. When you finish, add the scope under Additional scopes (optional) in Authentication Mode on the Iru Endpoint tab.Create the Passport - CA Policy API application
Create this application registration so Passport can request a scope beyond baseline scopes.Open App registrations
Sign in to the Microsoft Entra admin center and open Entra ID > App registrations.
Register the application
Select + New registration. Enter Passport - CA Policy API as the name, under Supported account types select Single tenant only, and leave Redirect URI empty. Select Register.
Grant admin consent for Microsoft Graph
Open API permissions. If admin consent is not already granted, select Grant admin consent for [your tenant].
Set Application ID URI
Review the Application ID URI. Entra ID suggests a default value (for example,
api://cca588ed-dfe6-4fb4-b695-abfa23b6475a). The default is fine. Select Save and continue. You do not need to copy this URI; copy the scope URI in Copy the scope URI below.Configure the Passport scope
For Scope name, enter 
Passport without spaces or special characters. Leave Who can consent at the default. Enter a display name and description in the Admin consent fields, then select Add scope.Copy the scope URI
Next to the scope URI in the Scopes list (for example,
api://cca588ed-dfe6-4fb4-b695-abfa23b6475a/Passport), select Copy. Save it for Add Additional scopes in Authentication Mode on the Iru Endpoint tab.Add the custom scope to your Passport app registration
Open your Passport app registration
If you aren’t already signed in, sign in to the Microsoft Entra admin center and open Entra ID > App registrations. Open the application you use for Passport Mac Login.
Select Passport - CA Policy API
Open the APIs my organization uses tab and select Passport - CA Policy API.
Add the Passport delegated permission
Select Delegated permissions, select the Passport permission, then select Add permissions.
Exclude Passport - CA Policy API from All resources policies
If you use Conditional Access, exclude Passport - CA Policy API from each policy scoped to All resources. Policies scoped to All resources include sign-ins that use theopenid scope. Excluding Passport - CA Policy API removes the MFA requirement for ROPG, which Passport uses for password verification and synchronization in Mac Login.Open Conditional Access
In the Microsoft Entra admin center, open Protection > Conditional Access > Policies.
Open a policy scoped to All resources
Select each policy scoped to All resources, then open Target resources.
Exclude Passport - CA Policy API
Open the Exclude tab, select Select resources, then select Passport - CA Policy API. Select Select, then Save.
If Save fails, confirm that Passport - CA Policy API does not allow public client flows. If the app has a redirect URI configured, remove it and try again.
User Account Provisioning via Passport
If you want Passport to set each user’s Mac account type from Entra ID security group membership, collect each group’s Object ID in the Microsoft Entra admin center using the steps in this section. You will use those values under User provisioning on the Passport Library Item Iru Endpoint tab. For more detail on this mode, see User provisioning in Configure the Passport Library Item.The number of security groups supported by Entra is 150 for SAML assertions. In larger organizations, the number of groups where a user is a member might exceed the limit that Microsoft Entra ID applies before emitting group claims in a token. Exceeding this limit will cause Microsoft Entra ID to omit group claims from the token.Access Groups
Sign in to the Microsoft Entra admin center. In the Identity navigation menu on the left, open Groups and select All groups.
Repeat for additional Entra ID groups
For each additional Entra ID group you want to use, repeat Select group and Copy Object ID. Keep the Object ID values in a secure document until you enter them on the Iru Endpoint tab.
Configure Authentication mode and User provisioning in the Passport Library Item on the Iru Endpoint tab.
Required Changes Before June 15, 2026
On June 15, 2026, Microsoft Entra ID starts enforcing Conditional Access more broadly for policies that target All resources (formerly All cloud apps) and include resource exclusions. Sign-ins that request only baseline scopes, includingopenid, profile, email, and User.Read, will be subject to those policies.
If you are not licensed for Conditional Access, this change does not apply to your organization. It applies only when policies target All resources with one or more resource exclusions and users sign in through applications that request only baseline scopes. If you do not use that policy layout, you are not affected. Policies that target All resources with no resource exclusions are also outside this change.
If you skip these updates
If you do not prepare before June 15, 2026:- New users might not be able to sign in with Passport.
- Password sync and state management can stop working.
- Microsoft Entra ID might record extra failed sign-in events.
If you do not use Conditional Access policies
If you do not use Conditional Access, or you want the old behavior across your tenant while you test:Register a placeholder application
Register a single-tenant application in Microsoft Entra ID to serve as the custom target resource for baseline scopes. No additional configuration is required during registration. See Create an application in Customize behavior.
Exclude the application from the relevant policy
In each Conditional Access policy where you need to retain legacy behavior, exclude the placeholder application from Target resources. See Exclude the application from the relevant policy in Microsoft’s documentation.
Select the application in Baseline scopes settings
Open Baseline scopes settings, select Customize behavior, select the placeholder application, then select Save. See Select the application in the Baseline scopes settings UX in Microsoft’s documentation.
If you use Conditional Access policies
If you use Conditional Access with Passport Mac Login, complete the steps below before June 15, 2026.Step 1 — Create the Passport - CA Policy API application
Open App registrations
Sign in to the Microsoft Entra admin center and open Entra ID > App registrations.
Register the application
Select + New registration. Enter Passport - CA Policy API as the name, under Supported account types select Single tenant only, and leave Redirect URI empty. Select Register.
Grant admin consent for Microsoft Graph
Open API permissions. If admin consent is not already granted, select Grant admin consent for [your tenant].
Set Application ID URI
Review the Application ID URI. Entra ID suggests a default value (for example,
api://cca588ed-dfe6-4fb4-b695-abfa23b6475a). The default is fine. Select Save and continue. You do not need to copy this URI; copy the scope URI in Copy the scope URI below.Configure the Passport scope
For Scope name, enter
Passport without spaces or special characters. Leave Who can consent at the default. Enter a display name and description in the Admin consent fields, then select Add scope.Step 2 — Add the custom scope to your Passport app registration
Open your Passport app registration
If you aren’t already signed in, sign in to the Microsoft Entra admin center and open Entra ID > App registrations. Open the application you use for Passport Mac Login.
Select Passport - CA Policy API
Open the APIs my organization uses tab and select Passport - CA Policy API.
Add the Passport delegated permission
Select Delegated permissions, select the Passport permission, then select Add permissions.
Step 3 — Exclude Passport - CA Policy API from All resources policies
Policies scoped to All resources include sign-ins that use theopenid scope. Excluding Passport - CA Policy API removes the MFA requirement for ROPG, which Passport uses for password verification and synchronization in Mac Login.
Open Conditional Access
In the Microsoft Entra admin center, open Protection > Conditional Access > Policies.
Open a policy scoped to All resources
Select each policy scoped to All resources, then open Target resources.
Exclude Passport - CA Policy API
Open the Exclude tab, select Select resources, then select Passport - CA Policy API. Select Select, then Save.
If Save fails, confirm that Passport - CA Policy API does not allow public client flows. If the app has a redirect URI configured, remove it and try again.
Step 4 — Update your Passport Library Item
Open the Passport Library Item
In Iru Endpoint, open Library and edit your Passport Library Item configured for Microsoft Entra ID Mac Login.
Add the scope URI
On the Iru Endpoint tab, paste the scope URI from step 1 above into Additional scopes (optional), then select Save.