This guide applies to Mac computers
This article goes over configuring Passport to use Mac login. If you’re using MFA, or want to configure Web Login, please see Configure Passport with Microsoft Entra ID - Web Login.

About Passport with Microsoft Entra ID Mac Login

Passport with Microsoft Entra ID Mac Login enables users to log into Mac computers using their Microsoft Entra ID credentials through a standard username/password interface. This method is ideal for environments without multi-factor authentication requirements.

How It Works

Passport integrates with your Microsoft Entra ID tenant to authenticate users at the macOS login screen using standard username and password fields. When users enter their Entra ID credentials, Passport verifies them against your tenant and creates or updates the local Mac user account.

Prerequisites

  • Access to a Microsoft Entra ID admin user account to grant the Passport app the proper permissions

Create the App Registration

1. Sign in to Microsoft Entra admin center
   Sign in to the Microsoft Entra admin center using a Global Administrator account.
2. Navigate to Identity
   Open the portal menu and then select Identity.
3. Access App registrations
   On the Identity menu, under Applications, select App registrations.
4. Start new registration
   On the App registrations page, select + New registration on the menu.
5. Configure application details
   On the Register an application dialog, enter a name for the new application (such as “Iru Passport Mac Login”).
6. Set account type
   Choose Accounts in this organizational directory only.
7. Configure redirect URI
   In the Redirect URI section, in the Select a platform drop-down, choose Web.
8. Enter redirect URI
   In the URI field, enter the following: https://localhost.redirect
9. For more information about redirect URI restrictions, platform types, and best practices, see Microsoft’s redirect URI documentation.
10. Complete registration
   Click Register.

Configure Application Details

1. Prepare secure document
   Open a secure text document where the values for this OIDC app can be temporarily stored. You will need these details when you configure the Passport Library Item.
2. Copy Application ID
   On the Overview page, copy the Application (client) ID to a temporary secure text document.
3. Access endpoints
   While still on the Overview page, click Endpoints.
4. Copy metadata document
   Copy the OpenID Connect metadata document (identity provider URL) to a temporary secure text document.
5. Access Authentication settings
   On the left, select Authentication.
6. Enable mobile and desktop flows
   Set Enable the following mobile and desktop flows to Yes.
7. Save authentication settings
   Click Save.
8. Access Token configuration
   On the left, select Token configuration.
9. Add optional claim
   Click Add optional claim.
10. Configure token type
   For the Token type, select ID.
11. Select claim
   For the Claim, select preferred_username.
12. Add the claim
   Click Add.
13. Add groups claim
   While still on the Token configuration page, click Add groups claim.
14. Select groups
   Select All groups.
   Entra ID SAML only supports up to 150 security groups. If you have more than 150 security groups, you should not use All groups, but rather select specific groups. You can read more in Microsoft’s Configure group claims for applications by using Microsoft Entra ID article.
15. Add groups claim
   Click Add.
   Once you complete the token configurations, you will see both optional claims.

Configure API Permissions

1. Access API Permissions
   Select API Permissions.
2. Add permission
   Click Add a permission.
3. Select Microsoft Graph
   Click Microsoft Graph.
4. Select delegated permissions
   Select Delegated permissions.
5. Expand OpenID permissions
   Confirm that the OpenId permissions section is expanded. If the OpenId permissions section isn’t expanded, click the icon next to the OpenId permissions section to expand it.
6. Select email permission
   Select email.
7. Select profile permission
   Select profile.
8. Search for User.Read permission
   In the Select permissions field, enter User.Read.
9. Confirm User.Read selection
   In the User section, confirm that User.Read is already selected. If User.Read isn’t selected, select it.
10. Add permissions
   Click Add permissions.
11. Grant admin consent
   While still on the API permissions page, select Grant admin consent for <your_tenant_name>.
12. Confirm admin consent
   Select Yes.
   You should see a notification similar to the one below, and you should see a “Granted for <your_tenant_name> …” message in the Status column next to each permission.
   [Screenshot: Microsoft Entra ID API permissions showing Granted for tenant status]

Assign Users and Groups

By default, when you create a new App registration, the “Assignment required?” attribute is set to “No”. However, if your Passport Enterprise app is set to require assignment, you will need to follow these steps to assign users in order to be able to use your Passport app.
1. Access Enterprise Applications
   In the Identity navigation menu on the left, open Applications and select Enterprise Applications.
2. Select your Passport app
   In the All applications list, select Iru Passport Mac Login, or whatever name you gave the App registration in the previous section.
3. Access Properties
   Under Manage, select Properties.
4. Add logo (optional)
   Optionally, add a logo to your Enterprise App.
5. Check assignment requirement
   Inspect the Assignment required? setting. If it is set to “No,” you can skip the rest of this section; all users in Entra ID will be able to use the Passport app.
6. Configure visibility
   Confirm that the Visible to users? setting is toggled to “No”; otherwise, users will see it in their portal. The Passport app is only useful as a replacement for the macOS login window.
7. Save properties
   Click Save.
8. Access Users and Groups
   If the Assignment required? setting is set to “No,” you can skip the remaining steps in this section and continue to the next section. If it is set to “Yes,” proceed with the following steps to assign users and groups.
   Under Manage, select Users and Groups.
9. Add user or group
   On the menu, select + Add user/group.
10. Select users and groups
   On the Add Assignment dialog, select the link under Users and groups.
11. Choose users and groups
   A list of users and security groups is displayed. You can search for a specific user or group, or select multiple users and groups that appear in the list.
12. Confirm selection
   After you have selected your users and groups, select Select. If you see the message below, a free tier is being used, and you can only add users (not groups) to the Passport Enterprise App.
   “Groups are not available for assignment due to Active Directory plan level”
13. Complete assignment
   Select Assign to finish the assignment of users and groups to the app.
14. Verify assignment
   Confirm that the users and groups you added appear in the Users and groups list.
15. Review configuration
   With this portion of the Entra ID configuration complete, review the remaining sections of this article for your Microsoft Entra ID environment.

Microsoft Entra ID Conditional Access Considerations

Microsoft Entra ID Conditional Access is included with Microsoft Entra ID Premium or better. Be sure to turn off both per-user MFA and Security defaults before you turn on Microsoft Entra ID Conditional Access policies.
When using the Mac Login Passport Configuration only: If Entra ID is configured with a Microsoft Entra ID Conditional Access policy that specifies MFA as a requirement and specifies all or specific cloud apps, you’ll need to exclude the Enterprise application that you use for Passport from that policy. Another way to describe such a policy is that the policy uses both of these criteria:
  • Assignments: Target resources: Cloud apps: All cloud apps or Select apps
  • Access controls: Grant: Grant access: Require multifactor authentication
Here’s an example of a policy that you don’t need to modify because it doesn’t use both of the criteria above (specifically, although it has the grant of Require multifactor authentication, it doesn’t have the assignment for Target resources).
[Screenshot: Conditional Access policy that does not need modification, showing Require MFA without Target resources]
Here’s an example of a policy that you do need to modify to exclude the Enterprise application for Iru Passport because the policy uses both criteria:
[Screenshot: Conditional Access policy that must be modified to exclude the Iru Passport Enterprise application]
For you to exclude the Enterprise application, it needs to have a Redirect URI value, as seen in step 8 in the create the app registration section of this article.

Add the Cloud App Exclusion

Exclude the Enterprise app you use for Iru Passport for each applicable policy.
1. Access Protection settings
   In the Microsoft Entra admin center, open the portal menu and then select Protection.
2. Navigate to Conditional Access
   On the Protection menu, select Conditional Access.
3. Access Policies
   On the Conditional Access page, select Policies.
4. Review policies
   Confirm that the portal displays each policy with a Policy Name and a State (among other information).
5. Select active policy
   Select a policy that has the State of On.
6. Check and access target resources
   If the Target resources section displays No target resources selected, return to the previous step and select the next policy. Otherwise, click the link under Target resources.
7. Exclude cloud apps
   Click Exclude.
8. Review excluded apps
   Review the list of excluded cloud apps (there may be no excluded cloud apps). If the Enterprise app for Iru Passport is already excluded, you can return to step 3 and proceed to the next policy.
9. Select excluded cloud apps
   Click the text link under Select excluded cloud apps.
10. Search for Passport app
   In the Search field, enter the name of the Enterprise app you use for Iru Passport. Note that the search doesn’t match any part of the name; you need to enter at least the start of the name.
11. Select Passport app
   Select the checkbox for your Enterprise app for Iru Passport from the search results.
12. Confirm selection
   At the bottom of the Select excluded cloud apps blade, click Select.
13. Verify exclusion
   Confirm that the Enterprise app was added to the list of excluded apps.
14. Save policy
   In the lower-left corner of the page, click Save.
15. Repeat for other policies
   Go back to step 3 and repeat for the next policy until you have examined or updated every Conditional Access policy.
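The manual walk through every policy above boils down to two criteria (target resources set to all or selected cloud apps, and a grant of Require multifactor authentication) plus a check that the Passport Enterprise app sits on the exclusion list. The following is an added example written for this article, not Iru's own code: it audits a list of policy records for those criteria and reports the enabled policies that still lack the exclusion. The policy records are constructed samples shaped like the Microsoft Graph conditionalAccessPolicy resource (state, conditions.applications.includeApplications / excludeApplications, grantControls.builtInControls), and the Passport app ID is a placeholder; in practice you would feed it the output of a Graph query for your tenant's policies.

```python
"""Audit Conditional Access policies for the two criteria described in the
article and list the enabled policies that do not yet exclude the Passport
Enterprise application. Added example; not part of Iru's or Microsoft's code."""

# Placeholder: the Application (client) ID of the Passport Enterprise app.
PASSPORT_APP_ID = "00000000-0000-0000-0000-00000000aaaa"

# Constructed sample policies (field names follow the Graph
# conditionalAccessPolicy resource; values are made up for this example).
SAMPLE_POLICIES = [
    {   # Both criteria, Passport not excluded: needs modification.
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {"applications": {"includeApplications": ["All"],
                                        "excludeApplications": []}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {   # Both criteria, but Passport already excluded: nothing to do.
        "displayName": "Require MFA for selected apps",
        "state": "enabled",
        "conditions": {"applications": {
            "includeApplications": ["11111111-1111-1111-1111-111111111111"],
            "excludeApplications": [PASSPORT_APP_ID]}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {   # MFA grant but no target resources (user action only): skip (step 6).
        "displayName": "Require MFA to register security info",
        "state": "enabled",
        "conditions": {"applications": {
            "includeApplications": [],
            "includeUserActions": ["urn:user:registersecurityinfo"]}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {   # Disabled policy: not examined (step 5 selects policies with State On).
        "displayName": "Old MFA policy",
        "state": "disabled",
        "conditions": {"applications": {"includeApplications": ["All"]}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
]


def _apps(policy: dict) -> dict:
    return policy.get("conditions", {}).get("applications", {}) or {}


def targets_cloud_apps(policy: dict) -> bool:
    """Criterion 1: Target resources is All cloud apps or a list of selected apps."""
    return len(_apps(policy).get("includeApplications", [])) > 0


def requires_mfa(policy: dict) -> bool:
    """Criterion 2: the grant control includes Require multifactor authentication."""
    controls = policy.get("grantControls") or {}
    return "mfa" in [c.lower() for c in controls.get("builtInControls", [])]


def excludes_app(policy: dict, app_id: str) -> bool:
    """True when the given app ID is already on the policy's exclusion list."""
    excluded = [a.lower() for a in _apps(policy).get("excludeApplications", [])]
    return app_id.lower() in excluded


def policies_needing_exclusion(policies: list, app_id: str) -> list:
    """Names of enabled policies that meet both criteria and do not exclude app_id."""
    return [
        p["displayName"]
        for p in policies
        if p.get("state") == "enabled"
        and targets_cloud_apps(p)
        and requires_mfa(p)
        and not excludes_app(p, app_id)
    ]


if __name__ == "__main__":
    for name in policies_needing_exclusion(SAMPLE_POLICIES, PASSPORT_APP_ID):
        print(f"Exclude the Passport app from: {name}")
```

Report-only policies (state enabledForReportingButNotEnforced) are deliberately left out, matching step 5, which only examines policies whose State is On; widen the state check if you also want those flagged ahead of enforcement.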

User Account Provisioning via Passport

If you use the Specify per identity provider group option in the Passport Library Item, use the Entra ID group Object ID in the Identity provider group field.
The number of security groups supported by Entra is 150 for SAML assertions. In larger organizations, the number of groups where a user is a member might exceed the limit that Microsoft Entra ID applies before emitting groups claims in a token. Exceeding this limit will cause Microsoft Entra ID to completely omit the group claims from the token.
1. Access Groups
   Sign in to the Microsoft Entra admin center. In the Identity navigation menu on the left, open Groups and select All groups.
2. Select group
   Select the group that you want to use.
3. Copy Object ID
   Copy the Object Id for that group.
4. Configure Passport Library Item
   In the Iru Endpoint Passport Library Item, in the User Provisioning section, paste the value from the previous step into the Identity provider group field.
5. Repeat for additional groups
   Repeat the previous steps for each additional Entra ID group you want to use.
6. Save configuration
   In the Passport Library Item, click Save.
  • If you set the default account type to standard user, only add administrator account types in the Identity provider groups. Unless otherwise specified as administrators in your Identity provider groups, all users will be created as standard users by default.
  • If you set the default account type to administrators, only add standard account types in the Identity provider groups. All users will be created as administrators by default unless otherwise specified as standard users in your Identity provider groups.
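Two pieces of this article are easy to get wrong and worth checking against a real token: the Token configuration section adds preferred_username and groups as optional ID token claims (and warns that past the group limit the groups claim is omitted), and the provisioning rules in the two bullets above flip the default account type for members of the configured Identity provider groups, which must be Entra group Object IDs. The following is an added example written for this article, not Passport's or Microsoft's code. It decodes the payload of an ID token, reports whether the expected claims are present (treating a missing groups claim accompanied by Entra's _claim_names overage indicator as the limit case), validates that configured group values are Object IDs, and applies the account-type rule. The token is a constructed, unsigned sample with fake IDs; a real ID token must have its signature verified before any claim in it is trusted.

```python
"""Inspect an Entra ID ID token for the claims Passport Mac Login relies on
and apply the provisioning rule for default account type vs. identity
provider groups. Added example for this article; not Passport's own code."""
import base64
import json
import uuid

# Constructed sample claims (fake client ID, user and group Object IDs).
SAMPLE_CLAIMS = {
    "aud": "00000000-0000-0000-0000-00000000aaaa",   # placeholder client ID
    "preferred_username": "jdoe@example.com",
    "groups": [
        "11111111-1111-1111-1111-111111111111",
        "22222222-2222-2222-2222-222222222222",
    ],
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def encode_jwt_unsigned(claims: dict) -> str:
    """Build an unsigned three-part JWT for test data only (alg: none)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_payload(token: str) -> dict:
    """Return the payload claims. This does NOT validate the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_passport_claims(claims: dict) -> dict:
    """Report the optional claims added under Token configuration.
    If 'groups' is missing but '_claim_names' names it, Entra hit the
    group limit and emitted an overage indicator instead of the list."""
    has_groups = isinstance(claims.get("groups"), list)
    overage = not has_groups and "groups" in (claims.get("_claim_names") or {})
    return {
        "preferred_username": claims.get("preferred_username"),
        "groups_present": has_groups,
        "groups_overage": overage,
    }


def is_object_id(value: str) -> bool:
    """The Identity provider group field expects the group's Object ID (a GUID)."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def resolve_account_type(claims: dict, default_type: str, idp_groups: list) -> str:
    """Provisioning rule from the article: users get default_type unless they
    are in one of the configured identity provider groups, which gives them
    the other type ('standard' <-> 'administrator')."""
    if default_type not in ("standard", "administrator"):
        raise ValueError("default_type must be 'standard' or 'administrator'")
    for gid in idp_groups:
        if not is_object_id(gid):
            raise ValueError(f"not an Entra group Object ID: {gid!r}")
    member = {g.lower() for g in claims.get("groups", [])}
    if member & {g.lower() for g in idp_groups}:
        return "administrator" if default_type == "standard" else "standard"
    return default_type


if __name__ == "__main__":
    claims = decode_payload(encode_jwt_unsigned(SAMPLE_CLAIMS))
    print(check_passport_claims(claims))
    print(resolve_account_type(claims, "standard",
                               ["11111111-1111-1111-1111-111111111111"]))
```

A practical use of check_passport_claims is to run it on a token obtained for a test user who belongs to many groups: groups_overage being True is the symptom the article warns about, and the fix is selecting specific groups instead of All groups in the groups claim.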

Microsoft Entra ID Troubleshooting

If you are experiencing issues with Entra ID Passport, please visit our Passport Troubleshooting with Microsoft Entra ID (formerly Azure AD) support article to learn more about common troubleshooting steps.

Next Steps

Please proceed to the Configure the Passport Library Item support article to finalize your setup.