This guide applies to Mac computers
This article goes over configuring Passport to use Web login. If you want to configure Mac Login, please see Configure Passport with Microsoft Entra ID - Mac Login.

About Passport with Microsoft Entra ID Web Login

Passport with Microsoft Entra ID Web Login enables users to log into Mac computers using their Microsoft Entra ID credentials through a web-based authentication interface. Because the credential and any multi-factor authentication (MFA) challenge are handled on your tenant's own sign-in page rather than by the Mac, the MFA you enforce in Entra ID applies to the Mac login window as well.

How It Works

Passport integrates with your Microsoft Entra ID tenant to authenticate users at the macOS login screen using a web view that displays your organization’s Entra ID login page. This allows for full MFA support and provides a familiar authentication experience for users.

Prerequisites

You will need access to a Microsoft Entra ID admin user account to grant the Passport app the correct permissions. For instructions on configuring multi-factor authentication (MFA) within Microsoft Entra ID, please see this Microsoft guide.

Create the App Registration

1. Sign in to the Microsoft Entra admin center using a Global Administrator account. If your tenant prefers not to use a Global Administrator for routine app setup, the less privileged Cloud Application Administrator or Application Administrator role can also create the registration and grant admin consent for the delegated Microsoft Graph permissions used below.
2. In the sidebar, under the Entra ID category, select App registrations.
3. On App registrations, select + New registration on the menu.
[Screenshot: Microsoft Entra ID App registrations with New registration for Passport]
4. Enter a name for the new application (such as Iru Passport Web Login).
5. Under Supported account types, choose Single tenant only - (<tenant name>), so that only accounts in your own directory can sign in to the Mac.
6. In the Redirect URI section, open the Select a platform drop-down and choose Public client/native (mobile & desktop).
7. In the URI field, enter https://localhost. You will enter exactly the same value when you configure the Passport Library Item; Entra ID refuses the sign-in if the redirect URI the client sends does not match a registered one. For more information about redirect URI restrictions, platform types, and best practices, see Microsoft's redirect URI documentation.
8. Click Register.
[Screenshot: Microsoft Entra ID New registration form showing name, supported account types, and redirect URI for Passport]

Collecting Configuration Details

Open a secure text document where the values for this OIDC app can be temporarily stored; you will need them when you configure the Passport Library Item. Neither value is a secret (a public client has no client secret), but keeping them together avoids transcription errors when you paste them into the Library Item.

Overview pane

Copy the Application (client) ID from the app's Overview pane; you'll need it for the Passport Library Item.
1. In the left menu, select Overview to open that pane.
2. Copy the Application (client) ID to your secure document.
[Screenshot: Microsoft Entra ID Overview pane showing Application (client) ID for Passport]

Endpoints pane

Copy the OpenID Connect metadata document URL from Endpoints; this is the identity provider URL Passport uses to discover your tenant's sign-in, token, and signing-key (jwks_uri) endpoints. It has the form https://login.microsoftonline.com/<tenant ID>/v2.0/.well-known/openid-configuration.
1. In the top menu, select Endpoints to open that pane.
[Screenshot: Microsoft Entra ID App registration with Endpoints pane for Passport]
2. Copy OpenID Connect metadata document (identity provider URL) to your secure document.
3. Click the X at the top right to close the Endpoints pane.
[Screenshot: Microsoft Entra ID Endpoints pane showing copy option and close button for Passport]

Authentication (Preview) pane

Enable public client flows so the Mac app can complete the sign-in flow without a client secret. This sets isFallbackPublicClient in the app's manifest: no client secret exists for the app, so none has to be stored on or distributed to Macs.
1. In the left menu, select Authentication (Preview) to open that pane.
2. Select the Settings tab.
3. Set Allow public client flows to Enabled.
4. Click Save.
[Screenshot: Microsoft Entra ID Authentication settings showing Allow public client flows enabled for Passport]

Token configuration pane

Add the required claims so the ID token includes the username and group membership Passport needs.
1. In the left menu, select Token configuration to open that pane.
2. Click Add optional claim.
3. For the Token type, select ID.
4. For the Claim, select preferred_username.
5. Click Add.
[Screenshot: Microsoft Entra ID Token configuration showing preferred_username optional claim and Add button for Passport]
6. Click Add groups claim.
7. Select All groups. The groups claim carries each group's Object ID, which is the value the User Account Provisioning section below uses.
Entra ID limits the groups claim to 200 groups in a JWT such as this ID token (150 for SAML). If a user belongs to more groups than that, the token carries a group overage claim instead of the list, and the group membership Passport reads from the token is missing. If your users can exceed the limit, do not select All groups; select Groups assigned to the application instead and assign the relevant groups to the Enterprise app. You can read more in Microsoft's Configure group claims for applications by using Microsoft Entra ID article.
8. Click Add.
[Screenshot: Microsoft Entra ID Token configuration Add groups claim for Passport]
Once you complete the token configuration, you will see both optional claims listed.
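As an added example (not Passport's or Microsoft's code), the Python script below inspects an Entra ID ID token for the claims configured above and checks its issuer against the OpenID Connect metadata URL collected from the Endpoints pane. The tenant ID, client ID, group IDs and tokens are constructed placeholders; a real token also carries an RS256 signature, which this script does not verify (Passport validates it with the keys under the metadata document's jwks_uri). It is a configuration check for a token captured from a test sign-in, not a replacement for that validation.

```python
"""Inspect an Entra ID ID token for the claims Passport Web Login relies on.

Added example, not Passport's or Microsoft's code. No signature check is
performed; the goal is to confirm that a captured token carries the expected
issuer, audience, preferred_username and groups claims, so a misconfigured
app registration is spotted before the Library Item is rolled out.
"""
import base64
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"


def expected_issuer(metadata_url: str) -> str:
    """Derive the v2.0 issuer from the OpenID Connect metadata document URL.

    https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration
    -> https://login.microsoftonline.com/<tenant>/v2.0
    """
    parsed = urlparse(metadata_url)
    if parsed.scheme != "https" or not parsed.path.endswith(WELL_KNOWN):
        raise ValueError("not an OIDC metadata document URL: %s" % metadata_url)
    return "%s://%s%s" % (parsed.scheme, parsed.netloc, parsed.path[: -len(WELL_KNOWN)])


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Return the (unverified) claims of a compact JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def check_passport_claims(token: str, client_id: str, metadata_url: str) -> dict:
    """Check the claims Passport needs and return a dict of findings."""
    claims = jwt_payload(token)
    findings = {
        "issuer_ok": claims.get("iss") == expected_issuer(metadata_url),
        "audience_ok": claims.get("aud") == client_id,   # ID token aud is the client ID
        "username": claims.get("preferred_username"),
        "groups": claims.get("groups"),
        "group_overage": False,
    }
    # Above the JWT limit (200 groups) Entra ID omits the list and emits
    # _claim_names/_claim_sources pointing at Microsoft Graph instead.
    if "groups" in claims.get("_claim_names", {}):
        findings["group_overage"] = True
    return findings


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed sample token; a real one is RS256-signed."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "signature-placeholder"])


# Constructed placeholder values; replace with your tenant's metadata URL and client ID.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_METADATA_URL = (
    "https://login.microsoftonline.com/%s/v2.0/.well-known/openid-configuration" % SAMPLE_TENANT
)
SAMPLE_GROUP = "99999999-8888-7777-6666-555555555555"
SAMPLE_TOKEN = make_unsigned_token({
    "iss": "https://login.microsoftonline.com/%s/v2.0" % SAMPLE_TENANT,
    "aud": SAMPLE_CLIENT_ID,
    "preferred_username": "jane.doe@example.com",
    "groups": [SAMPLE_GROUP],
})
# Same user, but modelled as a member of too many groups: no groups list, overage claim instead.
OVERAGE_TOKEN = make_unsigned_token({
    "iss": "https://login.microsoftonline.com/%s/v2.0" % SAMPLE_TENANT,
    "aud": SAMPLE_CLIENT_ID,
    "preferred_username": "jane.doe@example.com",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/placeholder/getMemberObjects"}},
})

if __name__ == "__main__":
    for name, tok in (("normal", SAMPLE_TOKEN), ("overage", OVERAGE_TOKEN)):
        print(name, json.dumps(check_passport_claims(tok, SAMPLE_CLIENT_ID, SAMPLE_METADATA_URL), indent=2))
```

A token that reports issuer_ok or audience_ok as False was issued by a different tenant or for a different app registration than the one you entered in the Library Item; group_overage True means the user exceeds the JWT group limit described above.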

API permissions

Add the Microsoft Graph delegated permissions Passport needs (email, profile, User.Read) and grant admin consent so users are not prompted for consent at the login window. These are the minimum for sign-in: User.Read only lets the signed-in user read their own profile.
1. In the left menu, select API permissions to open that pane.
2. Click Add a permission.
[Screenshot: Microsoft Entra ID API permissions pane showing Add a permission for Passport]
3. Click Microsoft Graph.
[Screenshot: Microsoft Entra ID Request API permissions showing Microsoft Graph for Passport]
4. Select Delegated permissions.
5. Confirm that the OpenID permissions section is expanded. If it isn't, click the icon next to it to expand it.
6. Select email and profile.
[Screenshot: Microsoft Entra ID Request API permissions showing Delegated permissions for Passport]
7. In the Select permissions search field, enter User.Read.
8. In the User section, confirm that User.Read is already selected. If it isn't, select it.
9. Click Add permissions.
[Screenshot: Microsoft Entra ID API permissions showing User.Read for Passport]
10. Select Grant admin consent for <your_tenant_name>.
11. Select Yes.
[Screenshot: Microsoft Entra ID API permissions Add permissions for Passport]
12. Confirm that there is a Granted for <your_tenant_name> message in the Status column for each permission.
[Screenshot: Microsoft Entra ID API permissions Status column Granted for tenant for Passport]

Assign Users and Groups

Configure who can use the Passport app and whether it appears in the user portal. By default, all users in Entra ID can use the app; the steps below cover the Properties settings and, when required, assigning users or users and groups.
1. In the sidebar, under the Entra ID category, select Enterprise apps.
2. In the All applications list, select Iru Passport Web Login or whatever name you gave the App registration in the previous section.
[Screenshot: Microsoft Entra ID Enterprise apps for Passport]
3. In the left menu, under the Manage category, select Properties to open that pane.
4. Optionally, add a logo to your Enterprise App.
5. Inspect the Assignment required? setting:
  • No: any user in the tenant can sign in through Passport; you will not need to assign users or users and groups.
  • Yes: only assigned users or users and groups can sign in; you will need to assign them in the next section.
Assignment required? only controls who may sign in to the app. Whether a user is created as an Administrator or a Standard account on the Mac is set in the Passport Library Item (see User Account Provisioning via Passport below).
6. Set Visible to users? to No. If it is Yes, users will see the app in their portal, where it serves no purpose: Passport is only used as a replacement for the macOS login window.
7. Click Save.
[Screenshot: Microsoft Entra ID Properties pane showing Assignment required and Visible to users for Passport]
If Assignment required? is set to No, you can go directly to User Account Provisioning via Passport. If it is set to Yes, continue with the steps below.

Assignment required

If your Passport Enterprise Application has the Assignment required? property set to Yes, follow the steps below to assign users or users and groups.
1. In the left menu, under the Manage category, select Users and groups to open that pane.
2. On the menu, select + Add user/group.
[Screenshot: Microsoft Entra ID Users and groups pane under Manage for Passport]
3. On the Add Assignment page, under the Users or Users and groups heading, select the None selected link to choose who can use the app.
Depending on your Microsoft Entra ID plan, you may only be able to assign users, not groups. In that case, the heading shows Users and group assignment is not available.
[Screenshot: Microsoft Entra ID Add Assignment page showing Users and groups with None selected link for Passport]
4. A list of users or users and security groups is displayed. You can search for a specific user or group, or select multiple users or users and groups from the list.
5. After you have selected your users or users and groups, select Select.
[Screenshot: Microsoft Entra ID Select users or users and groups for Passport]
6. Select Assign to finish assigning users or users and groups to the app.
[Screenshot: Microsoft Entra ID Assign users or groups for Passport]
7. Confirm that the users or users and groups you added appear in the Users and groups list.
[Screenshot: Microsoft Entra ID Users and groups list showing assigned users or groups for Passport]
With this portion of the Entra ID configuration complete, review the remaining sections of this article for your Microsoft Entra ID environment.

User Account Provisioning via Passport

The Passport Library Item can set whether new Mac accounts are created as Administrator or Standard based on the user's IdP group membership, so you can grant admin access to some groups and standard user access to others. If you want to use this, choose Specify per identity provider group in the Passport Library Item and follow the steps below to configure it. The Identity provider group field takes the Entra ID group Object ID (the same value the groups claim in the ID token carries), not the group's display name.
1. Sign in to the Microsoft Entra admin center. In the Identity navigation menu on the left, open Groups and select All groups.
2. Select the group that you want to use.
[Screenshot: Microsoft Entra ID Groups for Passport user provisioning]
3. Copy the Object ID for that group.
[Screenshot: Microsoft Entra ID Groups list showing Object ID for Passport]
4. In the Iru Endpoint Passport Library Item, in the User Provisioning section, paste the Object ID you just copied into the Identity provider group field.
[Screenshot: Passport Library Item User Provisioning showing Identity provider group field for Entra ID Object ID]
5. Repeat the previous steps for each additional Entra ID group you want to use.
6. In the Passport Library Item, click Save.

Account Provisioning Considerations

  • If the default account type is Standard, add only the groups whose members should be administrators to the Identity provider groups. Everyone who is not in one of those groups is created as a standard user. Because those members receive local administrator rights on every Mac they log in to, keep the administrator groups tightly scoped.
  • If the default account type is Administrator, add only the groups whose members should be standard users to the Identity provider groups. Everyone who is not in one of those groups is created as an administrator.
  • A group configured with the same type as the default has no effect, so list a group only on the side that differs from the default.
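The rule above, written out as an added example in Python (not Passport's own code): default_type is the Library Item's default account type, group_types maps each group Object ID entered as an Identity provider group to the account type you intend for it, and user_group_ids is the groups claim from the user's ID token. The group Object IDs are constructed placeholders. The example goes slightly beyond the text by flagging groups whose configured type equals the default, which is the misconfiguration the considerations warn about.

```python
"""Model of the Passport account-type rule for User Account Provisioning.

Added example; not Passport's own code. Group Object IDs below are constructed
placeholders standing in for the values copied from Entra ID.
"""

ADMIN = "Administrator"
STANDARD = "Standard"


def ineffective_groups(default_type: str, group_types: dict) -> list:
    """Groups configured with the same type as the default.

    Only groups of the *opposite* type can change an account's type, so these
    entries do nothing; listing them usually means the default was set wrong.
    """
    return sorted(g for g, t in group_types.items() if t == default_type)


def resolve_account_type(default_type: str, group_types: dict, user_group_ids) -> str:
    """Account type a new Mac account gets for a user with these group Object IDs."""
    if default_type not in (ADMIN, STANDARD):
        raise ValueError("default_type must be Administrator or Standard")
    override_type = STANDARD if default_type == ADMIN else ADMIN
    override_groups = {g for g, t in group_types.items() if t == override_type}
    # Membership in any override group flips the type; otherwise the default applies.
    # A token with a group overage claim has no groups list, so that user gets the default.
    return override_type if override_groups & set(user_group_ids or ()) else default_type


# Constructed configuration: default Standard, two administrator groups, and one
# group mistakenly configured as Standard (no effect, since Standard is the default).
MAC_ADMINS = "d1c2b3a4-0000-4000-8000-000000000001"
HELPDESK = "d1c2b3a4-0000-4000-8000-000000000002"
ALL_STAFF = "d1c2b3a4-0000-4000-8000-000000000003"
DEFAULT_TYPE = STANDARD
GROUP_TYPES = {MAC_ADMINS: ADMIN, HELPDESK: ADMIN, ALL_STAFF: STANDARD}

if __name__ == "__main__":
    for groups in ([ALL_STAFF], [ALL_STAFF, HELPDESK], []):
        print(groups, "->", resolve_account_type(DEFAULT_TYPE, GROUP_TYPES, groups))
    print("ineffective:", ineffective_groups(DEFAULT_TYPE, GROUP_TYPES))
```

Running it shows the ALL_STAFF-only user and the user with no groups both created as Standard, the HELPDESK member as Administrator, and ALL_STAFF reported as an ineffective entry.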

Microsoft Entra ID Troubleshooting

If you are experiencing issues with Entra ID Passport, please visit our Passport Troubleshooting with Microsoft Entra ID (formerly Azure AD) support article to learn more about common troubleshooting steps.

Next Steps

Please proceed to the Configure the Passport Library Item support article to finalize your setup.