This guide applies to Mac computers
This article goes over configuring Passport to use Web login. If you want to configure Mac Login, please see Configure Passport with Microsoft Entra ID - Mac Login.
About Passport with Microsoft Entra ID Web Login
Passport with Microsoft Entra ID Web Login enables users to log into Mac computers using their Microsoft Entra ID credentials through a web-based authentication interface. This method supports multi-factor authentication and provides a more secure login experience.How It Works
Passport integrates with your Microsoft Entra ID tenant to authenticate users at the macOS login screen using a web view that displays your organization’s Entra ID login page. This allows for full MFA support and provides a familiar authentication experience for users.Prerequisites
You will need access to a Microsoft Entra ID admin user account to grant the Passport app the correct permissions. For instructions on configuring multifactor authentication (MFA) within Microsoft Entra ID, please see this Microsoft guide.Create the App Registration
1
Sign in to Microsoft Entra admin center
Sign in to the Microsoft Entra admin center using a Global Administrator account.
2
Navigate to Identity
Open the portal menu and then select Identity.
3
Access App registrations
On the Identity menu, under Applications, select App registrations.
4
Start new registration
On the App registrations select + New registration on the menu.
5
Configure application details
On the Register an application dialog, enter a name for the new application (such as Iru Passport Web Login).
6
Set account type
Choose Accounts in this organizational directory only.
7
Select platform
In the Redirect URI section, in the Select a platform drop-down, choose Public client/native (mobile & desktop).
8
Enter redirect URI
In the URI field, enter the following, https://login.microsoftonline.com/common/oauth2/nativeclient
9
Complete registration
Click Register.
Collecting Configuration Details
1
Prepare secure document
Open a secure text document where the values for this OIDC app can be temporarily stored. You will need these details when you configure the Passport Library Item.
2
Copy Application ID
Copy the Application (client) ID on the Overview page to a temporary secure text document.
3
Access Endpoints
While still on the Overview page, click Endpoints.
4
5
Copy Identity provider URL
Copy OpenID Connect metadata document (identity provider URL) to a temporary secure text document.
6
7
Access Authentication settings
On the left, select Authentication.
8
Enable mobile and desktop flows
Set Enable the following mobile and desktop flows to Yes.
9
Save authentication settings
Click Save.
10
11
Access Token configuration
On the left, select Token configuration.
12
Add optional claim
Click Add optional claim.
13
Select token type
For the Token type, select ID.
14
Select claim
For the Claim, select preferred_username.
15
Add the claim
Click Add.
16
17
Add groups claim
While still on the Token configuration page, click Add groups claim.
18
Select groups
Select All groups.
Entra ID SAML only supports up to 150 security groups. If you have more than 150 security groups, you should not use All groups, but rather select specific groups. You can read more in Microsoft’s Configure group claims for applications by using Microsoft Entra ID article.
19
Confirm groups claim
Click Add.
20
API Permissions
1
Access API Permissions
Select API Permissions.
2
Add permission
Click Add a permission.
3
Select Microsoft Graph
Click Microsoft Graph.
4
5
Select Delegated permissions
Select Delegated permissions.
6
Expand OpenID permissions
Confirm that the OpenID permissions section is expanded. If it isn’t, click the icon next to it to expand it.
7
Select email permission
Select email.
8
Select profile permission
Select profile.
9
10
Search for User.Read
In the Select permissions field, enter User.Read.
11
Confirm User.Read selection
In the User section, confirm that User.Read is already selected. If it isn’t, select it.
12
Add permissions
Click Add permissions.
13
14
Grant admin consent
While still on the API permissions page, select Grant admin consent for <your_tenant_name>.
15
Confirm admin consent
Select Yes.
16
17
You should see a notification similar to the one below and a “Granted for <your_tenant_name> …” message in the Status column next to each permission. 
Assign Users and Groups
By default, when you create a new App registration, the “Assignment required?” attribute is set to “No”. However, if your Passport Enterprise app is set to require assignment, you will need to follow these steps to assign users in order to be able to use your Passport app.
1
Access Enterprise Applications
In the Identity navigation menu on the left, open Applications and select Enterprise Applications.
2
Select Passport application
In the All applications list, select Iru Passport Web Login or whatever name you named the App registration in the previous section.
3
Access Properties
Under Manage, select Properties.
4
Add logo (optional)
Optionally, add a logo to your Enterprise App.
5
Check assignment requirement
Inspect the Assignment required? setting. If it is set to “No,” then you can skip the rest of this section. All users in Entra ID will be able to use the Passport app.
6
Configure visibility
Confirm that the Visible to users? setting is set toggled to “No”; otherwise, users will see it in their portal. The Passport app is only useful as a replacement for the macOS login window.
7
Save properties
Click Save.
8
9
Check if assignment is required
If the Assignment required? setting is set to “Yes,” continue with the following steps.
10
Access Users and Groups
Under Manage, select Users and Groups.
11
12
Add user or group
On the menu, select + Add user/group.
13
14
Select users and groups
On the Add Assignment dialog, select the link under Users and groups.
15
Choose users and groups
A list of users and security groups is displayed. You can search for a specific user or group or select multiple users and groups that appear in the list.
16
Confirm selection
After you have selected your users and groups, select Select.
17
18
If you see the message below, it means that a free tier is being used. You can only add users (not groups) to the Passport Enterprise App.
19
20
Complete assignment
Select Assign to finish the assignment of users and groups to the app.
21
22
Verify assignment
Confirm that the users and groups you added appear in the Users and groups list.
23
User Account Provisioning via Passport
If you use Specify per identity provider group option in the Passport Library Item, use the Entra ID group ObjectID in the Identity provider group field.
1
Access Groups
Sign in to the Microsoft Entra admin center. In the Identity navigation menu on the left, open Groups and select All groups.
2
Select group
Select the group that you want to use.
3
4
Copy Object ID
Copy the Object Id for that group.
5
6
Configure Passport Library Item
In the Iru Endpoint Passport Library Item, in the User Provisioning section, paste the value from the previous section into the Identity provider group field.
7
Repeat for additional groups
Repeat the previous steps for each additional Entra ID group you want to use.
8
Save configuration
In the Passport Library Item, click Save.
Other Considerations
- If you are setting the default account type to standard user, only add administrator account types in the Identity provider groups. Unless otherwise specified as administrators in your Identity provider groups, all users will be created as standard users by default.
- If you are setting the default account type to administrators, only add standard account types in the Identity provider groups. All users will be created as administrators by default unless otherwise specified as standard users in your Identity provider groups.