Description
Platform Single Sign-On (PSSO) for macOS extends cloud identity authentication directly into the macOS login window, creating a unified and seamless experience for users and administrators alike. When deploying PSSO with Microsoft Entra ID, it is important to understand how your organization's MFA configuration interacts with the registration process, particularly during migrations where legacy per-user MFA and Conditional Access policies may coexist.
PSSO Registration with Microsoft Entra ID
When a user registers for PSSO, the following happens in the background:
1. The Microsoft Authentication Broker initiates a Primary Refresh Token (PRT) acquisition
2. This flow runs non-interactively in the background
3. The broker exchanges credentials with Microsoft Entra ID to complete registration
4. Once successful, the user gains seamless SSO access across corporate apps and services
Because this flow runs entirely in the background, it cannot respond to an MFA challenge. This is where legacy per-user MFA becomes a problem.
Legacy per-user MFA is Not Supported
When a user's Entra ID account has perUserMfaState set to Enforced, Microsoft Entra returns the following error during the broker's PRT acquisition:
AADSTS50076 — MFA required
The broker aborts the registration without surfacing any visible error message in Jamf Pro or to the end user. The user remains at the registration prompt with no indication of what went wrong. This makes the issue particularly difficult to identify — an administrator whose account has per-user MFA disabled will register successfully in the same environment, while an affected user will not.
Confirming the Issue
If users are getting stuck at the PSSO registration prompt, check the following:
1. Open the Microsoft Entra admin center and navigate to Users > All Users > Per-user MFA
2. Look for any user with their MFA state set to Enforced
3. Navigate to Entra sign-in logs and filter for error code AADSTS50076 to confirm blocked registration attempts
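To check both conditions at once, the following added Python script (not Jamf's or Microsoft's code) flags accounts whose per-user MFA state is Enforced and whose Microsoft Authentication Broker sign-ins failed with AADSTS50076. It runs offline on constructed sample records shaped like Microsoft Graph's authentication requirements and sign-in log responses; the endpoint paths in the docstring are where a live version would pull them from.

```python
"""Triage helper for PSSO registrations blocked by legacy per-user MFA.

Constructed records mimic two Microsoft Graph responses:
  GET /users/{id}/authentication/requirements -> {"perUserMfaState": ...}
  GET /auditLogs/signIns?$filter=status/errorCode eq 50076
Replace the sample lists with real API output to run against a tenant.
"""

BROKER_APP = "Microsoft Authentication Broker"
MFA_REQUIRED = 50076  # numeric part of AADSTS50076

# Constructed sample: per-user MFA state for three accounts.
REQUIREMENTS = {
    "admin@example.com": {"perUserMfaState": "disabled"},
    "alice@example.com": {"perUserMfaState": "enforced"},
    "bob@example.com": {"perUserMfaState": "enabled"},
}

# Constructed sample sign-ins: Alice's broker PRT request fails with 50076,
# the admin's succeeds, Bob's 50076 is from a different app (interactive).
SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": BROKER_APP,
     "status": {"errorCode": 50076, "failureReason": "MFA required"}},
    {"userPrincipalName": "admin@example.com", "appDisplayName": BROKER_APP,
     "status": {"errorCode": 0, "failureReason": "Other."}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Outlook",
     "status": {"errorCode": 50076, "failureReason": "MFA required"}},
]


def enforced_users(requirements):
    """Return UPNs whose legacy per-user MFA state is Enforced."""
    return sorted(upn for upn, req in requirements.items()
                  if req.get("perUserMfaState", "").lower() == "enforced")


def blocked_broker_signins(signins):
    """Return broker sign-ins that failed with AADSTS50076 (MFA required)."""
    return [s for s in signins
            if s.get("appDisplayName") == BROKER_APP
            and s.get("status", {}).get("errorCode") == MFA_REQUIRED]


def affected_users(requirements, signins):
    """Accounts that are Enforced AND had a blocked broker sign-in: these are
    the users stuck at the PSSO prompt who need per-user MFA set to Disabled."""
    enforced = set(enforced_users(requirements))
    blocked = {s["userPrincipalName"] for s in blocked_broker_signins(signins)}
    return sorted(enforced & blocked)


if __name__ == "__main__":
    for upn in affected_users(REQUIREMENTS, SIGNINS):
        print(f"{upn}: per-user MFA Enforced, broker PRT blocked (AADSTS50076)")
```

Bob's AADSTS50076 is deliberately excluded: an interactive app can complete the MFA challenge, so only broker failures indicate the silent PSSO registration failure.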
Per-user MFA vs. Conditional Access MFA
Organizations managing MFA through Conditional Access policies rather than legacy per-user MFA will not encounter this issue. Conditional Access honours Named Locations and is compatible with the broker's non-interactive flow, making it the recommended approach for environments using PSSO. The table below outlines the key differences:
| Feature | Per-user MFA (legacy enforced) | Conditional Access MFA |
| --- | --- | --- |
| PSSO / Microsoft Auth Broker | ❌ Blocked — AADSTS50076 | ✅ Compatible |
| Named Locations / Trusted IP | ❌ Completely ignored | ✅ Respected — no MFA at the office |
| Apple Business Enrollment | ❌ Blocked if user is enforced | ✅ Works normally |
| MFA on Trusted Network | ❌ Always requested | ✅ Exempt if IP is trusted |
| Granularity | ❌ Per user, all or nothing | ✅ Per app, group, location, device state |
| Visibility of Blocking | ❌ Silent failure in Jamf | ✅ Visible in Entra sign-in logs |
Recommended Configuration
Before deploying PSSO, ensure MFA is configured correctly in your Entra environment:
1. In the Microsoft Entra admin center, navigate to Users > All Users > Per-user MFA
2. Locate any affected users and set their MFA state from Enforced to Disabled
3. Confirm a Conditional Access policy is in place to enforce MFA as needed for your organization
4. Re-attempt PSSO registration on the affected device
PSSO enrollment completes immediately once the correct configuration is in place.
