WebKit update may impact Enterprise Single Sign On (SSO) for Microsoft 365 services

Estimated Start Time: November 10, 2023 at 12:06 PM PST

Affected Services: Microsoft 365 suite

Issue Type: Advisory

User Impact: Users may encounter Microsoft Entra ID (formerly Azure AD) SSO failures on macOS, iOS, and iPadOS devices.

Action Needed

Microsoft has received reports of an issue impacting Single Sign On (SSO) for Microsoft Entra ID accounts signing in to multiple Microsoft 365 services.

Microsoft’s investigation has determined that a recent software update to iOS, iPadOS, and macOS shipped a version of WebKit that contains code regressions impacting the functionality of the Microsoft Enterprise SSO Plug-in. The Enterprise SSO Plug-in enables SSO for applications and resources protected by Microsoft Entra ID.

Impact is specific to the following operating system versions:

  • iOS/iPadOS 17.1.x
  • macOS 14.1.x

Admins should be aware that on these versions of iOS, iPadOS, or macOS the Enterprise SSO Plug-in does not function when browser SSO is used. As a result, users may be unable to sign in to applications and resources that rely on browser SSO, such as web portals, cloud services, and native applications that use the Safari (WebKit) web view, such as Apple Mail.

This regression has an outsized impact on Entra ID deployments that use third-party mobile device management (MDM) solutions, because those deployments typically have no redundant fallback mechanism for SSO when the plug-in's browser SSO path fails.

The new operating system versions from Apple contain enhancements and security fixes unrelated to the Enterprise SSO Plug-in, but they also introduce the regression described above in browser SSO functionality. Evaluate upgrading to these versions carefully, weighing your organizational security policies against how critical the Enterprise SSO extension is within your organization. You may want to postpone upgrading until a resolution is available from Apple, or use alternative authentication methods for applications and resources that rely on browser SSO.

If you are using Intune as your MDM solution, you can use it to defer operating system updates on devices under management, which lets you control when and how your devices receive the new operating system versions from Apple. Note that Apple's MDM update-deferral restriction applies to supervised iOS/iPadOS devices and MDM-enrolled Macs, and can delay an update for at most 90 days; it is a deferral, not a permanent block.

For more information on how to use Intune to manage operating system updates, refer to Microsoft's Intune documentation on software update policies for Apple devices.
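Before deciding whether to defer updates, it helps to know which managed devices are already on an affected build. The script below is an added example, not Microsoft's tooling and not part of this advisory: it classifies device records against the version list above. The input rows are constructed to mimic the operatingSystem and osVersion fields of an Intune managed-device record (the same fields appear in the Intune devices export); the device names are hypothetical. It matches on the parsed major.minor pair rather than a string prefix, so a future 17.10.x or 14.10.x would not be misreported as 17.1.x or 14.1.x, and it tolerates a trailing build tag such as "14.1.1 (23B81)".

```python
"""Flag managed Apple devices running the OS versions named in this advisory.

Hypothetical helper, not Microsoft's tooling. The sample inventory below is
constructed; in practice the rows would come from the Intune devices export
or the Graph managedDevices collection (operatingSystem / osVersion fields).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Affected (major, minor) pairs from the advisory: iOS/iPadOS 17.1.x, macOS 14.1.x.
# Keys are normalized platform labels; "ios/ipados" covers Intune's combined label.
AFFECTED = {
    "ios": (17, 1),
    "ipados": (17, 1),
    "ios/ipados": (17, 1),
    "macos": (14, 1),
}

# major.minor with an optional .patch; anything after that (e.g. " (23B81)") is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(os_version: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor[.patch]' from an osVersion string.

    Returns (major, minor, patch) with patch defaulting to 0, or None when the
    string does not begin with a dotted numeric version.
    """
    m = _VERSION_RE.match(os_version or "")
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def normalize_platform(operating_system: str) -> str:
    """Map platform labels such as 'macOS' or 'iOS/iPadOS' to the keys in AFFECTED."""
    return (operating_system or "").strip().lower().replace(" ", "")


def is_affected(operating_system: str, os_version: str) -> bool:
    """True when the device is on an affected major.minor for its platform.

    Comparing the parsed (major, minor) tuple avoids the prefix pitfall where
    '17.1' would also match '17.10.x'.
    """
    target = AFFECTED.get(normalize_platform(operating_system))
    if target is None:
        return False
    parsed = parse_version(os_version)
    return parsed is not None and parsed[:2] == target


@dataclass
class Device:
    name: str
    operating_system: str
    os_version: str


def exposed_devices(inventory: List[Device]) -> List[str]:
    """Return the names of devices on an affected OS version, in inventory order."""
    return [d.name for d in inventory if is_affected(d.operating_system, d.os_version)]


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    Device("mac-001", "macOS", "14.1.1"),            # affected
    Device("mac-002", "macOS", "14.0.1"),            # pre-regression build
    Device("mac-003", "macOS", "13.6.1"),            # previous major
    Device("mac-004", "macOS", "14.1 (23B74)"),      # affected, build tag tolerated
    Device("ipad-001", "iPadOS", "17.1.2"),          # affected
    Device("iphone-001", "iOS", "17.0.3"),           # pre-regression build
    Device("iphone-002", "iOS", "17.10.0"),          # hypothetical; must NOT match 17.1.x
    Device("win-001", "Windows", "10.0.22631.2506"), # not an Apple platform
]

if __name__ == "__main__":
    for name in exposed_devices(SAMPLE_INVENTORY):
        print("exposed:", name)
```

Run it against a real export by building Device objects from the operatingSystem and osVersion columns; devices it flags are the ones whose users will lose browser SSO, and the ones not yet flagged are the candidates for an Intune update deferral.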