From c009f45b415957816469688d59c3646683fd64b0 Mon Sep 17 00:00:00 2001 From: Louis Simonetti Date: Wed, 13 May 2026 15:40:27 -0400 Subject: [PATCH 1/2] Update configure-platform-sso-macos.md The Platform SSO `preferred_name` for the account short name is no longer correct when leveraging the Apple Platform SSO extension. Please update to use com.apple.PlatformSSO.AccountShortName per the Apple Documentation https://support.apple.com/guide/deployment/platform-sso-for-macos-dep7bbb05313/web --- .../settings-catalog/configure-platform-sso-macos.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/intune/device-configuration/settings-catalog/configure-platform-sso-macos.md b/intune/device-configuration/settings-catalog/configure-platform-sso-macos.md index f226b6f551..cba5818187 100644 --- a/intune/device-configuration/settings-catalog/configure-platform-sso-macos.md +++ b/intune/device-configuration/settings-catalog/configure-platform-sso-macos.md @@ -216,7 +216,7 @@ To configure the Platform SSO policy, use the steps in this section to create an | **Platform SSO** > **Use Shared Device Keys**
(macOS 14+) | **Enabled** | When enabled, Platform SSO uses the same signing and encryption keys for all users on the same device.

Users upgrading from macOS 13.x to 14.x are prompted to register again. | | **Registration token** | `{{DEVICEREGISTRATION}}` | Copy and paste this value in the setting. You must include the curly braces.

To learn more about this registration token, go to [Configure Microsoft Entra device registration](/entra/identity-platform/apple-sso-plugin#configure-microsoft-entra-device-registration).

This setting requires that you also configure the `AuthenticationMethod` setting.

- If you use only macOS 13 devices, then configure the **Authentication Method (Deprecated)** setting.
- If you use only macOS 14+ devices, then configure the **Platform SSO** > **Authentication Method** setting.
- If you have a mix of macOS 13 and macOS 14+ devices, then configure both authentication settings in the same profile. | | **Screen Locked Behavior** | **Do Not Handle** | When set to **Do Not Handle**, the request continues without SSO. | - | **Token To User Mapping** > **Account Name** | `preferred_username` | Copy and paste this value in the setting.

This token specifies that the Microsoft Entra [`preferred_username`](/entra/identity-platform/id-token-claims-reference#payload-claims) attribute value is used for the macOS account's Account Name value. | + | **Token To User Mapping** > **Account Name** | `com.apple.PlatformSSO.AccountShortName` | Copy and paste this value in the setting.

This token specifies that the Microsoft Entra [`preferred_username`](/entra/identity-platform/id-token-claims-reference#payload-claims) attribute value is used for the macOS account's Account Name value. | | **Token To User Mapping** > **Full Name** | `name` | Copy and paste this value in the setting.

This token specifies that the Microsoft Entra [`name`](/entra/identity-platform/id-token-claims-reference#payload-claims) claim is used for the macOS account's Full Name value. | | **Team Identifier** | `UBF8T346G9` | Copy and paste this value in the setting.

This identifier is the team identifier of the Enterprise SSO plug-in app extension. | | **Type** | Redirect | | From f7d17d58deda910fde5305477c07ce4e11ab569d Mon Sep 17 00:00:00 2001 From: Mandi Ohlinger <3229224+MandiOhlinger@users.noreply.github.com> Date: Mon, 18 May 2026 12:16:23 -0400 Subject: [PATCH 2/2] Update date and Account Name token description Updated the ms.date field and modified the Account Name token description to include 'preferred_username' as an option. --- .../settings-catalog/configure-platform-sso-macos.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/intune/device-configuration/settings-catalog/configure-platform-sso-macos.md b/intune/device-configuration/settings-catalog/configure-platform-sso-macos.md index 3e05faec02..b0f95def7e 100644 --- a/intune/device-configuration/settings-catalog/configure-platform-sso-macos.md +++ b/intune/device-configuration/settings-catalog/configure-platform-sso-macos.md @@ -1,7 +1,7 @@ --- title: Configure Platform SSO for macOS devices description: Use Microsoft Intune to configure Platform SSO and deploy the configuration to your macOS devices. Platform SSO enables single sign-on (SSO) using Microsoft Entra ID with the Secure Enclave, smart card, or password authentication methods. You create a settings catalog policy to configure the settings. This article is a step-by-step guide to configure Platform SSO for macOS devices using Intune. -ms.date: 05/11/2026 +ms.date: 05/18/2026 ms.topic: how-to appliesto: - :::image type="icon" source="../../media/icons/16/check.svg" border="false"::: macOS @@ -218,7 +218,7 @@ To configure the Platform SSO policy, use the steps in this section to create an | **Platform SSO** > **Use Shared Device Keys**
(macOS 14+) | **Enabled** | When enabled, Platform SSO uses the same signing and encryption keys for all users on the same device.

Users upgrading from macOS 13.x to 14.x are prompted to register again. | | **Registration token** | `{{DEVICEREGISTRATION}}` | Copy and paste this value in the setting. You must include the curly braces.

To learn more about this registration token, go to [Configure Microsoft Entra device registration](/entra/identity-platform/apple-sso-plugin#configure-microsoft-entra-device-registration).

This setting requires that you also configure the `AuthenticationMethod` setting.

- If you use only macOS 13 devices, then configure the **Authentication Method (Deprecated)** setting.
- If you use only macOS 14+ devices, then configure the **Platform SSO** > **Authentication Method** setting.
- If you have a mix of macOS 13 and macOS 14+ devices, then configure both authentication settings in the same profile. | | **Screen Locked Behavior** | **Do Not Handle** | When set to **Do Not Handle**, the request continues without SSO. | - | **Token To User Mapping** > **Account Name** | `com.apple.PlatformSSO.AccountShortName` | Copy and paste this value in the setting.

This token specifies that the Microsoft Entra [`preferred_username`](/entra/identity-platform/id-token-claims-reference#payload-claims) attribute value is used for the macOS account's Account Name value. | + | **Token To User Mapping** > **Account Name** | `com.apple.PlatformSSO.AccountShortName` or `preferred_username` | Copy and paste your value in the setting:

- `com.apple.PlatformSSO.AccountShortName`: Recommended. Uses the Identity Provider's (IDP) User Principal Name (UPN) prefix as the local account name (user’s short name), like `user@contoso.com` for the macOS account's Account Name value. See [Platform SSO: On-demand account creation (Apple docs)](https://support.apple.com/guide/deployment/dep7bbb05313/web).
- `preferred_username`: This token specifies that the Microsoft Entra [`preferred_username`](/entra/identity-platform/id-token-claims-reference#payload-claims) attribute value is used for the macOS account's Account Name value. | | **Token To User Mapping** > **Full Name** | `name` | Copy and paste this value in the setting.

This token specifies that the Microsoft Entra [`name`](/entra/identity-platform/id-token-claims-reference#payload-claims) claim is used for the macOS account's Full Name value. | | **Team Identifier** | `UBF8T346G9` | Copy and paste this value in the setting.

This identifier is the team identifier of the Enterprise SSO plug-in app extension. | | **Type** | Redirect | |
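
Review bot: In PATCH 1/2, the added **Token To User Mapping** > **Account Name** row in the `@@ -216,7 +216,7 @@` hunk changes the value to `com.apple.PlatformSSO.AccountShortName`, but the description cell under it still reads "This token specifies that the Microsoft Entra `preferred_username` attribute value is used for the macOS account's Account Name value." The value and its explanation now disagree, so an admin reading the table at this commit cannot tell which source ends up as the local account name. Update the description in the same commit to describe the new token, or squash this change with PATCH 2/2, which rewrites that cell.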
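
Review bot: In PATCH 2/2, the `com.apple.PlatformSSO.AccountShortName` bullet added in the `@@ -218,7 +218,7 @@` hunk contradicts itself: it says the UPN prefix is used as the local account name, then gives `user@contoso.com` as the example, which is a full UPN and not a prefix. The tail of that sentence ("like `user@contoso.com` for the macOS account's Account Name value") also reads as a leftover from the old description. Suggest wording such as "like `user` for `user@contoso.com`", so the reader can see exactly which string becomes the macOS short name. Since both tokens are now offered, one more sentence saying how the resulting account name differs between `com.apple.PlatformSSO.AccountShortName` and `preferred_username` would help, because the Account Name is what ties the local macOS account to the identity. Minor: the same bullet uses a typographic apostrophe in "user’s" while the rest of the row uses straight ones.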