What is SSO on iOS and iPadOS?
SuperOps SSO Configuration connects your managed iPhones and iPads to Microsoft Entra ID so users sign in once with their work credentials and are automatically authenticated across every connected app and service.
On iOS and iPadOS, SSO works through Extensible SSO only. This handles app authentication. After a user signs into their device, every app connected to Microsoft Entra ID signs them in automatically without prompting for credentials again.
Before you begin
Your client's active Microsoft Entra ID tenant with users already configured
iPhones or iPads enrolled in SuperOps MDM and supervised via Apple Business Manager
No configuration is required in the Azure portal before setting up SSO in SuperOps.
Step 1: Enable SSO Configuration
Go to Settings and open Policy Management.
Click the MDM tab and select your Apple iOS Device Policy.
In the left sidebar under MDM Configurations, click SSO Configuration and toggle it on.
Select Entra as the identity provider.
SuperOps automatically pre-fills all Extensible SSO values for Microsoft Entra ID. Microsoft Authenticator is pushed automatically to enrolled devices when the policy is saved.
Step 2: Configure Extensible SSO
The following values are pre-filled when Entra is selected and do not require editing.
Field | Value |
Authentication Flow | Redirect |
SSO Extension Bundle ID | com.microsoft.azureauthenticator.ssoextension |
Redirection URLs |
You can add additional URLs to this field if needed.
Configure the following Extension Configuration settings:
Enable Allow browser sign-in via SSO to extend SSO to browsers and apps that do not use MSAL (Microsoft Authentication Library). Required if you want Safari or other non-Microsoft apps to benefit from SSO.
Enable Skip duplicate sign-in prompts to suppress redundant Microsoft sign-in prompts in apps that already support SSO.
Enable Apply SSO automatically to all managed apps to automatically apply SSO to apps matching the App Prefix Allowlist.
Under Apps allowed to use SSO, enter the bundle ID prefixes for apps that should participate in SSO. For all Microsoft apps, enter
com.microsoft. Add additional prefixes for other Entra-connected apps in your organization.
Note: Microsoft apps built with MSAL authenticate automatically. For all other apps (including browsers), add their bundle ID prefix here and enable Allow browser sign-in via SSO.
Step 3: Save and deploy
Click Save. SuperOps pushes the Extensible SSO configuration profile to all enrolled iPhones and iPads under this policy. Microsoft Authenticator is pushed automatically.
What users experience
Once the profile is deployed, users do not need to take any registration steps. The next time they open a Microsoft app or any Entra-connected app, they are signed in automatically using their existing Entra ID credentials. No prompts, no separate logins.