Enforcing Azure AD SSO at macOS Login with Swif | Help Center

With Swif’s Identity Login Policy you can replace the standard macOS login window with an Azure AD / Entra ID Single-Sign-On flow. Users authenticate with their Microsoft credentials (with MFA), and Swif provisions—or unlocks—the matching local account before macOS finishes booting.

1 Prerequisites

Requirement	Details
macOS 11 or later	Swif Agent v1.235.0 + installed.
Entra ID (Azure AD) tenant	Global Admin rights to create an App Registration.
Swif Org Admin	Permission to create and deploy policies.

2 Create an Azure AD App Registration

Sign in to the Azure Portal → Microsoft Entra ID → App registrations → New registration.
Name: Swif macOS Login.
Supported account types: Single tenant (or Multi-tenant if required).
Redirect URI → Web → https://127.0.0.1/xcreds.
Click Register.
After the app is created, copy the Application (client) ID (GUID).
Under API permissions, ensure openid, profile, email, and offline_access (for refresh tokens) are present (delegated).
Certificates & Secrets → Not required for a public-loopback client, so you may omit a client secret.

3 Configure the Identity Login Policy in Swif

In Swif Admin:

Policies → Create New Policy → Identity Login Policy.
Populate the fields as follows:

Field	Value	Notes
clientId	`f3d6db2c-bb72-4fc3-805a-d888af58ab15`	Your Azure AD Client ID.
discoveryURL	`https://login.microsoftonline.com/common/.well-known/openid-configuration`	Entra OIDC metadata.
redirectURI	`https://127.0.0.1/xcreds`	Must match the URI in Azure.
scopes	`openid profile email offline_access`	Grants ID + refresh token.
createAdminUser	`true` (or `false`)	Creates the local user as admin if absent.
mapFirstname / mapLastname	`given_name` / `family_name`	JWT → macOS fields.
mapUsername / mapFullusername	`name`	Uses UPN or email as short name.

Tip: If you add a Client secret, place it in clientSecret; otherwise leave blank for a public client.

Save the policy.

4 Assign the Policy to Macs

Select the Mac devices or a Smart Group (e.g. All macOS).
Click Deploy.
Swif sends a configuration profile that replaces the native login window.

5 End-User Login Flow

At power-on, the user sees Sign in with Microsoft.
A secure browser (Edge WebView) opens to login.microsoftonline.com; the user enters credentials and completes MFA.
Swif’s login agent:
- Validates the ID token.
- Creates or unlocks the mapped local account.
- Logs the user in—no local password is stored.

6 Troubleshooting

Issue	Fix
Blank login window	Confirm the profile is installed (System Settings → Privacy & Security → Profiles) and reboot.
“Redirect URI mismatch”	Ensure `https://127.0.0.1/xcreds` appears identically in Azure AD and the Swif policy.
Offline login fails	Azure AD requires online auth; a refresh token allows subsequent logins if network is momentarily down, but the first login must be online.
Account mapping incorrect	Adjust `mapUsername`, `mapFullname`, or other claim mappings to match your naming scheme.

7 Security Best Practices

MFA: Enforce Azure AD multi-factor authentication for maximum protection.
Client secrets: If you create a confidential client, rotate secrets annually.
Admin vs. Standard user: Set createAdminUser = false for least-privilege deployments.
Pilot first: Test with a small Mac cohort before enabling org-wide.

Deploying an Identity Login Policy with Azure AD ensures every macOS sign-in is governed by your corporate IdP—centralizing account lifecycle and strengthening endpoint security. For assistance, contact support@swif.ai.