Adding Apple Secure Enclave explanation #1948
chiyao-ms wants to merge 2 commits into MicrosoftDocs:main from
Clarified requirements for Apple devices that use Secure Enclave in relation to Conditional Access policies.
@chiyao-ms : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.
Learn Build status updates of commit 0270f28:

| File | Status | Preview URL | Details |
|---|---|---|---|
| docs/identity/conditional-access/concept-conditional-access-grant.md | | | Details |

docs/identity/conditional-access/concept-conditional-access-grant.md

- Line 73, Column 614: [Warning: hard-coded-locale] Link 'https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin#device-identity-key-storage' contains locale code 'en-us'. For localizability, remove 'en-us' from links to most Microsoft sites.
- Line 73, Column 614: [Suggestion: docs-link-absolute] Absolute link 'https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin#device-identity-key-storage' will be broken in isolated environments. Replace with a relative link.
For more details, please refer to the build report.
Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.
| > [!NOTE] | ||
| > On Windows, iOS, Android, macOS, and some non-Microsoft web browsers, Microsoft Entra ID identifies the device by using a client certificate that is provisioned when the device is registered with Microsoft Entra ID. When a user first signs in through the browser, the user is prompted to select the certificate. The user must select this certificate before they can continue to use the browser. | ||
| > | ||
| > For Apple devices as Microsoft Entra ID transitions the storage of device identity keys from Apple Keychain to Apple Secure Enclave, the Microsoft Enterprise SSO plug‑in for Apple devices must be enabled for applications that do not use the Microsoft Authentication Library (MSAL), including Safari. Enabling the Enterprise SSO plug‑in ensures that these applications can participate in device-based authentication required by Conditional Access policies, such as Require device to be marked as compliant and Filter for devices condition. For more information about this transition to Apple Secure Enclave, see [Microsoft Enterprise SSO plug‑in for Apple devices – Microsoft identity platform on Microsoft Learn](https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin#device-identity-key-storage) |
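Review bot: the link on the last line of the added note hard-codes the en-us locale and is an absolute learn.microsoft.com URL, which is exactly what the build report flags at line 73, column 614 (hard-coded-locale and docs-link-absolute); replace it with the relative form `/entra/identity-platform/apple-sso-plugin#device-identity-key-storage` and end the sentence with a period, which the line currently lacks.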
| > For Apple devices as Microsoft Entra ID transitions the storage of device identity keys from Apple Keychain to Apple Secure Enclave, the Microsoft Enterprise SSO plug‑in for Apple devices must be enabled for applications that do not use the Microsoft Authentication Library (MSAL), including Safari. Enabling the Enterprise SSO plug‑in ensures that these applications can participate in device-based authentication required by Conditional Access policies, such as Require device to be marked as compliant and Filter for devices condition. For more information about this transition to Apple Secure Enclave, see [Microsoft Enterprise SSO plug‑in for Apple devices – Microsoft identity platform on Microsoft Learn](https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin#device-identity-key-storage) | |
| > For Apple devices as Microsoft Entra ID transitions the storage of device identity keys from Apple Keychain to Apple Secure Enclave, the Microsoft Enterprise SSO plug‑in for Apple devices must be enabled for applications that do not use the Microsoft Authentication Library (MSAL), including Safari. Enabling the Enterprise SSO plug‑in ensures that these applications can participate in device-based authentication required by Conditional Access policies, such as Require device to be marked as compliant and Filter for devices condition. For more information about this transition to Apple Secure Enclave, see [Microsoft Enterprise SSO plug‑in for Apple devices – Microsoft identity platform on Microsoft Learn](/entra/identity-platform/apple-sso-plugin#device-identity-key-storage) |
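Review bot: this suggestion fixes the link but keeps the opening "For Apple devices as Microsoft Entra ID transitions ..." construction, which reads as if "Apple devices" were the subject of "transitions"; split it into two sentences. Since the note states a hard requirement ("must be enabled"), it would also help the reader to say what happens when the plug-in is not enabled: a non-MSAL app such as Safari cannot present the device identity, so Require device to be marked as compliant and Filter for devices cannot be satisfied for that sign-in, rather than only that enabling it "ensures" participation.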
Can you review the proposed changes? IMPORTANT: When the changes are ready for publication, add the #label:"aq-pr-triaged"
Pull request overview
This PR updates the Conditional Access grant controls documentation to clarify how Apple Secure Enclave impacts device-based authentication and which Apple clients require the Microsoft Enterprise SSO plug-in to satisfy Conditional Access device requirements.
Changes:
- Added a NOTE explaining the transition of Apple device identity key storage (Keychain → Secure Enclave) and the resulting Enterprise SSO plug-in requirement for non-MSAL apps (including Safari).
- Fixed formatting/indentation for the “Report-only mode” link in the “Next steps” section.
| > [!NOTE] | ||
| > On Windows, iOS, Android, macOS, and some non-Microsoft web browsers, Microsoft Entra ID identifies the device by using a client certificate that is provisioned when the device is registered with Microsoft Entra ID. When a user first signs in through the browser, the user is prompted to select the certificate. The user must select this certificate before they can continue to use the browser. | ||
| > | ||
| > For Apple devices as Microsoft Entra ID transitions the storage of device identity keys from Apple Keychain to Apple Secure Enclave, the Microsoft Enterprise SSO plug‑in for Apple devices must be enabled for applications that do not use the Microsoft Authentication Library (MSAL), including Safari. Enabling the Enterprise SSO plug‑in ensures that these applications can participate in device-based authentication required by Conditional Access policies, such as Require device to be marked as compliant and Filter for devices condition. For more information about this transition to Apple Secure Enclave, see [Microsoft Enterprise SSO plug‑in for Apple devices – Microsoft identity platform on Microsoft Learn](https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin#device-identity-key-storage) |
The Learn URL includes the locale segment /en-us. In this repo, Learn links should omit the locale (for example, use https://learn.microsoft.com/entra/...).
| > For Apple devices as Microsoft Entra ID transitions the storage of device identity keys from Apple Keychain to Apple Secure Enclave, the Microsoft Enterprise SSO plug‑in for Apple devices must be enabled for applications that do not use the Microsoft Authentication Library (MSAL), including Safari. Enabling the Enterprise SSO plug‑in ensures that these applications can participate in device-based authentication required by Conditional Access policies, such as Require device to be marked as compliant and Filter for devices condition. For more information about this transition to Apple Secure Enclave, see [Microsoft Enterprise SSO plug‑in for Apple devices – Microsoft identity platform on Microsoft Learn](https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin#device-identity-key-storage) | |
| > For Apple devices as Microsoft Entra ID transitions the storage of device identity keys from Apple Keychain to Apple Secure Enclave, the Microsoft Enterprise SSO plug‑in for Apple devices must be enabled for applications that do not use the Microsoft Authentication Library (MSAL), including Safari. Enabling the Enterprise SSO plug‑in ensures that these applications can participate in device-based authentication required by Conditional Access policies, such as Require device to be marked as compliant and Filter for devices condition. For more information about this transition to Apple Secure Enclave, see [Microsoft Enterprise SSO plug‑in for Apple devices – Microsoft identity platform on Microsoft Learn](https://learn.microsoft.com/entra/identity-platform/apple-sso-plugin#device-identity-key-storage) |
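Review bot: dropping /en-us addresses the hard-coded-locale warning, but the link is still absolute (https://learn.microsoft.com/entra/...), so the docs-link-absolute suggestion at line 73, column 614 remains; the relative path `/entra/identity-platform/apple-sso-plugin#device-identity-key-storage` satisfies both checks and is the form the other suggestions on this PR already use.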
| > [!NOTE] | ||
| > On Windows, iOS, Android, macOS, and some non-Microsoft web browsers, Microsoft Entra ID identifies the device by using a client certificate that is provisioned when the device is registered with Microsoft Entra ID. When a user first signs in through the browser, the user is prompted to select the certificate. The user must select this certificate before they can continue to use the browser. | ||
| > | ||
| > For Apple devices as Microsoft Entra ID transitions the storage of device identity keys from Apple Keychain to Apple Secure Enclave, the Microsoft Enterprise SSO plug‑in for Apple devices must be enabled for applications that do not use the Microsoft Authentication Library (MSAL), including Safari. Enabling the Enterprise SSO plug‑in ensures that these applications can participate in device-based authentication required by Conditional Access policies, such as Require device to be marked as compliant and Filter for devices condition. For more information about this transition to Apple Secure Enclave, see [Microsoft Enterprise SSO plug‑in for Apple devices – Microsoft identity platform on Microsoft Learn](https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin#device-identity-key-storage) |
This sentence is hard to parse as written ("For Apple devices as Microsoft Entra ID transitions..."). Consider rephrasing (for example, adding a comma after "For Apple devices" and/or splitting into shorter sentences) and formatting UI/control names like Require device to be marked as compliant and Filter for devices consistently (bold) to improve readability.
| > For Apple devices as Microsoft Entra ID transitions the storage of device identity keys from Apple Keychain to Apple Secure Enclave, the Microsoft Enterprise SSO plug‑in for Apple devices must be enabled for applications that do not use the Microsoft Authentication Library (MSAL), including Safari. Enabling the Enterprise SSO plug‑in ensures that these applications can participate in device-based authentication required by Conditional Access policies, such as Require device to be marked as compliant and Filter for devices condition. For more information about this transition to Apple Secure Enclave, see [Microsoft Enterprise SSO plug‑in for Apple devices – Microsoft identity platform on Microsoft Learn](https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin#device-identity-key-storage) | |
| > For Apple devices, Microsoft Entra ID is transitioning the storage of device identity keys from Apple Keychain to Apple Secure Enclave. The Microsoft Enterprise SSO plug‑in for Apple devices must be enabled for applications that don't use the Microsoft Authentication Library (MSAL), including Safari. Enabling the Enterprise SSO plug‑in ensures that these applications can participate in device-based authentication required by Conditional Access policies, such as **Require device to be marked as compliant** and the **Filter for devices** condition. For more information about this transition to Apple Secure Enclave, see [Microsoft Enterprise SSO plug‑in for Apple devices – Microsoft identity platform on Microsoft Learn](/entra/identity-platform/apple-sso-plugin#device-identity-key-storage). |
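Review bot: the build report for commit f5562c5 still lists the en-us link at line 73, column 614, so confirm that this suggestion (relative link, terminal period) actually landed in that commit rather than only in the review thread. Minor: "plug‑in" in the note body and in the link text uses a non-breaking hyphen (U+2011), while the rest of the page writes "plug-in" with an ASCII hyphen; normalize to the ASCII hyphen so the term is searchable and consistent.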
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Learn Build status updates of commit f5562c5:

| File | Status | Preview URL | Details |
|---|---|---|---|
| docs/identity/conditional-access/concept-conditional-access-grant.md | | | Details |

docs/identity/conditional-access/concept-conditional-access-grant.md

- Line 73, Column 614: [Warning: hard-coded-locale] Link 'https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin#device-identity-key-storage' contains locale code 'en-us'. For localizability, remove 'en-us' from links to most Microsoft sites.
- Line 73, Column 614: [Suggestion: docs-link-absolute] Absolute link 'https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin#device-identity-key-storage' will be broken in isolated environments. Replace with a relative link.
For more details, please refer to the build report.
Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.