We would like to use Azure AD credentials to sign in to Mac machines, and we are aware that this can be achieved for local machines via Azure AD join, while that is currently only supported for Windows 10. Hence, may I know if there is a workaround for us to achieve signing in to Mac machines using Azure AD credentials? We figured out a possible solution: we could create an Azure AD Domain Services instance in our Azure Active Directory, join the Mac machine to the Azure AD Domain Services managed domain, and then use our Azure AD credentials to sign in to the Mac machine. May I know whether it is possible for a Mac machine to join Azure AD Domain Services, and whether the whole process is workable for us to achieve the requirement? Thanks a lot for any ideas on this issue!
Azure AD for Mac
Tags: azure, azure-active-directory, azure-active-directory-ds
Related Solutions
For the critical requirement:
Yes, it can be achieved after you enable the Azure AD Domain Services feature and wait for the user accounts and credential hashes to be synchronized successfully from Azure AD to the Azure AD DS managed domain.
For the other two questions:
The Enable Azure AD Domain Services feature is located on the Configure tab of your Azure AD page (Azure classic portal), as shown below. More details can be found in the docs here.
The sync from Azure AD to the Azure AD DS managed domain starts automatically and runs one-way/unidirectionally in the background. More details here.
Additionally, if your users are synced from on-premises AD, don't forget to configure password synchronization (it cannot be ADFS sync here) with NTLM and Kerberos credential hashes, to make sure the synced users can use their corporate credentials to log in to the servers and services in the managed domain. More details here for reference.
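For the on-premises case described in the answer above, the step that is most often missed is forcing Azure AD Connect to re-send every user's password hashes (including the NTLM and Kerberos credential hashes the managed domain needs) after Azure AD DS has been enabled. The following script is an added example, not code from the answer or from Microsoft's documentation; it assumes the default Azure AD Connect installation path, an Azure AD Connect version that supports legacy credential hash sync (1.1.614.0 or later), and uses the two connector names as placeholders that you must replace with your own (they are case sensitive and can be listed with `Get-ADSyncConnector | Select-Object Name`). Run it in an elevated PowerShell session on the Azure AD Connect server.

```powershell
# Added example: force a full password hash sync from on-premises AD to Azure AD so that
# Azure AD DS receives the NTLM and Kerberos credential hashes for every synced user.
# Assumptions (not from the original answer): default Azure AD Connect install path,
# Azure AD Connect 1.1.614.0 or later, and the two connector names below are placeholders
# that must be replaced with the case-sensitive names from your own installation.
$adConnector      = "contoso.local"                  # placeholder: on-premises AD DS connector name
$azureadConnector = "contoso.onmicrosoft.com - AAD"  # placeholder: Azure AD connector name

Import-Module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1"

# Sanity check: both connectors must exist, otherwise the steps below would fail half-way.
$names = (Get-ADSyncConnector).Name
foreach ($n in @($adConnector, $azureadConnector)) {
    if ($names -notcontains $n) {
        throw "Connector '$n' not found. Available connectors: $($names -join ', ')"
    }
}

# Set the ForceFullPasswordSync global parameter on the AD DS connector so the next
# password sync cycle pushes every user's hashes instead of only recently changed ones.
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
        "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c

# Disable and re-enable password hash sync for the connector pair; the re-enable triggers
# the full sync that the parameter above requested.
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $true

# Confirm that password hash sync is enabled again for the source connector.
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector
```

Two caveats a practitioner will want: this script does nothing for cloud-only Azure AD users, whose NTLM and Kerberos hashes are only generated when they change their password after Azure AD DS has been enabled; and it does not create the managed domain itself, which the answer above covers via the portal.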
The solution would depend both on user account type and device type.
Microsoft accounts (personal)
Currently, only personal Microsoft accounts (e.g. @outlook.com) are fully supported for passwordless login to Windows 10/11 using the Authenticator app.
Azure AD accounts (work or school) on Azure AD joined devices
There is a feature called Web sign-in which allows signing in to Windows using an Azure AD account and the Authenticator app. Unfortunately, it is supported only on Azure AD joined devices, not on hybrid PCs. Also, it is currently in preview with no clear ETA, so it might not be ready for production yet.
Azure AD account or AD account on a hybrid Azure AD joined device or domain-joined device
You can still achieve passwordless login for domain accounts (hybrid or on-prem) using Windows Hello for Business (WHfB) via device PIN, biometrics, smart card or FIDO2 key. The Authenticator app is not supported for this scenario. Basically, WHfB replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair. It gets a bit tricky from here on. E.g. WHfB is NOT the same as Windows Hello, even though it has the exact same words in it (I know, right). The deployment might get complicated depending on your current environment. More info can be found in the official deployment guide.
Best Answer
You cannot join Azure AD with Mac OS X. If this is important to you, you can upvote this in the Feedback forum.
It's possible for a Mac to join Azure AD Domain Services.
One Identity Authentication Services enables Unix, Linux, and Mac OS X systems to use the access, authentication, and authorization of an organization’s existing Active Directory (AD) infrastructure. Authentication Services now supports Azure Active Directory Domain Services enabling non-Windows resources to utilize the same next-generation platform that your existing SaaS solutions already use.
Also, there is a guide to integrating Mac OS X with AD.
Since I don't have Mac OS X in my test lab, I didn't test this.
Hope this helps!