diff --git a/src/azure-cli-core/azure/cli/core/_profile.py b/src/azure-cli-core/azure/cli/core/_profile.py
index e9c533cdf96..c7e321ffd43 100644
--- a/src/azure-cli-core/azure/cli/core/_profile.py
+++ b/src/azure-cli-core/azure/cli/core/_profile.py
@@ -860,8 +860,8 @@ def _create_identity_instance(cli_ctx, *args, **kwargs):
 """Lazily import and create Identity instance to avoid unnecessary imports."""
 from .auth.identity import Identity
- # Only enable encryption for Windows (for now).
- fallback = sys.platform.startswith('win32')
+ # Only enable encryption for Windows and MacOS (for now).
+ fallback = sys.platform.startswith('win32') or sys.platform.startswith('darwin')
 # encrypt_token_cache affects both MSAL token cache and service principal entries.
 encrypt = cli_ctx.config.getboolean('core', 'encrypt_token_cache', fallback=fallback)
diff --git a/src/azure-cli-core/azure/cli/core/auth/persistence.py b/src/azure-cli-core/azure/cli/core/auth/persistence.py
index 6ebec24883f..858d657d20f 100644
--- a/src/azure-cli-core/azure/cli/core/auth/persistence.py
+++ b/src/azure-cli-core/azure/cli/core/auth/persistence.py
@@ -21,6 +21,8 @@
 # Files extensions for encrypted and plaintext persistence
 file_extensions = {True: '.bin', False: '.json'}
+KEYCHAIN_SERVICE_NAME = 'azure-cli'
+
 def load_persisted_token_cache(location, encrypt):
 persistence = build_persistence(location, encrypt)
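Review bot: The rewritten comment on the `fallback` line names the platforms that get encryption by default but not what the default means everywhere else: on Linux and any other platform `fallback` stays False, so unless the user sets `core.encrypt_token_cache` the MSAL token cache and service-principal entries are persisted unencrypted (the `file_extensions` map in persistence.py pairs False with a plaintext `.json` file). I would extend it to `# Encryption is on by default only on Windows and macOS (for now); elsewhere the cache is written in plaintext unless core.encrypt_token_cache is set.`. As a point of style, the two calls collapse into one, `fallback = sys.platform.startswith(('win32', 'darwin'))`, and the spelling is "macOS"; note that this check uses the prefix `'win32'` while build_persistence in persistence.py uses `'win'`, which is harmless but worth aligning. _create_identity_instance continues past the end of the hunk.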
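Review bot: `KEYCHAIN_SERVICE_NAME` is introduced without a comment, yet it is half of the key under which the macOS Keychain entry is looked up (the later hunk in this file documents the (service_name, account_name) pairing), so changing the value in a future release would silently orphan every existing Keychain entry and force users to log in again. I would document that constraint where the constant is defined: `# Keychain "service" under which the token cache is stored on macOS. Entries are found by (service_name, account_name); changing this orphans existing entries.`. load_persisted_token_cache continues past the end of the hunk.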
@@ -38,16 +40,27 @@ def build_persistence(location, encrypt):
 logger.debug("build_persistence: location=%r, encrypt=%r", location, encrypt)
 if encrypt:
 if sys.platform.startswith('win'):
+ # For FilePersistenceWithDataProtection, location is where the credential is stored.
+ logger.debug("Initializing FilePersistenceWithDataProtection.")
 return FilePersistenceWithDataProtection(location)
 if sys.platform.startswith('darwin'):
- return KeychainPersistence(location, "my_service_name", "my_account_name")
+ # For KeychainPersistence, location is only used as a signal for the credential's last modified time.
+ # The credential is stored in Keychain identified by (service_name, account_name) combination.
+ # msal-extensions automatically computes account_name from signal_location.
+ # https://github.com/AzureAD/microsoft-authentication-extensions-for-python/pull/103
+ logger.debug("Initializing KeychainPersistence")
+ return KeychainPersistence(location, service_name=KEYCHAIN_SERVICE_NAME)
 if sys.platform.startswith('linux'):
+ # TODO: Support token cache encryption on Linux
+ logger.debug("Initializing LibsecretPersistence.")
 return LibsecretPersistence(
 location,
 schema_name="my_schema_name",
 attributes={"my_attr1": "foo", "my_attr2": "bar"}
 )
 else:
+ # For FilePersistence, location is where the credential is stored.
+ logger.debug("Initializing FilePersistence")
 return FilePersistence(location)
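Review bot: When `encrypt` is True on a platform that matches none of the `'win'`, `'darwin'` or `'linux'` prefixes, build_persistence still falls off the end of the `if encrypt:` branch and returns None (assuming the `else:` pairs with `if encrypt:`; indentation is not visible in this hunk), so load_persisted_token_cache gets None instead of a clear failure. Add an explicit error after the linux branch, e.g. `raise NotImplementedError(f"Token cache encryption is not supported on {sys.platform}")`, so that opting in to encryption never silently yields no persistence at all. The Linux branch also keeps the placeholder `schema_name="my_schema_name"` and `attributes={"my_attr1": "foo", "my_attr2": "bar"}` that the macOS branch just replaced; the new TODO should at least say that a user who sets encrypt_token_cache on Linux currently stores the cache under these placeholder identifiers. Minor: two of the four new debug messages end with a period and two do not.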