Federated Authentication with Apple Business Manager

In this post I will show how to configure federated authentication with Apple Business Manager. In September 2019 Apple added support for federated authentication with Microsoft Azure Active Directory using just-in-time (JIT) account creation. With federated authentication, Managed Apple IDs are created using Azure Active Directory as the identity provider: when a user signs in with an account in a federated domain, they are redirected to Azure AD for authentication. In the August 2020 update of Apple Business Manager, SCIM was added to support automated user provisioning from Azure AD. With SCIM you can pre-provision and deprovision accounts in Apple Business Manager. Even when an account is pre-provisioned, the user still has to sign in on an Apple device once to finish setting it up.

There are currently two ways to configure federated authentication with Apple Business Manager:

  • Just In Time (JIT)
  • System for Cross-domain Identity Management (SCIM)

JIT

If you federate Apple Business Manager with Azure AD, JIT is used by default. With JIT, a Managed Apple ID is created the first time a user signs in to an Apple device with Azure AD credentials, so only users who have signed in to a device have a Managed Apple ID in Apple Business Manager. The accounts are created with the role “Staff”. A disadvantage of JIT is that accounts are only created, never removed: if a user is deleted from Azure AD, a stale Managed Apple ID remains in Apple Business Manager and has to be cleaned up manually.
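To see what that clean-up looks like in practice, here is an added example (not from the original post) that reconciles an Apple Business Manager accounts export against an Azure AD user export and lists the Managed Apple IDs whose Azure AD user has been deleted or disabled. The CSV column names (“Managed Apple ID”, “Role”, “userPrincipalName”, “accountEnabled”), the federated domain vmlabblog.com and the rows themselves are constructed assumptions; adjust the column names to whatever your exports actually contain.

```python
"""Find stale JIT-created Managed Apple IDs.

Added example, not part of the original post. JIT only creates accounts, so a
user deleted (or disabled) in Azure AD leaves a Managed Apple ID behind in
Apple Business Manager. This compares two CSV exports. Column names are an
assumption: the ABM accounts export is assumed to carry 'Managed Apple ID'
and 'Role', the Azure AD export 'userPrincipalName' and 'accountEnabled'.
"""
import csv
import io

# Only accounts in federated domains are created by JIT; other Managed Apple
# IDs (e.g. the initial @example.appleid.com administrator) are ignored.
FEDERATED_DOMAINS = {"vmlabblog.com"}  # constructed example domain

# Constructed sample exports, not real data.
ABM_EXPORT = """Managed Apple ID,Role
jdoe@vmlabblog.com,Staff
asmith@vmlabblog.com,Staff
bjones@vmlabblog.com,Staff
admin@vmlabblog.appleid.com,Administrator
"""

AAD_EXPORT = """userPrincipalName,accountEnabled
jdoe@vmlabblog.com,True
ASmith@vmlabblog.com,False
"""


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def load_abm_accounts(text, federated_domains=FEDERATED_DOMAINS):
    """Managed Apple ID (lower-cased) -> role, for federated domains only."""
    rows = csv.DictReader(io.StringIO(text))
    return {
        row["Managed Apple ID"].strip().lower(): row["Role"].strip()
        for row in rows
        if _domain(row["Managed Apple ID"]) in federated_domains
    }


def load_aad_users(text):
    """UPN (lower-cased, UPNs are case-insensitive) -> enabled flag."""
    rows = csv.DictReader(io.StringIO(text))
    return {
        row["userPrincipalName"].strip().lower():
        row["accountEnabled"].strip().lower() == "true"
        for row in rows
    }


def find_stale(abm_accounts, aad_users):
    """Return {'missing': [...], 'disabled': [...]}.

    'missing'  - Managed Apple IDs whose Azure AD user no longer exists
    'disabled' - Managed Apple IDs whose Azure AD user exists but is disabled
                 (the user cannot sign in any more, but the ID still exists)
    """
    missing, disabled = [], []
    for apple_id in sorted(abm_accounts):
        if apple_id not in aad_users:
            missing.append(apple_id)
        elif not aad_users[apple_id]:
            disabled.append(apple_id)
    return {"missing": missing, "disabled": disabled}


if __name__ == "__main__":
    report = find_stale(load_abm_accounts(ABM_EXPORT), load_aad_users(AAD_EXPORT))
    for kind, ids in report.items():
        for apple_id in ids:
            print(f"{kind}: {apple_id}")
```

Run it against the two real exports and the “missing” list is what you delete from Apple Business Manager by hand; the “disabled” list is worth reviewing as well, because those Managed Apple IDs survive the Azure AD disable and come back to life if the user is re-enabled.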

SCIM

An alternative to JIT, SCIM, was introduced in August 2020. With SCIM, accounts are synced from Azure AD to Apple Business Manager. To set up SCIM you add provisioning to the Apple Business Manager enterprise app, which is created when you connect Apple Business Manager to Azure AD. You can sync either only the users assigned to the Apple Business Manager enterprise app, or all Azure AD users. The sync runs every 40 minutes; it adds new users and deactivates users that have been deleted in Azure AD. Deactivated accounts are removed from Apple Business Manager within 30 days.

Requirements

To use federated authentication with Apple Business Manager, your Apple devices must meet the following requirements:

  • iOS 11.3 or later
  • iPadOS 13.1 or later
  • macOS 10.13.4 or later

Configuration

The configuration consists of 6 steps, including an optional step to configure SCIM.

  1. Verify your domain
  2. Connect to the Azure AD
  3. Test Federation for conflicts
  4. Configure SCIM (Optional)
  5. Enable Federation
  6. Test a federated account

Verify your domain

Before you can federate with Azure AD, you need to add your domain to Apple Business Manager and verify it. You can federate one or more domains as long as they are all custom domains of the same Azure AD tenant. You cannot federate multiple Azure AD tenants with one Apple Business Manager.

1. Log in to Apple Business Manager and select “Settings”.

2. Select “Accounts” -> “Domains” and press “Edit”.

3. Select the domain you want to federate and press “Verify”.

4. Add the displayed TXT record to the DNS zone of the domain at your registrar or DNS host, wait until the record is publicly resolvable (a TXT lookup against a public resolver returns it), then press “Check Now”.

5. The domain is now verified and can be federated. Press “Done” to continue.


Connect to the Azure AD

In this step you register Apple Business Manager in Azure AD. This registration allows Apple Business Manager to sign users in and read their user profiles.

6. Press “Edit” to start the federation.

7. Press “Connect…” to connect to Azure Active Directory.

8. In the “Connect to your Identity Provider” popup, press the button “Sign in to Microsoft Azure Active Directory Portal…”.

9. Sign in with an account that has the rights to grant admin consent, for example a Global Administrator (https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal).

10. Press “Accept” to register Apple Business Manager as an enterprise application in Azure AD. Review the listed permissions before accepting: this consent is granted on behalf of the whole tenant and allows Apple Business Manager to sign users in and read user profiles in Azure AD.

11. Apple Business Manager is now connected to Azure Active Directory.


Test Federation

Now that Azure AD has successfully been connected to Apple Business Manager, the next step is to test the federation. This does not yet enable federation.

12. Press “Federate” to sign in.

13. Sign in with a Microsoft Azure AD Global Administrator, Application Administrator, or Cloud Application Administrator account.

14. Apple Business Manager now checks for user name conflicts (for example personal Apple IDs that use an email address in the federated domain). This takes some time; press “Done” to continue.

15. If any conflicts are detected you will be notified in the domains overview. You will not be able to see which accounts are causing the conflicts.


Configure SCIM

If you don’t want to use SCIM, skip this step and continue with enabling federation. In this step you add provisioning to the Apple Business Manager enterprise app. This allows automated provisioning and deprovisioning of users and synchronization of attributes between the two identity stores.

16. Select “Data Source” in the Settings menu and press “Connect”.

17. Copy the token and tenant URL. The token is valid for one year, so add a reminder to your calendar to renew it before it expires. Treat it as a credential: together with the tenant URL it authorizes creating and deactivating accounts in your Apple Business Manager over SCIM.

18. Log in to the Azure portal, select “Azure Active Directory” -> “Enterprise applications” and open the “Apple Business Manager” registration (this registration was created when you connected Apple Business Manager to Azure AD).

19. Select “Provisioning” in the navigation pane and press “Get started”.

20. Set “Provisioning Mode” to “Automatic”. Paste the Tenant URL and Secret Token from step 17 and press “Test Connection”. Press “Save” before you continue.

21. Add additional mappings if required. By default, mappings for First Name, Last Name, UPN, Object ID, Department and Employee ID are created. Only map attributes listed by Apple; other attributes may break the SCIM connection. Also, don’t add user attributes while provisioning is running.

Azure AD user attribute    Apple Business Manager user attribute                                           Required
First Name                 First Name                                                                      Yes
Last Name                  Last Name                                                                       Yes
User Principal Name        Managed Apple ID and email address                                              Yes
Object ID                  (Not shown in Apple Business Manager; used to identify conflicting accounts)    Yes
Department                 Department                                                                      No
Employee ID                Person Number                                                                   No
Custom Attribute *         Cost Center                                                                     No
Custom Attribute *         Division                                                                        No

* The custom attribute must be created in the Apple Business Manager Azure AD app.
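As an added example (not from the original post, and not Apple’s or Microsoft’s code), the following builds the SCIM user record that the mappings in the table above produce for one Azure AD user, and fails closed on any Azure AD attribute that is not in the table, which is the “only map attributes listed by Apple” rule from step 21 enforced before anything reaches the Apple endpoint. The SCIM target paths (userName, externalId, name.givenName, name.familyName and the enterprise extension attributes department, employeeNumber, costCenter, division) and the active flag derived from accountEnabled are assumptions based on the standard SCIM core and enterprise schemas that Azure AD provisioning uses; the post only shows the Apple-side display names. The sample user is constructed.

```python
"""Build and validate the SCIM user that Azure AD provisioning would send to
Apple Business Manager, following the attribute table in the post.

Added example, not part of the original post. SCIM target paths and the
'active' mapping are assumptions based on the standard SCIM core/enterprise
schemas; Apple's exact target names are not shown in the post.
"""
import json

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Azure AD attribute -> (SCIM target path, required), one row per table entry.
MAPPING = {
    "givenName": ("name.givenName", True),            # First Name
    "surname": ("name.familyName", True),             # Last Name
    "userPrincipalName": ("userName", True),          # Managed Apple ID / email
    "objectId": ("externalId", True),                 # conflict detection key
    "department": (ENTERPRISE + ":department", False),
    "employeeId": (ENTERPRISE + ":employeeNumber", False),   # Person Number
    "costCenter": (ENTERPRISE + ":costCenter", False),       # custom attribute
    "division": (ENTERPRISE + ":division", False),           # custom attribute
}

# Azure AD attributes accepted by the builder but not sent as a mapped value.
CONTROL_ATTRIBUTES = {"accountEnabled"}


def _set_path(obj, path, value):
    """Set a dotted path; enterprise attributes live under the extension key."""
    if path.startswith(ENTERPRISE + ":"):
        obj.setdefault(ENTERPRISE, {})[path[len(ENTERPRISE) + 1:]] = value
        return
    parts = path.split(".")
    for part in parts[:-1]:
        obj = obj.setdefault(part, {})
    obj[parts[-1]] = value


def build_scim_user(aad_user):
    """Return the SCIM representation of an Azure AD user dict.

    Raises ValueError when a required attribute is missing or empty, and for
    any attribute outside MAPPING: the post warns that attributes Apple does
    not list can break the SCIM connection, so unknown input is rejected
    instead of being forwarded.
    """
    unknown = set(aad_user) - set(MAPPING) - CONTROL_ATTRIBUTES
    if unknown:
        raise ValueError(f"attributes not supported by Apple Business Manager: {sorted(unknown)}")

    scim = {}
    for attr, (path, required) in MAPPING.items():
        value = aad_user.get(attr)
        if value in (None, ""):
            if required:
                raise ValueError(f"required attribute missing: {attr}")
            continue
        _set_path(scim, path, value)

    # A disabled Azure AD user is sent as active=false (assumption: standard
    # provisioning behaviour); Apple Business Manager deactivates such
    # accounts rather than deleting them immediately.
    scim["active"] = bool(aad_user.get("accountEnabled", True))
    scim["schemas"] = [CORE] + ([ENTERPRISE] if ENTERPRISE in scim else [])
    return scim


# Constructed sample user, not real data.
SAMPLE_USER = {
    "givenName": "John",
    "surname": "Doe",
    "userPrincipalName": "jdoe@vmlabblog.com",
    "objectId": "8f8d4c0e-1b7e-4c7d-9a6b-2f3e1d4c5b6a",
    "department": "IT",
    "employeeId": "1001",
    "accountEnabled": True,
}

if __name__ == "__main__":
    print(json.dumps(build_scim_user(SAMPLE_USER), indent=2))
```

The useful part is the failure mode: feeding the builder a user with an extra attribute such as mobilePhone, or one whose surname is empty, raises instead of producing a record, which mirrors the two ways a mapping change in the Azure portal can silently break the sync.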

22. In the Settings pane, choose whether you want to receive an email notification when a failure occurs, and select the scope of users to sync:

Sync only assigned users and groups    Only users assigned to the Apple Business Manager enterprise app
Sync all users and groups              All users in Azure AD

23. Turn provisioning on and press “Save”.

Enable Federation

The final step is to enable federation. How you enable it depends on whether any user name conflicts were found. If there are no conflicts you can simply flip the “Federation Not Enabled” switch. If there are conflicts, you need to perform the following steps to reclaim the conflicting addresses. One thing I noticed: once you enable federation while there are conflicts, it is not possible to disconnect the domain for 60 days.

24. Enable federation by flipping the switch.

25. A popup appears offering to send a notification to all users who have used the federated domain for a personal Apple ID. Press “Send Notifications” to continue.

26. Confirm that a notification email will be sent to the conflicting accounts by pressing “OK”.

27. The notification is sent; this takes a few seconds. (Also notice that “Disconnect” is now greyed out and can no longer be used to disconnect the domain.)

28. Because of the user name conflicts, federation has not yet been enabled. You can wait until the conflicts have been resolved, or enable federation immediately by flipping the “Federation Not Enabled” switch again.

29. Federation is now enabled.

Test a Federated account

The last step is to check that federation works. Let’s see what happens when a user signs in on an iPhone with a federated Managed Apple ID.

30. Enter a federated Azure AD account and press “Next”.

31. A message appears that you will be redirected to the sign-in page of the IdP (Azure AD) for authentication; press “Continue”.

32. Enter your credentials and press “Sign in” to continue.

33. You are now signed in with your federated Managed Apple ID.

34. You are now signed in on your iPhone with a Managed Apple ID.

I hope you liked this blog about federated authentication with Apple Business Manager. Just leave a reply if you have questions or remarks about this post.

10 thoughts on “Federated Authentication with Apple Business Manager”

  1. Per Johnsen

    Hi Aad!
    Great article! This clarifies things quite a bit.
    I was hoping you could answer a couple of things for me if you have the time?
    1. Say you have an Azure AD user John Doe with upn jd@vmlablog.com. Apple says you can use any registered domain name for your apple ids. Can you use a different domain than vmlablog.com as the name of the domain you want to federate? If you f.ex use vmlablog.appleid.com, the UPN will differ from Azure AD and the federated domain. Will this cause any issues?

    2. In your article you write that when you enable federation, an email will be sent out to those who have an apple id with conflicting names. They are given 60 days to get the heck out of Dodge, but you say that if you click “federate” once more the federation starts now. Does that mean that the conflicting users are kicked out immediately?
    Thanks again for your time. I am to present to the rest of the IT staff my thoughts about how to enable the federation, and anything that can help me look like I have an IQ above absolute zero will be appreciated!

    Reply
    1. Aad Lutgert Post author

      Hi Per,

      1. You can only configure federated authentication with one Azure AD. But you can if this Azure AD contains multiple custom domains federate with all Custom domains within this Azure AD simultaneously.

      Example: I currently have two custom domain names registered in my Azure AD: vmlabblog.com and vmlabexample.com. I can because vmlabexample.com is a custom domain of the same Azure AD also add it in Apple Business manager. I can also disable federation with vmlabblog.com and only vmlabexample.com.

      2. When you enable federation the users will have 60 days to change their email address. The users will receive an email:

      Company x has claimed “@domain.com”. Starting March 17, 2021, you will no longer be able to use “email@domain.com” as the email address for your Apple ID.

      Choose a different email address to continue using this Apple ID. Your data and purchases will not be affected by this change. Update your Apple ID at appleid.apple.com or on any of your macOS or iOS devices where you are signed in to iCloud.

      Users will receive such an email until the 60 days are up. In this case, March 17. After that, the email address will be changed to email@temporary.appleid.com. By using this email address and the current password, the email address can still be changed.

      I hope this answers your questions.

      best regards, Aad

      Reply
  2. Daniel Crossfield

    Hi Aad,

    Thanks for this info. It’s great.

    One question – Can you confirm what the temporary Apple ID will be? For example, will it follow the same convention at the one being reclaimed, so dcrossfield@temporary.appleid.com, or will the prefix be completely random?

    Reply
    1. Aad Lutgert Post author

      Hi Daniel,

      You’re welcome. The prefix will contain the full email address of the user. As I don’t want to disclose your email address, I will use an example. If your current email address is “dcrossfield@vmlabblog.com” then after the change it will be “dcrossfield-vmlabblog.com@temporary.appleid.com”.

      best regards, Aad

      Reply
      1. Daniel Crossfield

        Yet again great, and such a quick response!

        To confirm, it would be dcrossfield-vmlabblog.com@…, NOT dcrossfield-vmlabblog-com@…?

        Regards,

        Dan

        Reply
  3. Daniel Crossfield

    Aad,

    Me again, sorry. I hope you’re well. Two questions if I may;

    Once I’ve federated our domain, can end users change their temporary Apple ID back to the one which was conflicting in the first place? I know Apple allows users to edit their Apple IDs at any time.

    Thanks,

    Dan

    Reply
    1. Aad Lutgert Post author

      Hi Dan,

      Once the domain is federated users are able to login using their federated Email address. A Managed Apple ID will be then created. It’s not possible to change the email address of a personal apple id back to a federated email address.

      best regards, Aad

      Reply
  4. Kai

    Hi and thanks for the great guide!

    There is one issue I’m currently facing and maybe you have an idea: When I use a synchronized account to set up an iPhone with authentication over AD, this is working quite fine. I just can’t use the App Store then with this account. I can search and select apps but ‘download’ is always grayed out. I would like to have people using the Store freely with their iPhones.

    Thanks,
    Kai

    Reply
    1. Aad Lutgert Post author

      Hi Kai,

      It’s not possible to “purchase” apps with a Managed Apple ID. Apps can only be assigned using an MDM solution like Intune or others. Not all services are available with a Managed Apple ID. This support page created by Apple shows the services which are not available with a Managed Apple ID.

      Best regards, Aad

      Reply
