In this post I will show how to configure federated authentication with Apple Business Manager. In September 2019 Apple added support for federated authentication with Microsoft Azure Active Directory using JIT. With federated authentication, Managed Apple ID accounts are created using Azure Active Directory as the identity provider. When you try to log on with an account in the federated domain, you are forwarded to Azure for authentication. In the August 2020 update of Apple Business Manager, SCIM was added to support user provisioning from Azure AD. With SCIM you are able to preprovision and deprovision accounts in Apple Business Manager. Although the account is preprovisioned in Apple Business Manager, the user still needs to log in on an Apple device once to finish setting it up.
There are currently two ways to configure federated authentication with Apple Business Manager:
- Just In Time (JIT)
- System for Cross-domain Identity Management (SCIM)
If you federate Apple Business Manager with Azure AD, JIT is used by default. With JIT, a Managed Apple ID is created when a user logs on to an Apple device with Azure AD credentials, so only users who have logged on to a device will have a Managed Apple ID in Apple Business Manager. The accounts are created with the role “Staff”. A disadvantage of JIT is that accounts are only created, never removed: if a user is deleted from Azure AD, a stale Managed Apple ID remains in Apple Business Manager and needs to be cleaned up manually.
An alternative to JIT called SCIM was introduced in August 2020. With SCIM, accounts are synced from Azure AD to Apple Business Manager. To set up SCIM you add provisioning to the Apple Business Manager enterprise app that is created when you connect Apple Business Manager to Azure AD. You can sync either only the users assigned to the Apple Business Manager enterprise app or all Azure AD users. The sync runs every 40 minutes; it adds new users and deactivates users that have been deleted in Azure AD. Deactivated accounts are removed from Apple Business Manager within 30 days.
To use federated authentication with Apple Business Manager, your Apple devices must meet the following requirements:
- iOS 11.3 or later
- iPadOS 13.1 or later
- macOS 10.13.4 or later
The configuration consists of 6 steps, including an optional step to configure SCIM:
- Verify your domain
- Connect to the Azure AD
- Test Federation for conflicts
- Configure SCIM (Optional)
- Enable Federation
- Test a federated account
Verify your domain
Before you are able to federate with Azure AD, you need to add and verify your domain in Apple Business Manager. You can federate one or more domains as long as they are all configured within the same Azure tenant. You cannot federate multiple Azure tenants with one Apple Business Manager.
1. Log in to Apple Business Manager and select “Settings”
2. Select “Accounts” -> “Domains” and press “Edit”
3. Select the domain you want to federate and press “Verify”
4. Add the displayed TXT record to the DNS configuration at your registrar, wait for it to propagate and press “Check Now”
5. The domain is now verified and can be federated. Press “Done” to continue.
Connect to the Azure AD
During this step you will register the Apple Business Manager in the Azure AD. With this registration Apple Business Manager will be able to sign in and read user profiles.
6. Press “Edit” to start federation.
7. Press “Connect…” to connect with the Azure Active Directory.
8. In the popup “Connect to your Identity Provider” press the button “Sign in to Microsoft Azure Active Directory Portal…”
9. Sign in with an account that has the rights to grant consent, for example a Global Administrator (https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal)
10. Press “Accept” to register Apple Business Manager as an enterprise application in Azure AD. This allows Apple Business Manager to sign in and read user profiles in Azure AD.
11. Apple Business Manager is now connected to the Azure Active Directory.
Test Federation for conflicts
Now that Azure AD has successfully been connected with Apple Business Manager, the next step is to test the federation. This test does not enable federation yet.
12. Press “Federate” to sign in
13. Sign in to the portal with a Microsoft Azure AD Global Administrator, Application Administrator, or Cloud Application Administrator account
14. Apple Business Manager will now check for user name conflicts (e.g. personal Apple IDs that use the federated domain). This will take some time; press “Done” to continue.
15. If any conflicts are detected you will be notified in the domains overview. You will not be able to see which account is causing the conflict.
Configure SCIM (Optional)
If you don’t want to use SCIM, this step can be skipped and you can continue with enabling federation. During this step you add provisioning to the Apple Business Manager enterprise app. This allows automated (de)provisioning of users and synchronization of attributes between the identities.
16. Select “Data Source” in the Settings menu and press “Connect”
17. Copy the Token and Tenant URL. (The token is valid for 1 year; add a reminder to your calendar to renew it before it expires.)
18. Log in to the Azure Portal, select “Azure Active Directory” -> “Enterprise applications” and select the registration for “Apple Business Manager” (this registration was created when connecting to the Azure Active Directory)
19. Select “Provisioning” in the navigation pane and press “Get started”.
20. Set the “Provisioning Mode” to “Automatic”. Paste the Tenant URL and Secret Token (from step 17) and press “Test Connection” to test the connection. Press “Save” before you continue.
21. Add additional mappings if required. By default the mappings First Name, Last Name, UPN, Object ID, Department and Employee ID are created. Only use attributes listed by Apple; other attributes may break the SCIM connection. Also do not add user attributes during provisioning.
| Azure AD user attribute | Apple Business Manager user attribute | Required |
| --- | --- | --- |
| First Name | First Name | Yes |
| Last Name | Last Name | Yes |
| User Principal Name | Managed Apple ID and email address | Yes |
| Object ID | (Not shown in Apple Business Manager. This attribute is used to identify conflicting accounts.) | Yes |
| Employee ID | Person Number | No |
| Custom Attribute (must be created in the Apple Business Manager Azure AD app) | Cost Center | No |
| Custom Attribute (must be created in the Apple Business Manager Azure AD app) | Division | No |
22. In the Settings pane select whether you want to receive notifications when a failure occurs and select the scope of users you want to sync.
| Scope option | Users synced |
| --- | --- |
| Sync only assigned users and groups | Only users assigned to Apple Business Manager |
| Sync all users and groups | All users in the Azure AD |
23. Turn on provisioning and press “Save”
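As an added illustration of the mapping table and of the deactivate-on-delete behaviour (example code written for this post, not Apple’s or Microsoft’s), the block below builds the SCIM 2.0 user document that one provisioning cycle would send for a single Azure AD user, rejects attributes outside the allow-list, and produces the PATCH body used to deactivate a deleted user. The SCIM attribute names follow RFC 7643; the Azure AD source attribute names (givenName, surname, userPrincipalName, objectId, employeeId, department, costCenter, division) and the sample user are assumptions.

```python
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Azure AD attribute -> (SCIM target, required), mirroring the mapping table above.
# Azure AD names are assumed; SCIM names follow RFC 7643. Attributes outside this
# allow-list are rejected, since unsupported attributes may break the SCIM connection.
MAPPING = {
    "givenName": ("name.givenName", True),
    "surname": ("name.familyName", True),
    "userPrincipalName": ("userName", True),                # Managed Apple ID
    "objectId": ("externalId", True),                       # conflict detection
    "employeeId": (ENTERPRISE + ":employeeNumber", False),  # Person Number
    "department": (ENTERPRISE + ":department", False),
    "costCenter": (ENTERPRISE + ":costCenter", False),      # custom attribute
    "division": (ENTERPRISE + ":division", False),          # custom attribute
}

def _set_path(doc, path, value):
    """Assign value at a SCIM path; enterprise attributes live under the URN key."""
    if path.startswith(ENTERPRISE):
        doc.setdefault(ENTERPRISE, {})[path.rsplit(":", 1)[1]] = value
        return
    node = doc
    parts = path.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value

def build_scim_user(azure_user):
    """Return the SCIM User resource for one Azure AD user (body of POST /Users)."""
    unknown = sorted(set(azure_user) - set(MAPPING))
    if unknown:
        raise ValueError(f"attributes not supported by Apple: {unknown}")
    missing = [a for a, (_, req) in MAPPING.items() if req and not azure_user.get(a)]
    if missing:
        raise ValueError(f"required attributes missing: {missing}")
    doc = {"schemas": [CORE], "active": True}
    for attr, (path, _) in MAPPING.items():
        if attr in azure_user:
            _set_path(doc, path, azure_user[attr])
    if ENTERPRISE in doc:
        doc["schemas"].append(ENTERPRISE)
    # The UPN becomes both the Managed Apple ID and the e-mail address.
    doc["emails"] = [{"value": azure_user["userPrincipalName"], "primary": True}]
    return doc

def deactivate_patch():
    """PATCH body sent once the user is deleted in Azure AD; Apple removes it within 30 days."""
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}

# Constructed sample user, not a real account.
SAMPLE_USER = {"givenName": "Jane", "surname": "Doe",
               "userPrincipalName": "jane.doe@example.com",
               "objectId": "00000000-0000-0000-0000-000000000001",
               "employeeId": "E1001", "department": "IT", "costCenter": "CC-42"}

if __name__ == "__main__":
    print(build_scim_user(SAMPLE_USER))
```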
Enable Federation
The final step is to enable federation. The steps you need to perform depend on whether there are any user name conflicts. If there are no conflicts you can simply flip the switch “Federation Not Enabled”. If you do have conflicts, you need to perform the following steps to reclaim the accounts. One thing I noticed: when there are conflicts and you enable federation, it is not possible to disconnect the domain for 60 days.
24. Enable Federation by flipping the switch.
25. A popup will appear to send a notification to all users who have used the federated domain for a personal Apple ID. Press “Send Notifications” to continue.
26. Confirm that a notification (email) will be sent to the conflicting accounts by pressing “OK”.
27. The notification is sent; this takes a few seconds. (Also notice that “Disconnect” is greyed out and can no longer be used to disconnect the domain.)
28. Because of the user name conflicts, federation was not enabled yet. You can wait until the conflicts have been resolved, or enable federation immediately by flipping the switch “Federation Not Enabled” again.
29. Federation is now enabled.
Test a Federated account
The final step is to test if the federation is working. Let’s see what happens when a user tries to login to an iPhone with a federated Apple ID.
30. Enter a federated Azure AD account and press “Next”.
31. A message will appear that you will be redirected to the sign-in page of the IdP (Azure AD) for authentication; press “Continue”.
32. Enter your credentials and press “Sign in” to continue.
33. You will now be signed in with your federated Managed Apple ID.
34. You’re now signed in on your iPhone with a Managed Apple ID account.
I hope you liked this blog about federated authentication with Apple Business Manager. Just leave a reply if you have questions or remarks about this post.
Great article! This clarifies things quite a bit.
I was hoping you could answer a couple of things for me if you have the time?
1. Say you have an Azure AD user John Doe with upn email@example.com. Apple says you can use any registered domain name for your apple ids. Can you use a different domain than vmlablog.com as the name of the domain you want to federate? If you f.ex use vmlablog.appleid.com, the UPN will differ from Azure AD and the federated domain. Will this cause any issues?
2. In your article you write that when you enable federation, an email will be sent out to those who have an apple id with conflicting names. They are given 60 days to get the heck out of Dodge, but you say that if you click “federate” once more the federation starts now. Does that mean that the conflicting users are kicked out immediately?
Thanks again for your time. I am to present to the rest of the IT staff my thoughts about how to enable the federation, and anything that can help me look like I have an IQ above absolute zero will be appreciated!
1. You can only configure federated authentication with one Azure AD. But if this Azure AD contains multiple custom domains, you can federate with all custom domains within this Azure AD simultaneously.
Example: I currently have two custom domain names registered in my Azure AD: vmlabblog.com and vmlabexample.com. Because vmlabexample.com is a custom domain of the same Azure AD, I can also add it in Apple Business Manager. I can also disable federation with vmlabblog.com and keep only vmlabexample.com.
2. When you enable federation the users will have 60 days to change their email address. The users will receive an email:
Company x has claimed “@domain.com”. Starting March 17, 2021, you will no longer be able to use “firstname.lastname@example.org” as the email address for your Apple ID.
Choose a different email address to continue using this Apple ID. Your data and purchases will not be affected by this change. Update your Apple ID at appleid.apple.com or on any of your macOS or iOS devices where you are signed in to iCloud.
Users will receive such an email until the 60 days are up. In this case, March 17. After that, the email address will be changed to email@example.com. By using this email address and the current password, the email address can still be changed.
I hope this answers your questions.
best regards, Aad
Thanks for this info. It’s great.
One question – Can you confirm what the temporary Apple ID will be? For example, will it follow the same convention at the one being reclaimed, so firstname.lastname@example.org, or will the prefix be completely random?
You’re welcome. The prefix will contain the full email address of the user. As I don’t want to disclose your email address, I will use an example. If your current email address is “email@example.com” then after the change it will be “firstname.lastname@example.org”.
best regards, Aad
Yet again great, and such a quick response!
To confirm, it would be dcrossfield-vmlabblog.com@…, NOT dcrossfield-vmlabblog-com@…?
That’s correct. The “@” sign in the email address is replaced by a “-” and the “.” are unchanged.
Me again, sorry. I hope you’re well. Two questions if I may;
Once I’ve federated our domain, can end users change their temporary Apple ID back to the one which was conflicting in the first place? I know Apple allows users to edit their Apple IDs at any time.
Once the domain is federated users are able to login using their federated Email address. A Managed Apple ID will be then created. It’s not possible to change the email address of a personal apple id back to a federated email address.
best regards, Aad
Hi and thanks for the great guide!
There is one issue I’m currently facing and maybe you have an idea: When I use a synchronized account to set up an iPhone with authentication over AD, this is working quite fine. I just can’t use the App Store then with this account. I can search and select apps but ‘download’ is always greyed out. I would like to have people using the Store freely with their iPhones.
It’s not possible to “purchase” apps with a managed Apple ID. Apps can only be assigned using an MDM solution like Intune or others. Not all services are available with a managed Apple ID. This support page created by Apple shows the services which are not available with a managed Apple ID.
Best regards, Aad
thanks for the detailed guide. I had a question, perhaps you can shed some light?
the upn used for the current apple id is the same as the ones in azure so the user is signed in with email@example.com as their apple id and also has a azure ad email firstname.lastname@example.org. In this case when federation is enabled, will they still need to change their email or will it automatically recognize that the names are same so after enabling it the users can automatically authenticate with azure ad ?
It depends if the apple id is a personal apple id “email@example.com” it will be renamed to “firstname.lastname@example.org” after 60 days. If the Apple ID is a managed apple ID (created in ABM) then it will be automatically used by the federated account with the same upn.
Great guide! Really detailed, straight forward, and useful!
I just have a couple of questions:
1) Can you federate to two separate Azure AD tenancies? We have a test tenancy and a production tenancy, but would like to link them both to the same ABM. So, for example, we have an ABM account, and we have verified test-domain.com and prod-domain.com, but then we’d also like to federate to both separate Azure AD directories.
2) If you’re not able to federate to two separate directories, are you able to disconnect from one, and then federate to another? So, for example, federate to test-domain.com, and once we’d finished testing, we’d like to disconnect, and then re-federate to prod-domain.com?
Many thanks for your time, and guide!
Thanks for the compliments and the interesting questions.
1) It’s not possible to federate two separate Azure AD tenants to one ABM subscription. You can only connect to one Azure AD tenant, but if this domain has multiple custom domains you can federate all of these domains to ABM.
2) I had to test this one because I thought it might be possible. But unfortunately this is not possible, once you configured federation with an Azure AD Tenant you’re unable to change the tenant from within ABM. You might be able to do this with some help from Apple Support but you will need to ask first.
Hope this will answer your questions!
Great guide! It is quite detailed and comprehensive.
I have couple of questions.
1. Is it possible to secure the Privileged Account / Administrator account (that manages ABM) using Azure AD MFA? For example, ABM allows up to 5 Administrator accounts. I am looking for options where I can leverage Azure AD MFA for authentication.
2. Does ABM portal support Single-Sign-on (SSO) with Azure AD? For example, If I was able to register ABM as an App in AAD would it support SSO login?
Thanks in Advance 🙂
Great writeup! I managed to do this whole process following multiple other guides, but this one has every detail. I wish I had found this one first! I have a question though:
When signing into a federated account, it uses a Microsoft login page (steps 31-33). This works as it should; it authenticates with the user’s password from Azure AD. The issue that I’ve run into is that the session token for this expires after 1 hour. So after an hour, the phone starts asking for an Apple ID login. Is there any way to stop this? The only thing I’ve found is Conditional Access policies, but this requires a premium license. This also only allows extending it out to 90 days.
Thanks again for the great guide!
Awesome writeup! Do you know what happens to Federated Apple IDs if they change UPNs? We might have to do so for a bunch of users and so far Apple Support has not been able to answer our question. Thanks!
Great question. I had to double check before I could answer your question, but the answer is: when you change the UPN of a user in Azure AD, e.g. email@example.com to firstname.lastname@example.org, the Managed Apple ID of the user gets automatically updated from email@example.com to firstname.lastname@example.org in the next provisioning cycle.
best regards, Aad
I’m trying to do an Azure federation on my console Apple Business Manager with multiple domains.
I succeeded for the first domain but I can’t for the other 2.
Is it possible to make several federations in the same Apple console?
The documentation isn’t clear on this point.
Thank you for your answer.
You can federate multiple domains, but they need be part of the same Azure AD (Tenant). For example: Tenant A has custom domain test1.com and test2.com and Tenant B has custom domain testb.com. You will be able to federate test2.com after you’ve federated with test1.com, but you will not be able to federate with testb.com. This is because testb.com belongs to a different Azure AD.
I am trying to find an answer to this across the internet, but haven’t been able to. We have a single Azure AD / Intune and a single domain. HOWEVER, we have 19 Apple School Managers – one per school. Currently they do not logon to iPads, but we’re attempting to Federate a subset of users to each of the 19 Apple School Managers. For completeness, we want to create Managed Apple IDs and allow passcode logon to iPads.
The specific question… is it possible to federate with multiple Apple School Managers from a single Azure AD and a single domain?
Is it possible to use Azure AD federation with onPrem ADFS authentication? we do not sync or use passwords in Azure AD
And what happens if the user no longer remembers password to email@example.com account?
It is logged on the iPhone, but no password recollection
Going via iforgot (in circles) eventually ends up with the idiotic message that an e-mail will be sent with instructions to: firstname.lastname@example.org
Good luck with that!
Depending on the contact email, the mails should still be sent to the original email account. If this isn’t the case you will need to contact Apple support.
Thanks for this great blog.
I have a question about the App Store.
Once you are federated and log in to the store, all apps are greyed out (by Apple design).
So I am thinking of asking the end user to log off and log in again to the App Store using a personal Apple ID and install personal apps. Am I right?
Great Article, thank you for sharing. I have 2 domains that are not working, did not realise this existed. We have been creating users manually in apple bus man. What would be the best way to resolve this?
What would you like to know? You probably created the email@example.com correct? When you federate the new users will be created with user@domain. Then you need to copy icloud data from the old account to the new account.