In this post I will be showing how to configure federated authentication with Apple Business Manager. In September 2019 Apple added support for federated authentication with Microsoft Azure Active Directory using just-in-time (JIT) account creation. With federated authentication, Managed Apple IDs are created using Azure Active Directory as the identity provider: when you sign in with an account in the federated domain, you are redirected to Azure AD for authentication. The August 2020 update of Apple Business Manager added SCIM support, so user provisioning can be driven from Azure AD. With SCIM you can pre-provision and deprovision accounts in Apple Business Manager. Even though an account is pre-provisioned in Apple Business Manager, the user still needs to sign in on an Apple device once to finish setting it up.
There are currently two ways to configure federated authentication with Apple Business Manager:
- Just In Time (JIT)
- System for Cross-domain Identity Management (SCIM)
If you federate Apple Business Manager with Azure AD, JIT is used by default. With JIT, a Managed Apple ID is created when a user signs in to an Apple device with Azure AD credentials, so only users who have signed in on a device have a Managed Apple ID in Apple Business Manager. The accounts are created with the role “Staff”. The disadvantage of JIT is that accounts are only created, never removed: if a user is deleted from Azure AD, a stale Managed Apple ID remains in Apple Business Manager and has to be cleaned up manually.
SCIM, introduced in August 2020, is the alternative to JIT. With SCIM, accounts are synced from Azure AD to Apple Business Manager. To set up SCIM you add provisioning to the Apple Business Manager enterprise app, which is created when you connect Apple Business Manager to Azure AD. You can sync either only the users assigned to the Apple Business Manager enterprise app or all Azure AD users. The sync runs every 40 minutes; it adds new users and deactivates users that have been deleted in Azure AD. Deactivated accounts are removed from Apple Business Manager within 30 days.
To use federated authentication with Apple Business Manager, your Apple devices must meet the following requirements:
- iOS 11.3 or later
- iPadOS 13.1 or later
- macOS 10.13.4 or later
The configuration consists of six steps, including an optional step to configure SCIM.
- Verify your domain
- Connect to the Azure AD
- Test Federation for conflicts
- Configure SCIM (Optional)
- Enable Federation
- Test a federated account
Verify your domain
Before you can federate with Azure AD, you need to add your domain and verify it in Apple Business Manager. You can federate one or more domains as long as they are all configured in the same Azure tenant; you cannot federate multiple Azure tenants with one Apple Business Manager.
1. Sign in to Apple Business Manager and select “Settings”
2. Select “Accounts” -> “Domains” and press “Edit”
3. Select the domain you want to federate and press “Verify”
4. Add the displayed TXT record at your DNS registrar, allow some time for it to propagate, then press “Check Now”
5. The domain is now verified and can be federated. Press “Done” to continue.
Connect to the Azure AD
In this step you register Apple Business Manager in Azure AD. With this registration, Apple Business Manager is able to sign in users and read their profiles.
6. Press “Edit” to start federation.
7. Press “Connect…” to connect with the Azure Active Directory.
8. In the popup “Connect to your Identity Provider” press the button “Sign in to Microsoft Azure Active Directory Portal…”
9. Sign in with an account that has the rights to grant consent, for example a Global Administrator (https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal)
10. Press “Accept” to register Apple Business Manager as an enterprise application in Azure AD. This allows Apple Business Manager to sign in users and read user profiles in Azure AD.
11. Apple Business Manager is now connected to Azure Active Directory.
Test Federation for conflicts
Now that Azure AD has successfully been connected with Apple Business Manager, the next step is to test the federation. This does not enable the federation yet.
12. Press “Federate” to sign in
13. Sign in to the portal with an Azure AD Global Administrator, Application Administrator, or Cloud Application Administrator account
14. Apple Business Manager now checks for user name conflicts (e.g. personal Apple IDs that use the federated domain). This takes some time; press “Done” to continue.
15. If conflicts are detected you are notified in the domains overview. You will not be able to see which account is causing the conflict.
Configure SCIM (Optional)
If you don’t want to use SCIM, skip this step and continue with enabling federation. In this step you add provisioning to the Apple Business Manager enterprise app, which allows automated provisioning and deprovisioning of users and synchronisation of attributes between the identities.
16. Select “Data Source” in the Settings menu and press “Connect”
17. Copy the Token and Tenant URL. (The token is valid for one year; add a reminder to your calendar to renew it before it expires.)
18. Sign in to the Azure portal, select “Azure Active Directory” -> “Enterprise applications” and open the registration for “Apple Business Manager” (this registration was created when connecting Apple Business Manager to Azure Active Directory)
19. Select “Provisioning” in the navigation pane and press “Get started”.
20. Set the “Provisioning Mode” to “Automatic”. Paste the Tenant URL and Secret Token (from step 17) and press “Test Connection”. Press “Save” before you continue.
21. Add additional mappings if required. By default, mappings for First Name, Last Name, UPN, Object ID, Department and Employee ID are created. Only map attributes listed by Apple; other attributes may break the SCIM connection. Also, do not add attribute mappings while a provisioning cycle is running.
| Azure AD user attribute | Apple Business Manager user attribute | Required |
| --- | --- | --- |
| First Name | First Name | Yes |
| Last Name | Last Name | Yes |
| User Principal Name | Managed Apple ID and email address | Yes |
| Object ID | (Not shown in Apple Business Manager. This attribute is used to identify conflicting accounts.) | Yes |
| Employee ID | Person Number | No |
| Custom Attribute (must be created in the Apple Business Manager Azure AD app) | Cost Center | No |
| Custom Attribute (must be created in the Apple Business Manager Azure AD app) | Division | No |
22. In the Settings pane choose whether you want to receive an email notification when a failure occurs and select the scope of users you want to sync:
| Scope | Effect |
| --- | --- |
| Sync only assigned users and groups | Only users assigned to the Apple Business Manager enterprise app are synced |
| Sync all users and groups | All users in Azure AD are synced |
23. Turn on provisioning and press “Save”
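To make the SCIM part concrete, here is an added Python example (not code from the original post, Apple or Microsoft) that simulates one provisioning cycle: it builds the SCIM 2.0 user resource Azure AD would POST for a new in-scope user using the mapping table above, emits the PATCH that deactivates a soft-deleted user, honours the two scope options from step 22, and lists active Apple Business Manager accounts that no in-scope Azure AD user matches, which is exactly the stale-account problem described for JIT earlier in the post. The SCIM attribute names follow RFC 7643 and Azure AD's default SCIM mappings; that Apple consumes the enterprise extension for Person Number, Cost Center and Division, the `/Users/{id}` paths and the PATCH body shape are assumptions, and all directory data below is constructed.

```python
"""Simulate one Azure AD -> Apple Business Manager SCIM provisioning cycle.

Added example, not code from the original post, Apple or Microsoft.
Assumptions: attribute names follow RFC 7643 and Azure AD's default mappings
for a SCIM app (userPrincipalName -> userName, objectId -> externalId,
givenName/surname -> name, employeeId -> enterprise employeeNumber,
soft-deleted -> active=false). The cost center/division mapping, the request
paths and the PATCH body shape are assumptions. All data is constructed.
"""
from __future__ import annotations

import json

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed Azure AD directory: alice and bob are assigned to the app,
# carol is not, and bob has been (soft-)deleted in Azure AD.
AAD_USERS = [
    {"objectId": "11111111-aaaa-4aaa-8aaa-111111111111", "userPrincipalName": "alice@example.com",
     "givenName": "Alice", "surname": "Example", "employeeId": "E100", "costCenter": "CC-42"},
    {"objectId": "22222222-bbbb-4bbb-8bbb-222222222222", "userPrincipalName": "bob@example.com",
     "givenName": "Bob", "surname": "Example", "isSoftDeleted": True},
    {"objectId": "33333333-cccc-4ccc-8ccc-333333333333", "userPrincipalName": "carol@example.com",
     "givenName": "Carol", "surname": "Example"},
]
ASSIGNED = {AAD_USERS[0]["objectId"], AAD_USERS[1]["objectId"]}  # app assignments

# Constructed Apple Business Manager state keyed by Managed Apple ID (lower-case).
# bob was provisioned by SCIM earlier; dave is a JIT-era account with no externalId.
ABM_ACCOUNTS = {
    "bob@example.com": {"id": "abm-2", "externalId": AAD_USERS[1]["objectId"], "active": True},
    "dave@example.com": {"id": "abm-9", "externalId": None, "active": True},
}


def to_scim_user(aad_user: dict) -> dict:
    """Build the SCIM User resource Azure AD POSTs for a new in-scope user.

    The four attributes Apple requires are always present; Person Number,
    Cost Center and Division ride in the enterprise extension only when set.
    """
    upn = aad_user["userPrincipalName"]
    body = {
        "schemas": [CORE],
        "externalId": aad_user["objectId"],  # Object ID: how conflicts are detected
        "userName": upn,                     # becomes the Managed Apple ID
        "name": {"givenName": aad_user["givenName"], "familyName": aad_user["surname"]},
        "emails": [{"primary": True, "type": "work", "value": upn}],
        "active": not aad_user.get("isSoftDeleted", False),
    }
    extension = {dst: aad_user[src] for src, dst in
                 (("employeeId", "employeeNumber"), ("costCenter", "costCenter"), ("division", "division"))
                 if aad_user.get(src)}
    if extension:
        body["schemas"].append(ENTERPRISE)
        body[ENTERPRISE] = extension
    return body


def deactivate_patch() -> dict:
    """PATCH body that marks an account inactive; ABM removes it within 30 days."""
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "Replace", "path": "active", "value": False}]}


def plan_cycle(aad_users: list, assigned: set, abm_accounts: dict, scope: str = "assigned"):
    """Return (requests, stale, conflicts) for one 40-minute provisioning cycle.

    scope="assigned" mirrors "Sync only assigned users and groups";
    scope="all" mirrors "Sync all users and groups".
    requests: (method, path, body) tuples Azure AD would send to Apple's SCIM endpoint.
    stale: active ABM accounts with no in-scope Azure AD user, i.e. the leftovers
           (JIT-created or hard-deleted users) that SCIM will not clean up for you.
    conflicts: Managed Apple IDs already bound to a different Azure AD object.
    """
    requests, conflicts, seen = [], [], set()
    for user in aad_users:
        if scope != "all" and user["objectId"] not in assigned:
            continue  # out of scope: Azure AD never sends anything for this user
        upn = user["userPrincipalName"].lower()
        seen.add(upn)
        existing = abm_accounts.get(upn)
        if user.get("isSoftDeleted"):
            if existing and existing["active"]:
                requests.append(("PATCH", f"/Users/{existing['id']}", deactivate_patch()))
        elif existing is None:
            requests.append(("POST", "/Users", to_scim_user(user)))
        elif existing["externalId"] not in (None, user["objectId"]):
            conflicts.append(upn)
    stale = sorted(upn for upn, acct in abm_accounts.items() if acct["active"] and upn not in seen)
    return requests, stale, conflicts


if __name__ == "__main__":
    reqs, stale, conflicts = plan_cycle(AAD_USERS, ASSIGNED, ABM_ACCOUNTS)
    for method, path, body in reqs:
        print(method, path, json.dumps(body, indent=2))
    print("stale accounts needing manual clean-up:", stale)
    print("conflicts:", conflicts)
```

Run it as-is and you get a POST for alice, a PATCH deactivating bob, nothing for carol (not assigned), and dave reported as stale; switch `scope="all"` and carol is provisioned too. The stale list is the part to watch in practice: SCIM only deactivates users it still sees in Azure AD, so Managed Apple IDs created by JIT before you turned on provisioning still need a manual clean-up.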
Enable Federation
The next step is to enable federation. The steps you need to perform depend on whether there are any user name conflicts. If there are no conflicts you can simply flip the switch “Federation Not Enabled”. If you do have conflicts you need to perform the following steps to reclaim the accounts. One thing I noticed: when there are conflicts and you enable federation, it is then not possible to disconnect the domain for 60 days.
24. Enable Federation by flipping the switch.
25. A popup appears offering to send a notification to all users who have used the federated domain for a personal Apple ID. Press “Send Notifications” to continue.
26. Confirm that a notification email will be sent to the conflicting accounts by pressing “OK”.
27. The notifications are sent; this takes a few seconds. (Also notice that “Disconnect” is greyed out and can no longer be used to disconnect the domain.)
28. Because of the user name conflict, federation was not enabled. You can wait until the conflicts have been resolved or enable federation immediately by flipping the switch “Federation Not Enabled” again.
29. Federation is now enabled.
Test a Federated account
The final step is to test whether federation works. Let’s see what happens when a user signs in to an iPhone with a federated Managed Apple ID.
30. Enter a federated Azure AD account and press “Next”.
31. A message appears that you will be redirected to the sign-in page of the identity provider (Azure AD) for authentication; press “Continue”.
32. Enter your credentials and press “Sign in” to continue.
33. You are now signed in with your federated Managed Apple ID.
34. Your iPhone now shows you signed in with a Managed Apple ID account.
I hope you liked this blog post about federated authentication with Apple Business Manager. Just leave a reply if you have questions or remarks about this post.