Federated Authentication in Apple Business Manager with Azure AD

Posted on June 18, 2020

If your business is using Microsoft Azure Active Directory (Azure AD) as your identity provider, then you can use Federated Authentication to connect your instance of Azure AD with Apple Business Manager. This is a great way to create a seamless login experience for your employees.

In this guide, we’re going to take a closer look at what you can expect from Federated Authentication.

Updated 9/30/20: We’re also going to discuss a new feature that Apple announced, SCIM (System for Cross-domain Identity Management), which makes it easier to import users into Apple Business Manager.

Here’s a quick overview of what we’ll cover:

  • What is Federated Authentication?
  • Can I Use Other IdPs for Federated Authentication?
  • What's SCIM? How does it Differ from JIT?
  • How Do I Configure and Test it?
  • Resolving Federated Authentication Conflicts
  • Using Shared iPad with Federated Authentication

 

How does Federated Authentication work with Apple Business Manager?

Using Federated Authentication lets you link your company’s Apple Business Manager account to Azure AD. This allows your employees to use their existing Azure AD login credentials as Managed Apple IDs, letting them sign in to Apple products and services, such as iPad and Mac devices, iCloud, and even Shared iPad.

In this way, Federated Authentication simplifies the login process for employees. Rather than having to remember multiple sets of login credentials, employees just have to remember the credentials for their Azure AD account.

 

Apple Business Manager: Azure AD Federation

Essentially, Azure AD is a cloud-based directory and identity management service from Microsoft – it’s the authentication platform behind Office 365. As of macOS Catalina 10.15, companies can use Apple Business Manager Azure AD federation by connecting their instance of Azure AD to Apple Business Manager.

This lets IT automate the creation of Managed Apple IDs at scale during the enrollment process. In most cases, when you use Federated Authentication, Azure AD will play the part of the Identity Provider (IdP) – this is the platform that stores login credentials and controls authentication to a service provider.

With Federated Authentication, these credentials are passed from Azure AD to your company’s Apple Business Manager account via Security Assertion Markup Language (SAML) in order to seamlessly create Managed Apple IDs for your employees. This is known as Just in Time (JIT) account creation.

In this way, using Apple Business Manager Azure AD Federation, Managed Apple IDs are automatically created for Azure AD users when they log in to an Apple service. For employees to access their Managed Apple IDs, they are directed to the Azure sign-in page to enter their credentials, and that authorization is passed back to Apple.

Can I Use Other IdPs for Federated Authentication?

You can if your IdP works with Azure AD. While you can’t federate Apple Business Manager directly with IdPs like Okta or OneLogin, you can create and integrate Azure AD with those IdPs – and then leverage Azure AD to federate to Apple Business Manager.  

For example, you can sync Azure AD with your Google Directory, so if you’re a Google shop using G Suite, you can integrate Azure AD to G Suite. This allows you to use your G Suite credentials with Apple Business Manager Azure AD Federation.

Since Azure AD is free for up to 500,000 objects, this is a feasible plan for organizations that rely on other IdPs. However, while this works well for some IdPs like the ones mentioned above, it can be more complicated for others.

How Federated Authentication Works with Managed Apple IDs

Once federation is set up, Managed Apple IDs are automatically created for Azure AD users when they log in to an Apple service. This automated account creation is the heart of Federated Authentication. Letting employees access Apple services with their existing Azure AD credentials streamlines their login experience, and because account creation is integrated into the device setup process, admins won’t have to manually create accounts and users won’t have to log in multiple times.

It’s also important to mention Apple’s domain verification requirements. We’ll talk about this in a bit more depth later, but for now just know that whenever a Managed Apple ID is created, you have to prove that your organization owns the domain. In some cases, initiating Federation and claiming domains can lead to conflicts. We’ll talk about how you can resolve these in the section titled “Apple Business Manager Federated Authentication Conflicts.” For more information on verification, you can read our guide to the domain verification requirement.

 

What’s SCIM?

Apple’s recent implementation of SCIM lets IT provision and deprovision users from Azure AD in Apple Business Manager. Apple’s SCIM documentation explains that the feature merges Apple Business Manager properties with any account data imported from Azure AD.

While using the feature, the account information in Apple Business Manager is locked in read-only mode. However, once you disconnect from SCIM, the accounts can be edited manually. This includes Azure AD account roles, which default to “Staff” but can be edited in Apple Business Manager once disconnected from SCIM (more information on roles here).

If you’re already using federated authentication when your Azure AD accounts are sent to Apple Business Manager, your accounts will sync from the federated domain, even though you won’t see any activity. In this case, Azure AD acts as the IdP, authenticating users for Apple Business Manager. That means any other IdPs that work with Azure AD will also work with Apple Business Manager, such as ADFS (Active Directory Federation Services).

How Does SCIM Differ from JIT?

Before SCIM was introduced, new accounts would be created as you signed into a Managed Apple ID with your Azure AD credentials. Apple Business Manager would create the account just-in-time (JIT). Accounts removed from Azure AD would not be deprovisioned from Apple Business Manager even though their credentials would stop working.

Now that Apple has introduced support for SCIM, a new path has opened up for IT, allowing you to continue using JIT or switch to this functionality. The main difference is that SCIM supports both automated provisioning from Azure AD to Apple Business Manager and automated deprovisioning.

Provisioning will automatically create new accounts as new people join your organization (sourced from your IdP), while deprovisioning will deactivate those accounts as users are removed from your organization.

How to Set Up and Configure SCIM

Only users with proper permissions can enable SCIM to sync accounts to Apple Business Manager. Before you use this feature, ensure that you’re an Application Administrator, Cloud Application Administrator, Application Owner, or Global Administrator. 

Note: Once you turn on provisioning, the initial Azure AD sync will begin immediately. After that, syncs will be triggered every 20 to 40 minutes. 

Before you begin using SCIM, Apple recommends doing the following:

  1. Configure and Verify Your Domain: We’ll elaborate on domain verification in the next section, but SCIM requires that you confirm ownership of your Azure AD domain before continuing.
  2. Configure (But Don’t Enable) Federated Authentication: We’ll explain how to set up Federated Authentication in the next section. Apple recommends not turning it on until all steps are completed, but you can still proceed if you’ve already enabled it.
  3. Determine Syncing Type: Decide if you want to sync only assigned users or sync all users. If necessary, you can create groups in Azure AD to sync specific user accounts.
    • Sync Only Assigned Users: This option will only sync user accounts that appear in the Apple Business Manager Azure AD app. If you use groups, you can specify which accounts should be synced. However, keep in mind that Apple Business Manager doesn’t have a group feature, so the accounts will be independent once moved over from Azure AD.
    • Sync All Users: This option doesn’t pay attention to groups. It syncs and creates Managed Apple IDs for all accounts that appear in the Azure AD User tab.
  4. Have an Azure AD Admin Standing By: You’ll need an Azure AD administrator with proper permissions to edit enterprise applications.


Now, you’re ready to begin using SCIM. If any issues arise, you can reference Apple’s SCIM connection troubleshooting documentation. This document covers explanations for failed SCIM connections and for incorrect Azure AD users appearing in Apple Business Manager.
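
The difference between JIT and SCIM described above, and the effect of the two sync types, shown as an added example (not code from Apple, Microsoft or this post). It plans generic SCIM 2.0 (RFC 7644) requests from a constructed directory snapshot; the snapshot fields, the account ids and the rule that an out-of-scope user is deactivated are assumptions, and the payloads are not Apple's exact wire format.

```python
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample data: a directory snapshot and the accounts that already
# exist on the receiving side (created earlier by JIT sign-ins).
IDP_USERS = {
    "alice@example.com": {"enabled": True, "assigned": True, "given": "Alice", "family": "A"},
    "bob@example.com": {"enabled": True, "assigned": False, "given": "Bob", "family": "B"},
    "dana@example.com": {"enabled": False, "assigned": True, "given": "Dana", "family": "D"},
}
SP_ACCOUNTS = {
    "dana@example.com": {"id": "a-100", "active": True},   # disabled in the directory
    "erin@example.com": {"id": "a-101", "active": True},   # deleted from the directory
}

def in_scope(user, sync_all):
    """'Sync all users' ignores app assignment; 'sync only assigned users' needs it."""
    return user["enabled"] and (sync_all or user["assigned"])

def set_active(account_id, value):
    """SCIM PATCH that flips the 'active' attribute (deactivation when value is False)."""
    return ("PATCH", f"/Users/{account_id}", {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": value}]})

def plan_sync(idp_users, sp_accounts, sync_all=False):
    """Return (method, path, body) requests that align the accounts with the directory."""
    ops = []
    for name, user in sorted(idp_users.items()):
        if in_scope(user, sync_all) and name not in sp_accounts:
            ops.append(("POST", "/Users", {
                "schemas": [USER_SCHEMA], "userName": name, "active": True,
                "name": {"givenName": user["given"], "familyName": user["family"]}}))
    for name, acct in sorted(sp_accounts.items()):
        user = idp_users.get(name)
        # Assumption: a user who is deleted, disabled or out of scope is deactivated.
        if acct["active"] and (user is None or not in_scope(user, sync_all)):
            ops.append(set_active(acct["id"], False))
    return ops

def jit_orphans(idp_users, sp_accounts):
    """With JIT only, nothing is pushed: these accounts stay active after the user is gone."""
    return sorted(name for name, acct in sp_accounts.items()
                  if acct["active"] and not idp_users.get(name, {}).get("enabled", False))

if __name__ == "__main__":
    print("JIT leaves behind:", jit_orphans(IDP_USERS, SP_ACCOUNTS))
    for method, path, body in plan_sync(IDP_USERS, SP_ACCOUNTS):
        print(method, path, json.dumps(body))
```

Running the plan with `sync_all=True` additionally creates the unassigned user, which is the practical reason to decide the syncing type before provisioning is turned on.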

 

How to Set Up and Test Federated Authentication in Apple Business Manager

If you want to turn on and test Federated Authentication, there are three main steps:

  1. Add and Verify a Domain: Federated Authentication requires that you confirm ownership of your Azure AD domain. Doing so ensures that your organization has the authority to modify the domain name service records. (For more information on this, you can read our domain verification guide.)
  2. Set Up Apple Business Manager Federation: This step involves connecting Apple Business Manager to your instance of Azure AD. By configuring Federated Authentication, you ensure that Azure AD trusts Apple Business Manager and has permission to send relevant information.
  3. Test Authentication: Once you’ve verified your domain and configured Federated Authentication, you can begin testing it with an Azure AD account. If the test is successful, you can create additional accounts and continue federating your domain.

How to Configure Federated Authentication in Apple Business Manager

Once you’ve verified your domain, the first step is to configure the Apple Business Manager federation process. This will let you connect Apple Business Manager to your instance of Azure AD. Here’s what you need to do:

  1. Sign in to Apple Business Manager with an account that has the role of Administrator or People Manager.
  2. Go to Settings at the bottom of the sidebar, and then click Accounts below Organization Settings.
  3. Next to “Federated Authentication,” click Edit and then Connect.
  4. Click “Sign in to Microsoft Azure Portal.” Now, enter a Microsoft Azure AD Global Administrator, Application Administrator, or Cloud Application Administrator account, then click Next.
  5. Enter the password for the account, then click Sign In.
  6. Read the application agreement, consenting to Microsoft giving Apple access to information found in MS Azure AD. Click Accept.
  7. Click Done.

If you were unable to configure Apple Business Manager federation or add your domain, make sure that the username and password combination that you entered in steps 4 and 5 is correct. If you’re still having issues, you may be using an Azure AD user with insufficient privileges.

How to Test Federated Authentication in Apple Business Manager

If you were able to successfully configure Apple Business Manager Federated Authentication, then you’re ready to test it with an Azure AD account. Here’s what you need to do:

First, turn on Federated Authentication. To do this just follow these steps:

  1. In Apple Business Manager, sign in with an account that has the role of Administrator or People Manager.
  2. Select Settings at the bottom of the sidebar, then click Accounts below Organization Settings.
  3. Click Edit in the Domains section. Turn on Federated Authentication for the domains that have been successfully added to Apple Business Manager.

It may take a while to update all accounts. Once complete, you can test the Federated Authentication connection. Just make sure that you’ve successfully connected and verified your domain, and that the check for user name conflicts is complete.

Keep in mind that accounts with Administrator roles cannot sign in using Federated Authentication.

  1. Sign in to Apple Business Manager. If the username is found, a new screen indicates that you are signing in with an account in your domain.
  2. Click Continue, enter the password for the user, then click Sign In.
  3. Sign out of Apple Business Manager.

Apple Business Manager: Remove Federated Authentication

If you want to disconnect or turn off federation for a domain in Apple Business Manager, remove Federated Authentication in the Domains settings. Depending on whether or not you’ve turned on federation, it will either be turned off or disconnected. Here’s what you need to do:

  1. Sign in to Apple Business Manager with an account that has the role of Administrator or People Manager.
  2. Select Settings, then click Accounts below Institution Settings.
  3. Click Edit next to Domains, then choose one of the following options:
    • If Federated Authentication is enabled, turn it off and click OK.
    • If Federated Authentication is not enabled, click Disconnect.

It’s important to note that you won’t be able to remove Federated Authentication or disconnect from a federated domain in Apple Business Manager if you’re in the middle of enabling federation or resolving an Apple ID conflict.

How to Change User Information

Once Apple Business Manager Federated Authentication is configured and a successful link between Azure AD and Apple Business Manager is achieved, changes to a user’s password in Azure AD will invalidate that user’s session. The user will have to log back in with the new password to continue using Federated Authentication.

Other changes to user information can be made as well, such as changing:

 

Apple Business Manager Federated Authentication Conflicts

In this section, we’re going to talk about common Apple Business Manager Federated Authentication conflicts that can arise.

When you set up Federated Authentication, Apple Business Manager checks for conflicts between existing Apple IDs and your domain name. If it finds that another user has claimed an Apple ID that contains the domain that you want to use, you can reclaim that username from the user.

For instance, if your organization registered the domain @accuhive.com and a previous employee has used his business email address as a Personal Apple ID (i.e., john@accuhive.com), then you cannot create a Managed Apple ID for john@accuhive.com.

Instead, Apple can notify the user that they must change their Apple ID within 60 days. If the username isn’t changed within the 60-day period, it will be automatically renamed to a temporary username, and the desired ID will be released to your organization.

When it comes to Managed Apple ID conflicts, it’s not quite as simple. If another organization is using Managed Apple IDs that contain your domain, Apple will have to investigate which organization truly owns the domain. Once the investigation is complete, you will be notified and the organization with proper ownership will claim the domain. If both organizations have a valid claim to the domain, neither can federate it.

Within Apple Business Manager, Federated Authentication conflicts concerning usernames can be found by following these steps:

  1. Using an account with the role of Administrator or People Manager, sign in to Apple Business Manager.
  2. Select Activity in the sidebar, and then click Checking for Conflicts.
  3. If username conflicts are found, a dialog box will appear with the total number of conflicts.
  4. To notify these users about the conflict, click Continue > Send Notifications, and then click OK.

Note that when resolving conflicts, you will not be able to see the exact names as a privacy measure.

 

Federation with Shared iPad

As of iPadOS 13.4, Apple introduced Shared iPad for business. Previously exclusive to education customers using Apple School Manager, Shared iPad’s new integration for Apple Business Manager lets employees use their Managed Apple IDs to sign in to and recall their data on Shared iPad, achieving a true multi-user experience.

If you’re using Shared iPad and Federated Authentication, then the sign-in process will be different than with 1:1 devices. For a user to sign in to their Shared iPad account with Federated Authentication in use:

  1. The user will be prompted to enter their Microsoft Azure AD username and password.
  2. The user will then be asked to create a Shared iPad passcode or password.
  3. The next time the user signs in, they will use their Azure AD username and new Shared iPad passcode or password.

If the user forgets their passcode, an IT administrator can reset it for them in Apple Business Manager by locating the account in question and clicking the “Reset Shared iPad Passcode” button. However, it’s important to note that if Federated Authentication is configured, changing the Shared iPad passcode will not change the user’s Azure AD password. For a deeper dive into the implications, history, and deployment of this new feature, you can read our guide to Shared iPad.

 

From deployment to retirement, Kandji keeps your Apple devices safe and secure with a suite of features such as pre-built security settings, zero-touch deployment, one-click compliance, and much more. Start managing your devices like your business depends on it. Request access to Kandji today.

 
