Federated authentication for Managed Apple IDs

This week is all about federated authentication for Managed Apple IDs. When using Microsoft Intune for managing Apple devices, Managed Apple IDs add more and more value to the solution. That value increases further when those Managed Apple IDs are federated with Azure AD, which gives the user a single account to remember and to use. Together that brings a very nice experience to Apple devices that use federated Managed Apple IDs and are managed with Microsoft Intune. In this post I’ll discuss and describe the following information regarding Managed Apple IDs:

What are Managed Apple IDs and why use them?

Managed Apple IDs are the business versions of personal Apple IDs and are the solution for preventing the use of personal Apple IDs for work. Managed Apple IDs are unique to an organization and are owned and managed by that organization. That also means that the organization is responsible for everything around managing that account and its password. Apple Business Manager (ABM) is used for managing everything around Managed Apple IDs.

Within Microsoft Intune, Managed Apple IDs are required for shared iPad devices and for user enrollment. In the first scenario a Managed Apple ID is used to actually sign in to the device, and in the second scenario a Managed Apple ID is used to differentiate between personal and work data and apps. The latter experience is similar to what might be known from a Work Profile on an Android device. The integration is just a bit prettier for the user, but more about that is for another post.

Besides the Microsoft Intune specific scenarios, in which Managed Apple IDs are required, Managed Apple IDs can also be used to sign in to devices and to access Apple services. That experience is similar to the use of personal Apple IDs. However, there is a big difference: the available services and features are limited to what is useful for businesses. That means that signing in to iCloud (including 5GB of storage) and collaborating in iWork and Notes is available, but other features like Apple Pay, Find My and Apple HomeKit are not available. For a complete list of available features refer to the Apple docs.

Federated authentication for Managed Apple IDs

Managed Apple IDs can be created and associated with basically any email address. That includes the personal Apple ID of users. However, it is a lot easier to create Managed Apple IDs based on the work email address, or, even better, to create them automatically. To achieve that, organizations can federate Managed Apple IDs with Azure AD and automatically provision those Managed Apple IDs from Azure AD.

The first step in that process is to create the federation with Azure AD. That will enable users to also use their Azure AD work account for business purposes on their Apple devices: a single account for all business purposes in the Microsoft world and the Apple world. A very pleasant experience. To create that experience, an organization should link their Apple Business Manager to their Azure AD tenant. That link will make Azure AD the identity provider that authenticates the users for Apple Business Manager.

Important: Apple Business Manager can only be linked to a single Azure AD tenant.

The following 11 steps walk through the different stages of configuring Azure AD as the identity provider for the Managed Apple IDs. During the configuration an Enterprise application – with the name Apple Business Manager – will be created in Azure AD. Keep that in mind for any Conditional Access policies: a policy that targets all cloud apps will also apply to sign-ins to this app.

  1. Open Apple Business Manager and navigate to Settings > Accounts

Note: The account that is used should have the role of Administrator or People Manager.

  2. In the Domains section, click Edit > Add Domain, add the required domain and click Continue (and the result is shown below in Figure 1)
  3. Back in the Domains section, click Verify next to the added domain, copy the information for the TXT record and create a TXT record in the public DNS (and the result is shown below in Figure 2)
  4. Back in the Domains section, after the TXT record has been added, click Check Now next to the added domain (and the result is shown below in Figure 3)
  5. In the Federated Authentication section, click Edit > Connect
  6. On the Connect to your Identity Provider dialog box, click Sign in to Microsoft Azure Active Directory Portal… and sign in with an account of the Azure AD tenant

Note: The account that is used should have the role of Global administrator, Application administrator, or Cloud application administrator.

  7. On the Permissions requested dialog box, verify the information about the Apple Business Manager app and the requested permissions and click Accept
  8. Back on the Connect to your Identity Provider dialog box, click Done (and the result is shown below in Figure 4)

Note: Once the federation is configured, the configuration cannot be undone via Apple Business Manager and requires contact with Apple.

  9. Back in the Domains section, click Verify next to the added domain
  10. On the Federated Domain dialog box, click Sign in to Microsoft Azure Active Directory Portal… and sign in with an account of the Azure AD tenant

Note: The account that is used should have the role of Global administrator, Application administrator, or Cloud application administrator and should have a UPN of the verified domain.

  11. Back on the Federated Domain dialog box, click Done (and the result is shown below in Figure 5)

Important: When automatic provisioning of the Managed Apple IDs should also be configured, do not enable the federation yet.

Note: Once the federation is tested, Apple will verify that no existing Apple IDs are using the verified domain name.

Automatically provisioned users from Azure AD

After creating the federation with Azure AD, the second step is to automatically provision the user in Apple Business Manager. That enables an organization to have a single place to maintain the identity of the users. Users created in Azure AD (or AD) are automatically created in Apple Business Manager, after the next synchronization. The same is applicable for disabling and removing accounts in Azure AD. After the next synchronization, the Managed Apple IDs will be updated in Apple Business Manager.

Note: When an account is disabled or removed in Azure AD, it will be deactivated in Apple Business Manager and it will be removed after 30 days.

There are also alternatives to automatically provisioning users from Azure AD. One alternative is manually creating Managed Apple IDs and another alternative is letting Apple Business Manager automatically create Managed Apple IDs once they’re used for the first time. However, in both cases administrative effort is required for managing those Managed Apple IDs in Apple Business Manager. If possible, use automatic provisioning of users from Azure AD.

To facilitate the automatic provisioning of users from Azure AD in Apple Business Manager, Azure AD and Apple Business Manager can rely on System for Cross-Domain Identity Management (SCIM). SCIM is an open standard for automating the exchange of user identity information between identity domains and IT systems. That standard is focused on exchanging user and group information. However, Apple Business Manager doesn’t know the concept of groups and is only focused on user information. The following 10 steps walk through the different stages of configuring a SCIM synchronization between Azure AD and Apple Business Manager.

  1. Open Apple Business Manager and navigate to Settings > Data Source
  2. In the SCIM section, click Connect, copy the Token and click Close
  3. Open the Azure portal and navigate to Azure Active Directory > Enterprise applications > Apple Business Manager

Note: The Apple Business Manager app is created during the configuration of the federation.

  4. Select the Provisioning tab, click Get started and set Provisioning Mode to Automatic
  5. In the Admin Credentials section, specify the following information (as shown below in Figure 6) and click Test Connection
  • Tenant URL: Specify https://federation.apple.com/feeds/business/scim as value
  • Secret Token: Specify the earlier copied Token as value
  6. In the Mappings section, specify any additional (or adjust any default) Azure AD attributes that should be mapped with Apple Business Manager attributes (as shown below in Figure 7)

Important: Only use the Apple Business Manager attributes as documented here, or the SCIM synchronization will break.

Note: By default the following Azure AD attributes are mapped to Apple Business Manager attributes, with the target object actions of Create, Update and Delete: userPrincipalName, Not([IsSoftDeleted]), givenName, surname, objectId, department and employeeId.

  7. In the Settings section, specify the following information (as shown below in Figure 8) and click Save
  • Notification Email: Specify the email address of an administrator that should be notified of synchronization failures (when Send an email notification when a failure occurs is also checked)
  • Scope: Select Sync only assigned users and groups as value

Note: This configured scope will make sure that the provisioning can be scoped to specific users accounts.

  8. Select the Users and groups tab and click Add user/group to specify the users that should be part of the automatic provisioning into Apple Business Manager

Note: This assignment doesn’t allow an administrator to configure a default assigned role yet. Every synchronized user account will be created in Apple Business Manager with the role Staff.

  9. Back in Apple Business Manager, navigate to Settings > Accounts
  10. In the Domains section, click Edit and move the slider to enable federation with the added domain (and the result is shown below in Figure 9)

Note: After enabling the federation, the user accounts will start coming to Apple Business Manager.

Provisioned user with federated authentication in Apple Business Manager

There are several places to check whether the SCIM synchronization and the federation of Managed Apple IDs are configured successfully. The Provisioning tab of the Apple Business Manager app in Azure AD provides a status overview and the provisioning interval (by default every 40 minutes), and the Provisioning logs tab of the same app provides an overview of the actions that are performed during the synchronization. However, a successfully synchronized user is the best example. Below, in Figure 10, is an example of a synchronized user account with a snippet and short description of the most important information of that user account.

  1. Name: Based on the givenName attribute in Azure AD
  2. Managed Apple ID: Based on the userPrincipalName attribute in Azure AD
  3. Email address: Also based on the userPrincipalName attribute in Azure AD

Note: As both, the Managed Apple ID and the email address, are based on the UPN in Azure AD, it’s important that the email address and the UPN are the same.

  4. Account status: Based on the status and the usage of the user account and will change when the user account is used to log in, or when the user account is disabled or removed in Azure AD
  5. Authentication: Based on the identity provider of the user account and is set to Federated for synchronized and federated user accounts
  6. Role/location: Set to a default value and can be edited in Apple Business Manager
  7. Source: Based on how the user account was created
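The lifecycle described above (only assigned users are in scope, the default attribute mapping, disabled or removed users are deactivated and purged after 30 days) and the note that the Managed Apple ID and its email address are both derived from the UPN lend themselves to a dry run. The following is an added example, not code from this post, Microsoft or Apple: it simulates one provisioning cycle over constructed Azure AD users and returns the SCIM requests that cycle would send, plus pre-flight warnings for users whose UPN differs from their mail address or whose UPN domain is not federated in Apple Business Manager. It never contacts Azure AD or Apple; all users, object IDs, ABM IDs and dates are constructed. The SCIM target attribute names are the RFC 7643 core and enterprise extension names (an assumption), so check Apple’s documented attribute list before changing any mapping in the portal.

```python
"""Dry run of the Azure AD -> Apple Business Manager provisioning cycle.

Added example: constructed data only, no calls to Azure AD or Apple. It mirrors
the behaviour described in the post (assignment scope, default mapping,
deactivate on disable/remove, purge after 30 days) and adds the UPN pre-flight
check. SCIM attribute names are assumed from RFC 7643, not Apple's list.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PURGE_AFTER = timedelta(days=30)  # ABM removes deactivated accounts after 30 days


@dataclass
class AadUser:
    objectId: str
    userPrincipalName: str
    mail: str
    givenName: str
    surname: str
    department: str = ""
    employeeId: str = ""
    accountEnabled: bool = True
    softDeleted: bool = False  # user sits in the Azure AD recycle bin


def is_soft_deleted(user, assigned):
    """Azure AD sets IsSoftDeleted for users that are soft-deleted, disabled or
    dropped from the assignment scope; Not([IsSoftDeleted]) becomes 'active'."""
    return user.softDeleted or not user.accountEnabled or user.objectId not in assigned


def to_scim(user, assigned):
    """Default mapping from the post: UPN -> userName, objectId -> externalId,
    givenName/surname -> name, department/employeeId -> enterprise extension."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE],
        "externalId": user.objectId,
        "userName": user.userPrincipalName,
        "active": not is_soft_deleted(user, assigned),
        "name": {"givenName": user.givenName, "familyName": user.surname},
        ENTERPRISE: {"department": user.department, "employeeNumber": user.employeeId},
    }


def preflight(user, federated_domains):
    """Managed Apple ID and email both derive from the UPN, so the UPN must
    equal mail and its domain must be a domain federated in ABM."""
    problems = []
    upn_domain = user.userPrincipalName.rsplit("@", 1)[-1].lower()
    if user.userPrincipalName.lower() != user.mail.lower():
        problems.append("UPN and mail differ")
    if upn_domain not in federated_domains:
        problems.append(f"UPN domain {upn_domain} is not federated in ABM")
    return problems


def plan(users, assigned, federated_domains, abm_state):
    """Return (SCIM requests the cycle would send, pre-flight warnings by UPN).
    abm_state maps externalId -> {"id": ABM id, "active": bool, "deactivated_at": dt}."""
    requests, warnings = [], {}
    for u in users:
        if u.objectId not in assigned and u.objectId not in abm_state:
            continue  # never assigned and never provisioned: skipped entirely
        problems = preflight(u, federated_domains)
        if problems:
            warnings[u.userPrincipalName] = problems
        body = to_scim(u, assigned)
        existing = abm_state.get(u.objectId)
        if existing is None:
            if body["active"]:  # assumption: inactive users are never created
                requests.append(("POST", "/Users", body))
        elif existing["active"] and not body["active"]:
            requests.append(("PATCH", f"/Users/{existing['id']}", {
                "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                "Operations": [{"op": "replace", "path": "active", "value": False}],
            }))
    return requests, warnings


def purge_dates(abm_state):
    """When ABM will remove each deactivated account (30 days after deactivation)."""
    return {ext: s["deactivated_at"] + PURGE_AFTER
            for ext, s in abm_state.items() if not s["active"] and s["deactivated_at"]}


def demo():
    """Run one cycle over constructed data; returns (requests, warnings, purges)."""
    now = datetime(2021, 3, 1, tzinfo=timezone.utc)
    users = [  # all constructed
        AadUser("0001", "anna@contoso.com", "anna@contoso.com", "Anna", "Berg", "IT", "E100"),
        AadUser("0002", "ben@contoso.com", "ben.smith@contoso.com", "Ben", "Smith",
                accountEnabled=False),
        AadUser("0003", "cara@contoso.onmicrosoft.com", "cara@contoso.com", "Cara", "Diaz"),
        AadUser("0004", "dan@contoso.com", "dan@contoso.com", "Dan", "Eriksen", softDeleted=True),
        AadUser("0005", "eve@contoso.com", "eve@contoso.com", "Eve", "Frank"),  # not assigned
    ]
    assigned = {"0001", "0002", "0003", "0004"}
    abm_state = {
        "0002": {"id": "abm-2", "active": True, "deactivated_at": None},
        "0004": {"id": "abm-4", "active": False, "deactivated_at": now - timedelta(days=29)},
    }
    requests, warnings = plan(users, assigned, {"contoso.com"}, abm_state)
    return requests, warnings, purge_dates(abm_state)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running `demo()` yields two POST /Users requests (Anna and Cara), one PATCH that sets Ben inactive because his account is disabled, nothing for Dan (already deactivated; his purge date is one day away) and nothing for Eve, who was never assigned. The warnings for Ben (UPN differs from mail) and Cara (UPN on the .onmicrosoft.com domain) are exactly the accounts that would end up with a Managed Apple ID that does not match the user’s email address, which is the case the note above warns about.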

More information

For more information about the federated authentication and Managed Apple IDs, refer to the following docs.

28 thoughts on “Federated authentication for Managed Apple IDs”

  1. Hi Peter,
    awesome article as always!
    I’ve been thinking to take ownership of our domain in ABM for some time now but the team that is responsible for deploying phones in our organization has created Apple IDs for our users for years now.
    Some users have been using these “corporate” Apple IDs personally and bought applications over the years and my understanding is that all of their purchases will not be theirs anymore once we take the domain’s ownership.
    That being said, the technical aspect of this feature is not really complicated to configure as compared to some possible impacts of taking the domain’s ownership.

  2. I have had an open ticket with Apple for 4 weeks now. We have a problem with third-party Microsoft federated domains. We use a third-party single sign-on for M365 and it does not work with iOS. It was working prior to iOS 14. Do you have any insight?

  3. Great article Peter. What happens when a user already has created an Apple ID on his business mail address? When adding the domain Apple does a check but what happens or can we do/choose (in the Docs I read the account is “transferred” as Managed Apple ID but what impact does this have)? Thanks!

  4. Hi Jonathan,

    I recently did a migration within a company with over 1000 Apple IDs that used their company mail for their Apple ID account. Here’s what happens: if you claim the ownership of the domain the users have 60 days to change their Apple ID mail address at appleid.apple.com. After these 60 days their Apple ID will change automatically from first.lastname@company.com to first.lastname@company.appleid.com; the password stays the same. This won’t happen if the user changed their Apple ID. Also if you start claiming the domain the users receive push notifications and mails from Apple that they need to change their Apple ID.

    This means that the accounts will not be removed. They only will be renamed. All the purchases will be kept in the account.

  5. Great article. In my experience even though SCIM is set up it’s not always clear when the users will be synchronized (even though membership in AAD is established for a user and the SCIM connection is green and tested, both in AAD and in ABM). Even when there is no conflict. I’m not sure if Apple has any other timer except the SCIM-sync one which clocks at every 40 min as per default?

    Another experience I’ve encountered is that even if a user’s primary email on its Apple ID is a private one, if there is another mail connection added (later sometime) to the domain which you want to obtain ownership against, Apple will count that as a conflict until that connection is gone or if 60 days pass and as Joey stated, the domain name will change to @company.appleid.com

    • Hi Twilight Imperium,
      The default synchronization interval is once every 40 minutes and it seems to be doing okay in my environment. Do keep in mind however, that the provisioning connector in Azure AD is still preview functionality (according to the UI).
      Regards, Peter

  6. Hey,

    We are using federated managed apple IDs but the iPhones are popping up asking for the apple account to be re-verified. This is happening at least once every 24 hours? Has anyone else had a similar issue?

  7. Great article. We have set up federation with Azure and it is working as expected. All our devices are managed, pushed to Intune, and ready to enroll by users. With testing policies, we are now prompting the user for Apple IDs. When I put in my corporate email address, Apple knows it is federated and the M365 login is triggered. All working well. Now, how, if possible, can we prevent the phone (as it is managed) from accepting other Apple IDs (personal ones)? I have tried different scenarios with no success. Can this be accomplished with Enrollment types?

    thanks

        • Not sure if that’s completely possible, but I haven’t checked the Apple Configurator. You can at least make it nearly impossible with a combination of not showing the screens during ADE and removing access via a configuration policy.
          Regards, Peter

        • What do you mean by managed devices? Are those devices managed via Apple DEP/Apple Business Manager? You can use Managed Apple IDs for the User Enrollment method with managed-for-business apps only. But this option is not available when you use an iPhone managed via Apple DEP/Apple Business Manager, only for BYOD iPhones.

          To prevent installing apps from the App Store you can disable the App Store (only with DEP). You can use Apple VPP to serve apps via the Company Portal. You can also disable the possibility to back up managed apps to iCloud. This prevents users from uploading company data to iCloud.

          You can’t get your result with Enrollment Options, but you can try the options I mentioned above.

          • Hey Joey, thanks for the tips. Yes our devices are managed via DEP/ABM. We do have the App Store disabled by policies, as well as VPP. Our phones are pretty well locked down to the point of not permitting the use of Apple IDs. After doing federation, we have tested enabling the use of Apple IDs and successfully logged in with a federated account. My problem is not configuration, as we also push all apps via CP. But, enabling the use of Apple IDs, there is nothing preventing me from using my personal Apple ID; even though I won’t be able to download apps, or use any other features like iCloud backups, the user can still register their phone with their personal Apple ID. We have even disabled the activation lock, but we just want to prevent users from using personal IDs. We can tell end users, here is your corporate Apple ID, use it, it is using SSO, but they will put their own.

            Having Managed Apple IDs for managed devices is a plus, as it enables imessage and other nice features like pushing an active sync profile for contact synchronization (knowing that the sync between outlook and native app is one way only). But not having an option not to be able to use personal apple IDs, opens a door for end-users to use their own.

            hope you understand,

  8. Great article! Very helpful!
    Since ABM (and every domain verified in it) can only be federated with a single Azure AD, it appears that the only way to test in a UAT/TEST (non-prod) Azure AD environment would be to create a second ABM instance and federate the second ABM with the non-prod Azure AD. Am I understanding this correctly? Any options to avoid a second ABM environment?

  9. Hi Peter,

    Great article here.

    I’m just going through the motions of enabling SCIM. We have a profile within Intune that has previously been applied via Apple Configurator 2. Now that we are no longer using Apple Configurator, I’d like to apply that same profile or create a new version of it and apply it through Apple Business Manager.

    Are you able to share how I go about doing that?

    Thanks,

    Ad

    • Hi Adam,
      That depends a bit on the type of settings. Many settings are already available via the different policies and profiles within Intune. An alternative could always be to create a custom configuration profile and provide the .mobileconfig file.
      Regards, Peter
