Sync user accounts from Microsoft Entra ID to Apple Business Manager
You can use OpenID Connect (OIDC) to sync user accounts to Apple Business Manager. Using this system, you can add Apple Business Manager properties (such as roles) with user account data imported from Microsoft Entra ID. When you use OIDC to sync user accounts, the account information is added as read-only until you disconnect from Microsoft Entra ID. At that time, the user accounts become manual accounts, and attributes in these accounts can then be edited.
Before you begin
Before you sync to Microsoft Entra ID using an OIDC connection, you must do the following:
If necessary, configure and verify the domain you want to use. See Add and verify a domain. If you’ve already verified the domain you want to federate with Google Workspace, you can skip this process.
Configure, federate and enable a domain. See Use federated authentication with Microsoft Entra ID.
When you configure connection, you should use the email address of user that has the role of Administrator or People Manager so they can receive notifications from Microsoft Entra ID.
Have on call a Microsoft Entra ID Global Administrator with permissions to edit Microsoft Entra ID settings.
Microsoft Entra ID user accounts and Apple Business Manager
When a user account is synced from Microsoft Entra ID using OIDC to Apple Business Manager, the default role is Staff. After the sync is complete, only the Roles user account attribute can be edited. This attribute is stored with the user account in Apple Business Manager and isn’t written back to Microsoft Entra ID.
Important: Don’t reuse a user name for 30 days in the Apple Business Manager Entra ID app.
Sign-in attribute
Apple Business Manager requires that the attribute used for the Managed Apple Account be unique. This is normally the user’s email address. If a user has an attribute that’s exactly the same as an existing Apple Business Manager user with the role of Administrator, no syncing is performed and the source field remains unchanged.
User Principal Name
If a user account has a User Principal Name (UPN) that is exactly the same as an existing user account that has the role of Administrator or People Manager, no syncing is performed and the source field remains unchanged.
Person ID
When a Microsoft Entra ID user account is synced to Apple Business Manager, a Person ID is created for the Apple Business Manager user account. The Person ID is used to identify conflicting user accounts.
Important considerations if you modify the Person ID:
If you modify the Person ID for a user account previously imported from Microsoft Entra ID, that user account is no longer paired with Microsoft Entra ID.
If you modify the Person ID for a user account previously imported from Microsoft Entra ID and want to reconnect the user account, see Resolve Microsoft Entra ID OIDC user account conflicts.
Microsoft Entra ID tenants
To use OIDC with Apple Business Manager, your organisation must not have the same Microsoft Entra ID tenant as any other Apple Business Manager organisation. If you want to use OIDC for your organisation, contact your Microsoft Entra ID Global Administrator to ensure that no other organisation is using your Entra ID tenant for OIDC.
Microsoft Entra ID groups
In Microsoft Entra ID, the user interface allows you to sync group accounts, but only user accounts within those groups are supported for syncing.
If you have a group account configured in Microsoft Entra ID, you can add that group to the Apple Business Manager Entra ID app instead of adding each user.
Note: Subgroups aren’t supported in the Apple Business Manager Entra ID app.
OIDC user attribute mapping
When a user account is synced from Microsoft Entra ID using OIDC to Apple Business Manager, the following user attributes are stored as read-only. The table also denotes whether the user attribute is required.
Important: Adding attributes not listed in the table may break the OIDC connection.
Microsoft Entra ID user attribute | Apple Business Manager user attribute | Required |
---|---|---|
givenName | First Name | |
surname | Last Name | |
userPrincipalName | Managed Apple Account and email address | |
objectId | (Not shown in Apple Business Manager. This attribute is used to identify conflicting accounts.) | |
Department | Department | |
Employee Id | Person Number | |
employeeOrgData.costCenter | Cost Center | |
employeeOrgData.division | Division |
Turn on Microsoft Entra Connect Sync
In Apple Business Manager , sign in with a user that has the role of Administrator or People Manager.
Select your name at the bottom of the sidebar, select Preferences , then select Managed Apple Accounts .
Turn on Microsoft Entra Connect Sync then select Sync Now.
Manually sync
You can manually sync Apple Business Manager to Microsoft Entra ID to import any changes made in Microsoft Entra ID.
In Apple Business Manager , sign in with a user that has the role of Administrator or People Manager.
Select your name at the bottom of the sidebar, select Preferences , then select Managed Apple Accounts .
Select Sync Now under Microsoft Entra ID.