Use federated authentication with Microsoft Entra ID in Apple Business Manager
In Apple Business Manager, you can link to Microsoft Entra ID using federated authentication to allow users to sign in to Apple devices with their Microsoft Entra ID user name (generally their email address) and password.
As a result, your users can leverage their Microsoft Entra ID credentials as Managed Apple IDs. They can then use those credentials to sign in to their assigned iPhone, iPad or Mac, and even to iCloud on the web.
Microsoft Entra ID is the identity provider (IdP) that authenticates the user for Apple Business Manager and issues authentication tokens. This authentication supports certificate authentication and two-factor authentication (2FA).
Before you begin
Before you link to Microsoft Entra ID, consider the following:
Federated authentication requires that a user’s userPrincipalName (UPN) match their email address. userPrincipalName aliases and Alternate IDs aren’t supported.
For existing users with an email address in the federated domain, their Managed Apple ID is automatically changed to match that email address.
If necessary, configure and verify the domain you want to use. See Link to new domains. If you’ve already verified the domain you want to federate with Microsoft Entra ID, you can skip this process.
User accounts with the role of Administrator or People Manager can’t sign in using federated authentication; they can only manage the federation process.
When the Microsoft Entra ID connection has expired, federation and syncing user accounts with Microsoft Entra ID stops. You must reconnect to Microsoft Entra ID to continue using federation and syncing.
Federated authentication process
This process involves three main steps:
Configure federated authentication.
Test federated authentication with a single Microsoft Entra ID user account.
Turn on federated authentication.
Step 1: Configure federated authentication
This task allows Microsoft Entra ID to trust Apple Business Manager.
Note: After you complete this step, users can’t create new personal Apple IDs on the domain you configure. This could affect other Apple services you use. See Transfer Apple services when federating.
In Apple Business Manager , sign in with a user that has the role of Administrator or People Manager.
Select your name at the bottom of the sidebar, select Preferences , select Managed Apple IDs, then select Get Started under “User sign in and directory sync.”
Select Microsoft Entra ID, then select Continue.
Select “Sign in with Microsoft,” enter a Microsoft Entra ID Global Administrator user name, then select Next.
Enter the password for the account, then select Sign In.
Carefully read the application agreement, select “Consent on behalf of your organisation,” then select Accept.
You are consenting to Microsoft giving Apple access to information found in Microsoft Entra ID.
If necessary, review the verified and conflicted domains.
Select Done.
In some cases you may not be able to sign in to your domain. Here are some common reasons:
The user name or password from the account in step 4 is incorrect.
Step 2: Test authentication with a single Microsoft Entra ID user account
You can test the federated authentication connection after you’ve performed the following tasks:
The check for username conflicts is complete.
The Managed Apple ID default format is updated.
After you successfully link Apple Business Manager to Microsoft Entra ID, you can change the role of a user account to another role. For example, you may want to change the role of a user account to a Staff role.
Note: User accounts with the role of Administrator or People Manager can’t sign in using federated authentication; they can only manage the federation process.
Select Federate next to the domain you want to federate.
Select “Sign in to Microsoft Entra ID Portal,” enter a Microsoft Entra ID user name of an account that exists in the domain, then select Next.
Enter the password for the account, select Sign In, select Done, then select Done.
In some cases you may not be able to sign in to your domain. Here are some common reasons:
The username or password from the domain that you chose to federate is incorrect.
The account isn’t in the domain that you chose to federate.
Step 3: Turn on federated authentication
In Apple Business Manager , sign in with a user that has the role of Administrator or People Manager.
Select your name at the bottom of the sidebar, select Preferences , then select Managed Apple IDs .
In the Domains section, select Manage next to the domain you want to federate, then select “Turn on Sign in with Microsoft Entra ID.”
Turn on “Sign in with Microsoft Entra ID.”
If necessary, you can now sync user accounts to Apple Business Manager. See Sync user accounts from Microsoft Entra ID.