Intro to federated authentication with Apple Business Manager
You use federated authentication to link Apple Business Manager to your instance of Microsoft Azure Active Directory (AD). As a result, your users can leverage their Microsoft Azure AD usernames and passwords as Managed Apple IDs. They can then use their Microsoft Azure AD credentials to sign in to their assigned iPad or Mac and even iCloud on the web.
Only domains that have not been claimed by another organisation can be added.
Important: Federated authentication requires that a user’s UserPrincipalName match their email address. UserPrincipalName aliases are not supported.
To use federated authentication with Apple Business Manager, your Apple devices must meet the following requirements:
iOS 11.3 or later
iPadOS 13.1 or later
macOS 10.13.4 or later
Microsoft Azure AD is the Identity Provider (IdP), which contains the user names and passwords for the accounts you want to use with Apple Business Manager. Federated authentication uses Security Assertion Markup Language (SAML) to connect Apple Business Manager to Microsoft Azure AD.
When you link to Microsoft Azure AD, Managed Apple IDs are created for users when they simply sign in with the same username and password they use with Microsoft Azure AD services. If a user is removed from Microsoft Azure AD, that user can be removed from Apple Business Manager.
Note: Users cannot sign in to icloud.com unless they first sign in on their Apple device associated with Apple Business Manager.