Introduction to federated authentication with Apple Business Manager
You use federated authentication to link Apple Business Manager to your instance of Microsoft Azure Active Directory (Azure AD). As a result, your users can leverage their Azure AD usernames (User Principal Name) and passwords as Managed Apple IDs. They can then use their Azure AD credentials to sign in to their assigned iPad or Mac and even to iCloud on the web. Users can also use it to sign in on Shared iPad.
Multiple domains can be federated, but they must be from the same single tenant. If you are attempting to federate a domain you have already verified but another organisation has already federated the identical domain, you must contact that organisation to determine who has the authority to federate the domain. See About domain conflicts.
Important: Federated authentication requires that a user’s User Principal Name (UPN) match their email address. User Principal Name aliases and Alternate IDs are not supported.
To use federated authentication with Apple Business Manager, your Apple devices must meet the following requirements:
iOS 11.3 or later
iPadOS 13.1 or later
macOS 10.13.4 or later
Azure AD is the Identity Provider (IdP) that authenticates the user for Apple Business Manager and issues authentication tokens. Because Apple Business Manager supports Azure AD, other IdPs that connect to Azure AD — such as Active Directory Federation Services (AD FS) — will also work with Apple Business Manager. Federated authentication uses Security Assertion Markup Language (SAML) to connect Apple Business Manager to Azure AD.
Federated authentication and System for Cross-domain Identity Management (SCIM)
To add the Apple Business Manager Azure AD app with Microsoft tenants, the administrator of the tenants must go through the federated authentication setup process, including testing authentication. When successful, the Apple Business Manager Azure AD app is populated in the tenant and the administrator can federate domains and configure Apple Business Manager to use SCIM. See Review SCIM requirements.
There are two scenarios where you might use federated authentication:
Federated authentication only
When you link to Azure AD, Managed Apple IDs are created for users when they simply sign in with the same username and password that they use with Azure AD services. If a user is removed from Azure AD, that user can be removed from Apple Business Manager.
Federated authentication and Shared iPad
When you use federated authentication with Shared iPad, the sign-in process is different depending on whether the user already exists in Apple Business Manager. To view the sign-in scenarios with Shared iPad and Apple Business Manager, see Shared iPad overview.
If the user forgets their passcode, you must Reset a Shared iPad passcode.