Intro to federated authentication with Apple Business Manager
You use federated authentication to link Apple Business Manager to your instance of Microsoft Azure Active Directory (AD). As a result, your users can leverage their MS Azure AD user names and passwords as Managed Apple IDs. They can then use their MS Azure AD credentials to sign in to their assigned iPad or Mac and even iCloud on the web. Users can also use it to sign in on Shared iPad.
If you are attempting to federate a domain you have already verified but another organisation has already federated the identical domain, you must contact that organisation to determine who has the authority to federate the domain.
Important: Federated authentication requires that a user’s UserPrincipalName match their email address. UserPrincipalName aliases are not supported.
To use federated authentication with Apple Business Manager, your Apple devices must meet the following requirements:
iOS 11.3 or later
iPadOS 13.1 or later
macOS 10.13.4 or later
MS Azure AD is the Identity Provider (IdP), which contains the user names and passwords for the accounts you want to use with Apple Business Manager. Federated authentication uses Security Assertion Markup Language (SAML) to connect Apple Business Manager to MS Azure AD.
When you link to MS Azure AD, Managed Apple IDs are created for users when they simply sign in with the same user name and password they use with MS Azure AD services. If a user is removed from MS Azure AD, that user can be removed from Apple Business Manager.
Note: Users cannot sign in to iCloud.com unless they first sign in with their Managed Apple ID on another Apple device.
Federated authentication and Shared iPad
When you use federated authentication with Shared iPad, the sign-in process is different depending on whether the user already exists in Apple Business Manager. To view the sign-in scenarios with Shared iPad and Apple Business Manager, see Shared iPad overview.
If the user forgets their passcode, you must reset their Shared iPad passcode.