
Turn on and test federated authentication in Apple School Manager
After completing a successful administrator account sign-in and checking for username conflicts, you must turn on and test federated authentication.
Important: The federated authentication test also changes your default Managed Apple ID format. New accounts created in your Student Information System (SIS) or uploaded using Secure File Transfer Protocol (SFTP) use the new Managed Apple ID format.
There are three main steps to link Apple School Manager to Azure AD and use federated authentication:
Add and verify a domain. See Configure new domains.
Configure the federated authentication process.
Test authentication with a single Azure AD domain account.
Configure the federated authentication process
This task allows Azure AD to trust Apple School Manager.
In Apple School Manager, sign in with an account that has the role of Administrator, Site Manager or People Manager.
Click Settings at the bottom of the sidebar, then click Accounts below Organisation Settings.
Next to Federated Authentication, click Edit, then click Connect.
Click “Sign in to Microsoft Azure Portal”, enter a Microsoft Azure AD Global Administrator, Application Administrator or Cloud Application Administrator account, then click Next.
Enter the password for the account, then click Sign In.
Carefully read the application agreement, then click Accept.
You are consenting to Microsoft giving Apple access to information found in Azure AD.
Click Done.
In some cases you may not be able to add your domain. Common reasons are:
The Microsoft Azure AD Global Administrator, Application Administrator or Cloud Application Administrator account used does not have permission to add domains in Azure AD.
The username or password from the account in step 4 is incorrect.
Test authentication with a single Azure AD account
This task allows Apple School Manager to trust Azure AD. After you have verified ownership of your domain and successfully tested authentication with a single Azure AD account, you can create additional accounts and continue federating your domain.
Click Federate next to the domain you want to federate.
Click “Sign in to Microsoft Azure Portal”, then enter your username and password.
Enter a Microsoft Azure AD Global Administrator, Application Administrator or Cloud Application Administrator account that exists in the domain, then click Next.
Enter the password for the account, click Sign In, click Done, then click Done.
In some cases you may not be able to sign in to your domain. Here are some common reasons:
The username or password from the domain that you chose to federate is incorrect.
The account is not in the domain that you chose to federate.
When sign-in is successful, Apple School Manager checks for username conflicts with this domain. The check for username conflicts must be complete before you can use federated authentication with this domain.
Note: After you successfully link Apple School Manager to Azure AD, you can change the role of an account to another role. For example, you may want to change the role of an account to an Instructor role.
Turn on federated authentication
Note: If you are planning on connecting to Azure AD using SCIM, you should wait to turn on federated authentication until after the SCIM connection is successful.
You must complete the steps to add and verify a domain and complete the federated authentication configuration process before you turn on federated authentication.
In Apple School Manager, sign in with an account that has the role of Administrator, Site Manager or People Manager.
Click Settings at the bottom of the sidebar, then click Accounts below Organisation Settings.
Click Edit in the Domains section, then turn on federated authentication for the domains that have been successfully added to Apple School Manager.
It may take a while to update all accounts.
Test federated authentication
You can test the federated authentication connection after you have performed the following tasks:
You have completed a successful connection and verification to your domain.
The check for username conflicts is complete.
The Managed Apple ID default format is updated.
Note: Accounts with the Administrator role cannot sign in using federated authentication; they can only manage the federation process.
In Apple School Manager, sign in with an account that does not have a Staff or Student role.
If the username is found, a new screen indicates that you are signing in with an account in your domain.
Click Continue, enter the password for the user, then click Sign In.
Sign out of Apple School Manager.