Use federated authentication with MS Azure AD in Apple Business Manager
After completing a successful administrator account sign-in and checking for username conflicts, you must turn on and test federated authentication.
There is a three-step process to link Apple Business Manager to Azure AD and use federated authentication:
1. Add and verify a domain. See Link to new domains.
2. Configure the federated authentication process.
3. Test authentication with a single Azure AD domain account.
Configure the federated authentication process
This task allows Azure AD to trust Apple Business Manager.
In Apple Business Manager
, sign in as a user that has the role of Administrator or People Manager.Tap your name at the bottom of the sidebar, tap Preferences
, then tap Accounts 
.Next to Federated Authentication, tap Edit, then tap Connect.
Tap “Sign in with Microsoft”, enter a Microsoft Azure AD Global Administrator, Application Administrator or Cloud Application Administrator account, then tap Next.
Enter the password for the account, then tap Sign In.
Carefully read the application agreement, then tap Accept.
You are consenting to Microsoft giving Apple access to information found in Azure AD.
Tap Done.
Note: After you complete this step, users cannot create new personal Apple IDs on the domain you configure. This could affect other Apple services you use. See Transfer Apple services when federating.
In some cases you may not be able to add your domain. Common reasons are:
The Microsoft Azure AD Global Administrator, Application Administrator or Cloud Application Administrator account used does not have permission to add domains in Azure AD.
The username or password from the account in step 4 is incorrect.
Test authentication with a single Azure AD account
This task allows Apple Business Manager to trust Azure AD. After you have verified ownership of your domain and successfully tested authentication with a single Azure AD account, you can then create additional accounts and continue federating your domain.
Tap Federate next to the domain you want to federate.
Tap “Sign in to Microsoft Azure Portal”, then enter your username and password.
Enter a Microsoft Azure AD Global Administrator, Application Administrator or Cloud Application Administrator account that exists in the domain, then tap Next.
Enter the password for the account, tap Sign In, tap Done, then tap Done.
In some cases you may not be able to sign in to your domain. Here are some common reasons:
The username or password from the domain that you chose to federate is incorrect.
The account is not in the domain that you chose to federate.
After sign-in is successful, Apple Business Manager checks for username conflicts with this domain. The check for username conflicts must be complete before you can use federated authentication with this domain.
Note: After you successfully link Apple Business Manager to Azure AD, you can change the role of an account to another role. For example, you may wish to change the role of an account to a Staff role.
Turn on federated authentication
Before you turn on federated authentication, make sure you have linked to a new domain and verified it and turned on and tested federated authentication.
Note: If you are planning on connecting to Azure AD using SCIM, you should wait to turn on federated authentication until after the SCIM connection is successful.
In Apple Business Manager
, sign in as a user that has the role of Administrator or People Manager.Tap your name at the bottom of the sidebar, tap Preferences
, then tap Accounts .Tap Edit in the Domains section, then turn on federated authentication for the domains that have been successfully added to Apple Business Manager.
It may take a while to update all accounts.
Test federated authentication
You can test the federated authentication connection after you have performed the following tasks:
You have completed a successful connection and verification to your domain.
The check for username conflicts is complete.
The Managed Apple ID default format is updated.
Note: Users with the role of Administrator or People Manager cannot sign in using federated authentication; they can only manage the federation process.
In Apple Business Manager
, sign in as a user that does not have an Administrator role.If the username you signed in with is found, a new screen indicates that you are signing in as a user in your domain.
Tap Continue, enter the password for the user, then tap Sign In.
Sign out of Apple Business Manager.
Note: Users cannot sign in to iCloud.com unless they have first signed in with their Managed Apple ID on another Apple device.