
Sync user accounts from Microsoft Entra ID to Apple Business
Overview
You can use OpenID Connect (OIDC) to sync user accounts to Apple Business. Using this system, you can add Apple Business properties (such as roles) to user account data imported from Microsoft Entra ID. When you use OIDC to sync user accounts, the account information is added as read-only and stays read-only until you disconnect from Microsoft Entra ID. At that time, the user accounts become manual accounts, and the attributes in these accounts can be edited.
Note: The initial sync takes longer to perform than subsequent cycles do. Consult the Microsoft Entra ID documentation to learn how often users are synced.
How is federation data from Microsoft Entra ID used for directory syncing?
The following information is read by Apple Business when you link to Microsoft Entra ID for directory syncing:
| Microsoft Entra ID user attribute | Apple Business user attribute | Required |
|---|---|---|
| givenName | First Name | |
| surname | Last Name | |
| userPrincipalName | Managed Apple Account and email address | |
| displayName | User Name | |
| department | Department | |
| costCenter | Cost Center | |
| removed | For user removal | |
For more information, see the Microsoft support article Get a user.
OIDC user attribute mapping
When a user account is synced from Microsoft Entra ID to Apple Business using OIDC, the following user attributes are stored as read-only. The table also denotes whether the user attribute is required.
Important: Adding attributes not listed in the table may break the OIDC connection, because Apple Business processes only the listed attributes and unmapped attributes can cause token validation failures.
| Microsoft Entra ID user attribute | Apple Business user attribute | Required |
|---|---|---|
| givenName | First Name | |
| surname | Last Name | |
| userPrincipalName | Managed Apple Account and email address | |
| objectId | (Not shown in Apple Business. This attribute is used to identify conflicting accounts.) | |
| Department | Department | |
| Employee Id | Person Number | |
| employeeOrgData.costCenter | Cost Center | |
| employeeOrgData.division | Division | |
Turn on Microsoft Entra Connect
Important: Review the following before you configure directory syncing.
In Apple Business, sign in with a user whose role has permissions to set up and configure federation and connect to an identity provider (IdP).
To view roles and permissions, see Intro to roles and permissions.
Under Directory Sync, select Set up next to the Microsoft Entra ID domain you want to sync with Apple Business.
Manually sync
You can manually sync Apple Business to Microsoft Entra ID to import any changes made in Microsoft Entra ID.
In Apple Business, sign in with a user whose role has permissions to set up and configure federation and connect to an identity provider (IdP).
To view roles and permissions, see Intro to roles and permissions.
Under Directory Sync, select the Microsoft Entra ID domain, then select Sync Now.

