Azure AD sync requirements with Apple School Manager
You can use the System for Cross-domain Identity Management (SCIM) to import users into Apple School Manager. Using this system, you merge Apple School Manager properties (such as grade level and roles) with user account data imported from Microsoft Azure Active Directory (Azure AD). When you use SCIM to import users, the account information is added as read-only until you disconnect from SCIM. At that time, the accounts become manual accounts and the attributes for these accounts can then be edited. The initial sync takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. See Provisioning tips at the Microsoft Azure documentation website.
Azure AD privileges
The following roles in Azure AD can use SCIM to sync accounts to Apple School Manager:
Application Administrator
Cloud Application Administrator
Application Owner
Global Administrator
See Azure AD built-in roles at the Microsoft Azure AD website.
Azure AD tenants
To use SCIM with Apple School Manager, your organisation must not have the same Azure AD tenant as any other Apple School Manager organisation. If you want to use SCIM for your organisation, contact your Azure AD administrator to ensure that no other organisation is using your Azure AD tenant for SCIM.
Azure AD groups
In Azure AD, both sync methods use the word Groups, but only user accounts are synced. You can add Azure AD groups to the Apple School Manager Azure AD app. For example, if you have groups in Azure AD named Staff, Instructors and Students, you can add those three groups to the Apple School Manager Azure AD app. When you connect using SCIM, only accounts in those groups are synced to Apple School Manager.
Note: Subgroups aren’t supported in the Apple School Manager Azure AD app.
Provisioning scope
There are two ways you can sync accounts from Azure AD to Apple School Manager.
Sync only assigned users and groups: This option syncs only the accounts that appear in the Apple School Manager Azure AD app to Apple School Manager. When using this method to sync, Azure AD accounts must have the role of user to sync to Apple School Manager.
Sync all users and groups: This option syncs all accounts (syncing groups isn’t supported) that appear in the Azure AD User tab to Apple School Manager and creates Managed Apple IDs for all federated Azure AD accounts, even if you intend to use only a specific number of accounts.
See the Microsoft Support articles What is automated SaaS app user provisioning in Azure AD? and Attribute-based application provisioning with scoping filters.
Provisioning notifications
When you configure provisioning, you should use the email address of a user that has the role of Administrator, Site Manager or People Manager so they can receive notifications from Azure AD.
SCIM and federated authentication
If federation is already turned on when Azure AD accounts are sent to Apple School Manager, you won’t see an activity but accounts will still sync from the federated domain.
Azure AD is the Identity Provider (IdP) that authenticates the user for Apple School Manager and issues authentication tokens. Because Apple School Manager supports Azure AD, other IdPs that connect to Azure AD like Active Directory Federated Services (ADFS) will also work. Federated authentication uses Security Assertion Markup Language (SAML) to connect Apple School Manager to Azure AD.
Azure AD user accounts and Apple School Manager
When a user is copied from Azure AD using SCIM to Apple School Manager, the default role is Student. After the sync is complete, the following user attributes can be edited:
Roles
Year level
Student Information System (SIS) username
These attributes are stored with the user account in Apple School Manager and aren’t written back to Azure AD.
SCIM user attribute mapping
When an account is copied from Azure AD using SCIM to Apple School Manager, the following user attributes are stored as read-only. The table also denotes whether the user attribute is required.
Important: Adding attributes not listed in the table breaks the SCIM connection.
Azure AD user attribute | Apple School Manager user attribute | Required |
---|---|---|
First Name | First Name | |
Last Name | Last Name | |
User Principal Name | Managed Apple ID and email address | |
Object ID | (Not shown in Apple School Manager. This attribute is used to identify conflicting accounts.) | |
Department | Department | |
Employee ID | Person Number | |
Custom attribute (must be created in the Apple School Manager Azure AD app) | Cost Centre | |
Custom attribute (must be created in the Apple School Manager Azure AD app) | Division |
User Principal Name
If a user has a User Principal Name (UPN) that is exactly the same as an existing Apple School Manager user that has the role of Administrator, Site Manager or People Manager, no syncing is performed and the source field remains unchanged. This occurs regardless of the sync method originally used (SIS or SFTP).
Person ID
When an Azure AD user is synced to Apple School Manager, a Person ID is created for the Apple School Manager user account. Person ID and Object ID are used to identify conflicting user accounts.
The Person ID is automatically generated for users imported using SCIM or using SIS integration but not automatically generated from users imported using SFTP.
If SCIM is disconnected and SFTP is used to upload users again, new users are created unless the Person ID in the SFTP upload file matches the Person ID that was assigned by SCIM. See Import accounts using SFTP.
If you modify the Person ID for an account previously imported from SCIM, that account is no longer paired with Azure AD. If you modified the Person ID for an account previously imported from SCIM and want to reconnect the account to SCIM, see Resolve SCIM user account conflicts.
Recommendations
You should use only the Apple School Manager Azure AD app when connecting with SCIM.
If you have a verified domain but haven’t turned on federated authentication, you should wait to turn on federation until after you’ve verified that the Azure AD users have been sent to Apple School Manager. Do this by reviewing the Azure AD provisioning logs. After verifying that the Azure AD users have been sent, when you turn on federation, you’ll be notified by an activity when Azure AD users are provisioned. If federation is already turned on when the Azure AD users are sent, you won’t see an activity but users still sync.
If you have a group configured in Azure AD, you can add that group to the Apple School Manager Azure AD app instead of adding each user.
Important: Don’t reuse a username for 120 days in the Apple School Manager Azure AD app.
Before you begin
Before you begin, you must do the following:
Disconnect from your Student Information System (SIS) or stop uploads using SFTP.
Configure and verify the domain you want to use. See Link to new domains.
Configure (but don’t turn on) federated authentication. See Turn on and test federated authentication.
Note: If federated authentication is already turned on, you can still proceed. See the recommendations in the previous section.
Determine the type of syncing in Azure AD, and if necessary, create groups for syncing only assigned accounts to the Apple School Manager Azure AD app:
Sync only assigned users.
Sync all users.
Have on call an Azure AD administrator with permissions to edit enterprise applications. When both of you are ready, see Use SCIM to import users.