Sync user accounts from Microsoft Entra ID to Apple School Manager
You can use OpenID Connect (OIDC) to sync user accounts to Apple School Manager. Using this system, you can add Apple School Manager properties (such as grade level and roles) with user account data imported from Microsoft Entra ID. When you use OIDC to sync user accounts, the account information is added as read-only until you disconnect from Microsoft Entra ID. At that time, the user accounts become manual accounts, and attributes in these accounts can then be edited.
Before you begin
Before you sync to Microsoft Entra ID using an OIDC connection, you must do the following:
If necessary, configure and verify the domain you want to use. See Link to new domains. If you’ve already verified the domain you want to federate with Google Workspace, you can skip this process.
Disconnect from your Student Information System (SIS) or stop uploads using SFTP.
Configure, federate and enable a domain. See Use federated authentication with Microsoft Entra ID.
When you configure the connection, you should use the email address of a user that has the role of Administrator, Site Manager, or People Manager so they can receive notifications from Microsoft Entra ID.
Have on call a Microsoft Entra ID Global Administrator with permissions to edit Microsoft Entra ID settings.
Microsoft Entra ID user accounts and Apple School Manager
When a user account is synced from Microsoft Entra ID using OIDC to Apple School Manager, the default role is Student. After the sync is complete, the following user account attributes can be edited:
Roles
Year level
Student Information System (SIS) username
These attributes are stored with the user account in Apple School Manager and aren’t written back to Microsoft Entra ID.
Important: Don’t reuse a user name for 120 days in the Apple School Manager Entra ID app.
Sign-in attribute
Apple School Manager requires that the attribute used for the Managed Apple ID be unique. This is normally the user’s email address. If a user has an attribute that’s exactly the same as an existing Apple School Manager user with the role of Administrator, no syncing is performed and the source field remains unchanged.
User Principal Name
If a user account has a User Principal Name (UPN) that is exactly the same as an existing user account that has the role of Administrator, Site Manager or People Manager, no syncing is performed and the source field remains unchanged. This occurs regardless of the sync method originally used (SIS or SFTP).
Person ID
When a Microsoft Entra ID user account is synced to Apple School Manager, a Person ID is created for the Apple School Manager user account. The Person ID is used to identify conflicting user accounts. Also, the Person ID is automatically generated for users synced using OIDC or using SIS integration but not automatically generated for users imported using SFTP.
If Microsoft Entra ID is disconnected and SFTP is used to upload users again, new users are created unless the Person ID in the SFTP upload file matches the Person ID that was assigned by the OIDC sync. See Upload Student Information System data to Apple School Manager.
Important considerations if you modify the Person ID:
If you modify the Person ID for a user account previously imported from Microsoft Entra ID, that user account is no longer paired with Microsoft Entra ID.
If you modify the Person ID for a user account previously imported from Microsoft Entra ID and want to reconnect the user account, see Resolve Microsoft Entra ID OIDC user account conflicts.
Microsoft Entra ID tenants
To use OIDC with Apple School Manager, your organisation must not have the same Microsoft Entra ID tenant as any other Apple School Manager organisation. If you want to use OIDC for your organisation, contact your Microsoft Entra ID Global Administrator to ensure that no other organisation is using your Entra ID tenant for OIDC.
Microsoft Entra ID groups
In Microsoft Entra ID, the user interface allows you to sync group accounts, but only user accounts within those groups are supported for syncing.
If you have a group account configured in Microsoft Entra ID, you can add that group to the Apple School Manager Entra ID app instead of adding each user.
Note: Subgroups aren’t supported in the Apple School Manager Entra ID app.
OIDC user attribute mapping
When a user account is synced from Microsoft Entra ID using OIDC to Apple School Manager, the following user attributes are stored as read-only. The table also denotes whether the user attribute is required.
Important: Adding attributes not listed in the table may break the OIDC connection.
Microsoft Entra ID user attribute | Apple School Manager user attribute | Required |
---|---|---|
givenName | First Name | |
surname | Last Name | |
userPrincipalName | Managed Apple ID and email address | |
objectId | (Not shown in Apple School Manager. This attribute is used to identify conflicting accounts.) | |
Department | Department | |
Employee Id | Person Number | |
employeeOrgData.costCenter | Cost Center | |
employeeOrgData.division | Division |
Turn on Microsoft Entra Connect Sync
In Apple School Manager , sign in with a user that has the role of Administrator, Site Manager or People Manager.
Select your name at the bottom of the sidebar, select Preferences , then select Managed Apple IDs.
Turn on Microsoft Entra Connect Sync then select Sync Now.
Manually sync
You can manually sync Apple School Manager to Microsoft Entra ID to import any changes made in Microsoft Entra ID.
In Apple School Manager , sign in with a user that has the role of Administrator, Site Manager or People Manager.
Select your name at the bottom of the sidebar, select Preferences , then select Managed Apple IDs.
Select Sync Now under Microsoft Entra ID.