Manage verified domains in Apple Business Essentials
After a domain has been verified, there are three options available, all of which can be enabled for each domain:
Option 1. Lock a domain: This option requires that all new Apple Accounts created on the domain be only Managed Apple Accounts.
For more information, see Lock a domain.
Option 2. Domain capture: This option allows you to use domain capture to ensure that any account using your domain is a Managed Apple Account. This includes the ability to convert existing Apple Accounts (which may have been created previously using the organization’s domain) into Managed Apple Accounts.
For more information, see Show unmanaged accounts using your domain.
Note: Turning on domain capture also locks a domain if it wasn’t previously locked.
Option 3. Federated authentication: If there are no unmanaged Apple Account conflicts, or after the domain capture process has started, users with the role of Administrator or People Manager can optionally go on to turn on federated authentication with an IdP. As a result, users can use their Google Workspace, Microsoft Entra ID, or IdP user name (generally their email address) and password as their Managed Apple Account. When federated authentication is turned on, Managed Apple Accounts are automatically created for new users the first time they sign in.
After the domain capture and federated authentication processes have been completed, users with the role of Administrator or People Manager can also turn on directory syncing with their IdP. Directory syncing:
Imports user account information from the IdP
Monitors for changes and automatically syncs these changes to Apple Business Essentials
Automatically removes Managed Apple Accounts when the corresponding user accounts are deleted in the IdP
Note: Turning on federated authentication also locks a domain if it wasn’t previously locked.
Because each option is enabled per domain, an organization can lock one specific domain in its list of verified domains, perform the domain capture process on another domain, and federate a third domain.
For more information, see Intro to federated authentication.