Microsoft Entra ID sync requirements with Apple School Manager
You can use the System for Cross-domain Identity Management (SCIM) to import users into Apple School Manager. Using this system, you merge Apple School Manager properties (such as grade level and roles) with user account data imported from Microsoft Entra ID. When you use SCIM to import users, the account information is added as read-only until you disconnect from SCIM. At that time, the accounts become manual accounts, and attributes in these accounts can then be edited. The initial sync takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Entra ID provisioning service is running. See Provisioning tips at the Microsoft Entra ID documentation website.
Microsoft Entra ID privileges
The following roles in Microsoft Entra ID can use SCIM to sync accounts to Apple School Manager:
Application Administrator
Cloud Application Administrator
Application Owner
Global Administrator
See Microsoft Entra built-in roles at the Microsoft Entra ID website.
Microsoft Entra ID tenants
To use SCIM with Apple School Manager, your organization must not have the same Microsoft Entra ID tenant as any other Apple School Manager organization. If you want to use SCIM for your organization, contact your Entra ID administrator to ensure that no other organization is using your Entra ID tenant for SCIM.
Microsoft Entra ID groups
In Microsoft Entra ID, both sync methods use the word Groups, but only user accounts are synced. You can add Entra ID groups to the Apple School Manager Entra ID app. For example, if you have groups in Entra ID named Staff, Instructors, and Students, you can add those three groups to the Apple School Manager Entra ID app. When you connect using SCIM, only accounts in those groups are synced to Apple School Manager.
Note: Subgroups aren’t supported in the Apple School Manager Entra ID app.
Provisioning scope
There are two ways you can sync accounts from Microsoft Entra ID to Apple School Manager.
Sync only assigned users and groups: This option syncs only the accounts that appear in the Apple School Manager Entra ID app to Apple School Manager. When using this method to sync, Microsoft Entra ID accounts must have the role of user to sync to Apple School Manager.
Sync all users and groups: This option syncs all accounts (syncing groups isn’t supported) that appear in the Microsoft Entra ID User tab to Apple School Manager and creates Managed Apple IDs for all federated Microsoft Entra ID accounts, even if you intend to use only a subset of those accounts.
See the Microsoft Support articles What is app provisioning in Microsoft Entra ID? and Scoping users or groups to be provisioned with scoping filters.
Provisioning notifications
When you configure provisioning, use the email address of a user who has the role of Administrator, Site Manager, or People Manager so that they receive notifications from Microsoft Entra ID.
SCIM and federated authentication
If federation is already turned on when the Microsoft Entra ID accounts are sent to Apple School Manager, you won’t see an activity, but accounts will still sync from the federated domain.
Microsoft Entra ID user accounts and Apple School Manager
When a user is copied from Microsoft Entra ID using SCIM to Apple School Manager, the default role is Student. After the sync is complete, the following user attributes can be edited:
Roles
Grade level
Student Information System (SIS) user name
These attributes are stored with the user account in Apple School Manager and aren’t written back to Microsoft Entra ID.
SCIM user attribute mapping
When an account is copied from Microsoft Entra ID using SCIM to Apple School Manager, the following user attributes are stored as read-only. The table also denotes whether the user attribute is required.
Important: Adding attributes not listed in the table breaks the SCIM connection.
Microsoft Entra ID user attribute | Apple School Manager user attribute | Required |
---|---|---|
First Name | First Name | |
Last Name | Last Name | |
User Principal Name | Managed Apple ID and email address | |
Object ID | (Not shown in Apple School Manager. This attribute is used to identify conflicting accounts.) | |
Department | Department | |
Employee ID | Person Number | |
Custom attribute (must be created in the Apple School Manager Entra ID app) | Cost Center | |
Custom attribute (must be created in the Apple School Manager Entra ID app) | Division | |
User Principal Name
If a user has a User Principal Name (UPN) that is exactly the same as an existing Apple School Manager user who has the role of Administrator, Site Manager, or People Manager, no syncing is performed and the source field remains unchanged. This occurs regardless of the sync method originally used (SIS or SFTP).
Person ID
When a Microsoft Entra ID user is synced to Apple School Manager, a Person ID is created for the Apple School Manager user account. Person ID and Object ID are used to identify conflicting user accounts. The Person ID is generated automatically for users imported using SCIM or SIS integration, but not for users imported using SFTP.
If SCIM is disconnected and SFTP is used to upload users again, new users are created unless the Person ID in the SFTP upload file matches the Person ID that was assigned by SCIM. See Import accounts using SFTP.
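The following is an added example, not Apple's or Microsoft's code, that models three rules from this page in one place: the read-only attribute mapping table (including the rule that an unlisted attribute breaks the connection), the UPN conflict check against privileged Apple School Manager accounts, and the Person ID match that decides whether an SFTP re-upload reuses or recreates an account. It uses the table's display names rather than the SCIM wire schema, and all user records are constructed sample data.

```python
from __future__ import annotations

# Entra ID attribute -> Apple School Manager attribute, as listed in the table
# on this page. Object ID is not shown in ASM; it is kept for conflict detection.
ATTRIBUTE_MAP = {
    "First Name": "First Name",
    "Last Name": "Last Name",
    "User Principal Name": "Managed Apple ID",
    "Object ID": "Object ID",
    "Department": "Department",
    "Employee ID": "Person Number",
    "Cost Center": "Cost Center",  # custom attribute in the ASM Entra ID app
    "Division": "Division",        # custom attribute in the ASM Entra ID app
}
PRIVILEGED_ROLES = {"Administrator", "Site Manager", "People Manager"}


def map_entra_user(entra_user: dict) -> dict:
    """Translate one Entra ID user into ASM attributes. Any attribute outside
    the table is rejected, since the page says unlisted attributes break SCIM."""
    unknown = set(entra_user) - set(ATTRIBUTE_MAP)
    if unknown:
        raise ValueError(f"unsupported SCIM attributes: {sorted(unknown)}")
    asm = {ATTRIBUTE_MAP[k]: v for k, v in entra_user.items()}
    if "Managed Apple ID" in asm:
        asm["Email"] = asm["Managed Apple ID"]  # UPN fills both fields
    asm["Role"] = "Student"  # default role assigned by a SCIM sync
    return asm


def sync_decision(entra_user: dict, existing_asm_users: list[dict]) -> str:
    """Return 'skip' when the UPN exactly matches an existing ASM user holding a
    privileged role (no sync, source unchanged); otherwise return 'sync'."""
    upn = entra_user["User Principal Name"]
    for user in existing_asm_users:
        if user["Managed Apple ID"] == upn and user["Role"] in PRIVILEGED_ROLES:
            return "skip"
    return "sync"


def sftp_reupload(scim_users: list[dict], sftp_rows: list[dict]) -> dict:
    """After SCIM is disconnected, an SFTP row matches an existing account only
    when its Person ID equals the one SCIM assigned; every other row creates a
    new account. Rows with no Person ID therefore always create new accounts."""
    known = {u["Person ID"] for u in scim_users}
    matched = [r for r in sftp_rows if r.get("Person ID") in known]
    created = [r for r in sftp_rows if r.get("Person ID") not in known]
    return {"matched": matched, "created": created}
```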
Important considerations if you modify the Person ID:
If you modify the Person ID for an account previously imported from SCIM, that account is no longer paired with Microsoft Entra ID.
If you modify the Person ID for an account previously imported from SCIM and want to reconnect the account, see Resolve SCIM user account conflicts.
Recommendations
You should use only the Apple School Manager Entra ID app when connecting with SCIM.
If you have a verified domain but haven’t turned on federated authentication, you should wait to turn on federation until after you’ve verified that the Microsoft Entra ID users have been sent to Apple School Manager. Do this by viewing the Entra ID provisioning logs. After verifying that the Entra ID users have been sent, when you turn on federation, you’ll be notified by an activity when Entra ID users are provisioned. If federation is already turned on when the Entra ID users are sent, you won’t see an activity but users still sync.
If you have a group configured in Microsoft Entra ID, you can add that group to the Apple School Manager Entra ID app instead of adding each user.
Important: Don’t reuse a user name for 120 days in the Apple School Manager Entra ID app.
Before you begin
Before you begin, you must do the following:
Disconnect from your Student Information System (SIS) or stop uploads using SFTP.
Configure and verify the domain you want to use. See Link to new domains.
Configure (but don’t turn on) federated authentication. See Configure the federated authentication process.
Note: If federated authentication is already turned on, you can still proceed. See the recommendations in the previous section.
Determine the type of syncing in Microsoft Entra ID, and if necessary, create groups for syncing only assigned accounts to the Apple School Manager Entra ID app:
Sync only assigned users.
Sync all users.
Have on call a Microsoft Entra ID administrator with permissions to edit enterprise applications. When both of you are ready, see Use SCIM to import users.