Intro to federated authentication with Apple School Manager
You use federated authentication to link Apple School Manager to your instance of Microsoft Azure Active Directory (AD). As a result, your users can use their Microsoft Azure AD user names and passwords as Managed Apple IDs. They can then use those Microsoft Azure AD credentials to sign in to their assigned iPad or Mac and to iCloud on the web. Students can also use them to sign in on Shared iPad.
Only domains that haven’t been claimed by another institution can be added.
Important: Federated authentication requires that a user’s UserPrincipalName match their email address. UserPrincipalName aliases are not supported.
To use federated authentication with Apple School Manager, your Apple devices must meet the following requirements:
iOS 11.3 or later
iPadOS 13 or later
macOS 10.13.4 or later
Microsoft Azure AD is the Identity Provider (IdP), which contains the user names and passwords for the accounts you want to use with Apple School Manager. Federated authentication uses Security Assertion Markup Language (SAML) to connect Apple School Manager to Microsoft Azure AD.
There are three main scenarios where you might use federated authentication:
Federated authentication only
When you link to Microsoft Azure AD, a Managed Apple ID is created for a user the first time they sign in with the same user name and password they use with Microsoft Azure AD services. If a user is removed from Microsoft Azure AD, that user can be removed from Apple School Manager.
Federated authentication with users from other sources
When you link to Microsoft Azure AD, Managed Apple IDs are automatically created for users, and they simply sign in with their current email address as their Managed Apple ID.
You then link to your SIS or upload files with SFTP. All information, such as classes and rosters, is matched against users from your Microsoft Azure AD service. If a user is removed from Microsoft Azure AD, that user must be deactivated in Apple School Manager by an account with permissions to change the status of users.
Important: If you’re connecting to a Student Information System (SIS) or importing users with Secure File Transfer Protocol (SFTP), and using federated authentication, the user’s email address in SIS must match their Microsoft Azure AD user name that they already use to sign in.
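Before enabling federation, it is worth checking both matching rules above against your own exports: every user's UserPrincipalName should equal their email address (an alias in proxyAddresses does not count), and every email address in the SIS roster should equal a UserPrincipalName exactly. The script below is an added example and not part of Apple's documentation or tooling; the two CSV exports it reads are constructed sample data, and the column names (UserPrincipalName, Mail, ProxyAddresses, student_id, email) are assumptions modelled on a typical directory and SIS export. It treats addresses as case-insensitive, which is also an assumption.

```python
"""Reconcile an Azure AD user export against an SIS roster for ASM federation.

Two checks, corresponding to the two matching rules in the text:
  1. UPN == Mail for each directory user (proxyAddresses aliases do not count).
  2. Each SIS email equals some UPN exactly; flag emails that only match an
     alias, and emails with no directory user at all.
The CSV data is constructed sample input; column names are assumptions.
"""
import csv
import io

# Constructed sample export: asmith's UPN and Mail differ (Mail is only an alias).
AAD_EXPORT = """UserPrincipalName,Mail,ProxyAddresses
jdoe@school.example,jdoe@school.example,SMTP:jdoe@school.example
asmith@school.example,a.smith@school.example,SMTP:a.smith@school.example;smtp:asmith@school.example
rlee@school.example,rlee@school.example,SMTP:rlee@school.example
"""

# Constructed sample SIS roster: one good match, one alias-only, one unknown user.
SIS_ROSTER = """student_id,email
1001,jdoe@school.example
1002,a.smith@school.example
1003,kpatel@school.example
"""


def load_csv(text):
    """Parse a CSV export held in memory into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def normalize(addr):
    """Canonical form for comparison (assumes addresses are case-insensitive)."""
    return addr.strip().lower()


def proxy_aliases(row):
    """Extract bare addresses from an 'SMTP:a@x;smtp:b@x' ProxyAddresses field."""
    out = set()
    for entry in row.get("ProxyAddresses", "").split(";"):
        if ":" in entry:
            out.add(normalize(entry.split(":", 1)[1]))
    return out


def check_upn_matches_mail(aad_rows):
    """Rule 1: return UPNs whose Mail attribute is not identical to the UPN."""
    return [
        r["UserPrincipalName"]
        for r in aad_rows
        if normalize(r["UserPrincipalName"]) != normalize(r["Mail"])
    ]


def check_sis_emails(aad_rows, sis_rows):
    """Rule 2: classify each SIS email as ok, alias_only, or missing."""
    upns = {normalize(r["UserPrincipalName"]) for r in aad_rows}
    aliases = set().union(*(proxy_aliases(r) for r in aad_rows))
    result = {"ok": [], "alias_only": [], "missing": []}
    for r in sis_rows:
        email = normalize(r["email"])
        if email in upns:
            result["ok"].append(email)
        elif email in aliases:
            # Would resolve by mail, but federation requires the UPN itself.
            result["alias_only"].append(email)
        else:
            result["missing"].append(email)
    return result


def run_report(aad_text=AAD_EXPORT, sis_text=SIS_ROSTER):
    """Run both checks and return a dict the caller can print or assert on."""
    aad_rows = load_csv(aad_text)
    sis_rows = load_csv(sis_text)
    return {
        "upn_mail_mismatch": check_upn_matches_mail(aad_rows),
        "sis": check_sis_emails(aad_rows, sis_rows),
    }


if __name__ == "__main__":
    report = run_report()
    for upn in report["upn_mail_mismatch"]:
        print(f"UPN/mail mismatch (fix before federating): {upn}")
    for kind in ("alias_only", "missing"):
        for email in report["sis"][kind]:
            print(f"SIS email {kind}: {email}")
```

Replace the two string constants with the contents of your real exports; any line printed by the report is a user who will either fail to sign in or fail to be matched to roster data once federation is turned on.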
Federated authentication and Shared iPad
When you use federated authentication with Shared iPad, the sign-in process is different depending on whether the user already exists in Apple School Manager.
If the user already exists, you must reset their passcode. See Reset Shared iPad passcodes.
If the user doesn’t already exist, they’ll be redirected to sign in using the Microsoft Azure AD screen. Once the user successfully authenticates, they must create a Shared iPad passcode.
The default passcode policy is Standard (8 or more letters and numbers) and can be changed. See Password policy scenarios in Apple School Manager. If the user forgets their passcode, you must use Reset Shared iPad Passcode in Apple School Manager.
Note: Users can’t sign in to icloud.com unless they first sign in on their Apple device associated with Apple School Manager.