
Change a user’s domain information using Apple Business
In Apple Business, changes to a user’s domain account information require the user to sign out and sign in again.
Important: If a user’s password is changed in Google Workspace, Microsoft Entra ID, or your IdP, Apple Business also invalidates the current session with that user. The user needs to sign in again with their new password to continue using federated authentication for access.
Change a federated user’s role
When you successfully complete your federated authentication, all users from your domain have the role of Staff. You may want to change roles for certain users. If you change to a role that has permissions to set up and configure federation and connect to an identity provider, that user’s authentication changes from Federated (they use their Google Workspace, Microsoft Entra ID, or IdP password) to Apple. They still retain the Managed Apple Account and email address they had when federated authentication was completed.
In Apple Business, sign in with a user whose role has permissions to create, edit, and delete Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
If necessary, search for the user in the search field. See How to search.
Select the user from the list.
Select Edit, then select a role. If you want to add a second role for this user, select Add next to the initial role, then enter a different role, organizational unit, and optionally, a brand.
Select Save.
Change a user’s email to a federated domain
If you’ve successfully linked Apple Business to your Google Workspace, Microsoft Entra ID, or IdP domain, you can change an existing account so that its email address and Managed Apple Account are identical. An exception is that a user whose role has permissions to set up and configure federation and connect to an IdP can’t use the same address for both.
In Apple Business, sign in with a user whose role has permissions to create, edit, and delete Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
If necessary, search for the user in the search field. See How to search.
Select the user from the list.
Select Edit, change the email address, select OK to also change the Managed Apple Account to match the email address, then select Save.
That user can now sign in with their Managed Apple Account and their domain password.
Edit Managed Apple Account information for a single user
If you’ve successfully linked Apple Business to your Google Workspace, Microsoft Entra ID, or IdP domain, you can change a nonfederated account so that its Managed Apple Account and email address are identical. An exception is that a user whose role has permissions to set up and configure federation and connect to an IdP can’t use the same address for both.
In Apple Business, sign in with a user whose role has permissions to create, edit, and delete Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
If necessary, search for the user in the search field. See How to search.
Select the user from the list.
Select Edit, change the Managed Apple Account, select OK to also change the email address to match the Managed Apple Account, then select Save.
Edit Managed Apple Account information for multiple users
Important: Users aren’t notified when their Managed Apple Account is changed, so you need to notify them as soon as you make the change.
In Apple Business, sign in with a user whose role has permissions to create, edit, and delete Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
If necessary, search for the users in the search field. See How to search.
Select the users from the list.
Select Edit next to Update Managed Apple Accounts, then do one of the following:
Change the Managed Apple Account’s unique user name structure.
Change the domain name structure.
Change both.
Change the Managed Apple Account, select OK to also change the email address to match the Managed Apple Account.
Select Save.
A new activity is created.
Choose one of the following:
Stop the activity.
View the activity.
Select Close.
Wait for the activity to complete, then select Done.
Change a user’s email to an unfederated domain
If you want users to use an email address different from the one in their Google Workspace, Microsoft Entra ID, or IdP domain account, you can change it. Unlike federated accounts, unfederated accounts can have an email address different from the Managed Apple Account. An exception is that a user whose role has permissions to set up and configure federation and connect to an IdP can’t use the same address for both.
In Apple Business, sign in with a user whose role has permissions to create, edit, and delete Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
If necessary, search for the user in the search field. See How to search.
Select the user from the list.
Select Edit, change the email address, then select Save.
Notify the user that they have a new Managed Apple Account.
Edit the Managed Apple Account to an unfederated domain for a single user
If you don’t want users to use the Managed Apple Account in their Google Workspace, Microsoft Entra ID, or IdP domain account, you can change it. Unlike federated accounts, unfederated accounts can have a Managed Apple Account different from the email address. An exception is that a user whose role has permissions to set up and configure federation and connect to an IdP can’t use the same address for both.
In Apple Business, sign in with a user whose role has permissions to create, edit, and delete Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
If necessary, search for the user in the search field. See How to search.
Select the user from the list.
Select Edit, change the domain for the Managed Apple Account to an unfederated domain or the reserved domain, then select Save.
Notify the user that they have a new Managed Apple Account.
Edit the Managed Apple Account to an unfederated domain for multiple users
Important: Users aren’t notified when their Managed Apple Account is changed, so you need to notify them as soon as you make the change.
In Apple Business, sign in with a user whose role has permissions to create, edit, and delete Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
If necessary, search for the users in the search field. See How to search.
Select the users from the list.
Select Edit next to Update Managed Apple Accounts, then do one of the following:
Change the Managed Apple Account’s unique user name structure.
Change the domain name structure.
Change both.
Change the domain for the Managed Apple Account to an unfederated domain or the reserved domain.
Select Save.
A new activity is created.
Choose one of the following:
Stop the activity.
View the activity.
Select Close.
Wait for the activity to complete, then select Done.