Federated authentication for Managed Apple IDs

This week is all about federated authentication for Managed Apple IDs. When using Microsoft Intune for managing Apple devices, Managed Apple IDs add more and more value to the solution. That value increases further when those Managed Apple IDs are federated with Azure AD, because the user then has a single account to remember and to use. Together that brings a very nice experience on Apple devices that use federated Managed Apple IDs and are managed with Microsoft Intune. In this post I’ll discuss and describe the following information regarding Managed Apple IDs:

What are Managed Apple IDs and why using them?

Managed Apple IDs are the business version of personal Apple IDs and are the solution to prevent the use of personal Apple IDs for work. Managed Apple IDs are unique to an organization and are owned and managed by that organization. That also means that the organization is responsible for everything around managing the account and its password. Apple Business Manager (ABM) is used for managing everything around Managed Apple IDs.

Within Microsoft Intune, Managed Apple IDs are required for Shared iPad devices and for User Enrollment. In the first scenario a Managed Apple ID is used to actually sign in to the device, and in the second scenario a Managed Apple ID is used to separate personal and work data and apps. The latter experience is similar to what might be known from a Work Profile on an Android device. The integration is just a bit prettier for the user, but more about that in another post.

Besides the Microsoft Intune specific scenarios, in which Managed Apple IDs are required, Managed Apple IDs can also be used to sign in to devices and to access Apple services. That experience is similar to the use of personal Apple IDs. However, there is a big difference: the available services and features are limited to what is useful for businesses. That means that signing in to iCloud (including 5GB of storage) and collaborating in iWork and Notes is available, but other features like Apple Pay, Find My and Apple HomeKit are not available. For a complete list of available features refer to the Apple docs.

Federated authentication for Managed Apple IDs

Managed Apple IDs can be created and associated with basically any email address, including an address that a user already uses for a personal Apple ID. However, it is a lot easier to create Managed Apple IDs based on the work email address, or, even better, to create them automatically. To achieve that, organizations can use a federation with Azure AD for Managed Apple IDs, and automatically provision those Managed Apple IDs from Azure AD.

The first step in that process is to create the federation with Azure AD. That enables users to also use their Azure AD work account for business purposes on their Apple devices: a single account for all business purposes in the Microsoft world and the Apple world. A very pleasant experience. To create that experience, an organization should link its Apple Business Manager to its Azure AD tenant. That link makes Azure AD the identity provider that authenticates the users for Apple Business Manager.

Important: Apple Business Manager can only be linked to a single Azure AD tenant.

The following 11 steps walk through the different stages of configuring Azure AD as the identity provider for the Managed Apple IDs. During the configuration an Enterprise application – with the name Apple Business Manager – is created in Azure AD. Keep that in mind for any Conditional Access policies, as the sign-ins for this federation are evaluated against that application.

  1. Open Apple Business Manager and navigate to Settings > Accounts

Note: The account that is used should have the role of Administrator or People Manager.

  2. In the Domains section, click Edit > Add Domain, add the required domain and click Continue (and the result is shown below in Figure 1)
  3. Back in the Domains section, click Verify next to the added domain, copy the information for the TXT record and create a TXT record in the public DNS (and the result is shown below in Figure 2)
  4. Back in the Domains section, after the TXT record has been added, click Check Now next to the added domain (and the result is shown below in Figure 3)
  5. In the Federated Authentication section, click Edit > Connect
  6. On the Connect to your Identity Provider dialog box, click Sign in to Microsoft Azure Active Directory Portal… and sign in with an account of the Azure AD tenant

Note: The account that is used should have the role of Global administrator, Application administrator, or Cloud application administrator.

  7. On the Permissions requested dialog box, verify the information about the Apple Business Manager app and the requested permissions and click Accept
  8. Back on the Connect to your Identity Provider dialog box, click Done (and the result is shown below in Figure 4)

Note: Once the federation is configured, it cannot be undone via Apple Business Manager; removing it requires contacting Apple.

  9. Back in the Domains section, click Verify next to the added domain
  10. On the Federated Domain dialog box, click Sign in to Microsoft Azure Active Directory Portal… and sign in with an account of the Azure AD tenant

Note: The account that is used should have the role of Global administrator, Application administrator, or Cloud application administrator and should have a UPN of the verified domain.

  11. Back on the Federated Domain dialog box, click Done (and the result is shown below in Figure 5)

Important: When automatic provisioning of the Managed Apple IDs should also be configured, do not enable the federation yet.

Note: Once the federation is tested, Apple verifies whether any existing Apple IDs are already using the verified domain name.

Automatically provisioned users from Azure AD

After creating the federation with Azure AD, the second step is to automatically provision the users in Apple Business Manager. That enables an organization to maintain the identity of its users in a single place. Users created in Azure AD (or AD) are automatically created in Apple Business Manager after the next synchronization. The same applies to disabling and removing accounts in Azure AD: after the next synchronization, the Managed Apple IDs are updated in Apple Business Manager.

Note: When an account is disabled or removed in Azure AD, it will be deactivated in Apple Business Manager and it will be removed after 30 days.

There are also alternatives to automatically provisioning users from Azure AD. One alternative is manually creating Managed Apple IDs and another is letting Apple Business Manager automatically create Managed Apple IDs once they are used for the first time. However, in both cases administrative effort is required for managing those Managed Apple IDs in Apple Business Manager. If possible, use automatic provisioning of users from Azure AD.

To facilitate the automatic provisioning of users from Azure AD in Apple Business Manager, Azure AD and Apple Business Manager rely on System for Cross-domain Identity Management (SCIM). SCIM is an open standard (RFC 7643 and RFC 7644) for automating the exchange of user identity information between identity domains and IT systems. The standard covers exchanging both user and group information. However, Apple Business Manager has no concept of groups and only consumes user information. The following steps walk through the different stages of configuring a SCIM synchronization between Azure AD and Apple Business Manager.

  1. Open Apple Business Manager and navigate to Settings > Data Source
  2. In the SCIM section, click Connect, copy the Token and click Close (this token is the only credential Azure AD presents to the SCIM endpoint, so treat it as a secret and paste it only into the provisioning configuration)
  3. Open the Azure portal and navigate to Azure Active Directory > Enterprise applications > Apple Business Manager

Note: The Apple Business Manager app is created during the configuration of the federation.

  4. Select the Provisioning tab, click Get started and set Provisioning Mode to Automatic
  5. In the Admin Credentials section, specify the following information (as shown below in Figure 6) and click Test Connection
  • Tenant URL: Specify https://federation.apple.com/feeds/business/scim as value
  • Secret Token: Specify the earlier copied Token as value
  6. In the Mappings section, specify any additional (or adjust any default) Azure AD attributes that should be mapped to Apple Business Manager attributes (as shown below in Figure 7)

Important: Only use the Apple Business Manager attributes that Apple documents, or the SCIM synchronization will break.

Note: By default the following Azure AD attributes are mapped to Apple Business Manager attributes – with the target object actions Create, Update and Delete – userPrincipalName, Not([IsSoftDeleted]), givenName, surname, objectId, department and employeeId.

  7. In the Settings section, specify the following information (as shown below in Figure 8) and click Save
  • Notification Email: Specify the email address of an administrator that should be notified of synchronization failures (when Send an email notification when a failure occurs is also checked)
  • Scope: Select Sync only assigned users and groups as value

Note: This scope makes sure that the provisioning is limited to specifically assigned user accounts instead of every user in the tenant.

  8. Select the Users and groups tab and click Add user/group to specify the users that should be part of the automatic provisioning into Apple Business Manager

Note: This assignment doesn’t allow an administrator to configure a default assigned role yet. Every synchronized user account is created in Apple Business Manager with the role Staff.

  9. Back in Apple Business Manager, navigate to Settings > Accounts
  10. In the Domains section, click Edit and move the slider to enable federation with the added domain (and the result is shown below in Figure 9)

Note: After enabling the federation, the user accounts start appearing in Apple Business Manager after the next synchronization.

Provisioned user with federated authentication in Apple Business Manager

There are many places to look for a successful configuration of the SCIM synchronization and the federation of Managed Apple IDs. The Provisioning tab of the Apple Business Manager app in Azure AD provides a nice status overview and the provisioning interval (by default every 40 minutes), and the Provisioning logs tab of that app provides a nice overview of the actions performed during the synchronization. However, a successfully synchronized user is the best evidence. Below, in Figure 10, is an example of a synchronized user account with a snippet and short description of the most important information of that user account.

  1. Name: Based on the givenName attribute in Azure AD
  2. Managed Apple ID: Based on the userPrincipalName attribute in Azure AD
  3. Email address: Also based on the userPrincipalName attribute in Azure AD

Note: As both the Managed Apple ID and the email address are based on the UPN in Azure AD, it’s important that the email address and the UPN of the user are the same.

  4. Account status: Based on the status and the usage of the user account; it changes when the user account is used to sign in, or when the user account is disabled or removed in Azure AD
  5. Authentication: Based on the identity provider of the user account and set to Federated for synchronized and federated user accounts
  6. Role/location: Set to a default value and can be edited in Apple Business Manager
  7. Source: Based on how the user account was created
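The attribute mapping from the SCIM steps above and the UPN requirement from the note above can be checked before the federation is enabled. The following is an added example, not code from this post, Microsoft or Apple: it renders the default mapping the post lists (userPrincipalName, Not([IsSoftDeleted]), givenName, surname, objectId, department and employeeId) into the SCIM User resource that Azure AD would send to the Apple Business Manager endpoint, refuses target attributes outside an assumed allow-list, and flags users whose mail attribute differs from their UPN or whose UPN is outside the federated domain. The SCIM target attribute names (userName, active, name.givenName, name.familyName, externalId and the enterprise extension’s department and employeeNumber) are taken from RFC 7643 and are an assumption here; the post only lists the Azure AD side of the mapping. The sample users are constructed.

```python
"""Dry run of the Azure AD -> Apple Business Manager SCIM provisioning.

Added example; not code from the original post, Microsoft or Apple. It
renders the post's default attribute mapping with the standard SCIM 2.0
attribute names from RFC 7643 (userName, active, name.givenName,
name.familyName, externalId, enterprise-extension department and
employeeNumber). Those target names are an assumption; the page lists only
the Azure AD side of the mapping.
"""
from dataclasses import dataclass
from typing import Any, Callable, Optional

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# The post warns that mapping attributes Apple does not document breaks the
# sync, so a mapping may only write to these (assumed) target attributes.
ALLOWED_TARGETS = {
    "userName", "active", "name.givenName", "name.familyName", "externalId",
    f"{ENTERPRISE}:department", f"{ENTERPRISE}:employeeNumber",
}


@dataclass
class AadUser:
    """Azure AD attributes the default mapping reads (constructed sample)."""
    userPrincipalName: str
    mail: Optional[str]
    givenName: str
    surname: str
    objectId: str
    department: Optional[str] = None
    employeeId: Optional[str] = None
    isSoftDeleted: bool = False


# Source expression per target, mirroring the defaults the post lists:
# userPrincipalName, Not([IsSoftDeleted]), givenName, surname, objectId,
# department and employeeId.
DEFAULT_MAPPING: dict[str, Callable[[AadUser], Any]] = {
    "userName": lambda u: u.userPrincipalName,
    "active": lambda u: not u.isSoftDeleted,
    "name.givenName": lambda u: u.givenName,
    "name.familyName": lambda u: u.surname,
    "externalId": lambda u: u.objectId,
    f"{ENTERPRISE}:department": lambda u: u.department,
    f"{ENTERPRISE}:employeeNumber": lambda u: u.employeeId,
}


def preflight(user: AadUser, federated_domain: str) -> list[str]:
    """List why a user would provision badly; an empty list means OK."""
    problems = []
    upn = user.userPrincipalName.lower()
    if upn.rsplit("@", 1)[-1] != federated_domain.lower():
        problems.append("UPN is not in the federated domain")
    # The Managed Apple ID and its e-mail address are both taken from the
    # UPN, so a different mail attribute leaves the user with two addresses.
    if (user.mail or "").lower() != upn:
        problems.append("mail differs from userPrincipalName")
    return problems


def to_scim(user: AadUser,
            mapping: dict[str, Callable[[AadUser], Any]] = DEFAULT_MAPPING) -> dict:
    """Render the SCIM User resource Azure AD would send for one user."""
    unsupported = set(mapping) - ALLOWED_TARGETS
    if unsupported:
        raise ValueError(f"unsupported target attribute(s): {sorted(unsupported)}")
    resource: dict[str, Any] = {"schemas": [CORE, ENTERPRISE]}
    for target, expr in mapping.items():
        value = expr(user)
        if value is None:             # unset source attribute: omit, don't send null
            continue
        if target.startswith(ENTERPRISE + ":"):
            resource.setdefault(ENTERPRISE, {})[target.rsplit(":", 1)[1]] = value
        elif "." in target:           # complex attribute such as name.givenName
            parent, sub = target.split(".", 1)
            resource.setdefault(parent, {})[sub] = value
        else:
            resource[target] = value
    return resource


# Constructed sample users, not data from any real tenant.
SAMPLE_USERS = [
    AadUser("alice@example.com", "alice@example.com", "Alice", "Adams",
            "00000000-0000-0000-0000-000000000001", "IT", "1001"),
    AadUser("bob@example.com", "robert.b@example.com", "Bob", "Brown",
            "00000000-0000-0000-0000-000000000002", isSoftDeleted=True),
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u.userPrincipalName, preflight(u, "example.com") or "ok")
        print(" ", to_scim(u))
```

Running it against an export of the users assigned to the Apple Business Manager app (for example from Get-MgUser, which the example does not call) shows which accounts would end up with a Managed Apple ID that differs from their email address, and which accounts would be sent with active set to false, before the first provisioning cycle runs. Unset source attributes are left out of the resource rather than sent as null, which is how an optional attribute such as department is expected to behave in a SCIM create.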

More information

For more information about the federated authentication and Managed Apple IDs, refer to the following docs.