Automatic user provisioning using SCIM with Azure AD

Managed Apple IDs are special work-created and work-owned accounts that provide access to Apple services. Apple Business Manager can connect to your Microsoft Azure Active Directory to simplify integration and provide access using existing credentials. Managed Apple IDs are designed to meet the privacy and security needs of work, including limitations on purchasing and communications, and role-based administration.


There are key differences between Managed Apple IDs and standard Apple IDs. If an org chooses to permit standard Apple IDs in their environment, the org must understand that the account terms and conditions differ from Managed Apple IDs, which are designed specifically for a work environment. The use of a standard Apple ID is governed by consumer terms of service, including privacy policy. Org should review those policies governing data collection and use.


Employees can use Apple services including iCloud and collaboration with iWork and Notes, but because Managed Apple IDs are for business purposes only, certain features are disabled to protect each organization. Managed Apple IDs also include 5GB of iCloud storage.


Because Managed Apple IDs can't make purchases, administrators may assign content to your Managed Apple ID or assigned devices.


Apple added support for Federated Authentication with Microsoft Azure Active Directory in September 2019. As a result of federated authentication, Managed Apple ID accounts can be created with Azure Active Directory. Logging on with an account that contains the federated domain will redirect you to Azure for authentication. With the August 2020 update of Apple Business Manager, SCIM was added to support app user provisioning in Azure AD


Important: Federated authentication requires that a user’s User Principal Name (UPN) match their email address. User Principal Name aliases and Alternate IDs are not supported.

To use federated authentication with Apple Business Manager, your Apple devices must meet the following requirements:

  • iOS 11.3 or later

  • iPadOS 13.1 or later

  • macOS 10.13.4 or later


Azure AD is the Identity Provider (IdP) that authenticates the user for Apple Business Manager and issues authentication tokens. Because Apple Business Manager supports Azure AD, other IdPs that connect to Azure AD — such as Active Directory Federation Services (AD FS) — will also work with Apple Business Manager. Federated authentication uses Security Assertion Markup Language (SAML) to connect Apple Business Manager to Azure AD.

Note: Users cannot sign in to iCloud.com unless they have first signed in with their Managed Apple ID on another Apple device


There are currently two ways to configure federated authentication with Apple Business Manager:

  • Just In Time (JIT)

  • System for Cross-domain Identity Management (SCIM)


Just In Time (JIT)

With Federated Authentication, the Managed Apple IDs are created whenever a user authenticates to Azure AD (UPN, email), which is also referred to as Just-in-Time (JIT) provisioning.


System for Cross-domain Identity Management (SCIM)

Apple Business Manager can import users from System from Cross-domain Identity Management systems (SCIM). This system combines Apple Business Manager properties (such as roles) with account data imported from Microsoft Azure Active Directory (Azure AD). After importing users with SCIM, Apple Business Manager will add the account information as read-only until you stop using SCIM.




Setup

Below steps need to be performed to complete the setup process. ( Few Sensitive Information removed in screenshots)

1. Add domain

2. Verify domain

3. Connect with Azure AD

4. Test federation for conflicts

5. Enable federation

6. Configure SCIM



Add domain

First step is to login to ABM portal, go to settings and click on Accounts



Second Add your domain in accounts by clicking on Edit and Add domain


Verify domain

Adding the text record to public DNS is required after you add your domain. After adding record, click the Verify button on the ABM portal


Connect with Azure AD

This step involves registering Apple Business Manager in Azure AD, which will allow Apple Business Manager to sign into Azure AD and read user profiles.


Press Edit to start the process and post than click "Connect"


When the popup "Connect to your Identity Provider" appears, click "Sign in to Microsoft Azure Active Directory Portal"



Ensure the account you are using has consent rights. An example would be a global administrator.





You will be prompted to accept to register Apple Business Manager as a company in the Azure Active Directory, allowing it to access user profiles in the Azure Active Directory.



Microsoft Azure Active Directory is now connected to Apple Business Manager.




As soon as Azure AD has been successfully linked with Apple Business Manager, the federation test can begin. Press "Federate" in ABM portal



You will need to log into the portal with either the Global Administrator, Application Administrator, or Cloud Application Administrator account of Microsoft Azure AD.


In order to check for user name conflicts (such as personal accounts linked to a federated domain), this step may take some time; press "Done" to move on.


ABM will send notifications to users who are already using domain IDs as Apple IDs in case of conflicts



Click "ok"




Configure SCIM


Go to Settings - Data Source, then press Connect next to SCIM



Take note of the secret SCIM Token and the public Tenant URL

Note: You have only 4 days to complete the Token transfer to Azure AD or the process has to be started again.


Go to the Azure AD portal (aad.portal.azure.com), select All applications and locate the Apple Business Manager Azure AD app (created during the Federated Authentication process).


Go to the Provisioning tab, click Get Started




Set the “Provisioning Mode” to “Automatic”



Provide the following details and Test connection:

  • Tenant URL: https://federation.apple.com/feeds/business/scim

  • Secret Token (SCIM Token from Apple Business Manager)



Check the Testing connection, it should be successful.



Optionally, you can put an email address in the Notification Email field of the Settings page for people who should receive provisioning error notifications.

Next, create a provisioning scope


To synchronize only assigned users and groups (only Users are available and will be synced from Groups), select Users and Groups.


Add specific User / Group


Validate the provisioning results

Azure AD syncs are triggered every 20-40 minutes (interval),



Back in Apple Business Manager, navigate to Settings > Accounts


In the Domains section, click Edit and move the slider to enable federation with the added domain


Finally Also verify the SCIM status in ABM



Go to Accounts and validate the account created via SCIM



2,515 views