Refer to https://support.apple.com/guide/apple-business-manager/use-federated-authentication-with-ms-azure-ad-axmb02f73f18/web for the latest version of instructions to set up Azure. A simplified workflow is documented in this article.
Requirements
- Microsoft Azure administrator account with Global Administrator role
- Apple Business Manager account with Administrator or People Manager role
- Access to DNS records for your organization to add a TXT record for domain ownership validation
Domain validation
Follow the instructions in https://support.apple.com/guide/apple-business-manager/link-to-new-domains-axm48c3280c0/1/web/1 to link your organization domain to Apple Business Manager.
DNS changes may take up to 36 hours to propagate to start the next step.
Federate authentication between your organization identity provider and Apple Business Manager
- Microsoft Azure: https://support.apple.com/guide/apple-business-manager/use-federated-authentication-with-ms-azure-ad-axmb02f73f18/web
- Google Workspace: https://support.apple.com/guide/apple-business-manager/federated-authentication-google-workspace-axma05ecb9d5/web
- Other identity provider: Establish a federation from your identity provider to Microsoft Azure then follow the instructions for Azure above.
Determine if SCIM, user sync, or on demand account creation is appropriate in your organization
Managed Apple IDs are generated in one of three ways:
- A user signs into an Apple device with a federated email account to an Apple service like iCloud, shared iPad, or Account Driven User Enrollment. An individual managed Apple ID is generated immediately.
- An administrator turns on user sync with Google Workspace. Individual accounts for each member of the workspace are created. (Reference: https://support.apple.com/guide/apple-business-manager/sync-users-from-google-workspace-axmfdbfe215b/web [apple.com])
- An administrator establishes a System for Cross-domain Identity Management (SCIM) connection between Microsoft Azure AD and Apple Business Manager. (Reference: https://support.apple.com/guide/apple-business-manager/azure-ad-sync-requirements-axmd88331cd6/web [apple.com]
If your organization has additional requirements like assigning applications to users in bulk, it may make sense to import your full organization directory of users into Apple Business Manager with SCIM or Google user sync. Actions like license assignment can be done in advance of a large scale deployment of devices and avoid taxing server resources.