SOLVED

Use federated authentication with MS Azure AD in Apple Business Manager


Hello Everyone,

iOS Migration: AirWatch to Intune

Existing: I have users added in ABM who already have a device managed in AirWatch and Intune.

Today I want to set up federated authentication, a link between Apple Business Manager and Azure AD.

Will there be a significant impact if I enable federated authentication, and is it transparent to the user?

Thanks

6 Replies
For users who already have a normal iCloud account registered at the work domain name, they will have to change the email address on that iCloud account to something else (they will get an email from Apple telling them to change it in x amount of days, otherwise they will change it for them). If you enable Federation, there will be a message telling you how many users will receive that email, but it won't tell you who those users are :(

@Harm_Veenstra 

Thank you for your reply

So the user will receive an email, but no significant impact if I understand correctly.

In my current situation I create a Managed Apple ID account from the Apple Business Manager console, and I create an Azure AD account identical to the Managed Apple ID account.

Example:

ABM
- Managed Apple ID: Email address removed
- Email address: Email address removed

AZURE AD
- Azure AD: Email address removed
- Email address: Email address removed

Tomorrow I will have to set up federated authentication; the questions I have are:

1. Can there be a login conflict?
2. Will there be a duplicate Managed Apple ID login name?
3. Will production be blocked?
4. Will this have a big impact on users already registered?

Thank you in advance.

best response confirmed by david972 (Occasional Contributor)
Solution
1. Yes, when creating the Federation the Apple ID will get a notification telling it to change to another email domain within x days.
2. No, the Apple ID with the mail domain that was the same as the Azure user must be renamed.
3. No, I don't think so, but you will have to communicate (and test this yourself).
4. If they registered an iCloud address which is the same as the Azure AD userPrincipalName, then yes. They will have to log in again on their device with the renamed account; all apps and settings will still be there.

But... there are downsides to having Managed Apple IDs:

What is the downside of using Managed Apple IDs?
You may be reading the above section and thinking to yourself, “All of that is perfect, why wouldn’t everyone be using these?” It’s a fair question to ask, and to summarize an answer for you, Apple stresses that because Managed Apple IDs help protect your business, there are services that are automatically disabled.

These disabled services include:

App Store purchasing
iTunes Store purchasing
Book Store purchasing
HomeKit connected devices
Apple Pay
Find My iPhone
Find My Mac
Find My Friends
iCloud Mail
iCloud Keychain (although, keychain items are saved and restored on Shared iPad devices)
iCloud Family Sharing
FaceTime (this is off by default, but your institution can turn it on)
iMessage (this is off by default, but your institution can turn it on)

https://www.jamf.com/blog/managed-apple-ids-in-business/
Was this enough information for you?
Hello,
yes, thanks for that information, which helped me.
No problem, glad to help. Please mark my answer as the solution to mark it as solved.