Anand P

Provision managed Apple IDs in ABM with Entra and SCIM

Setting up Managed Apple IDs through Apple Business Manager (ABM) using Microsoft Entra ID (formerly Azure AD) and utilizing SCIM (System for Cross-domain Identity Management) allows companies to automate the handling of user accounts, such as their creation, monitoring, and deactivation.


How Does the Process Work?


Microsoft Entra ID serves as the identity provider, managing user identities, while Apple Business Manager handles the administration of Managed Apple IDs. The SCIM protocol enables the synchronization of user attributes like names, email addresses, and roles from Entra ID to ABM, streamlining user provisioning processes.


Understanding SCIM


SCIM is a standardized protocol designed to simplify the exchange of user identity data across systems. It automates the processes of user provisioning and de-provisioning, guaranteeing that any changes to Entra ID (such as new users, updates, or deletions) are synchronized with ABM.


When a user is created or updated in Entra ID, the SCIM connector sends a provisioning request to ABM, which in turn creates or updates the related Managed Apple ID automatically. These Managed Apple IDs can be used to access various Apple services such as iCloud, App Store, and device management.
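The exchange described above, reduced to a runnable model, as an added example that is not code from the post, from Apple or from Microsoft. The client side maps an Entra user object to the SCIM 2.0 User body a connector POSTs (the field mapping mirrors Entra's default generic-SCIM mapping and is an assumption, not ABM's documented schema); the server side is a toy stand-in for ABM's SCIM endpoint with create, filtered lookup and PATCH. The user record is constructed.

```python
"""Toy SCIM 2.0 provisioning exchange (RFC 7643/7644 shapes).
Added example; the Entra->SCIM attribute mapping is an assumption."""
import json
import re
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def entra_user_to_scim(entra_user: dict) -> dict:
    """Client side: build the SCIM User body the connector sends.
    A disabled or soft-deleted Entra account maps to active=false; that flag,
    not a DELETE, is how de-provisioning normally reaches the target."""
    active = entra_user.get("accountEnabled", True) and not entra_user.get("isSoftDeleted", False)
    return {
        "schemas": [SCIM_USER],
        "userName": entra_user["userPrincipalName"],
        "externalId": entra_user["objectId"],
        "name": {"givenName": entra_user.get("givenName", ""),
                 "familyName": entra_user.get("surname", "")},
        "emails": [{"primary": True, "type": "work", "value": entra_user["mail"]}],
        "active": active,
    }


class ScimUserStore:
    """Server side: a minimal /Users resource standing in for the ABM endpoint."""

    def __init__(self):
        self.users = {}  # id -> SCIM resource

    def list_users(self, filter_expr: str) -> dict:
        # The connector first queries  filter=userName eq "<upn>"  to decide
        # between create and update; only that equality filter is supported here.
        m = re.fullmatch(r'userName eq "([^"]+)"', filter_expr)
        if not m:
            raise ValueError("unsupported filter: " + filter_expr)
        hits = [u for u in self.users.values() if u["userName"].lower() == m.group(1).lower()]
        return {"schemas": [SCIM_LIST], "totalResults": len(hits), "Resources": hits}

    def create_user(self, body: dict) -> dict:
        if SCIM_USER not in body.get("schemas", []):
            raise ValueError("missing core User schema")
        if self.list_users(f'userName eq "{body["userName"]}"')["totalResults"]:
            raise ValueError("409 uniqueness: userName already exists")
        resource = dict(body, id=str(uuid.uuid4()))
        self.users[resource["id"]] = resource
        return resource

    def patch_user(self, user_id: str, patch: dict) -> dict:
        if SCIM_PATCH not in patch.get("schemas", []):
            raise ValueError("missing PatchOp schema")
        user = self.users[user_id]
        for op in patch["Operations"]:
            if op["op"].lower() != "replace":
                raise ValueError("only Replace is implemented in this toy")
            # Both {"path": "active", "value": false} and the path-less
            # {"value": {"active": false}} form are accepted.
            if "path" in op:
                user[op["path"]] = op["value"]
            else:
                user.update(op["value"])
        return user


def deactivate_patch() -> dict:
    """PATCH body sent when a user is disabled or leaves scope: the Managed
    Apple ID is kept but flagged inactive."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "Replace", "path": "active", "value": False}]}


def run_lifecycle() -> dict:
    """Create, then de-provision, one constructed user; returns the final resource."""
    store = ScimUserStore()
    entra_user = {  # constructed sample record
        "objectId": "00000000-0000-0000-0000-000000000001",
        "userPrincipalName": "jdoe@example.com", "mail": "jdoe@example.com",
        "givenName": "Jane", "surname": "Doe", "accountEnabled": True}
    assert store.list_users('userName eq "jdoe@example.com"')["totalResults"] == 0
    created = store.create_user(entra_user_to_scim(entra_user))
    # A later cycle: user removed from the assigned group -> connector PATCHes active=false.
    return store.patch_user(created["id"], deactivate_patch())


if __name__ == "__main__":
    print(json.dumps(run_lifecycle(), indent=2))
```

The point to take from the model is the lookup-before-create step and the uniqueness check: a SCIM target keyed on userName is what lets the connector reconcile the same person on every cycle instead of creating duplicates, and de-provisioning arrives as `active: false` rather than as a deletion.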


Prerequisites


  • Only a single Azure AD (Entra ID) tenant is supported per Apple Business Manager.

  • An Entra account holding one of the following administrator roles is required to set up SCIM synchronization with ABM:

    1. Application Administrator

    2. Cloud Application Administrator

    3. Global Administrator

    4. Application Owner

  • Administrator role (or People Manager) in ABM


Note: The Apple Business Manager enterprise app in Azure AD is created during the federated authentication setup in the ABM portal, which includes authentication testing.


Make sure you have completed the following steps before proceeding with the directory synchronization.


  1. Add and verify a domain

  2. Federate and enable the domain


You can refer to this article for guidance on adding, verifying, and federating a domain in ABM. Visit https://www.cloudtekspace.com/post/federate-with-entra-and-apple-business-manager for more information.


Step 1: Access https://business.apple.com/ and click on the setup option located within the Directory sync section.


Step 2: Copy the URL for the tenant and click on Client Secret.


Step 3: Retrieve the Client Secret key and then select Done.


Step 4: Sign in to Microsoft Entra at https://entra.microsoft.com/ and go to Applications > Enterprise applications, then search for Apple Business Manager.


Step 5: Click on Provisioning to access the Provisioning setup page, then tap on Get Started and switch the provisioning mode from Manual to Automatic.


Step 6: In the Admin Credentials section, enter the tenant URL and the client secret token copied from Apple Business Manager, then click Test Connection.

Once the connection is successfully established, additional features such as Mapping and Settings will become available.


The "Provision Microsoft Entra ID Users" mapping will be enabled; opening it shows the source attributes, the target attributes, and how each is synchronized from Entra to ABM.

In the settings, you have the option to activate email notifications, prevent accidental deletions by setting the threshold value, and adjust the scope.


The notification setting sends an email to the specified address whenever provisioning fails.

If you enable "Prevent accidental deletion", you must specify a threshold value. For instance, I have set it to 10: if 10 users would be deleted in a single cycle, the cycle is quarantined instead of applied. An administrator can then review the pending deletions and allow or deny them.

The scope allows you to define whether all users in the tenant or just users in a specific group should be synchronized. If there are any subgroups within the specified group, only the user accounts in that group will be synchronized to ABM, and the subgroups will not be included in the sync process.

By default, the scope is set to sync only assigned users and groups; you can change this as needed.


Step 7: Add the group to be synced before the initial synchronization runs. Go to Provisioning, select Users and groups, and then click "Add user/group."


Step 8: To synchronize a group, tap on "Users and groups," search for the group you need, select it, and then tap on "Select."

Once the group has been selected, click on "assign" to view the selected group.

Note: When you assign a group to an application, only users directly in the group will have access. The assignment does not cascade to nested groups.

Return to the provisioning page and click on Start Provisioning to initiate the synchronization of users from the chosen group or individual users to Apple Business Manager.

Once the synchronization is finished, you will be able to view the users in ABM with the account source being Microsoft Entra Connect Sync and federated authentication.
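The two scope rules above, that assignment does not cascade to nested groups (settings and the Step 8 note) and that reaching the accidental-deletion threshold quarantines the cycle, as a simulated provisioning cycle. This is an added example, not Entra's implementation; the groups, the target state and the threshold of 10 are constructed to match the post's description.

```python
"""Simulated provisioning cycle: direct-member scope and deletion threshold.
Added example, not Microsoft's or Apple's code; all data is constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Group:
    name: str
    users: set = field(default_factory=set)     # direct user members (UPNs)
    groups: list = field(default_factory=list)  # nested groups


def in_scope_users(assigned: Group) -> set:
    """Assignment does not cascade: only direct user members of the assigned
    group are provisioned, however many groups are nested inside it."""
    return set(assigned.users)


def flatten_users(group: Group) -> set:
    """Recursive membership, i.e. what an admin often expects; shown only to
    contrast with in_scope_users."""
    result = set(group.users)
    for sub in group.groups:
        result |= flatten_users(sub)
    return result


@dataclass
class CyclePlan:
    creates: set
    deletes: set
    quarantined: bool
    reason: str = ""


def plan_cycle(assigned: Group, target_users: set, deletion_threshold: Optional[int]) -> CyclePlan:
    """Diff the scope against what the target already holds. Following the
    post's description, a cycle whose removals reach the threshold is
    quarantined: nothing is applied until an admin allows or denies it."""
    scope = in_scope_users(assigned)
    creates = scope - target_users
    deletes = target_users - scope
    if deletion_threshold is not None and len(deletes) >= deletion_threshold:
        return CyclePlan(creates, deletes, True,
                         f"{len(deletes)} deletions reach threshold {deletion_threshold}")
    return CyclePlan(creates, deletes, False)


def apply_plan(plan: CyclePlan, target_users: set) -> set:
    """Return the target's membership after the cycle; a quarantined plan
    leaves it untouched."""
    if plan.quarantined:
        return set(target_users)
    return (set(target_users) | plan.creates) - plan.deletes


# Constructed: the assigned group has three direct members and one nested
# group whose two members will NOT be provisioned.
DEMO_GROUP = Group(
    "ABM-Users",
    users={"a@example.com", "b@example.com", "c@example.com"},
    groups=[Group("Contractors", users={"d@example.com", "e@example.com"})],
)
# Constructed: the target already holds two current members plus ten stale
# accounts from an earlier, wider scope.
DEMO_TARGET = {"a@example.com", "b@example.com"} | {f"stale{i}@example.com" for i in range(10)}


if __name__ == "__main__":
    print("nested members silently out of scope:", flatten_users(DEMO_GROUP) - in_scope_users(DEMO_GROUP))
    guarded = plan_cycle(DEMO_GROUP, DEMO_TARGET, deletion_threshold=10)
    print("with threshold 10:", "QUARANTINED" if guarded.quarantined else "applied", guarded.reason)
    unguarded = plan_cycle(DEMO_GROUP, DEMO_TARGET, deletion_threshold=None)
    print("without threshold: creates", sorted(unguarded.creates), "deletes", len(unguarded.deletes))
```

Run it and the stale-account case is the one worth noticing: with the threshold set, the cycle that would remove ten Managed Apple IDs is held for review; without it, the same scope change silently removes them. The nested-group case is the mirror image, users an admin believes are in scope but never reach ABM, so check the flattened membership against what actually provisions.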



Conclusion


To sum up, the integration of Apple Business Manager (ABM) and Microsoft Entra ID through SCIM allows businesses to effectively and automatically handle user accounts. This configuration streamlines the tasks of user account creation, monitoring, and deactivation for Managed Apple IDs, while also improving security and uniformity across different platforms. Through this integration, companies can save time, minimize administrative burdens, and guarantee efficient management of user access to Apple services at every stage of the user lifecycle.


