If You Are Using Managed Apple IDs, Microsoft Azure AD and not using Federated Authentication, You Are Missing Out.
In this article, we will explore Federated Authentication and Apple IDs. Ever since Apple released Apple School Manager (and later Business Manager) there have been regular updates and improvements to the platform. One of the standout features in the last 12 months has been Federation with Microsoft Azure AD.
Up until this point adding users to Apple School Manager (ASM) and creating Managed Apple IDs required Admins to take data from one source or directory, manipulate the data into 6 spreadsheets and import into ASM, effectively creating another directory to administrate. Third party tools and services like Salamander Soft took some of the manual task out of this or away from schools but ultimately they took data from one source, manipulated it and imported into ASM.
All in all a time consuming task.
What is Federated Authentication with Apple School Manager?
The first thing to point out here is that you must be using Microsoft Azure AD (AAD), not an On-Prem AD or hybrid solution. With a small amount of setup on the Admin side users can use their AAD usernames and passwords as Managed Apple IDs rather than giving the user another set of credentials. After putting in their AAD username they are presented with a familiar Microsoft Sign In window to enter their password.
Where this really shines through is that if the user has never signed into an Apple service (iPad, Mac, iCloud or Shared iPad) before with their Azure ADD identity, once authenticated an Apple ID is created on the fly. This means that Admins are no longer required import users into Apple School Manager before the user can use Apple services. On top of this only users who actually need a Managed Apple ID are created, again saving time an effort on the familiar response that is “we’re not sure who will want one so just give everybody one”
Federate Your Azure AD with Apple School Manager
To link your Azure AS and Apple School Manager you will need to know the credentials of a Microsoft Azure AD Global Administrator, Application Administrator or Cloud Application Administrator.
With these credentials in hand simply sign into Apple School Manager (https://school.apple.com) with an administrator account and navigate to the Settings -> Accounts window. Click edit in the ‘Federated Authentication’ section and hit connect. You will be asked to sign in with your Azure AD credentials a number of times to authorise Azure and ASM to trust each other.
If the sign in was successful Apple School Manager will start to process over verifying your domain and checking username conflicts. Username conflicts must be resolved before you can use federated authentication with your domain.
Username Conflicts
You might be in a position where members of your institution have used their school domain email address (the one that you are trying to federate) for a personal Apple ID in the past. Apple School Manager will check for any Apple IDs using your domain and then report these conflicts with ASM.
Although, for privacy reasons, you will not be able to see who has an Apple ID using your domain you will see the number of conflicts. If Apple IDs are found the user will get an email from ASM as well as a notification on their device(s) informing them that the must change the Apple ID username (the email part). The users data or password will not be affected.
The user will get multiple notifications while they are still using a username with your domain up to 60 days. After 60 days the user will be assigned a temporary random string iCloud username, for example, 3957dhah2347&weh@icloud.com and the Apple ID username is reclaimed by the institution.
After the username conflicts have been resolved federated authentication can be enable and tested.
User Passwords & Roles
Once federated authentication has been configured and enabled passwords can be reset in Azure AD but this will invalidates this users current session and they will need to sign in again using the updated password.
All users from your federated domain are assigned a ‘student’ roll as standard. This is something that you may wish to change in Apple School Manager by searching for the user and changing the role to Teacher, Content Manager or Device Manager.
Should the role of the user be changed to Administrator, Site Manager or People Manager the user no longer uses federated authentication and instead uses Apple (ASM) as the source of authentication. The users Managed Apple ID and email address will stay the same as it was when federation took place however when they log in they will not see the ‘Microsoft Login’ page but the standard Apple login.
Class Data from Manual or MIS imports
Although Federated Authentication is great for creating Managed Apple IDs and much easier for the user as there is a single credential, federation does not pull through any data that can be used to build classes within Apple School Manager.
If you wanted to also create classes through ASM (remember this can also be done through quality and robust MDM solutions such as Jamf School or Jamf Pro) you would still need a second source of data with this class information. Typically this would be done using Apple School Managers SFTP import. During this process users matching will occur between the CSV import and the AAD via the email address, so that users are not duplicated but instead amended. If a user is removed from Microsoft Azure AD, that user must be deactivated in Apple School Manager.
Further information
For further information about Federated Authentication using Azure AD and Apple School Manager please see this Apple support article or contact us at Sync
https://support.apple.com/en-gb/guide/apple-school-manager/apdb19317543/web