Having a single username and password for your Apple ID and Microsoft 365 subscriptions is a must-have. Here are some tips and tricks for integrating Apple Business Manager (ABM) and Microsoft 365.
Setting up Apple Business Manager
If you haven't set up ABM yet, this is the first thing that must be done. You can also read our article on why you should be using ABM here.
Follow these easy steps to set up ABM.
- Head over to Apple Business Manager.
- Select Enroll Now, shown below in yellow highlight.
- Fill in all your details and keep the following in mind when filling out the application. Your DUNS Number can be found here, and the Organisation name must be exactly the same as the one in the email you receive with your DUNS number. Two contacts are required, and the second contact will be contacted to verify the information you have provided.
- Once your application is approved by Apple, you will receive an email confirming your enrolment is approved. The email will be similar to the one below. Click on Get Started to begin.
- First of all, it is important to understand that you are creating a Tenant Account once you select Get Started in the acceptance email. This is the account that controls everything in ABM, much like a Microsoft 365 Tenant Account. It's a good idea to give it an account name that makes it obvious it is a Tenant Account.
- Having successfully created a Tenant Account, you will now be logged into ABM and will need to customise it for your organisation. First up is adding the domain name your organisation uses. SETTINGS in the bottom left-hand corner will take you to Organization Settings, where this is done.
- Select Accounts under Organization Settings, then Domains. Add a domain name here and take note of the TXT record provided to you. This TXT record will need to be added to the DNS entries for your domain.
- You will also receive an Email from Apple asking you to verify your domain. Once you have added the TXT record, select the Verify Ownership button in the email.
- Once the domain has been successfully verified, you are able to start creating Apple IDs using your organisation's domain name.
At this point you have ABM set up to use your organisation's domain, and you now need to add user accounts, or more to the point, the Apple IDs that your users will use.
You can create these individually and assign them, or you can use the accounts you may already have set up in Microsoft 365 through Azure Active Directory. This article covers using the Microsoft 365 accounts, as most organisations these days are using the Microsoft ecosystem for email and all the other services it provides. If you are a Microsoft 365 user, you already have the accounts set up, so there is no need to set them up again.
Federated authentication is a link between Apple Business Manager and your instance of Microsoft Azure Active Directory (Azure AD). Once set up, your users can use their Azure AD username and password as Managed Apple IDs. They can then use their Azure AD credentials to sign in to their assigned iPad or Mac, and even to iCloud on the web. Users can also use them to sign in on Shared iPad.
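Before selecting Verify Ownership, it is worth confirming that the TXT record has actually propagated to the public DNS view Apple will query. The following Python script is an added example, not Apple's or Microsoft's tooling; it assumes the record value has the form apple-domain-verification=<token> and uses a constructed placeholder token that you would replace with the value shown on the ABM Domains page.

```python
"""Check that the ABM domain-verification TXT record has propagated before you
click Verify Ownership. Added example, not Apple's or Microsoft's tooling."""
import shutil
import subprocess
import sys
from typing import Iterable, List

# Constructed placeholder (assumed format apple-domain-verification=<token>):
# paste the exact value shown on the ABM Domains page here.
EXPECTED = "apple-domain-verification=PLACEHOLDER_TOKEN"


def normalise_txt(raw: str) -> str:
    """Join quoted, possibly multi-string TXT rdata into one plain string.
    dig +short prints "part1" "part2" for long records; resolvers join them."""
    parts: List[str] = []
    buf: List[str] = []
    inside = escape = False
    for ch in raw:
        if escape:
            buf.append(ch)
            escape = False
        elif ch == "\\":
            escape = True
        elif ch == '"':
            if inside:
                parts.append("".join(buf))
                buf = []
            inside = not inside
        elif inside:
            buf.append(ch)
    return "".join(parts) if parts else raw.strip()


def verification_present(records: Iterable[str], expected: str = EXPECTED) -> bool:
    """True when some TXT record equals the expected value exactly (no stray whitespace)."""
    return any(normalise_txt(r) == expected for r in records)


def live_txt_records(domain: str) -> List[str]:
    """Ask the public DNS view (the one Apple will see) via dig; needs network."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig not installed")
    out = subprocess.run(["dig", "+short", "TXT", domain], capture_output=True,
                         text=True, check=True).stdout
    return [line for line in out.splitlines() if line.strip()]


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    found = verification_present(live_txt_records(domain))
    print(f"{domain}: verification TXT {'found' if found else 'not found yet'}")
```

Run it as `python check_abm_txt.py yourdomain.example` and only click Verify Ownership once it reports the record as found.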
Follow these steps to set up federated authentication.
- SETTINGS in the bottom left-hand corner of ABM will take you to Organization Settings, where this is done.
- Under Accounts, choose the domain you want to federate. This is typically the same domain you use for email in your organisation.
- Select Federated Authentication; you will be prompted to log in with your Microsoft credentials to kick off the setup.
- Log in to your Microsoft tenant with an account that has Global Administrator, Application Administrator or Cloud Application Administrator privileges. Note that the account should have the same domain name as the one you are federating.
Once you have successfully logged on to your Microsoft tenant, you may get the screen below if you have email addresses that are currently being used as Apple IDs.
It is best to choose Continue here, as your users will be notified of the need to change their current Apple ID to something else. ABM will also show the screen below until all conflicts have been resolved.
Your users have 60 days to change their Apple ID to something that does not use your organisation's domain name; if they do not take action, the conflicting Apple IDs will be owned by your organisation.
Your users who have a conflicting Apple ID will receive the email below and will also receive a message on any devices that are using the Apple ID in question.
Any existing Apple IDs using your organisation's domain name before you added it to ABM were personal or private Apple IDs. Now that you have registered your domain with ABM, any Apple ID with your domain name becomes a managed business Apple ID, which cannot be used for personal or private purposes.
This caused some grief within our organisation, so we made some enquiries with Apple regarding transferring all purchases and data from the personal Apple ID to the new managed business Apple ID. This cannot be done. All purchases and associated data will move to the new personal Apple ID once it's created. The old Apple ID will be owned and managed by your organisation.