
Apple Business Manager integration with Azure AD

We would like to integrate our existing ABM with our enterprise Microsoft Azure AD. We want this integration to enable the Shared iPad functionality for the business. Since this is the first time we are doing the integration, we want to know the post effect on the ABM side.


My current ABM has 2 domains added.

xxxxxxxxx.com (green in status)

xxxxxxxxx.appleid.com (green in status)


We saw that after doing federated authentication with Azure the domain status changes from green to grey. We want to know what that means. In our current ABM, Intune (MDM server) is already added with thousands of devices. We want to make sure this integration does not impact our current business setup.

Please provide us the pros and cons of the integration in detail.


Thanks

Posted on Jan 2, 2024 11:18 PM


Jan 3, 2024 12:06 PM in response to ClariSumit

I will begin with the premise that you have Apple Business Manager only, not Apple Business Essentials. If so, then your ABM is for chain of custody and identity only. It does not provide the capabilities of an MDM. Your statement suggests that you are using Intune as the MDM, negating the need to pursue Apple Business Essentials.


If that is true, then the "best" way to handle multi-user iPad is to Federate and Sync. This will automate the creation of managed Apple IDs and pass authentication to your identity provider. Ah, but there are some challenges and potential pitfalls that exist. And, if you only have 10 people that need to participate in the shared iPads, federation and sync may be overkill. Let's go step by step.


First, you want to Federate ABM to Azure/Entra. This is relatively straightforward. Go to Preferences > Accounts. On this view, you will see the initial placeholder domain (the one with *.appleid.com) and your domain in the domain section and the federation status below. Federation is two steps. You can link and then you can enable. Which does yours look like?


This is an example with Federation linked and enabled:

This is an example with Federation linked but NOT enabled:

If you are seeing the amber bubble on your primary domain, it means that you have completed the link to Azure but have not yet enabled Federation. And, depending on your environment, you may not want to enable it.


In the Domains section, press the Edit button. I will assume it looks something like this:



Note the Enable toggle is not on. This is because there are existing Apple IDs using the domain. (If my domain was reid.com, there are Apple IDs like bob@reid.com, mary@reid.com, etc. that were created previously and are considered "personal" Apple IDs.) If you enable Federation, those Apple IDs must be changed to use an email ID outside your domain. For some organizations with deep roots in the Apple ID world (app purchases, Developer IDs, Push cert IDs, etc.), enabling Federation may be damaging to workflows. Understand how Apple IDs are currently used in your environment before toggling this on. Apple will not show you the IDs. You will only get a count. Toggling it on will email the IDs with directions on how to migrate the account. If you choose to enable, monitor your mail flow log to see who gets emailed.


That is the Federation step (link and enable). The next step is to configure directory sync. From the Preferences view, choose Directory Sync. Completing this step will allow ABM to periodically sync with Azure to automatically create managed Apple IDs based on users in the Federated domain. This sync process ensures that new staff members in the federated domain will automatically be provided a managed Apple ID. There are no manual actions required in ABM.


Now, you are asking about the impact to Intune and managed devices. There is none. The MDM (Intune) will still implement device management. ABM keeps to its core roles of hard and soft asset chain of custody and adds identity trust for device login. If you enable shared iPad you will need to erase and re-enroll the iPads so they trigger shared mode. This cannot be enabled on active devices. It must happen at enrollment.


Hope this is helpful. Understand your legacy with Apple IDs before enabling Federation. If you don't want to fully enable Federation and sync (for example, you have a handful of users who need managed Apple IDs), you can always just manually create them in ABM. The challenge is that this is a manual process that needs periodic attention (add/remove of staff). We all like to simplify, but in some cases the path to simplicity adds complexity.


Reid
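One way to act on the tip above about watching the mail flow log, as an added example that is not from the post and not Apple or Microsoft tooling: it reads a constructed message-trace CSV export, keeps only the migration emails sent to addresses on the claimed domain (reid.com, the example domain from the post), and reconciles them against the count ABM displays. The sender address, subject keyword and CSV column names are assumptions; check the real migration email and adjust the constants.

```python
import csv
import io
from collections import defaultdict

# Assumptions (not from the post): the trace export has these columns, and the
# migration email comes from this sender with this subject keyword. Both values
# are PLACEHOLDERS, not real Apple identifiers; adjust them to what you observe.
MIGRATION_SENDER = "noreply@apple.example"
MIGRATION_SUBJECT_KEYWORD = "Apple ID"
OUR_DOMAIN = "reid.com"  # the example domain used in the post

# Constructed sample trace: two users on our domain delivered (bob twice),
# one unrelated newsletter, one recipient outside our domain, one failure.
SAMPLE_TRACE = """Received,SenderAddress,RecipientAddress,Subject,Status
2024-01-03T10:01:00Z,noreply@apple.example,bob@reid.com,Action required for your Apple ID,Delivered
2024-01-03T10:01:02Z,noreply@apple.example,mary@reid.com,Action required for your Apple ID,Delivered
2024-01-03T10:01:05Z,noreply@apple.example,bob@reid.com,Action required for your Apple ID,Delivered
2024-01-03T10:02:00Z,newsletter@vendor.example,bob@reid.com,Weekly digest,Delivered
2024-01-03T10:03:00Z,noreply@apple.example,alice@other.example,Action required for your Apple ID,Delivered
2024-01-03T10:04:00Z,noreply@apple.example,sam@reid.com,Action required for your Apple ID,Failed
"""


def migration_recipients(trace_csv, sender=MIGRATION_SENDER,
                         keyword=MIGRATION_SUBJECT_KEYWORD, domain=OUR_DOMAIN):
    """Return {recipient: [delivery statuses]} for migration mails to our domain."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(trace_csv)):
        if row["SenderAddress"].lower() != sender.lower():
            continue  # not the migration sender
        if keyword.lower() not in row["Subject"].lower():
            continue  # some other mail from that sender
        rcpt = row["RecipientAddress"].lower()
        if not rcpt.endswith("@" + domain.lower()):
            continue  # only personal Apple IDs on the claimed domain matter
        hits[rcpt].append(row["Status"])
    return dict(hits)


def reconcile(trace_csv, abm_count):
    """Compare the count ABM shows against who actually got the migration mail."""
    hits = migration_recipients(trace_csv)
    delivered = sorted(r for r, s in hits.items() if "Delivered" in s)
    undelivered = sorted(r for r, s in hits.items() if "Delivered" not in s)
    return {"abm_count": abm_count, "emailed": len(hits), "delivered": delivered,
            "undelivered": undelivered, "unaccounted": abm_count - len(hits)}


if __name__ == "__main__":
    print(reconcile(SAMPLE_TRACE, abm_count=4))
```

Anyone in "undelivered" or the "unaccounted" gap is a personal Apple ID holder you still have to reach some other way before their access is disrupted.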





Jan 16, 2024 5:03 PM in response to Akshay_4202

I may be able to provide additional guidance.


1: Yes. I have a lot of customers who I have brought to the brink of "enable" but because of existing Apple IDs (and their use), we could not risk the workflow disruption by forcing everyone to change the email associated to the ID. We have a bunch of education customers that, before business.apple.com, and before VPP and dep.apple.com, used a single Apple ID to purchase software. While this clearly is not beneficial to developers, back in the day you either used one Apple ID for all devices or you created individuals and managed payment options all over the place. Because of this, none of my EDU customers have "enabled." And, I have some with synced and local IDs (on the Apple placeholder domain).


A quick tip however. Once you claim the domain, no one should be able to create an Apple ID on your domain that is not a managed Apple ID. So, even without enabling, you are protecting against the problem getting worse.


2: If you have shared iPad, I am assuming you are already using managed Apple IDs so they appear on the login window. Did you mean "which do need this Shared functionality"? If you are not allowing directory sync, then you must create the Apple ID manually and the users will be maintaining two passwords: one for the domain account and one for the managed Apple ID. The legacy of Apple IDs and how they have evolved over the years is like an anchor around our necks. So many companies that have a long history with Apple are using Apple IDs in ways that made sense years ago but don't make sense today. However, because of the purchases or features attached to those IDs, they are very hard to let go.


3: No. Federation between ABM and Azure/Entra is all about identity trust between ABM and the domain. It does not impact the way the MDM operates. Even if you require authenticated enrollment, for example, that has nothing to do with ABM as it is the MDM and the domain talking to each other. Power on a device, it seeks the MDM and prompts to enroll. If you are doing authenticated enrollment, then your users are entering domain credentials (not a managed Apple ID) to enroll, associating the device to the person at time of login.


And yes, you can disable sync and federation. These are not carved in stone. There is one oddity that I've seen. If you have a domain that is federated and sync enabled, and then the domain is released from Azure, ABM will not fail. The synced users will disappear but all the bubbles remain green. This is an edge case but we did have a company spin off a division so we witnessed this.



Jan 17, 2024 7:19 PM in response to Strontium90

Hi Reid,


Thank you very much for sharing the information. We are basically looking at how we can integrate this feature in order to achieve this milestone of using the Shared iPad functionality, and how it impacts the end users.


Sorry, this is absolutely new to me, hence I am clearing up my doubts. So this is what I understood; please correct me if I am wrong:

  1. We can enable the federation; our company domain (xxxx.com) will go back to green after we link it with Azure. In this case, will the current Apple IDs (our company ones, regardless of iPad/iPhone enrolled in Intune) be impacted by turning into managed Apple IDs? If yes, what would the impact be?
  2. The federation and sync can be disabled in case we encounter any major issue. If yes, then what will happen to the impacted devices?
  3. How does this integration differentiate which one can be used as a Shared iPad and which one is to be used as a single dedicated one?

Jan 15, 2024 7:13 PM in response to Strontium90

Hi Reid,


Thanks a lot for sharing the information.


I have a few questions; if you can help us, that would be much appreciated.


1- If we only link and do not enable (as with enabling on, the Apple ID creation for our company domain xxxx.com will be done automatically), will our current company Apple IDs be affected in this case?


2- We have many Shared iPads enrolled in Intune which do not need this Shared functionality. How can we control such things?


3- All in all, we want to know if integrating the federation will impact our current ABM device registration (that happens globally) and MDM enrollment in Intune.

Also, this cannot be rolled back in case of any issues, is that correct?
