
Use federated authentication with Microsoft Entra ID in Apple School Manager
In Apple School Manager, you can link to Microsoft Entra ID using federated authentication to allow users to sign in to Apple devices with their Microsoft Entra ID user name (generally their email address) and password.
As a result, your users can leverage their Microsoft Entra ID credentials as a Managed Apple Account. They can then use those credentials to sign in to their assigned iPhone, iPad, Mac, Apple Vision Pro, and to Shared iPad. After they’ve signed in to one of those devices, they can then also sign in to iCloud on the web on a Mac (iCloud for Windows doesn’t support Managed Apple Accounts).
Microsoft Entra ID is the identity provider (IdP) that authenticates the user for Apple School Manager and issues authentication tokens. This authentication supports certificate authentication and two-factor authentication (2FA).
Microsoft default roles that support domains, directory sync, and domain read
After the initial Approve federated authentication task succeeds, the account still holds the Microsoft Entra ID Global Administrator role. If you want to move it to a less privileged role, you have two options:
1. Change the account to one of the following roles:
   - Global Reader
   - Application Administrator
   - Cloud Application Administrator
2. Change the account so it holds both of the following roles: Directory Reader and Reports Reader.
Both options grant the following access, which Apple School Manager requires:
- Read the list of all domains: microsoft.directory/domains/standard/read
- Read the directory of all users: microsoft.directory/users/standard/read
- Read Security Events audit logs: microsoft.directory/auditLogs/allProperties/read
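Before you downgrade the federation account, it is worth confirming that the roles you pick still cover the three resource actions listed above. The following is an added example, not Apple's or Microsoft's code: it checks a set of assigned role names against role definitions in the shape returned by the Microsoft Graph endpoint GET /roleManagement/directory/roleDefinitions. The role definitions embedded here are constructed and trimmed to the relevant actions; a live tenant returns much longer action lists, and the built-in role the page calls "Directory Reader" is named "Directory Readers" in Entra ID.

```python
"""Check whether assigned Entra ID directory roles cover the actions Apple School Manager needs."""
from typing import Dict, Iterable, List, Set

# The three resource actions the page lists as required by Apple School Manager.
REQUIRED_ACTIONS = (
    "microsoft.directory/domains/standard/read",
    "microsoft.directory/users/standard/read",
    "microsoft.directory/auditLogs/allProperties/read",
)

# Constructed sample shaped like Microsoft Graph unifiedRoleDefinition objects.
# Action lists are trimmed to the entries relevant to this check.
SAMPLE_ROLE_DEFINITIONS: List[Dict] = [
    {"displayName": "Global Reader", "rolePermissions": [{"allowedResourceActions": [
        "microsoft.directory/domains/standard/read",
        "microsoft.directory/users/standard/read",
        "microsoft.directory/auditLogs/allProperties/read"]}]},
    {"displayName": "Directory Readers", "rolePermissions": [{"allowedResourceActions": [
        "microsoft.directory/domains/standard/read",
        "microsoft.directory/users/standard/read"]}]},
    {"displayName": "Reports Reader", "rolePermissions": [{"allowedResourceActions": [
        "microsoft.directory/auditLogs/allProperties/read"]}]},
    {"displayName": "User Administrator", "rolePermissions": [{"allowedResourceActions": [
        "microsoft.directory/users/standard/read"]}]},
]


def granted_actions(role_defs: Iterable[Dict], role_names: Iterable[str]) -> Set[str]:
    """Union of allowedResourceActions across the named roles (case-insensitive match).

    Raises ValueError for a role name not present in role_defs, so a typo in a
    role name fails loudly instead of silently reporting every action as missing.
    """
    by_name = {rd["displayName"].lower(): rd for rd in role_defs}
    actions: Set[str] = set()
    for name in role_names:
        rd = by_name.get(name.lower())
        if rd is None:
            raise ValueError(f"unknown role definition: {name}")
        for perm in rd.get("rolePermissions", []):
            actions.update(perm.get("allowedResourceActions", []))
    return actions


def missing_actions(role_defs: Iterable[Dict], role_names: Iterable[str],
                    required: Iterable[str] = REQUIRED_ACTIONS) -> List[str]:
    """Required actions that the combined roles do not grant (empty list means the set is sufficient)."""
    granted = granted_actions(role_defs, role_names)
    return [action for action in required if action not in granted]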
Federated authentication process
This process involves three main steps:
Approve federated authentication.
Test federated authentication with a single Microsoft Entra ID user account.
Turn on federated authentication.
Important: Review the following before you configure federated authentication.
Step 1: Approve federated authentication
The first step is to establish a trust relationship between Microsoft Entra ID and Apple School Manager. This task must be done by a user with the role of Global Administrator in Microsoft Entra ID.
Note: After you complete this step, users can’t create new personal Apple Accounts on the domain you configure. This could affect other Apple services your users access. See Transfer Apple services to a Managed Apple Account.
In Apple School Manager
, sign in with a user that has the role of Administrator, Site Manager, or People Manager.
Select your name at the bottom of the sidebar, select Preferences
, select Managed Apple Accounts
, then select Get Started under “User sign in and directory sync.”
Select Microsoft Entra ID, then select Continue.
Select “Sign in with Microsoft,” enter a Microsoft Entra ID Global Administrator user name, then select Next.
Enter the password for the account, then select Sign In.
Carefully read the application agreement, select “Consent on behalf of your organization,” then select Accept.
You are consenting to Microsoft giving Apple access to information found in Microsoft Entra ID.
If necessary, review the verified and conflicted domains.
Select Done.
If necessary, you can change the user’s role in Microsoft Entra ID from Global Administrator to a supported role with the required privileges. For more information, see Microsoft default roles that support domains, directory sync, and domain read.
In some cases you may not be able to add your domain. Common reasons are:
The user name or password from the account in step 4 is incorrect.
Step 2: Test authentication with a single Microsoft Entra ID user account
Important: The federated authentication test also changes your default Managed Apple Account format. New accounts created in your Student Information System (SIS) or uploaded using Secure File Transfer Protocol (SFTP) use the new Managed Apple Account format.
You can test the federated authentication connection after you’ve performed the following tasks:
The check for user name conflicts is complete.
The Managed Apple Account default format is updated.
After you successfully link Apple School Manager to Microsoft Entra ID, you can change the role of a user account to another role. For example, you may want to change the role of a user account to an Instructor role.
Note: User accounts with the role of Administrator, Site Manager, or People Manager can’t sign in using federated authentication; they can only manage the federation process.
Select Federate next to the domain you want to federate.
Select “Sign in to Microsoft Entra ID Portal,” enter a Microsoft Entra ID user name of an account that exists in the domain, then select Next.
Enter the password for the account, select Sign In, select Done, then select Done.
In some cases you may not be able to sign in to your domain. Here are some common reasons:
The user name or password from the domain that you chose to federate is incorrect.
The account isn’t in the domain that you chose to federate.
Step 3: Turn on federated authentication
In Apple School Manager
, sign in with a user that has the role of Administrator, Site Manager, or People Manager.
Select your name at the bottom of the sidebar, select Preferences
, then select Managed Apple Accounts
.
In the Domains section, select Manage next to the domain you want to federate, then select “Turn on Sign in with Microsoft Entra ID.”
Turn on “Sign in with Microsoft Entra ID.”
If necessary, you can now sync user accounts to Apple School Manager. See Sync user accounts from Microsoft Entra ID.