Sync users from Microsoft Entra ID into Apple School Manager
You can use Directory Sync to sync users from Microsoft Entra ID to Apple School Manager. After you’ve read the requirements for using OIDC and have a Microsoft Entra ID administrator with permissions to edit enterprise applications standing by, you can proceed with the following tasks.
Important: You have only 4 calendar days to complete the token transfer to Microsoft Entra ID and successfully establish a connection, or you must begin the process again.
Prepare Microsoft Entra ID to accept the token
Sign in to the Microsoft Entra ID web portal (https://login.microsoftonline.com/), then select Microsoft Entra ID in the sidebar
If necessary, select Custom domain names, then enter your verified domain name in the upper right and select Add domain.
Important: The domain name must be verified before you add it.
Select Home, select Microsoft Entra ID from the services list, then select Users from the Manage sidebar.
If necessary, select All applications in the sidebar, then select the Apple School Manager Entra ID app (you’ll see the Apple School Manager icon ).
See the Microsoft Support article Add an enterprise application.
Note: You should use only the Apple School Manager Entra ID app when connecting with OIDC.
Select Provisioning in the sidebar, select Get Started, then select Automatic (provisioning mode).
If you’re reconnecting, you may not see Get Started. If you don’t see it, select Edit Provisioning.
Copy the Apple School Manager SCIM token
In Apple School Manager , sign in with a user that has the role of Administrator, Site Manager, or People Manager.
Select your name at the bottom of the sidebar, select Preferences , then select Directory Sync .
Select Connect next to OIDC, carefully read the warning, select Copy, then select Close.
Leave this window open to copy the tenant URL from Apple School Manager to Microsoft Entra ID.
Important: The secret token should be shared only with the Microsoft Entra ID administrator.
Paste the token and tenant URL into the Entra ID app
In Apple School Manager, copy the tenant URL:
https://federation.apple.com/feeds/school/scim
In the Apple School Manager Entra ID app, delete any content in the Tenant URL field, then paste in the tenant URL from Apple School Manager.
Select Save, then select Test Connection.
If the connection is successful, Apple School Manager shows the OIDC connection as active. It can take up to 60 seconds to reflect the latest connection status.
In the Settings section, enter the email address of an Apple School Manager Administrator, Site Manager, or People Manager, then select the “Send an email notification when a failure occurs” checkbox so they receive any provisioning error notifications.
If necessary, select Mappings and edit custom attributes.
Important: Don’t add more attribute mappings or the OIDC process will fail. See the mappings table in Microsoft Entra ID OIDC sync requirements.
Select the type of syncing and test the connection
Note: Federated authentication must be turned on for the domain before you do this task.
Specify whether you want only users assigned to the Apple School Manager Entra ID app to sync using OIDC, or all users in Microsoft Entra ID to sync using OIDC. If you’re unsure which to use, see Provisioning scope.
Turn on Provisioning Status, then select Save.
Important: If you change the provisioning scope, you must clear the current state and restart synchronization. Contact your Microsoft Entra ID administrator before you make any changes to the OIDC connection.
Check the provisioning logs to make sure the connection was successful.
Sign out of the Microsoft Entra ID web portal.