Intro to directory syncing with Apple School Manager
You can use OpenID Connect (OIDC) with Apple School Manager to sync user accounts from the following:
Google Workspace
Microsoft Entra ID
Your identity provider (IdP)
Some IdPs can also use System for Cross-domain Identity Management (SCIM)
Note: You can sync to Google Workspace, Microsoft Entra ID, or your IdP, but only one at a time.
Before you begin
Before you sync to Google Workspace, Microsoft Entra ID, or your IdP, consider the following:
Syncing user groups isn’t supported.
Requirements
If necessary, manually verify a domain. See Add and verify a domain.
You must turn on federated authentication. See Intro to federated authentication.
Have on call an administrator with permissions to edit Google Workspace, Microsoft Entra ID, or another IdP’s settings.
Disconnect from your Student Information System (SIS) or stop uploads using SFTP.
Apple School Manager requires that the attribute used for the Managed Apple Account be unique. This is normally the user’s email address. If a user has an attribute that’s exactly the same as an existing Apple School Manager user with the role of Administrator, no syncing is performed and the source field remains unchanged.
When you configure the initial connection, you should use the email address of a user that has the role of Administrator, Site Manager, or People Manager so they can receive notifications from Google Workspace, Microsoft Entra ID, or another IdP you’re syncing with.
IdP-specific requirements
When linking to Microsoft Entra ID:
To use OIDC with Apple School Manager, your organization must not have the same Microsoft Entra ID tenant as any other Apple School Manager organization. If you want to use OIDC for your organization, contact your Microsoft Entra ID Global Administrator to ensure that no other organization is using your Entra ID tenant for OIDC.
If a user account has a User Principal Name (UPN) that is exactly the same as an existing user account that has the role of Administrator, Site Manager, or People Manager, no syncing is performed and the source field remains unchanged. This occurs regardless of the sync method originally used (SIS or SFTP).
When linking to an IdP that’s not Google Workspace or Microsoft Entra ID, have the following information:
Unique identifier field for users: The value of this attribute is normally the email address of the user. This is used to create the user’s Managed Apple Account. For example, it may be userName.
Authentication method: SAML 2.0.
Authentication mode: OAuth 2.
Single sign-on URL: Consult your IdP’s documentation.
Authorization callback URL: Consult your IdP’s documentation.
Automatic changes
Monitors for user account changes and automatically syncs them changes to Apple School Manager.
Note: File uploads to Apple School Manager using SFTP don’t support automatic syncing.
Automatically removes Managed Apple Accounts when the corresponding user accounts are removed in Google Workspace, Microsoft Entra ID, or your IdP.
When a user account is synced to Apple School Manager, the default role is Student. After the sync is complete, the following user account attributes can be edited:
Roles
Grade level
Student Information System (SIS) user name
These attributes are stored with the user account in Apple School Manager and aren’t written back to Google Workspace, Microsoft Entra ID, or your IdP.
The synced account information is added as read-only until you turn off syncing. At that time, the accounts become manual accounts, and attributes in these accounts (such as user names) can then be edited.
Note: The initial sync takes longer to perform than subsequent cycles do. Consult your IdP’s documentation to learn how often they sync users.
About the Person ID
To identify conflicting accounts, when a user account is initially synced using OIDC or SIS to Apple School Manager, a Person ID is automatically generated for that user account.
Important: The Person ID isn’t automatically generated for user accounts imported using SFTP because those IDs are created in the files that are uploaded to Apple School Manager. If you disconnect from Google Workspace, Microsoft Entra ID, or your IdP and upload users again, new users are created unless the Person ID in the SFTP upload files matches the Person ID that was initially assigned by the initial directory sync. See Upload Student Information System data.
If you modify the Person ID in Apple School Manager for a user account previously synced, that user account is no longer paired with Google Workspace, Microsoft Entra ID, or your IdP. If you want to reconnect the user account, you must resolve the Person ID conflict.