
Intro to directory syncing with Apple Business Manager
You can use OpenID Connect (OIDC) with Apple Business Manager to sync user accounts from the following:
Google Workspace
Microsoft Entra ID
Your identity provider (IdP)
Some IdPs can also use System for Cross-domain Identity Management (SCIM)
Note: You can sync to Google Workspace, Microsoft Entra ID, or your IdP, but only one at a time.
Before you begin
Before you sync to Google Workspace, Microsoft Entra ID, or your IdP, consider the following:
Syncing user groups isn’t supported.
Requirements
If necessary, manually verify a domain. See Add and verify a domain.
You must turn on federated authentication. See Intro to federated authentication.
Have an administrator available who has permissions to edit Google Workspace, Microsoft Entra ID, or another IdP’s settings.
Apple Business Manager requires that the attribute used for the Managed Apple Account be unique. This is normally the user’s email address. If a user has an attribute that’s exactly the same as an existing Apple Business Manager user with the role of Administrator, no syncing is performed and the source field remains unchanged.
When you configure the initial connection, use the email address of a user who has the role of Administrator or People Manager so they can receive notifications from Google Workspace, Microsoft Entra ID, or another IdP you’re syncing with.
IdP-specific requirements
When linking to Microsoft Entra ID:
To use OIDC with Apple Business Manager, your organization must not have the same Microsoft Entra ID tenant as any other Apple Business Manager organization. If you want to use OIDC for your organization, contact your Microsoft Entra ID Global Administrator to ensure that no other organization is using your Entra ID tenant for OIDC.
If a user account has a User Principal Name (UPN) that is exactly the same as an existing user account that has the role of Administrator or People Manager, no syncing is performed and the source field remains unchanged.
When linking to an IdP that’s not Google Workspace or Microsoft Entra ID, have the following information:
Unique identifier field for users: The value of this attribute is normally the email address of the user. This is used to create the user’s Managed Apple Account. For example, it may be userName.
Authentication method: SAML 2.0.
Authentication mode: OAuth 2.
Single sign-on URL: Consult your IdP’s documentation.
Authorization callback URL: Consult your IdP’s documentation.
Automatic changes
Monitors user accounts for changes and automatically syncs those changes to Apple Business Manager.
Automatically removes Managed Apple Accounts when the corresponding user accounts are removed in Google Workspace, Microsoft Entra ID, or your IdP.
When a user account is synced to Apple Business Manager, the default role is Staff. After the sync is complete, only the Roles user account attribute can be edited. This attribute is stored with the user account in Apple Business Manager and isn’t written back to Google Workspace, Microsoft Entra ID, or your IdP.
The synced account information is added as read-only until you turn off syncing. At that time, the accounts become manual accounts, and attributes in these accounts (such as user names) can then be edited.
Note: The initial sync takes longer to perform than subsequent cycles do. Consult your IdP’s documentation to learn how often it syncs users.
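The following is an added example, not Apple’s code and not part of this article: a small Python model of one sync cycle that applies the rules stated above, so an administrator can reason about what a sync will do to an existing Apple Business Manager account list before turning it on. It covers the collision rule from the Requirements and IdP-specific requirements sections (an identifier that exactly matches an existing Administrator or People Manager account is not synced and its source stays unchanged), the default Staff role, the local-only Roles attribute, read-only attributes while syncing is on, removal when the source account disappears, and the accounts becoming manual when syncing is turned off. All account data is constructed sample data; the names `AbmAccount`, `reconcile`, `set_role`, `edit_attribute` and `turn_off_sync` are this example’s own, and the handling of a collision with a non-protected manual account (left untouched here) is an assumption the article does not specify.

```python
from dataclasses import dataclass, field
from typing import Optional
import uuid

# Roles that block a sync when the identifier collides exactly (per the article).
PROTECTED_ROLES = {"Administrator", "People Manager"}
DEFAULT_ROLE = "Staff"      # role given to every newly synced account
MANUAL = "manual"           # source value for accounts that are not synced


@dataclass
class AbmAccount:
    identifier: str                 # unique attribute, normally the email / UPN
    role: str = DEFAULT_ROLE
    source: str = MANUAL            # MANUAL or the name of the sync source
    person_id: Optional[str] = None # generated on the first sync of the account
    attrs: dict = field(default_factory=dict)   # read-only data from the source


def reconcile(source_name, snapshot, abm):
    """Apply one sync cycle. snapshot: {identifier: attrs} from the IdP.
    abm: {identifier: AbmAccount}, mutated in place. Returns a report."""
    report = {"created": [], "updated": [], "removed": [], "skipped": []}
    for ident, attrs in snapshot.items():
        existing = abm.get(ident)
        if existing is None:
            # New user: default role Staff, Person ID generated on first sync.
            abm[ident] = AbmAccount(ident, DEFAULT_ROLE, source_name,
                                    person_id=str(uuid.uuid4()),
                                    attrs=dict(attrs))
            report["created"].append(ident)
        elif existing.source == source_name:
            # Already paired with this source: refresh attributes, keep the
            # locally stored Roles value (it is never written back).
            existing.attrs = dict(attrs)
            report["updated"].append(ident)
        elif existing.role in PROTECTED_ROLES:
            # Exact identifier match with an Administrator / People Manager:
            # no syncing is performed and the source field stays unchanged.
            report["skipped"].append(ident)
        else:
            # Assumption (not defined by the article): a collision with any
            # other manual account is also left untouched and reported.
            report["skipped"].append(ident)
    # Accounts removed at the source are removed from ABM.
    for ident in [i for i, a in abm.items()
                  if a.source == source_name and i not in snapshot]:
        del abm[ident]
        report["removed"].append(ident)
    return report


def set_role(abm, ident, role):
    """Roles is the only attribute that can be edited on a synced account."""
    abm[ident].role = role


def edit_attribute(abm, ident, name, value):
    """Other attributes are read-only until syncing is turned off."""
    acct = abm[ident]
    if acct.source != MANUAL:
        raise PermissionError(f"{ident} is synced from {acct.source}; "
                              f"turn off syncing before editing {name}")
    acct.attrs[name] = value


def turn_off_sync(abm, source_name):
    """Synced accounts become manual accounts and keep their data."""
    for acct in abm.values():
        if acct.source == source_name:
            acct.source = MANUAL


def demo():
    """Two constructed sync cycles against a constructed ABM account table."""
    # Pre-existing administrator that was created manually in ABM.
    abm = {"admin@example.com": AbmAccount("admin@example.com", "Administrator")}
    cycle1 = {"admin@example.com": {"name": "Alex Admin"},   # exact collision
              "maria@example.com": {"name": "Maria"},
              "lee@example.com": {"name": "Lee"}}
    r1 = reconcile("Entra ID", cycle1, abm)
    set_role(abm, "maria@example.com", "People Manager")    # allowed while synced
    cycle2 = {"admin@example.com": {"name": "Alex Admin"},
              "maria@example.com": {"name": "Maria R."}}     # lee removed at source
    r2 = reconcile("Entra ID", cycle2, abm)
    return abm, r1, r2


if __name__ == "__main__":
    state, first, second = demo()
    print("cycle 1:", first)
    print("cycle 2:", second)
    for acct in state.values():
        print(acct)
```

Running the script shows the administrator account reported as skipped in both cycles with its source still manual, Maria’s People Manager role surviving the second cycle even though her name attribute was refreshed, and Lee removed once the source no longer lists the account.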
About the Person ID
To identify conflicting accounts, when a user account is initially synced using OIDC to Apple Business Manager, a Person ID is automatically generated for that user account.
If you modify the Person ID in Apple Business Manager for a user account previously synced, that user account is no longer paired with Google Workspace, Microsoft Entra ID, or your IdP. If you want to reconnect the user account, you must resolve the Person ID conflict.