Intro to directory syncing with Apple Business Manager
Directory syncing helps to keep the data in Apple Business Manager up to date with your identity provider (IdP). Using directory sync, Apple Business Manager is automatically informed by your IdP and can update its information when the following occurs:
A new user account is created
User account information changed
A user account is deleted
You can use OpenID Connect (OIDC) with Apple Business Manager to sync user accounts from the following (but only one at a time):
Google Workspace
Microsoft Entra ID
Your IdP
Some IdPs can also use System for Cross-domain Identity Management (SCIM)
Before you begin
Before you sync to Google Workspace, Microsoft Entra ID, or your IdP, consider the following:
Syncing user groups isn’t supported.
The initial sync takes longer to perform than subsequent cycles do. Consult your IdP’s documentation to learn how often they sync users.
Requirements
If necessary, manually verify a domain. See Add and verify a domain.
You need to turn on federated authentication. See Intro to federated authentication.
Have on call an administrator with permissions to edit Google Workspace, Microsoft Entra ID, or another IdP’s settings.
Apple Business Manager requires that the attribute used for the Managed Apple Account be unique. This is normally the user’s email address. If a user has an attribute that’s exactly the same as an existing Apple Business Manager user with the role of Administrator, no syncing is performed and the source field remains unchanged.
When you configure the initial connection, you need to use the email address of a user with the role of Administrator or People Manager so they can receive notifications from Google Workspace, Microsoft Entra ID, or another IdP you’re syncing with.
IdP-specific requirements
When linking to Microsoft Entra ID:
To use OIDC with Apple Business Manager, your organization can’t have the same Microsoft Entra ID tenant as any other Apple Business Manager organization. If you want to use OIDC for your organization, contact your Microsoft Entra ID Global Administrator to ensure that no other organization is using your Entra ID tenant for OIDC.
If a user account has a User Principal Name (UPN) that is exactly the same as an existing user account that has the role of Administrator or People Manager, no syncing is performed and the source field remains unchanged.
When linking to an IdP that’s not Google Workspace or Microsoft Entra ID, have the following information:
Unique identifier field for users: The value of this attribute is normally the email address of the user. This is used to create the user’s Managed Apple Account. For example, it may be userName.
Authentication method: SAML 2.0.
Authentication mode: OAuth 2.
Single sign-on URL: Consult your IdP’s documentation.
Authorization callback URL: Consult your IdP’s documentation.
Automatic changes
Account creation
When directory sync is configured, user accounts are synced to Apple Business Manager and assigned the role of Staff. The synced account information is added as read-only, but the Roles attribute of a user account can be edited. This attribute is stored with the user account in Apple Business Manager and isn’t written back to Google Workspace, Microsoft Entra ID, or your IdP.
When federated authentication is turned off, accounts become manual accounts, and attributes in these accounts (such as user names) can then be edited.
Account modification
Directory sync monitors changes to the synced attributes and automatically updates them in Apple Business Manager. The interval at which those changes are being synced depends on the IdP.
Account removal
When a user account is removed in Google Workspace, Microsoft Entra ID, or your IdP, the corresponding account in Apple Business Manager is deactivated and flagged for deletion. A deactivated account is signed out of devices and can’t be signed back in. Unless the account is synced again within the next 30 days, it automatically gets removed.
About the Person ID
To identify conflicting accounts, when a user account is initially synced using OIDC to Apple Business Manager, a Person ID is automatically generated for that user account.
If you modify the Person ID in Apple Business Manager for a user account previously synced, that user account is no longer paired with Google Workspace, Microsoft Entra ID, or your IdP. If you want to reconnect the user account, you need to resolve the Person ID conflict.