Modern Workplace Blog
February 8, 2022

Setting up Apple Business Manager for use with Azure Active Directory

Apple Business Manager is a service provided by Apple which helps you deploy Apple devices and apps in your organization. By leveraging Apple Business Manager (ABM) you can automatically enroll devices in Microsoft Endpoint Manager using Automated Device Enrollment (ADE). You could say it provides functionality similar to what Windows Autopilot provides for enrolling Windows devices, but ABM (then still called the Device Enrollment Program, a.k.a. DEP) was available long before Windows Autopilot even existed.

In this article we will go through the steps to request access to Apple Business Manager, and how to set up and integrate ABM with Azure Active Directory, so that you can authenticate to ABM using your Azure AD account. We will also set up synchronization of our Azure AD accounts to ABM; from that point forward those accounts are Managed Apple IDs.

Doing this is the first step towards fully integrating ABM with Microsoft Endpoint Manager/Intune, so that we can perform automatic enrollments of macOS/iOS/iPadOS devices. More on that in follow-up articles on this blog.

Enroll into Apple Business Manager program

Setting up ABM consists of the steps shown in the figure below; this article goes through all of them.

This blogpost contains the following sections:

  • Prepare
  • Enroll
  • Configure ABM
  • Configure account synchronization
  • Conclusion
  • References

Prepare

Before you enroll in the ABM program, I advise having some information available upfront: your company’s D-U-N-S number (which I will explain below), and a contact person who can verify your company and has the authority to do so.

D-U-N-S number

D-U-N-S numbers are assigned to businesses by a company called Dun & Bradstreet (D&B), which maintains the database. The D-U-N-S Number is a unique nine-digit identifier for a business. Apple cross-checks program enrollees against this database. You can verify whether your company is listed by using the following URL: https://developer.apple.com/enroll/duns-lookup/

For this to work, you must log in with an Apple ID and fill in the details of your business. This eventually results in the screen below and a corresponding email, with your D-U-N-S number attached, sent to the email address bound to the Apple ID.

Lookup D-U-N-S number

If your D-U-N-S number cannot be found in the database, you have the option to submit your information so that it can be considered for inclusion in the database. Keep in mind that the total time to obtain ABM access can be considerably longer in that case.

Request D-U-N-S number

Verification contact

This is someone within your organization who can bind your organization to the ABM terms and conditions, for example your CEO, CTO or CIO. Apple will reach out to the person you specify by phone and verify your request with them.

Accounts

During the process you need the following accounts:

  • An Apple Business Manager Administrator account
  • An Azure AD admin account with one of the following roles (permanently assigned or assignable): Global Administrator, Application Administrator or Cloud Application Administrator
  • A regular Azure AD account whose UPN is in the domain to verify, temporarily given one of those roles, for the authentication test

The enrollment process

If you want to use Apple Business Manager, you must enroll in the program first. You can enroll by visiting https://business.apple.com and clicking the Enroll now link, which brings you to another page where you fill in the required details.

Apple Business Manager website

In the Enroll Your Organization form you specify all the necessary information; you need the D-U-N-S number there (1) and the contact details of your internal verification contact (2).

Enrollment information form

After filling in the information you just have to wait; the verification contact will be contacted by a representative from Apple to perform the verification.

Once this verification has taken place and the Apple representative approves your enrollment request, you receive an email from Apple informing you that your enrollment has been approved.

Approval email

If you click the Get Started link, you are redirected to an Apple website where you can create a new Apple ID, which you use to access the Apple Business Manager environment.

Tip: I used a + address for ABM on my normal account, so that my account itself can still be synchronized later when we start syncing the Azure AD accounts to ABM.

Enabling Plus Addressing in Office 365 Exchange Online

Once enrolled, you have access to the ABM portal, and we can start configuring Single Sign-On (called Federated Authentication in ABM) with Azure AD and configure account synchronization from Azure AD to ABM.

Apple Business Manager initial screen

Configure Apple Business Manager

Once we have access to ABM, we can turn on and test federated authentication. With federated authentication, Azure AD is configured as the Identity Provider (IdP) that authenticates the user for Apple Business Manager and issues the authentication tokens.

Because ABM supports Azure AD, other IdPs that connect to Azure AD—like Active Directory Federation Services (AD FS)—will also work with ABM. Federated authentication uses Security Assertion Markup Language (SAML) to connect Apple Business Manager to Azure AD.

Federated authentication can be configured in 3 steps:

  1. Verify the domain
  2. Configure the federated authentication process
  3. Test authentication with a single Azure AD domain account

Verify the domain

The first thing we configure in ABM is verification of the domains which belong to our organization.

You can configure this setting from the Settings section by selecting Accounts under “Organisation Settings”.

Domain verification

As you can see in the figure above, the insight24.nl domain is not verified yet, as it has a yellow icon in front of the domain name. We can start the verification by clicking “Edit”, which shows the message that the domain is not verified. If you click “Verify”, you are asked to create a DNS TXT record with a specific value. This record proves that you control the domain, since only the owner of a domain can create DNS records in it.

apple-domain-verification TXT record

Create the requested TXT record in your DNS configuration; below is a screenshot of how this looks if you manage your DNS using the Microsoft 365 Admin portal. Keep in mind that the TXT name must be “@” and the value must be the whole value as shown in the ABM portal.

Create DNS records in Microsoft 365 Admin Center

Once the TXT record has been verified, the displayed record and the Copy button change to Verified ownership.

Verified ownership

Configure the federated authentication process

Once the domain has been verified, we can continue with setting up the federation by clicking the “Edit” button next to Federated Authentication, and then clicking “Connect”.

Next to Federated Authentication, click Edit, then click Connect.

The first screen shown (1) asks you to sign in to Azure Active Directory; you must do this with an account which has one of the following Azure AD roles active:

  • Global Administrator
  • Application Administrator
  • Cloud Application Administrator

You are then presented with a “Consent request” (2), which must be accepted in order for the Azure AD Enterprise Application to be created.

Application consent

Once the necessary permissions are accepted, you receive a notification that Azure AD is successfully connected (1). You will also notice that an Enterprise Application called “Apple Business Manager” has been created in Azure AD (2).

Enterprise Application

Test authentication

After you have successfully configured the federation, you must test the authentication with an Azure AD account. This account must have a UPN which ends with your domain, but must also have one of the earlier defined Azure AD roles (Global Administrator, Application Administrator or Cloud Application Administrator). For me this was challenging since all my admin accounts use onmicrosoft.com UPNs and never one of my hosted domains. In order for this to succeed, I temporarily had to give my own account an Azure AD role.

Click “Federate” next to the domain you want to validate, and then sign in to the Azure Portal using the account with the necessary UPN and Azure AD roles.

Test authentication

This task allows Apple Business Manager to trust Azure AD. After you have verified ownership of your domain and successfully tested authentication with a single Azure AD account, you can now create additional accounts and continue federating your domain.

After sign-in is successful, ABM checks for username conflicts with this domain. Username conflicts arise when users created a personal Apple ID with the domain you want to federate before you enabled and configured ABM.

Username conflicts detected

As you can see in the screenshot above, within my domain we have 7 username conflicts. You are notified that each user will be asked to choose a new email address for their personal Apple ID. Users have 60 days to reconfigure their Apple ID. After 60 days, the conflicting Apple IDs become available for use in ABM.

Username conflicts

Enable Federation

Once the ownership verification has taken place, make sure that you enable federation by switching the toggle next to Federation not enabled to on.

Enable Federation

When federation is enabled while there are still username conflicts, any synchronized username that has a conflict is not added to ABM.

Username Conflicts

Users whose Apple ID has a conflict receive an email from Apple explaining that the Apple ID must be updated.

Update your Apple ID

Once the user signs in on the Apple ID website, they are presented with the following screens, which allow the Apple ID to be changed.

Change Apple ID

Your users can also choose to delete their account instead. To do so, they need to go to https://privacy.apple.com/account, where under Manage your data the option Delete your account is available.

Delete Apple ID

Configure Account Synchronization using SCIM

In order to synchronize your Azure AD accounts to ABM, you can configure System for Cross-domain Identity Management (SCIM), which is supported by Azure AD.

You can configure SCIM from the Data Source section by clicking the “Connect” button. This generates a token and a URL which you need to configure the “Provisioning” section of the Azure AD Enterprise Application.

Configure SCIM

From the Apple Business Manager Enterprise Application in Azure AD, click the Provisioning link, click “Get Started” and set the provisioning mode to “Automatic”. Here you provide the earlier generated URL and token and test the connection.

Provisioning configuration on Enterprise Application in Azure AD

On the Enterprise Application you can configure whether you want only assigned accounts (members of Users and Groups) or all users to be synchronized to ABM. By default only the members of Users and Groups are synced; if you want to change this you can edit the Provisioning settings. If you add a group to Users and Groups, make sure that group nesting is not used, since that is not supported.

Once configured, an initial sync is done, after which synchronization runs every 40 minutes, so if you use a group it can take up to 40 minutes for an Azure AD account to be added to ABM.

The result is that after synchronization you see new accounts being added to ABM. In the figure below you can see that the source of this account is SCIM/Azure Active Directory, that the account is new, and that it hasn’t signed in yet.

Keep in mind that accounts that still have username conflicts are not created in ABM. So even though they are included in the scope on the Azure AD side, you have to wait for either the users to change their Apple ID or for the grace period to expire before those users can be provisioned into ABM.

Newly provisioned account
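When an account does not show up in ABM after a cycle, the cause is usually one of the scoping rules just described. The following added example (my illustration, not Apple's or Microsoft's code) models those rules so you can predict the outcome for a set of accounts: direct assignment and direct group membership count, nested group members are ignored, and a conflicting Apple ID is skipped until the 60-day grace period has passed. All tenant data in it is constructed.

```python
"""Model of which Azure AD accounts reach ABM in the next SCIM cycle.

Added illustration of the page's rules: scope "assigned" covers directly
assigned users and direct members of assigned groups (nesting unsupported),
scope "all" covers every user, and a still-conflicting Apple ID is skipped
until the 60-day grace period expires. Tenant data is constructed.
"""
from datetime import date, timedelta

CONFLICT_GRACE_DAYS = 60  # time users get to rename a conflicting Apple ID


def effective_scope(scope, users, groups, assignments):
    """Return (in_scope, nested_only): UPNs that will be evaluated, and UPNs
    reachable only through a nested group and therefore ignored.

    groups:      {group_name: {"users": [...], "groups": [...]}}, direct members
    assignments: {"users": [...], "groups": [...]} from Users and Groups
    """
    if scope == "all":
        return set(users), set()
    in_scope = set(assignments.get("users", []))
    nested_only = set()
    for name in assignments.get("groups", []):
        members = groups.get(name, {})
        in_scope.update(members.get("users", []))
        for sub in members.get("groups", []):  # nesting is listed, not expanded
            nested_only.update(groups.get(sub, {}).get("users", []))
    return in_scope, nested_only - in_scope


def provisioning_result(scope, users, groups, assignments, conflicts, today):
    """Map each UPN to its outcome; conflicts = {upn: date user was notified}."""
    in_scope, nested_only = effective_scope(scope, users, groups, assignments)
    result = {}
    for upn in in_scope:
        notified = conflicts.get(upn)
        if notified is not None:
            grace_end = notified + timedelta(days=CONFLICT_GRACE_DAYS)
            if today < grace_end:
                result[upn] = f"skipped: Apple ID conflict until {grace_end.isoformat()}"
                continue
        result[upn] = "provisioned"
    for upn in nested_only:
        result[upn] = "skipped: only reachable via nested group"
    return result


if __name__ == "__main__":
    users = ["ann@example.com", "bob@example.com", "cas@example.com", "dee@example.com"]
    groups = {"ABM-Users": {"users": ["ann@example.com", "bob@example.com"], "groups": ["IT"]},
              "IT": {"users": ["cas@example.com"], "groups": []}}
    assignments = {"users": ["dee@example.com"], "groups": ["ABM-Users"]}
    conflicts = {"bob@example.com": date(2022, 1, 20)}  # constructed notification date
    outcome = provisioning_result("assigned", users, groups, assignments, conflicts, date(2022, 2, 8))
    for upn in sorted(outcome):
        print(upn, "->", outcome[upn])
```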

Conclusion

Setting up Apple Business Manager (ABM) is a process which requires careful planning and is not something you can finish in a short timeframe. Some steps in the process can take some time to complete, so if you want to use the ABM functionality make sure that you plan accordingly.

I hope this article can help you if you want to configure ABM for your own organization. I hope I succeeded in giving a good idea of what you can expect when you do so.

In the next article I will go through integrating ABM with Microsoft Endpoint Manager/Intune, so that we can integrate the ABM functionality into our Endpoint Manager environment.

References

Apple Business Manager User Guide – https://support.apple.com/en-gb/guide/apple-business-manager/welcome/web

Introduction to federated authentication with Apple Business Manager – https://support.apple.com/en-gb/guide/apple-business-manager/axmb19317543/1/web/1

Review SCIM requirements for Apple Business Manager – https://support.apple.com/en-gb/guide/apple-business-manager/axmd88331cd6/1/web/1

Automatically enroll iOS/iPadOS devices by using Apple’s Automated Device Enrollment – https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-program-enroll-ios

3 thoughts on “Setting up Apple Business Manager for use with Azure Active Directory”

  1. Pingback: Connecting Microsoft Endpoint Manager to Apple Business Manager | Modern Workplace Blog
  2. Pingback: Apple Business Manager device import options for later use within Microsoft Endpoint Manager | Modern Workplace Blog
  3. Govi says:
    November 18, 2022 at 6:40 am

    Many thanks for your detailed instructions.

Copyright © 2021 by Kenneth van Surksum. All rights reserved. No part of the information on this web site may be reproduced or posted in any form or by any means without the prior written permission of the publisher.