Federation

How to federate Apple Business with Google Workspace

If your org runs on Google Workspace instead of Microsoft 365, the federation story is actually simpler — no app registration, no SCIM bearer token, no enterprise app gallery. One OAuth consent as a Super Admin is enough for Apple to authenticate users and keep Managed Apple Accounts in sync. Here’s the end-to-end flow, including the OU scope picker and the 60-day personal Apple ID rename window.

Published April 21, 2026 · 9 min read · By Arclion Managed Services

In this guide

  • Why federation matters for Workspace orgs
  • Federation vs. directory sync — two separate features
  • Prerequisites checklist
  • Apple Business side click path
  • Google OAuth consent screen walkthrough
  • OU-scoped directory sync
  • The 60-day personal Apple ID conflict window
  • Testing with a pilot user
  • Common pitfalls

Why federate

One credential, one 2SV policy, one lifecycle

Without federation, a Workspace-plus-Apple org drifts into identity sprawl: personal Apple IDs on work email, Apple ID passwords that users forget, Managed Apple Accounts created by hand, and no tie into Workspace’s 2‑Step Verification. Federation closes the gap in an afternoon.

Sign in to Apple with the Google credential

Users enter their @yourcompany.com address at any Apple sign-in prompt and the flow redirects to Google. Apple never sees the password — 2‑Step Verification, WebAuthn keys, and session length all stay under Google’s policies.

Managed Apple Accounts auto-provision

Pair federation with directory sync and every user in the selected OUs shows up as a Managed Apple Account without a CSV import. Renames and disables in Workspace flow into Apple Business. Nothing writes back.

Lifecycle follows the identity

Suspend the Workspace account and the Apple sign-in stops working. Offboarding becomes one step instead of two, and “we offboarded them in Workspace but their iCloud is still live” stops being a thing.

Domain ownership is enforced

Once the domain is federated, users can’t spin up new personal Apple IDs on the work email. Apple treats the namespace as yours.

Concept

Federation vs. directory sync

Two separate features, usually enabled together, but each solves a different problem. Keeping them straight saves debugging later.

Federation = authentication

OIDC handoff from Apple to Google. At Apple sign-in, the user is redirected to accounts.google.com, authenticates there, and Google returns an ID token. The account Apple issues is a Managed Apple Account.

Directory sync = provisioning

Tells Apple Business which Workspace users should exist as Managed Apple Accounts in the first place. Apple reads from Google’s Admin SDK Directory API using the same OAuth consent granted during federation — no separate SCIM token.

One IdP per Apple Business org

Google Workspace, Microsoft Entra ID, or a Custom IdP — pick one. Switching later requires disconnecting the old IdP and waiting for any in-flight conflict resolution to finish.

Before you start

Prerequisites

Administrator role in Apple Business

The federation wizard needs Administrator (or People Manager for limited actions). Apple Business admins on the federated domain will lose sign-in capability — keep a break-glass admin on a non-federated domain.

Google Workspace Super Admin

The OAuth consent screen needs a Super Admin. A Help Desk or User Management admin role isn’t enough.

Domain verified in both consoles

Verify the custom domain in Google Workspace (TXT/MX) and separately in Apple Business → Preferences → Managed Apple Accounts → Domains. Apple’s TXT window is 14 days.

Paid Workspace edition

Any paid Google Workspace edition works — Business Starter, Standard, Plus, Enterprise, Education. Free legacy G Suite and Cloud Identity Free don’t expose the Admin SDK APIs this flow needs.

Third-party app access policy reviewed

If Google Admin → Security → API controls is set to “allow only trusted apps,” the Apple OAuth client has to be explicitly trusted before consent will succeed. Check this before you start.

End-user communication queued up

Queue a one-week-ahead email about the personal Apple ID 60-day rename window; it saves the help-desk ticket flood that otherwise starts within 48 hours of flipping the switch.

Walkthrough 1

Apple Business side

Step 1 — Preferences → Managed Apple Accounts

Sign in at business.apple.com. Click your name at the bottom of the sidebar → Preferences → Managed Apple Accounts.

Step 2 — Get Started under User sign in and directory sync

Scroll to User sign in and directory sync and click Get Started. On the IdP picker, choose Google Workspace, then click Continue.

Step 3 — Sign in with Google

Click Sign in with Google. A new tab opens to accounts.google.com. Sign in with a Google Workspace Super Admin account and complete 2‑Step Verification.

Step 4 — Turn on federation

After consent, control returns to Apple Business. In the domain list click Manage beside the target domain and toggle Turn on Sign in with Google Workspace. Confirm.

Step 5 — Scope directory sync

Under Directory Sync, turn on Google Workspace Sync. Tick the org units whose users should become Managed Apple Accounts. Users in unticked OUs are not synced and cannot sign in.

Walkthrough 2

Google OAuth consent screen

There’s no Google-side project to create and no service account to authorize. Apple ships the OAuth client; you only grant the consent.

The app identifies itself as Apple

The consent screen header clearly names Apple as the requesting app. If it doesn’t, stop — don’t grant consent and verify you arrived via Apple Business.

Scopes requested

openid, profile, email for sign-in; admin.directory.user.readonly, admin.directory.group.readonly, and admin.directory.orgunit.readonly for directory sync. All three directory scopes are read-only.

Check every box, then Continue

Google’s consent screen shows each permission individually. Check them all, click Continue, then Done. The browser redirects back to Apple Business automatically.

No domain-wide delegation needed

Standard setup does not require a separate domain-wide delegation step in the Google Admin console. Granting consent as Super Admin authorizes Apple’s client across the tenant.

If consent silently fails

If the consent screen closes without error and Apple Business never flips to Federated, go to Google Admin → Security → Access and data control → API controls and trust the Apple app, then retry.

Read this before flipping the switch

The 60-day personal Apple ID conflict window

Every user on the federated domain who previously created a personal Apple ID with their work email gets caught in a 60-day rename window. Handle it badly and you get tickets. Handle it well and it’s invisible.

What Apple does

When federation is enabled, Apple emails each matched user and posts in-product notifications offering 60 days to rename their personal Apple ID to a non-work address. The admin can review the conflict list under Preferences → Managed Apple Accounts → Account Conflicts.

If the user renames in time

Their personal iCloud, purchases, and Sign in with Apple tokens all stay intact on the new address. The original @yourcompany.com address then becomes eligible to be their Managed Apple Account.

If the user ignores the email

At day 60, Apple automatically renames the personal account to first.last@yourcompany.com.appleid.com. Password, purchases, iCloud data, and history all carry over — only the username changes. Sign in with Apple tied to the old email may need re-linking in third-party apps.

You can’t roll back during the window

Federation can’t be disconnected while conflict resolution is in progress. Admins who try to back out hastily trip on this. Communicate ahead.
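To plan the communications this section and the prerequisites call for, the added example below (not Apple's or Arclion's code) models the 60-day window as the page describes it: deadline = notification date + 60 days, and the day-60 fallback address keeps the local part and appends .appleid.com to the domain. The conflict entries are constructed sample data; the 7-day reminder threshold is an assumption.

```python
from datetime import date, timedelta

CONFLICT_WINDOW_DAYS = 60
FEDERATED_DOMAIN = "yourcompany.com"

# Constructed sample of an Account Conflicts list: when Apple notified the
# user and whether they have already renamed their personal Apple ID.
# Made-up entries, not data from any real tenant.
CONFLICTS = [
    {"email": "ana.lopez@yourcompany.com", "notified": date(2026, 4, 21), "renamed": True},
    {"email": "ben.ng@yourcompany.com", "notified": date(2026, 4, 21), "renamed": False},
    {"email": "cat.owens@yourcompany.com", "notified": date(2026, 2, 1), "renamed": False},
]


def auto_rename_address(email, domain=FEDERATED_DOMAIN):
    """Address Apple assigns at day 60 if the user never renames:
    the local part is kept and the domain becomes <domain>.appleid.com."""
    local, _, addr_domain = email.partition("@")
    if addr_domain.lower() != domain.lower():
        raise ValueError(f"{email} is not on the federated domain {domain}")
    return f"{local}@{domain}.appleid.com"


def conflict_status(entry, today, remind_within=7):
    """Classify one conflict entry relative to its day-60 deadline.
    remind_within (days) is an assumed threshold for the reminder email."""
    deadline = entry["notified"] + timedelta(days=CONFLICT_WINDOW_DAYS)
    days_left = (deadline - today).days
    if entry["renamed"]:
        state = "renamed"            # user moved their personal Apple ID in time
    elif days_left < 0:
        state = "auto-renamed"       # Apple has already applied the fallback address
    elif days_left <= remind_within:
        state = "remind-now"         # still open and inside the reminder window
    else:
        state = "pending"
    return {"email": entry["email"], "deadline": deadline, "days_left": days_left,
            "state": state, "fallback": auto_rename_address(entry["email"])}


def reminder_queue(conflicts, today, remind_within=7):
    """Emails to contact this week: unresolved and close to the deadline."""
    statuses = (conflict_status(c, today, remind_within) for c in conflicts)
    return sorted(s["email"] for s in statuses if s["state"] == "remind-now")
```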

Testing

Pilot the sign-in end to end

Step 1 — Confirm the user synced

In Apple Business → People, the pilot user should appear with a “Synced from Google Workspace” badge after the first sync cycle, with role set to Staff and name/OU pulled from Workspace.

Step 2 — Sign in on a Mac or iPhone

On a clean device (or after signing out of iCloud), start Setup Assistant and enter the user’s work email at the Apple Account prompt. The flow redirects to Google, the user completes 2‑Step Verification, and macOS/iOS returns signed in.

Step 3 — Platform SSO on macOS 26

On macOS 26, Platform SSO in Setup Assistant lets the same Google credential create the local macOS account in one pass — eliminating the old three-prompt sign-in flow.

Step 4 — Confirm Managed Apple Account

Settings → [Name] → Sign in & Security should show “Managed Apple Account — Signed in with Google Workspace.” Validate the same flow via iCloud.com in a browser.

When it breaks

Common pitfalls

Third-party app access blocks consent

If Google Admin → Security → API controls is set to “allow users to access only trusted apps,” the Apple OAuth client must be on the trusted list. Otherwise consent appears to succeed but nothing federates.

OU scope gaps

Directory sync only pulls from the OUs you tick in Apple Business’s scope picker. Users in /Contractors or /Service Accounts that weren’t selected will not become Managed Apple Accounts and cannot sign in.
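The OU scope picker in Walkthrough 1 Step 5 and this pitfall both come down to one check: which Workspace users fall under a ticked OU. The added example below (not Apple's or Arclion's code) previews that before you flip the switch, using a constructed user list shaped like the Admin SDK Directory API fields primaryEmail, orgUnitPath and suspended. Whether a ticked parent OU covers its child OUs is an assumption controlled by include_children, so set it to match what your picker shows.

```python
# Constructed sample of a Workspace user export; made-up users, not data
# from any real tenant. The field names mirror the Directory API user resource.
WORKSPACE_USERS = [
    {"primaryEmail": "ana.lopez@yourcompany.com", "orgUnitPath": "/Staff/Design", "suspended": False},
    {"primaryEmail": "ben.ng@yourcompany.com", "orgUnitPath": "/Staff", "suspended": False},
    {"primaryEmail": "cat.owens@yourcompany.com", "orgUnitPath": "/Contractors", "suspended": False},
    {"primaryEmail": "svc-scanner@yourcompany.com", "orgUnitPath": "/Service Accounts", "suspended": False},
    {"primaryEmail": "dan.ruiz@yourcompany.com", "orgUnitPath": "/Staff/Sales", "suspended": True},
]


def in_scope(org_unit_path, ticked_ous, include_children=True):
    """True if org_unit_path is one of the ticked OUs (or, when
    include_children is set, lies beneath one). Assumption: the picker
    treats child OUs as covered by a ticked parent; flip the flag if not."""
    for ou in ticked_ous:
        ou = ou.rstrip("/") or "/"
        if org_unit_path == ou:
            return True
        if include_children and (ou == "/" or org_unit_path.startswith(ou + "/")):
            return True
    return False


def preview_sync(users, ticked_ous, include_children=True):
    """Split users into three buckets:
    synced   - will appear as active Managed Apple Accounts
    blocked  - in scope but suspended, so synced with sign-in disabled
    excluded - outside the ticked OUs, so no Managed Apple Account at all."""
    synced, blocked, excluded = [], [], {}
    for u in users:
        email = u["primaryEmail"]
        if not in_scope(u["orgUnitPath"], ticked_ous, include_children):
            excluded[email] = f"OU {u['orgUnitPath']} not ticked"
        elif u.get("suspended"):
            blocked.append(email)
        else:
            synced.append(email)
    return sorted(synced), sorted(blocked), excluded


def missing_after_sync(users, ticked_ous, seen_in_apple_business, include_children=True):
    """Users you expected to sync but that are absent from Apple Business → People;
    compare against a list of emails copied from the People view."""
    synced, blocked, _ = preview_sync(users, ticked_ous, include_children)
    return sorted(set(synced + blocked) - set(seen_in_apple_business))
```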

Admin accounts on the federated domain

Apple Business Administrators and People Managers cannot use federated sign-in. Keep a break-glass admin on a non-federated domain or a throwaway @yourcompany.onmicrosoft.com-style Managed Apple Account.

Hardware-key 2SV and WebAuthn

If the Super Admin enforces hardware-key-only 2‑Step Verification, make sure the browser supports WebAuthn during consent. Some kiosk or locked-down browsers fail silently here.

Switching from a prior IdP

If the domain was federated to Entra or a Custom IdP, existing Managed Apple Account users must re-authenticate — cached IdP passwords won’t work. Disconnect the previous IdP first, let any conflict work finish, then federate to Google.

Apple Business migration window

During the April 2026 rollout to the Apple Business UI, the domain management pane is briefly locked on some tenants. If the Federate button is greyed out for no reason, check the Apple Business status page and retry the next day.

Want this handled for you?

Arclion federates Apple Business as part of Foundation

The OAuth consent, OU scope design, 60-day conflict communications, and break-glass admin are all part of how Arclion stands up a federated Apple environment on top of Google Workspace. If you want federation live without trial-and-error, Foundation includes it.

What to send

  • Your Google Workspace edition
  • Whether Apple Business is already set up
  • Approximate number of Apple users to federate
