Federation

How to federate Apple Business with Microsoft Entra ID

Federation is the difference between 50 employees with 50 forgotten Apple ID passwords and 50 employees who sign in to Apple with the same work credential they use for Outlook. Here’s the full end-to-end flow: verifying the domain in both consoles, flipping the OIDC trust, turning on directory sync, and navigating the 60-day personal Apple ID conflict window that every admin runs into on their first federation.

Published April 21, 2026 · 10 min read · By Arclion Managed Services

In this guide

  • Why federation matters past ~20 seats
  • Federation vs. directory sync — two separate features
  • Prerequisites checklist
  • Apple Business side click path
  • Entra side — OIDC and SCIM paths
  • The 60-day personal Apple ID conflict window
  • Testing with a pilot user
  • Common pitfalls

Why federate

One password, one MFA policy, one lifecycle

Without federation, an Apple-heavy org ends up with identity sprawl: Apple ID passwords users forget, help-desk tickets to reset them, Managed Apple Accounts created by hand, and no connection to Conditional Access or your MFA policy. Past about 20 seats, federation stops being a nice-to-have and becomes a requirement.

Single credential across Apple services

Users sign in to Apple devices, iCloud.com, and Apple services with their Entra work credential. Apple never stores the password — the sign-in hops to login.microsoftonline.com, so it honors Conditional Access, number-matching MFA, and FIDO2.

Auto-provisioned Managed Apple Accounts

Paired with directory sync, Entra group membership creates and maintains the Managed Apple Account. No more admin hand-creating accounts in Apple Business.

Lifecycle follows the identity

Disable a user in Entra and their Apple-side access follows. Federation closes the “we offboarded them in M365 but their iCloud is still live” gap that haunts small orgs.

Domain ownership is enforced

Once a domain is federated, users on that domain can no longer create personal Apple Accounts with the work email. The org owns the namespace.

Concept

Federation vs. directory sync

Two separate features, often enabled together, but each solves a different problem. Keeping them straight saves debugging later.

Federation = authentication

OIDC handoff from Apple to Entra’s global endpoint. At Apple sign-in, the user is redirected to Entra, authenticates there, and Entra returns an ID token. The account type Apple issues is a Managed Apple Account.

Directory sync = provisioning

Tells Apple Business which Entra users and groups should exist as Managed Apple Accounts in the first place. Historically SCIM pushed from Entra; the current UI offers a newer OIDC-based sync option that avoids the hand-copied bearer token.

Pick OIDC sync unless you need SCIM

OIDC sync is a persistent OAuth connection — no token to renew, fewer moving parts. Go SCIM only if you have a specific reason (e.g., a third-party IdP proxying Entra).

Before you start

Prerequisites

Administrator role in Apple Business

The federation wizard needs Administrator (or People Manager for limited actions). Apple Business admins on the federated domain will lose sign-in capability — keep a break-glass admin on a non-federated domain.

Entra privileged role

Global Administrator is simplest. Application Administrator plus User Administrator works too. You’ll grant consent to the Apple-published enterprise app on first run.

Domain verified in both consoles

Verify the custom domain in Entra → Domain names (TXT/MX) and separately in Apple Business → Preferences → Managed Apple Accounts → Domains. Apple’s TXT window is 14 days.

Tenant uniqueness

One Entra tenant can back exactly one Apple Business organization over OIDC. MSPs discover this the hard way — plan around it.

A pilot user on the federated domain

Someone with a real mailbox and MFA set up in Entra, who isn’t an admin in Apple Business. Federation tests don’t work cleanly with admin-only accounts.

End-user communication queued up

A one-week-ahead email about the personal Apple ID 60-day rename window. Saves the help-desk ticket flood that otherwise starts within 48 hours of flipping the switch.

Walkthrough 1

Apple Business side

Step 1 — Preferences → Managed Apple Accounts

Sign in at business.apple.com. Click your name at the bottom of the sidebar → Preferences → Managed Apple Accounts.

Step 2 — Manage the domain

Scroll to Domains. Beside the target domain, click Manage. Click Turn on Sign in with Microsoft Entra ID.

Step 3 — Consent in a popup

Click Sign in to Microsoft Entra ID Portal. A popup opens. Sign in with an Entra username on the federated domain. Grant consent to the Apple-published enterprise app.

Step 4 — Federate

Back in Apple Business, click Federate next to the domain. Apple scans for conflicts and shows a count of personal Apple IDs on the domain. Review, then proceed.

Step 5 — Open directory sync

When the banner flips to Federated, open User sign in and directory sync (or the older Managed Apple Accounts → Federated Authentication label) to start provisioning.

Walkthrough 2

Entra side — the SCIM path

If you chose OIDC sync in the previous section, skip this. Apple handles that connection behind the scenes. Use this SCIM path when Apple’s UI requires it or when a third-party IdP is fronting Entra.

Step 1 — Add the gallery app

Entra admin center → Identity → Applications → Enterprise applications → New application. Search Apple Business Manager (not Apple School Manager). Add it.

Step 2 — Start provisioning

Open the app → Provisioning → Get Started → Mode = Automatic. In a second tab, in Apple Business go to Managed Apple Accounts → Directory Sync → Get Started. Apple shows a Tenant URL and a one-time Secret Token.

Step 3 — Paste + test

Paste both into Entra’s provisioning screen. Click Test Connection, then Save. Under Mappings, keep the gallery-app defaults — custom attribute mappings are the #1 cause of silent provisioning failure.

Step 4 — Scope and assign

Under Settings, set scope to Sync only assigned users and groups. On Users and groups, assign the Entra groups that should receive Managed Apple Accounts.

Step 5 — Flip it on

Back on Provisioning, set Provisioning Status = On. Initial sync runs within about 40 minutes. Watch Provisioning logs for per-user results — silent skips live there.

Read this before flipping the switch

The 60-day personal Apple ID conflict window

Every user on the federated domain who previously created a personal Apple ID with their work email gets caught in a 60-day rename window. Handle it badly and you get tickets. Handle it well and it’s invisible.

What Apple does

When you click Federate, Apple scans the domain and emails each matched user offering 60 days to rename their personal account to a non-work address. The admin can download the conflict list from Preferences → Managed Apple Accounts → Account Conflicts.

If the user renames in time

Their personal iCloud, purchases, and Sign in with Apple tokens all stay intact on the new address. Clean outcome.

If the user ignores the email

At day 60, Apple automatically renames the personal Apple ID to a temporary Apple-assigned address. The account isn’t deleted, but the user has to sign in and accept the rename before iCloud/App Store work again. Sign in with Apple tied to the old email may break for third-party apps.

You can’t roll back during the window

Federation cannot be disconnected while unresolved conflicts exist or during the initial 60-day window. Admins who try to back out hastily trip on this. Communicate ahead.

Testing

Pilot the sign-in end to end

Step 1 — Confirm the user synced

In Apple Business → Users, confirm the pilot user appears after the first sync cycle. In Entra → Enterprise applications → Apple Business Manager → Provisioning logs, confirm a green Create entry.

Step 2 — Sign in on a device

On a clean Mac or iPhone, start Setup Assistant (or sign out of iCloud first). Enter the user’s work email at the Apple Account prompt. Apple detects the federated domain and redirects to Microsoft sign-in. The user enters their Entra password and completes MFA.

Step 3 — Confirm Managed Apple Account

After sign-in, Settings → [Name] → Sign in & Security should read “Managed Apple Account — Signed in with Microsoft Entra ID.” Validate the same flow via iCloud.com in a browser.

Step 4 — Check sign-in logs

In Entra → Sign-in logs, the authentication event for Apple Business Manager should show success with your Conditional Access policies applied. This is the proof that Entra is genuinely in the loop.
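The sign-in log check in Step 4 as an added example (not Apple's or Microsoft's code): it reads an Entra sign-in event and lists every reason it does not yet prove the federated path. Field names follow the Microsoft Graph signIn resource; the app display name "Apple Business Manager" and the two sample events are assumptions constructed for offline runs.

```python
# Added example (not Apple's or Microsoft's code): does an Entra sign-in log
# entry prove Entra was really in the loop for the pilot's Apple sign-in?
# Field names follow the Microsoft Graph signIn resource; the app display name
# and the two sample events are assumptions/constructed for offline runs.
APP_NAME = "Apple Business Manager"  # assumed appDisplayName for the federated app


def proves_federation(signin, app_name=APP_NAME):
    """Return {"passed", "findings", "applied_policies"}. Each finding is a
    reason the event does NOT prove the federated path; none means clean."""
    findings = []
    if signin.get("appDisplayName") != app_name:
        findings.append(f"event is for {signin.get('appDisplayName')!r}, not {app_name!r}")
    status = signin.get("status") or {}
    if status.get("errorCode", 1) != 0:
        findings.append(f"sign-in failed: {status.get('failureReason')}")
    ca = signin.get("conditionalAccessStatus")
    if ca != "success":
        # "notApplied" means no policy targeted this app, so CA enforced nothing
        findings.append(f"Conditional Access status is {ca!r}, expected 'success'")
    if signin.get("authenticationRequirement") != "multiFactorAuthentication":
        findings.append("single-factor sign-in: MFA was not required")
    applied = [p.get("displayName") for p in signin.get("appliedConditionalAccessPolicies", [])
               if p.get("result") == "success"]
    return {"passed": not findings, "findings": findings, "applied_policies": applied}


def latest_for_user(events, upn, app_name=APP_NAME):
    """Pick the pilot's newest event for the app (createdDateTime is ISO 8601, so it sorts)."""
    mine = [e for e in events if e.get("userPrincipalName") == upn and e.get("appDisplayName") == app_name]
    return max(mine, key=lambda e: e.get("createdDateTime", ""), default=None)


GOOD = {  # constructed: pilot signed in, CA policy applied, MFA satisfied
    "userPrincipalName": "pilot@example.com", "appDisplayName": APP_NAME,
    "createdDateTime": "2026-04-21T10:05:00Z", "status": {"errorCode": 0},
    "conditionalAccessStatus": "success", "authenticationRequirement": "multiFactorAuthentication",
    "appliedConditionalAccessPolicies": [{"displayName": "Require MFA for all users", "result": "success"}],
}
NOT_PROVEN = {  # constructed: signed in, but no CA policy targeted the app
    "userPrincipalName": "pilot@example.com", "appDisplayName": APP_NAME,
    "createdDateTime": "2026-04-21T09:50:00Z", "status": {"errorCode": 0},
    "conditionalAccessStatus": "notApplied", "authenticationRequirement": "singleFactorAuthentication",
    "appliedConditionalAccessPolicies": [],
}
```

Feed it the events you export from Entra → Sign-in logs (or pull via Graph `/auditLogs/signIns`) and run `proves_federation(latest_for_user(events, upn))`; a "notApplied" finding means your Conditional Access policy is not targeting the Apple app.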

When it breaks

Common pitfalls

Domain not verified in both consoles

The wizard blocks with no useful error. Verify in Entra first, then in Apple Business. Both TXT records have to land before the Federate button becomes meaningful.

Admin accounts on the federated domain

Administrators and People Managers can’t use federated sign-in. Create a break-glass admin on a non-federated domain (a @yourcompany.onmicrosoft.com Managed Apple Account is the usual move).

SCIM provisioning silently stalled

Always open Entra’s Provisioning logs. A failing mapping shows “provisioned 0, skipped N” without raising an alert. Remove any custom attribute mappings you added.
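For Walkthrough 2 Step 5 and this pitfall, an added example (not Apple's or Microsoft's code) that pulls the Apple Business Manager provisioning events from Microsoft Graph and flags the "provisioned 0, skipped N" stall instead of leaving it to be noticed by eye. Field names follow the Graph provisioningObjectSummary resource; the caller supplies an access token with AuditLog.Read.All, and the sample entries are constructed for offline runs.

```python
# Added example (not Apple's or Microsoft's code): summarise Entra provisioning
# log results for the Apple Business Manager gallery app so "provisioned 0,
# skipped N" stops being silent. Field names follow the Microsoft Graph
# provisioningObjectSummary resource; the sample entries are constructed.
import json
import urllib.request
from collections import Counter

GRAPH = "https://graph.microsoft.com/v1.0/auditLogs/provisioning"
APP_NAME = "Apple Business Manager"  # gallery app name used in the walkthrough

def only_app(entries, app_name=APP_NAME):
    """Keep events for one service principal (filtered client-side)."""
    return [e for e in entries if (e.get("servicePrincipal") or {}).get("displayName") == app_name]

def fetch_provisioning_logs(token, top=200):
    """Pull the newest provisioning events via Graph (token needs AuditLog.Read.All)."""
    req = urllib.request.Request(f"{GRAPH}?$top={top}", headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("value", [])

def summarize(entries):
    """Count (action, status) pairs and flag a stalled sync: skips/failures
    with nothing created or updated, which is what a bad mapping looks like."""
    counts, problems = Counter(), []
    for e in entries:
        action = e.get("provisioningAction", "other")
        status = (e.get("provisioningStatusInfo") or {}).get("status", "unknown")
        counts[(action, status)] += 1
        if status in ("failure", "skipped"):
            steps = e.get("provisioningSteps") or [{}]
            who = (e.get("sourceIdentity") or {}).get("displayName", "?")
            # the last provisioning step's description carries the skip/failure reason
            problems.append((who, action, status, steps[-1].get("description", "")))
    provisioned = sum(n for (a, s), n in counts.items() if s == "success" and a in ("create", "update"))
    return {"provisioned": provisioned, "problems": problems,
            "stalled": provisioned == 0 and bool(problems), "counts": dict(counts)}

SAMPLE = [  # constructed: one user skipped by a bad custom mapping, one unrelated app
    {"servicePrincipal": {"displayName": APP_NAME}, "provisioningAction": "create",
     "provisioningStatusInfo": {"status": "skipped"}, "sourceIdentity": {"displayName": "Pilot User"},
     "provisioningSteps": [{"status": "skipped", "description": "constructed: mapping produced no value"}]},
    {"servicePrincipal": {"displayName": "Other App"}, "provisioningAction": "create",
     "provisioningStatusInfo": {"status": "success"}},
]

if __name__ == "__main__":
    print(summarize(only_app(SAMPLE)))  # stalled=True, problems lists Pilot User
```

Against a live tenant, replace SAMPLE with `fetch_provisioning_logs(token)`; a `stalled` result with per-user descriptions is the cue to strip the custom attribute mappings before anything else.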

SCIM token expiry

SCIM tokens expire. Apple emails admins 60 days out. Renew via Apple Business → Directory Sync → Edit, then paste the new token into the Entra app. If you skipped SCIM and picked OIDC sync, this risk disappears.

Tenant reused across two Apple Business orgs

Not supported. One Entra tenant = one Apple Business org over OIDC. MSPs managing multiple Apple Business tenants need one Entra tenant per org.

Sign in with Apple breakage

Third-party apps that used the old personal Apple ID email for Sign in with Apple don’t auto-transfer after rename. Warn users during the 60-day window so they update relationships themselves.

Want this handled for you?

Arclion federates Apple Business as part of Foundation

The Entra app registration, the SCIM or OIDC sync, the 60-day conflict communications, and the break-glass admin design are all part of how Arclion stands up a federated Apple environment. If you want federation live without trial-and-error, Foundation includes it.

What to send

  • Your Microsoft 365 / Entra edition
  • Whether Apple Business is already set up
  • Approximate number of Apple users to federate

Book an environment review
