Very happy to see a very quick response to feedback on a previous video - this was great! :)
Ran into this today unexpectedly and this was super helpful. Thanks Dean!
Glad it helped!
That's exactly where I was, and I was concerned about moving forward. thank you!
In the latest Apple Business Manager, I am unable to see which devices have username conflicts. We are a huge enterprise and it's getting tough.
Two great videos! I'm still a little confused about the claiming of emails. Is that done during verifying the domain part or when you want to start federation? I'd like to test some manually created IDs after verifying the domain, as shown in the first video. But I don't want to accidentally reclaim all company emails!
OK, so I reached out to Apple about this. The reclaiming of emails starts when you federate.
Hello and thank you for putting this together. If I wanted to set up something like this in a lab setting, what would be required on the MS side?
On the MS side, you just need an Entra tenant with Entra ID Premium P1 and some users. You should probably use the Dev program to make that 0 cost. developer.microsoft.com/en-us/microsoft-365/dev-program
From the Apple side - you need an actual registered business, with a number in Dun and Bradstreet, to use Business Manager. There is no way around that.
Thanks!
🤯
Hi Dean, is it possible that the option "Directory Sync" has been removed from Apple Business Manager? Can't find the option.
Hello! It’s now shown under Managed Apple Account. I’ll do an updated video in a few weeks 😅
Hi @dean, I get this error when clicking on Directory Sync: Cannot turn on Microsoft Entra Connect Sync now.
You must federate a domain to turn on Microsoft Entra Connect Sync.
Further, the domain is verified but shows 11 user name conflicts, and when clicking manage, the "Sign in with Entra ID" option is greyed out.
Federation between Apple Business Manager - Entra ID
Hi! I set up Federation already in 2021 just for some testing; I remember having about 300 conflicts or something like that. Anyway, I don't remember having to resolve those conflicts. As I see it, the Enterprise app in Entra ID (Apple Business Manager) can be scoped to an Entra ID group, and should only have to resolve conflicts from the users in that group? Not the whole tenant? Anyway, I deleted that config and now in 2024 I'm trying to set up a limited federation, without "converting" the whole org. Is it possible? Or do I have to notify and make all users change their Apple ID email address? I have about 370 conflicts now.
Thanks for the video, we are new to ABM and some of our users (approx. 15) have personal Apple IDs using our company email address. So is it better that I ask them to change their Apple IDs before going forward with federated authentication?
Many Thanks for this information 🙏🏻
Very helpful, now to figure out what to tell our 400+ conflicting users....
Hi, what will happen to their storage? Will it be converted to the new ID, or will it be deleted?
Thanks for the video, it's very clear. Just a question. Can I federate without resolving conflicts? I have an Entra ID ABM scoped connection for a few users, but I'm afraid about what happens if I do the federation without resolving conflicts first. The scoped users do not have personal Apple IDs. Thanks and great job
So if the user does nothing, is the Apple ID and its data wiped and recreated as a federated Apple ID, or does the user just have to re-login using federation? Does the data stay? I mean, do we wipe the CEO's iPhone because he created his Apple ID a long time ago?
In the first video, you mentioned something about using conditional access to set up your Apple Device user group in Entra. Anything special there? I wasn't able to create that group correctly, so I just selected my test group users individually (under provisioning). Is this effectively the same thing? Also thank you for these videos. They have lightened my burden immensely lol
So if the users change the email address as requested by Apple, they would need to wipe the device and then set it back up with the company email? Seems like you might just want to tell the users not to do anything and then wait 60 days for the account to be reclaimed. So long as they don't have any personal data on it.
I think the outcome would be the same? Except if the user changes the email address they are in control of when that happens?
Brilliantly useful, as always. One q - in a situation where IT have told the user to create an Apple ID for lastcoffee, and then we need them to change it - what would be the best way to get the data from the now 'unofficial' account to the official account? I'm assuming it would be some third-party tool to move data between iCloud accounts?
Good question!
There are supported methods for doing that. From Apple's perspective, the user's "unofficial" lastcoffee Apple ID was a personal one, so they won't help you obtain that data, as you can imagine.
I haven't heard of any tools that will help you do it unofficially, but I'll ask around!
Thank you! Thought that might be the case. @DeanEllerbyMVP
@DeanEllerbyMVP +1, needing to know this. We have years of Apple IDs and are only planning on federating, so there will be lots of legitimate apps, purchases and backups that need to be "re-owned" back into the corp email ID. Pretty please? Your Mac focus is SOOOO appreciated!
Yeah, big mess. That is why IT should never do that. Some of the iCloud synced services will allow you to leave the data behind on the device if you turn off the sync for that feature before removing it. This way, when the Managed Apple ID logs in, it can sync that data. For anything that doesn't do that, you will probably have to transfer manually.
I am in this situation: the company where I work has 11 accounts with Microsoft 365, but they already use those emails to log into Apple to use their MacBooks and other Apple devices. Now we need to federate Entra ID and Apple Business Manager, but all those accounts are in conflict. BUT if we need 11 new email addresses we have 2 options: buy 11 new licenses in Microsoft 365 (and this is a big problem) or change the email addresses of all the users (presuming it is possible to do, this is a much bigger problem). Is there a way to solve this?
Why not create an alias on each of those accounts so that any communication still arrives to the intended recipients but is under a different email address? You would need a second domain attached to your 365 tenant though.
So if Jenny doesn't change her email address in her iCloud account, the conflict will not disappear?
I don't understand what the right solution is exactly.
If Jenny doesn't change the email address associated with the Apple ID within 60 days, it will be released to the ABM organisation anyway. At that point, I think, she will be forced to update it the next time she signs in.
Thank you, wish I saw this first before I started with ABM. :) One last question, and one you probably can't answer, but if you created an Apple MDM push certificate with an Apple ID, then claimed/federated that Apple ID, I'm guessing the cert stays with the original Apple user ID with a new email. So you may not be able to renew the cert? Guess I will find out in a year when the cert expires. lol Same with any purchased apps; guess they need to re-purchase them.
Very good questions! I'll look at this and let you know what I find!
Great video, but I'm a little confused. Don't we want our users to sign in to our corporate-owned Apple devices with an Apple ID associated with the corporate email? Why is it prompting them to change it to a non-corporate email?
That IS what they will be doing. The video describes the process to create that ability when there has already been a personal Apple ID created before the corporate Managed Apple ID is created. The reason it is prompting the user to change their Apple ID to a non-corporate email is because personal Apple IDs cannot be controlled by the corporation, and there cannot be two Apple IDs that use the same email address. When the user changes their personal Apple ID to a personal email address, or when the 60-day waiting period elapses, then the corporate email address is released back to the corporation's control so that they can re-issue it in the form of a Managed Apple ID. Then the user will log out of their personal Apple ID and log in with their new Managed Apple ID, which now sports the corporate-owned and controlled email address.
@wmuelver Perfect! Thanks for the reply and clarification, really appreciate it. 😊
You skipped over what happens if you _don't_ reclaim it. Does it not do federation at all at that point? If you leave it at that state, does it prevent new Apple IDs from being created with that domain name? (The use case I'm curious about is if a company does _not_ want people to use the company email for Apple IDs, would like to prevent it in the future, but does _not_ want to create a huge helpdesk storm of all existing Apple IDs being changed.)
In my experience, once the domain is verified in ABM, no further "personal" Apple IDs can be created with the business domain address.
Ok, but what if the user still wants to use their corporate account as an Apple ID but already has it registered as personal? He has to change the email on the existing account to release the email, log out on the iPhone with the Apple ID and log in again with the same company email, and sync everything to iCloud again?
Correct.