Managed Apple Accounts which were out of scope for ABM or ASM federation may be changed to be in scope by the federation process
2024-10-22 03:20:46 Author: derflounder.wordpress.com

In Apple Business Manager (ABM) or Apple School Manager (ASM), you can link your identity provider (IdP) to ABM or ASM. This allows people to sign in to Apple devices with the same username and password they use for the other systems at their company, school or institution. Apple refers to this as federated authentication and supports it by creating Managed Apple Accounts (MAAs) with the username and email address of the user in question, where that information is provided by the company, school or institution’s IdP. Once this federation process is complete, when someone uses their MAA to log into an Apple system, they are shown the login screen for their company, school or institution’s IdP in place of Apple’s own authentication system for Apple Accounts.

However, prior to federation, a company, school or institution may have manually created MAAs in ABM / ASM for various purposes and want those accounts to keep using Apple’s own authentication system for Apple Accounts instead of authenticating through the company, school or institution’s IdP.

This usually applies to MAAs which are used as service accounts in ABM / ASM, where there may be only an email alias set up in place of an actual user account in the IdP for that MAA. In those scenarios, if there is no actual user account in the IdP for that MAA, authentication becomes impossible once ABM or ASM is forwarding authentication requests to the IdP.

The best practice in this case is to assign the MAAs in question to a domain which is different from the one being federated. So if you’re planning to federate accounts in the company.com domain, you would set up a different domain in ABM or ASM which is not company.com and assign those MAAs to that different domain. However, there’s an additional step to take as part of this domain re-assignment process: in addition to assigning the MAA to a different domain, you also need to make sure that the email address associated with the MAA is not in the domain you’re planning to federate.

Why is this? The documentation Apple provides for the federation process has this note in the Before you begin section:

For existing users with an email address in the federated domain, their Managed Apple ID is automatically changed to match that email address.

What does this mean? It means that an existing MAA may be set up with the following username and email:

  • Username: something@outside_domain_being_federated.com
  • Email: something@domain_being_federated.com

However, once the initial federation process has run, the MAA’s username and email will look like this:

  • Username: something@domain_being_federated.com
  • Email: something@domain_being_federated.com

Now the MAA that was previously outside the scope of federation (something@outside_domain_being_federated.com) is in scope, because its account name has been changed to something@domain_being_federated.com. In turn, authentication requests for the something@domain_being_federated.com MAA are now sent on to the company, school or institution’s IdP. That IdP may not actually have a user account for something@domain_being_federated.com, or be able to authenticate it, which means you can’t log into that MAA.

How do you address this? My recommendation is that prior to federation, you identify all the MAAs you want to remain out of scope and assign each of them an email address which is explicitly outside the domain you’re planning to federate. For example, if your MAA currently looks like this:

  • Username: something@outside_domain_being_federated.com
  • Email: something@domain_being_federated.com

Change it to something like this:

  • Username: something@outside_domain_being_federated.com
  • Email: something@work_email_domain_which_is_not_the_domain_being_federated.com
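The audit below is an added example, not code from the original post. Given a CSV export of the ABM / ASM account list and the domain you plan to federate, it applies the rule quoted from Apple’s documentation above (an email address in the federated domain causes the account name to be rewritten to match it) to predict which MAAs will be pulled into scope, and lists the ones whose email address must be moved first, as recommended above. The column names username and email, the corp-admin.example domain and the sample rows are assumptions constructed for this example; match the columns to your own export.

```python
# Added example (not from the original post): pre-federation audit of Managed
# Apple Accounts. It models Apple's documented rule that an existing account
# whose email address is in a federated domain has its account name changed to
# match that email address. Column names "username" and "email" are assumed;
# adjust them to match your own ABM / ASM export.
import csv
import io

# Constructed sample export. "company.com" is the domain about to be federated;
# "corp-admin.example" is a separate domain set up in ABM / ASM for service
# accounts that should keep using Apple's own authentication.
SAMPLE_EXPORT = """username,email
jdoe@company.com,jdoe@company.com
svc-abm@corp-admin.example,svc-abm@company.com
SVC-VPP@corp-admin.example,svc-vpp@COMPANY.COM
svc-dep@corp-admin.example,svc-dep@corp-admin.example
"""


def domain_of(address):
    """Lower-cased domain part of an email-style identifier, or None if it has none."""
    address = address.strip()
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1].lower()


def predict_after_federation(username, email, federated_domains):
    """Apply the documented rule and return (username_after, in_scope_after).

    The email address itself is left unchanged; only the account name may be
    rewritten. Domain comparison is case-insensitive and exact: subdomains are
    not treated as part of a federated parent domain here (assumption)."""
    fed = {d.lower() for d in federated_domains}
    username = username.strip()
    email = email.strip()
    if domain_of(email) in fed:
        username = email  # account name is rewritten to match the email address
    return username, domain_of(username) in fed


def classify(username, email, federated_domains):
    """Label one account for the pre-federation review."""
    fed = {d.lower() for d in federated_domains}
    if domain_of(username) in fed:
        return "in-scope"    # account name is already in a federated domain
    if domain_of(email) in fed:
        return "pulled-in"   # outside domain today, but will be renamed into scope
    return "outside"         # stays on Apple's own authentication


def audit(csv_text, federated_domains):
    """Parse the export and return one dict per account with the predicted outcome."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        username, email = row["username"], row["email"]
        after, in_scope = predict_after_federation(username, email, federated_domains)
        status = classify(username, email, federated_domains)
        action = None
        if status == "pulled-in":
            action = ("change email to a domain outside %s before federating"
                      % ", ".join(sorted(federated_domains)))
        results.append({"username": username, "email": email, "status": status,
                        "username_after": after, "in_scope_after": in_scope,
                        "action": action})
    return results


def accounts_needing_action(csv_text, federated_domains):
    """Only the accounts whose email address must be moved before federation."""
    return [r["username"] for r in audit(csv_text, federated_domains)
            if r["status"] == "pulled-in"]


if __name__ == "__main__":
    for r in audit(SAMPLE_EXPORT, ["company.com"]):
        print("%-28s %-10s -> %s%s" % (r["username"], r["status"], r["username_after"],
                                       "  ACTION: " + r["action"] if r["action"] else ""))
```

Run it against a real export before you federate: every account reported as pulled-in is one whose login will start being forwarded to the IdP even though its account name was deliberately placed in another domain. The accounts reported as in-scope are expected to federate; the ones reported as outside need no change.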

As far as I know, this is a one-time change which is made by the initial ABM / ASM federation process. But I do not know that with 100% certainty, so please make sure to ask the folks at Apple about this issue if you’re planning an ABM / ASM federation process and have existing MAAs which may be affected by this.


Source: https://derflounder.wordpress.com/2024/10/21/managed-apple-accounts-which-were-out-of-scope-for-abm-or-asm-federation-may-be-changed-to-be-in-scope-by-the-federation-process/