Azure Active Directory Support for Apple School Manager

Yesterday's announcement that Apple would now support Microsoft Azure AD in Federated Authentication barely made a ripple in the larger Apple world, especially with the trickle of exciting consumer updates that arrived this week. But this feature is a big deal to educational technologists and IT professionals who support school technology.

What is Federated Authentication?

There's a fair bit of jargon swirling around Single Sign-On (SSO) and Federated Identity (FID). That's because verifying that you are who you say you are, and that you are authorized to have access to something, is one of the most critical and potentially dangerous segments of information technology. Precise language goes with the territory. The answer that makes the most sense to end-users is that these systems, policies and technologies make it possible for one set of securely managed credentials to be used for multiple services or in different contexts.

Why do I need Federated Authentication?

There are multiple advantages to using Single Sign-On.

  1. It's easier. End-users don't have to keep track of many logins, and in the education context, IT staff don't have to create redundant accounts.
  2. It's seamless/flexible. Federated Authentication is one tool that IT professionals use to build up ecosystems of connected but discrete technology. Putting multiple best-in-class services from different vendors under one umbrella gives the best compromise between "done right" and "works well" for end-users. Shared authentication makes an integrated experience possible.
  3. It's more secure. Rather than many different services gaining access to a user's credentials, only the authentication service has access. That service is laser-focused on security and validation. Nobody gets by the gatekeeper, and other vendors can focus on solutions to the problems they solve.

Why is Azure AD important for Apple School Manager?

Apple and Google are the two major platforms for education that schools choose between today, for both hardware and software. Google offers a comprehensive set of apps and email behind one Google login through its single-vendor cloud services.

Apple has always offered a best-in-class suite of tools for education, but has had some catching up to do on data management and cloud storage for shared devices. Apple also doesn't provide email and has no plans to. Integration with Azure AD is a big step toward achieving feature-set parity with Google in a multi-user environment, and creates the link with Office 365, Microsoft's market-leading email service.

What can IT support do with Azure AD now?

Apple School Manager can be linked to an instance of Microsoft Azure Active Directory through Federated Authentication. Azure AD usernames and passwords become Managed Apple IDs automatically, saving IT staff hours upon hours of repetitive and error-prone work.

End-users can then sign in to their iPad, Mac or iCloud on the web using their Azure AD credentials, and students can sign in to shared iPads using their existing logins.

The future may hold more exciting improvements (at least we can dream)

When a student logs into a Chromebook with their Google account, they have access to their data, documents and email without any further authentication. Someday, if the Federated Authentication framework is extended for Apple devices and accounts, students may be able to have a similar experience on Apple devices.

But here's the exciting part. Apple has shown that it's open to collaboration, even with long-time rivals, in order to provide a better experience for students. That means the door is open for more apps and services, more choice and a more customized educational experience than Google will be able to provide with its exclusionary ecosystem.