Onboard Apple Users
The following steps will add the user to the appropriate groups and roles in Microsoft Entra ID (formerly Azure AD) so that the user is automatically provisioned on the Apple Business account with an Apple ID.
Open PowerShell and authenticate using the Microsoft Graph module:
- Install the Microsoft Graph module if needed:
    Install-Module Microsoft.Graph -Scope CurrentUser
- Import the required modules:
    Import-Module Microsoft.Graph.Groups, Microsoft.Graph.Users, Microsoft.Graph.Applications
- Connect to Microsoft Graph with the required scopes:
    Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All", "Application.Read.All", "AppRoleAssignment.ReadWrite.All"
Find the info for the Apple Business security group:
    Get-MgGroup -Filter "displayName eq 'Apple Business'"
Add the user to the Apple Business security group:
    $userUPN = "user.name@xentermd.com"
    $groupName = "Apple Business"
    $user = Get-MgUser -Filter "userPrincipalName eq '$userUPN'"
    $group = Get-MgGroup -Filter "displayName eq '$groupName'"
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
Get the Enterprise Application info for Apple Business Manager:
    Get-MgServicePrincipal -Filter "displayName eq 'Apple Business Manager'"
Check the list of current members using the object Id from the previous step. This returns the current app role assignments, one per assigned user, each with the user's PrincipalId and PrincipalDisplayName.
    $sp = Get-MgServicePrincipal -Filter "displayName eq 'Apple Business Manager'"
    Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id
You will need the following Ids in order to add a user to the Apple Business application.
- ServicePrincipalId: The Id of the app’s service principal.
- ResourceId: The Id of the app’s service principal.
- AppRoleId: The Id of the AppRole (defined in the app’s service principal).
- PrincipalId: The Id of the user.
The ServicePrincipalId and ResourceId are both the service principal Id returned by Get-MgServicePrincipal in the steps above (steps 5/6).
Obtain the AppRoleId. Check if the application has custom roles defined:
    $sp = Get-MgServicePrincipal -Filter "displayName eq 'Apple Business Manager'"
    $sp.AppRoles | Format-Table DisplayName, Id, Value
If AppRoles is empty (no output), use the default user access role:
    00000000-0000-0000-0000-000000000000
If roles are listed, use the Id for the user role (not msiam_access).
Add the user to the Apple Business Enterprise Application in Microsoft Entra ID (the hashtable entries must be on separate lines or separated by semicolons):
    $userUPN = "user.name@xentermd.com"
    $user = Get-MgUser -Filter "userPrincipalName eq '$userUPN'"
    $sp = Get-MgServicePrincipal -Filter "displayName eq 'Apple Business Manager'"
    $params = @{
        PrincipalId = $user.Id
        ResourceId  = $sp.Id
        AppRoleId   = "00000000-0000-0000-0000-000000000000"  # Default role if AppRoles is empty
    }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -BodyParameter $params
Provide the user with their Microsoft Entra ID joined Apple device and have them log in using the new user.name@xentermd.com Apple ID.
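The steps above wrapped into one re-runnable function, added here as an example and not part of the original page. It skips the group add and the role assignment when they already exist, so running it twice for the same user does not create duplicate assignments. The Add-AppleBusinessUser name and the rule for picking a custom role (first enabled role whose Value is not msiam_access) are assumptions; pass -AppRoleId explicitly if the tenant's role layout differs.

```powershell
function Add-AppleBusinessUser {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [string] $GroupName = "Apple Business",
        [string] $AppDisplayName = "Apple Business Manager",
        [string] $AppRoleId           # optional: set this when the app defines custom roles
    )
    $defaultRoleId = "00000000-0000-0000-0000-000000000000"   # default user access role

    $user  = Get-MgUser -Filter "userPrincipalName eq '$UserPrincipalName'"
    $group = Get-MgGroup -Filter "displayName eq '$GroupName'"
    $sp    = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
    if (-not $user -or -not $group -or -not $sp) {
        throw "Could not resolve user, group or service principal; check the names."
    }

    # Step 1: security group membership, skipped if the user is already a member.
    $isMember = Get-MgGroupMember -GroupId $group.Id -All | Where-Object { $_.Id -eq $user.Id }
    if ($isMember) {
        Write-Host "$UserPrincipalName is already a member of '$GroupName'"
    } else {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
        Write-Host "Added $UserPrincipalName to '$GroupName'"
    }

    # Step 2: choose the AppRoleId the same way the manual steps do.
    if (-not $AppRoleId) {
        if (-not $sp.AppRoles -or $sp.AppRoles.Count -eq 0) {
            $AppRoleId = $defaultRoleId
        } else {
            # Assumption: the first enabled role that is not msiam_access is the user role.
            $role = $sp.AppRoles |
                Where-Object { $_.IsEnabled -and $_.Value -ne 'msiam_access' } |
                Select-Object -First 1
            if (-not $role) { throw "No usable app role found; pass -AppRoleId explicitly." }
            $AppRoleId = $role.Id
        }
    }

    # Step 3: app role assignment, skipped if this user already has one on the app.
    $existing = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
        Where-Object { $_.PrincipalId -eq $user.Id }
    if ($existing) {
        Write-Host "$UserPrincipalName is already assigned to '$AppDisplayName'"
        return $existing
    }
    $params = @{ PrincipalId = $user.Id; ResourceId = $sp.Id; AppRoleId = $AppRoleId }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -BodyParameter $params
}

# Usage, after Connect-MgGraph with the scopes listed above:
# Add-AppleBusinessUser -UserPrincipalName "user.name@xentermd.com"
```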