Hey DMoenks,
I think I can provide an opinion on the topic. Note, all organizations differ and I have no insight into your operations and the decisions made in the past that have led you to this moment in time. However, what I can offer is the approach I use when consulting with businesses of all sizes.
Now, before I get into the weeds on this, I am going to assume you are talking about administrative roles, not Managed Apple IDs. If you are talking Managed Apple IDs, and you have a use case for them, then federate, sync, and call it a day (well, then call it a day the day after you spend a month assisting people migrate pre-existing Apple IDs that were set up using your domain...).
Ok, the rules of Apple Business Manager. ABM establishes chain of custody trust between your business and Apple. When first established, someone with legal binding authority completed the setup and verification. This trust allows the linking of hard and soft assets. These assets can then be assigned to DEP Tokens (your MDM server) and VPP tokens (apps and books). These tokens are then distributed to the regional MDM servers. And then MDM administrators can work independently of ABM.
My guess is that you have multiple MDMs and that hardware class auto-assignment is not possible. This means there is someone who must log into ABM and assign the hardware as it is purchased (I also assume you have multiple reseller numbers for your various countries of operation - no one wants to pay VAT).
This is your opportunity to use roles in ABM. Remember, you can only have 5 administrators in ABM. This role is the god role and is able to do everything. Now, technically you can share credentials and add cell numbers to the MFA list to allow more than 5 people to access the admin accounts. But, sharing credentials? In 2025? That is a no-no. If your organization does any type of annual compliance review, sharing credentials will be a red flag and I am sure you, like me, hate writing justification documents. Try not to share credentials.
Instead, use roles, found under Access Management. Roles include: Administrator, People Manager, Device Enrollment Manager, Content Manager, and Staff. Users can be assigned multiple roles.
Here is a scenario that may work for you. Let's say you are the main admin. You signed the paperwork and you are god. But, you have offices in the US, Germany, France, and Japan. Each of these locations has a local reseller or Apple sales channel and each buys equipment that is automatically assigned to the single ABM. Likewise, these locations have different business roles, and thus, different application needs. Someone with local knowledge needs to be able to assign hardware to an MDM and software to VPP.
I would structure the accounts so each location has a user who gets the Device Enrollment Manager role, allowing the person to assign new hardware assets to their MDM server. Then, determine who the content manager is and give that person the role of Content Manager. This will allow that person to license/purchase software and assign it to the correct location. If the person is one and the same, assign them both roles.
By doing this, you comply with a couple of good rules of thumb. 1: You are providing a unique account for each person. If the person leaves the organization, shutting down the account impacts one and only one person... the one that left. Remember, sharing credentials is a no-no as you must change the password every time there is an HR stir-up. 2: You are using delegated rights to ensure no edge user is god. 3: You are providing the regional admins the appropriate level of access, not more than they need.
Ok, hope this helps in thinking this through. Always avoid sharing credentials. It is a nightmare that will come back to haunt you.
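As an added example (my own illustration, not code from this thread or from any Apple tool), here is a small Python access-review check that encodes the three rules of thumb above over a constructed account list: it flags shared logins, Administrator rights held outside the head office, more than five Administrators, and regions that lack a Device Enrollment Manager or Content Manager. The `HQ` location name and the example.com accounts are assumptions.

```python
from collections import Counter

# Roles listed under ABM Access Management, as named in the post above.
ABM_ROLES = {"Administrator", "People Manager", "Device Enrollment Manager",
             "Content Manager", "Staff"}
MAX_ADMINS = 5  # ABM allows at most five Administrator accounts
DELEGATED = ("Device Enrollment Manager", "Content Manager")

def review_abm_accounts(accounts, locations, admin_locations=("HQ",)):
    """Return (check, detail) findings for a proposed ABM role layout.
    accounts: dicts with account, users (people who log in with it), location, roles."""
    findings = []
    for a in accounts:
        unknown = a["roles"] - ABM_ROLES
        if unknown:
            findings.append(("unknown-role", f"{a['account']}: {sorted(unknown)}"))
        # Rule 1: one account per person; a shared login cannot be revoked for one leaver.
        if len(a["users"]) != 1:
            findings.append(("shared-credential", a["account"]))
        # Rule 2: no regional ("edge") user holds the all-powerful Administrator role.
        if "Administrator" in a["roles"] and a["location"] not in admin_locations:
            findings.append(("edge-admin", a["account"]))
    admins = sum("Administrator" in a["roles"] for a in accounts)
    if admins > MAX_ADMINS:
        findings.append(("admin-cap", f"{admins} > {MAX_ADMINS}"))
    # Rule 3: each region has the delegated roles it needs, so nobody falls back to sharing.
    cover = Counter((a["location"], r) for a in accounts for r in DELEGATED if r in a["roles"])
    for loc in locations:
        for r in DELEGATED:
            if not cover[(loc, r)]:
                findings.append(("missing-role", f"{loc}: {r}"))
    return findings

# Constructed sample layout (hypothetical accounts, not taken from the thread).
SAMPLE = [
    {"account": "abm-owner@example.com", "users": ["Main admin"], "location": "HQ",
     "roles": {"Administrator"}},
    {"account": "us-it@example.com", "users": ["US IT lead"], "location": "US",
     "roles": {"Device Enrollment Manager", "Content Manager"}},
    {"account": "de-mdm@example.com", "users": ["DE MDM admin"], "location": "Germany",
     "roles": {"Device Enrollment Manager"}},
    {"account": "de-apps@example.com", "users": ["DE app owner"], "location": "Germany",
     "roles": {"Content Manager"}},
    # Two anti-patterns the post warns against: a shared login and a regional Administrator.
    {"account": "fr-shared@example.com", "users": ["FR tech A", "FR tech B"],
     "location": "France", "roles": {"Device Enrollment Manager", "Content Manager"}},
    {"account": "jp-admin@example.com", "users": ["JP IT"], "location": "Japan",
     "roles": {"Administrator", "Device Enrollment Manager"}},
]
```

Running `review_abm_accounts(SAMPLE, ["US", "Germany", "France", "Japan"])` reports the shared French login, the Japanese edge Administrator, and the missing Content Manager for Japan.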