Migrating personal Apple IDs to Apple Business Manager with Entra ID and Domain Capture

I have about 150 users currently set up using "personal" Apple IDs on our domain, and ideally we'd have them as managed accounts in Apple Business Manager with federated authentication on Entra and Intune as our MDM. I believe that we can get there by initiating a domain capture and setting up sign in and directory sync, but I have too many question marks left after reviewing Apple's support guides to justify blindly charging in. I was hoping that some of you may have gone through this process before and could help a fella out.


Feel free to answer only the questions you have experience with.


Specifically:


  • Do all Apple ID conflicts need to be resolved before Entra ID can be synced?
  • Are users generally able to get their own account transferred during domain capture, or do admins typically need to assist with that?
  • Can data from users who say they have "Personal" accounts and switch out their emails still be recovered for company accounts? What about for users who fail to answer in the 30 day window?
  • What happens to the credentials of existing accounts when Entra ID sync is enabled? Are they completely overwritten with the Microsoft credentials, or do they create conflicts?
  • If the user has a mix of company data and personal data on their Apple ID, how can that be handled?
  • Are Entra ID users able to sign in and enroll into Intune directly in setup assistant once the domain is captured?
  • Is there a way to test domain capture and Entra ID federation small scale before deploying to the entire organization?


THANK you

Posted on Nov 18, 2025 2:06 PM

Question marked as Top-ranking reply

Posted on Nov 19, 2025 4:36 PM

Users "should" be able to do this on their own. I recommend communication in advance. Everyone with a PAID using your domain will receive an email from Apple titled “Update your Apple Account by <date>.” This email will direct the users to "<Company Name> recently enabled Managed Apple IDs to reclaim Apple IDs that include <company’s domain> in the email address (for example, user@<companydomain>). If you are using the Apple ID for personal use, you may keep the account personal (requires updating the email address). However, if the account is used for <company’s name> business only, it can be transferred to a work account and the email will remain unchanged. You have 30 days to decide what to do with the ID." There will be a Get Started button that will send them to log into Apple's identity server. Once logged in, the user will be presented with two options: Transfer to a work account or Keep as a personal account.


Once a user completes the process, they will be guided to log out. I recommend waiting about 5 minutes before attempting to log back in.


  • Can data from users who say they have "Personal" accounts and switch out their emails still be recovered for company accounts? What about for users who fail to answer in the 30 day window?


Data. No. If a user opts to convert to a personal account, all information stays with the user. Remember, just because the ID started with your domain in the ID does not make it property of the company. The IDs you have now are personal IDs regardless of the domain in the ID. If a user opts to keep the ID, then they will be forced to change the associated email. This will free up your domain ID and then it will become a new, empty managed Apple ID. Simple example. bob@yourcompany.com decided he wants everything in the Apple ID and he keeps it personal. He changes the associated email to bob@somepersonaldomain.com. Once this conversion is complete, then Bob will be able to log into bob@yourcompany.com using federated credentials. There will be no data in the account. But you, the business, cannot access that data, purchases, subscriptions, etc.


  • What happens to the credentials of existing accounts when Entra ID sync is enabled? Are they completely overwritten with the Microsoft credentials, or do they create conflicts?


Not until you transfer to the work account. Again, the user has 30 days. They can continue to use the PAID without conversion... you know, to clean up :P. But once conversion is made, then the next login will redirect to your identity provider.


  • If the user has a mix of company data and personal data on their Apple ID, how can that be handled?


Carefully. Honestly, if there is truly personal content there, the user should keep it as a personal ID. In my mind it is easier to move company data back to the company than it is to remove personal data from an Apple ID (or risk losing it if it is one of the sanctioned services). These are a few of the points I share with end users to help them make the decision:

  • If the Apple ID contains personal information (email, photos, personal credit card information, text messages, health data), Keep as a personal account
  • If the Apple ID has any subscriptions or you have purchased any Apps using the ID that are not provided by the company (especially in-app purchases), Keep as a personal account


  • Are Entra ID users able to sign in and enroll into Intune directly in setup assistant once the domain is captured?


Ha! Fat chance. Yes, this was promised at WWDC. Does not work. Latest word on the street is Q1 2026. This is Platform SSO. If you have a Developer ID, check out the WWDC presentation titled "What's new in Apple device management." Sadly, it did not make the Tahoe release. Oh, and I should mention, this will require Tahoe to work. For older operating systems, you will still need to handle device registration after enrollment.


  • Is there a way to test domain capture and Entra ID federation small scale before deploying to the entire organization?


Answered above.



Hope this is helpful. You've got this. I've done this with Microsoft and Google domains. It is INFINITELY better since early 2025 as Apple made a number of great improvements. Just giving us a list of IDs (even if it is incomplete) is a huge win. But the federation process is also streamlined and improved.


Good luck.


Nov 19, 2025 4:36 PM in response to UniqueishIdentifier

This is a bold step and you should be sure that you can make the move without significant impact to services, features, etc. Here are some items to be cautious about in advance.


• Review the accounts used by IT and make sure that none of them have made purchases. MAIDs cannot participate in any store.

• Don't make the change near the time of a Push cert renewal if the ID is an ID that is going to be converted to a managed ID. No sense in adding that stress.

• If you use Apple's eCommerce portal for purchasing make sure the users do not convert the IDs to personal IDs.

• Make friends with your email admin so he/she can run a mail trace after enabling domain capture. While Apple now tells you the number of existing accounts, the report will only show accounts ACTIVE in the last year. So you may see that there are 100 accounts using your domain, but the report may show 80. The other 20 are inactive and the only way to discover who gets the email is to run a mail log trace. This can help identify outliers or rarely used accounts (like that one you created 10 years ago and purchased apps on and haven't used since getting ABM...)

• Understand the limitations of Apple IDs. What can they and what can they not do? For example, on a recent EDU engagement, I was shocked that I could not use Journal with MAIDs - thought it would be a great educational tool. I understand the decision (private thoughts) but I will admit I was caught off guard since services like Google Classroom are mining student data for self harm, drugs, violence, etc.


Note, you can do some of the steps in stages. However, to your question, "Is there a way to test domain capture and Entra ID federation small scale before deploying to the entire organization?" ... No. It is all or nothing. Unless you claim a second domain, create Apple IDs and then go through the entire lock, federation, and sync process on the test domain. When I first did this years ago, I signed up for a 30 day Microsoft trial, created personal Apple IDs, created users in Microsoft, and then claimed the test domain and validated the entire process. If you have a second domain, it is worth the learning experience.


Ok, so back to stages. If you have not yet Locked your domain, you can take that step without impacting any existing accounts. Locking the domain will stop the flow. No new Apple IDs can be created using your domain. This is as simple as logging into ABM > Preferences > Managed Apple Accounts > press Domain Capture on the domain that you want to lock down > Toggle Lock Domain to On. Note, this assumes you are working on a verified domain already and you understand that to unlock you will need to delete the domain and reclaim it. That should not be needed as Locking will only prevent new IDs from being created in your domain.


Now to your questions.


  • Do all Apple ID conflicts need to be resolved before Entra ID can be synced?


No. You can enable sync. Any conflicting accounts will have the 30 days to decide what to do. Any accounts that do not already have an Apple ID will be imported into ABM and be immediately available to users.


  • Are users generally able to get their own account transferred during domain capture, or do admins typically need to assist with that?
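An added example, not from any poster in this thread, of the mail trace suggested above: it pulls the recipients of Apple's "Update your Apple Account" notice from an Exchange Online message trace and compares them with the account list ABM reports, so the inactive accounts the report omits stand out. The Apple sender address, the ABM export path and its column name are placeholders you must fill in; the ABM list is assumed to have been saved as a CSV.

```powershell
# Added example (not from the thread). Requires the Exchange Online PowerShell
# module and an existing session (Connect-ExchangeOnline). Microsoft is phasing
# Get-MessageTrace out in favour of Get-MessageTraceV2; use whichever your tenant supports.

$AppleSender  = 'SENDER_ADDRESS_FROM_A_RECEIVED_NOTICE'   # placeholder: copy from a real notice's headers
$AbmExportCsv = 'C:\temp\abm-existing-accounts.csv'      # placeholder: the account list ABM gave you, saved as CSV
$EmailColumn  = 'Email'                                   # placeholder: CSV column holding the Apple ID e-mail

# Message trace only reaches back 10 days, so run this soon after enabling domain capture.
$start = (Get-Date).AddDays(-10)
$end   = Get-Date

# Page through the trace; 5000 is the maximum page size.
$recipients = @()
$page = 1
do {
    $batch = Get-MessageTrace -SenderAddress $AppleSender -StartDate $start -EndDate $end `
                              -PageSize 5000 -Page $page
    $recipients += $batch |
        Where-Object { $_.Subject -like 'Update your Apple Account*' } |
        Select-Object -ExpandProperty RecipientAddress
    $page++
} while ($batch.Count -eq 5000)

$notified = $recipients | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique

# Accounts ABM already knows about (only those active in the last year, per the thread).
$known = Import-Csv $AbmExportCsv |
    ForEach-Object { $_.$EmailColumn.ToLowerInvariant() } |
    Sort-Object -Unique

# Present only on the notified side: received Apple's notice but missing from ABM's report.
$outliers = Compare-Object -ReferenceObject $known -DifferenceObject $notified |
    Where-Object SideIndicator -eq '=>' |
    Select-Object -ExpandProperty InputObject

"$($notified.Count) addresses received the notice; $($known.Count) appear in the ABM report."
"Notified but not in the ABM report:"
$outliers
```

Keep the trace output: it is also your record of who was given the 30-day choice, which matters when someone later claims they never saw the notice.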


