Apple Business Manager Synchronisation Fails with "SystemForCrossDomainIdentityManagementCredentialValidationFailure"

Derek Williams 50 Reputation points
2023-07-05T07:23:54.68+00:00

Good morning

I've had a look through other questions but haven't been able to find an answer for this one.

Late last year we started using Apple Business Manager to sync accounts from AzureAD as our MDM Solution. Setup went fine and has been without issue since, until today.

This morning I received an e-mail with the following error:

"While attempting to validate our authorization to access your application, we received this unexpected response: Received response from Web resource. Resource: https://federation.apple.com/feeds/business/scim/Users?filter=userName+eq+"AzureAD_Test-d1611db6-092a-428e-baa7-807e673bbd36" Operation: GET Response Status Code: Forbidden Response Headers: Connection: keep-alive Pragma: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains X-Frame-Options: SAMEORIGIN Keep-Alive: timeout=30 Cache-Control: no-store Date: Wed, 05 Jul 2023 00:55:57 GMT Server: Apple Response Content: Token validation failed. Please check the service"

Since then I've checked ABM in AzureAD, which stated it was under quarantine - I've checked the logs and can find no reason for it being quarantined.

I logged into ABM itself which seems to be running fine. As a precaution based on 'Token Validation Failed' I recreated both the VPP and Directory Sync tokens in ABM and uploaded them to AzureAD. I also tested the connection under Admin Credentials in ABM > Provisioning in AzureAD - this also came back successfully.

The only other error I'm seeing is below. It would seem to suggest the tokens are wrong but as they've been freshly created I'm stumped. None of our credentials have changed either.

SCIM

Has anyone seen this issue before? If so, how did you resolve it?

UPDATE - I recreated the secret token again in ABM and copied it across to Enterprise Apps > ABM > Provisioning > Admin Credentials, saved and tested. It worked fine, I was even able to manually provision a new user.

I set the provisioning to start again, and after a few minutes it started to kick up the same error. Testing the credentials under ABM > Provisioning > Admin Credentials now fails with the same problem as before. Again, no quarantine activity has been logged.

Azure Managed Applications
Azure Managed Applications
An Azure service that enables managed service providers, independent software vendors, and enterprise IT teams to deliver turnkey solutions through the Azure Marketplace or service catalog.
142 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,797 questions
{count} votes

Accepted answer
  1. Danny Zollner 10,056 Reputation points Microsoft Employee
    2023-07-05T18:28:35.72+00:00

    I checked into this with our engineering team - appears to be/have been an issue with Apple's SCIM service.

    5 people found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Derek Williams 50 Reputation points
    2023-07-06T08:18:53.1466667+00:00

    Thanks Danny - looks to have been the case. I started provisioning off again this morning after pausing it due to the errors yesterday and it's passed the last couple of provisioning intervals without issue, I'll mark this one as resolved.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.