I checked into this with our engineering team - appears to be/have been an issue with Apple's SCIM service.
Apple Business Manager Synchronisation Fails with "SystemForCrossDomainIdentityManagementCredentialValidationFailure"
Good morning
I've had a look through other questions but haven't been able to find an answer for this one.
Late last year we started using Apple Business Manager to sync accounts from AzureAD as our MDM Solution. Setup went fine and has been without issue since, until today.
This morning I received an e-mail with the following error:
"While attempting to validate our authorization to access your application, we received this unexpected response: Received response from Web resource.
Resource: https://federation.apple.com/feeds/business/scim/Users?filter=userName+eq+"AzureAD_Test-d1611db6-092a-428e-baa7-807e673bbd36"
Operation: GET
Response Status Code: Forbidden
Response Headers:
Connection: keep-alive
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains
X-Frame-Options: SAMEORIGIN
Keep-Alive: timeout=30
Cache-Control: no-store
Date: Wed, 05 Jul 2023 00:55:57 GMT
Server: Apple
Response Content: Token validation failed. Please check the service"
Since then I've checked ABM in AzureAD, which stated it was under quarantine - I've checked the logs and can find no reason for it being quarantined.
I logged into ABM itself which seems to be running fine. As a precaution based on 'Token Validation Failed' I recreated both the VPP and Directory Sync tokens in ABM and uploaded them to AzureAD. I also tested the connection under Admin Credentials in ABM > Provisioning in AzureAD - this also came back successfully.
The only other error I'm seeing is below. It would seem to suggest the tokens are wrong but as they've been freshly created I'm stumped. None of our credentials have changed either.
Has anyone seen this issue before? If so, how did you resolve it?
UPDATE - I recreated the secret token again in ABM and copied it across to Enterprise Apps > ABM > Provisioning > Admin Credentials, saved and tested. It worked fine, I was even able to manually provision a new user.
I set the provisioning to start again, and after a few minutes it started to kick up the same error. Testing the credentials under ABM > Provisioning > Admin Credentials now fails with the same problem as before. Again, no quarantine activity has been logged.
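The notification quoted in the question is the standard "Received response from Web resource" text that Azure AD provisioning e-mails as one run-together line. As an added example (not from the question, the answers, or Microsoft/Apple), the script below parses that line into its resource URL, operation, status, headers and body, pulls the SCIM filter out of the URL, and classifies the failure the way a triage note would: a 401/403 whose body mentions the token means the SCIM endpoint rejected the bearer credential, which, after a fresh token has already passed Test Connection, points at the endpoint's validation rather than the stored secret. The sample text is the question's own notification; the function names and the triage labels are assumptions of this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the notification from the question, as Azure AD delivers it (one line).
SAMPLE_NOTIFICATION = (
    "While attempting to validate our authorization to access your application, "
    "we received this unexpected response: Received response from Web resource. "
    "Resource: https://federation.apple.com/feeds/business/scim/Users?filter=userName+eq+"
    '"AzureAD_Test-d1611db6-092a-428e-baa7-807e673bbd36" '
    "Operation: GET Response Status Code: Forbidden Response Headers: Connection: keep-alive "
    "Pragma: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains "
    "X-Frame-Options: SAMEORIGIN Keep-Alive: timeout=30 Cache-Control: no-store "
    "Date: Wed, 05 Jul 2023 00:55:57 GMT Server: Apple "
    "Response Content: Token validation failed. Please check the service"
)

# The fixed field labels Azure AD uses in this notification, in the order they appear.
FIELD_RE = re.compile(
    r"Resource:\s*(?P<resource>\S+)\s+"
    r"Operation:\s*(?P<operation>\S+)\s+"
    r"Response Status Code:\s*(?P<status>.+?)\s+"
    r"Response Headers:\s*(?P<headers>.*?)\s+"
    r"Response Content:\s*(?P<content>.*)$",
    re.S,
)

# A header name is a token of letters/digits/hyphens followed by ':' at a word boundary;
# values such as "00:55:57" start with a digit and therefore never match.
HEADER_NAME_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9-]*):\s+")


def parse_headers(blob):
    """Split the run-together header dump into a dict, splitting at each header name."""
    headers = {}
    matches = list(HEADER_NAME_RE.finditer(blob))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(blob)
        headers[m.group(1)] = blob[m.end():end].strip()
    return headers


def parse_notification(text):
    """Extract resource, operation, status, headers and body from the notification text."""
    m = FIELD_RE.search(text)
    if m is None:
        raise ValueError("not a 'Received response from Web resource' notification")
    return {
        "resource": m.group("resource"),
        "operation": m.group("operation"),
        "status": m.group("status").strip(),
        "headers": parse_headers(m.group("headers")),
        "content": m.group("content").strip(),
    }


def scim_filter(resource_url):
    """Return the SCIM 'filter' query parameter of the failing request, decoded."""
    query = parse_qs(urlsplit(resource_url).query)
    return query.get("filter", [None])[0]


def triage(parsed):
    """Classify the failure for a first-line triage note (labels are this example's own)."""
    status = parsed["status"]
    body = parsed["content"].lower()
    auth_failures = {"401", "403", "Unauthorized", "Forbidden"}
    if status in auth_failures and "token" in body:
        # The endpoint accepted the TLS connection but rejected the bearer token.
        # Verify the stored secret first; if a freshly rotated token passes Test Connection
        # and is then rejected minutes later, suspect the endpoint's token validation.
        return "token_rejected"
    if status.startswith("5") or status in {
        "InternalServerError", "BadGateway", "ServiceUnavailable", "GatewayTimeout"
    }:
        return "endpoint_error"
    return "other"


if __name__ == "__main__":
    parsed = parse_notification(SAMPLE_NOTIFICATION)
    print(parsed["operation"], parsed["status"], "->", triage(parsed))
    print("filter:", scim_filter(parsed["resource"]))
    for name, value in parsed["headers"].items():
        print(f"  {name}: {value}")
```

Pasting the text of a new notification into `SAMPLE_NOTIFICATION` gives the same breakdown; the header dictionary is useful because the `Date` and `Server` values say which side produced the response and when, which is what you need when comparing against the provisioning log and the endpoint's own status.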
Danny Zollner 10,071 Reputation points Microsoft Employee
2023-07-05T18:28:35.72+00:00
Derek Williams 50 Reputation points
2023-07-06T08:18:53.1466667+00:00
Thanks Danny - looks to have been the case. I started provisioning off again this morning after pausing it due to the errors yesterday, and it's passed the last couple of provisioning intervals without issue; I'll mark this one as resolved.