
I'm currently setting up Office 365 users in Apple School Manager (ASM). For this, I've enrolled all but 2 users to ASM through Azure AD. This is the issue:

User first.lastname@domain.onmicrosoft.com is the only user that wasn't created in ASM.

I tried creating first.lastname1@domain.onmicrosoft.com but it didn't sync.

This is the log entry on Azure AD:

1. urn:ietf:params:scim:schemas:extension:enterprise:2.0:User aus Azure Active Directory importieren ✅
2. Ermitteln, ob urn:ietf:params:scim:schemas:extension:enterprise:2.0:User sich im Bereich befindet ✅ 
3. urn:ietf:params:scim:schemas:extension:enterprise:2.0:User zwischen Azure Active Directory und AppleSchoolManager abgleichen ❎

EntrySynchronizationError

Ergebnis: Failure

Beschreibung: Failed to match an entry in the source and target systems User 'first.lastname@domain.onmicrosoft.com'

ErrorCode: SystemForCrossDomainIdentityManagementClientError

ErrorMessage:

Received response from Web resource. Resource: https://federation.apple.com/feeds/school/scim/Users?filter=userName+eq+"first.lastname%40domain.onmicrosoft.com" Operation: GET Response Status Code: Forbidden Response Headers: Connection: keep-alive Strict-Transport-Security: max-age=31536000; includeSubdomains X-Frame-Options: SAMEORIGIN Keep-Alive: timeout=30 Date: Thu, 22 Apr 2021 13:07:43 GMT Server: Apple Response Content: <html> <head><title>403 Forbidden</title></head> <body> <center> <h1>403 Forbidden</h1></center> <hr><center>Apple</center> </body> </html> . This operation was retried 0 times. It will be retried again after this date: 2021-04-22T13:07:43.1354940Z UTC

ReportableIdentifier
first.lastname@domain.onmicrosoft.com

Sadly, Google didn't bring up many solutions for these error codes. This is my last hope: that someone might know the solution to my issue.

Thanks for any advice in advance!

user3600163

1 Answer


HTTP 403 Forbidden.

This was given from the Apple side? Check your credentials on the Apple side.

The prerequisites say that you need an Apple School Manager account with the role of Administrator, Site Manager, or People Manager.

Follow the steps here: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/apple-school-manager-provision-tutorial

Noor Khaldi
  • Thanks a lot for your answer! The ASM account is for setting up SCIM. I used the user which has the needed rights. It worked for 400+ other accounts, it just didn't for this one. I'm currently testing whether new users get synced between Azure AD and ASM. – user3600163 Apr 28 '21 at 17:50
  • New users are synchronised without any issues. I will delete the affected user and try creating a new user with the same name. Will update soon. – user3600163 Apr 28 '21 at 17:58
  • If it is only failing for a few users, then you need to check the logs more and see why it is failing with the HTTP 403 errors. This is a generic error; it doesn't give the full picture at this point. I would suggest checking the logs from the Apple side of things too, to see why the MS connector is being denied access to update those users. – Noor Khaldi Apr 28 '21 at 17:58
  • Ah nice, we're making comments at the same time :) I've seen instances where sometimes an account is locked at the destination service like Apple or Google, sometimes for stupid reasons like the user hasn't changed the default password or hasn't claimed a license just yet. It's hard to troubleshoot those because each service works differently. Deleting/recreating the account could be the best way to go, although we won't know why it didn't sync in the first place, but if it works then it works. – Noor Khaldi Apr 28 '21 at 18:00
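One way to check the Apple side independently of the Azure AD connector, as an added example that is not from the question, the answer or Microsoft's tutorial: it rebuilds the exact SCIM "match" query from the log above and classifies the reply, so a 403 (token accepted, read refused) is told apart from a rejected token or a plain "no such user yet". The endpoint and user name are the ones in the log; the bearer token is a placeholder you take from the ASM SCIM connection settings, and the sample replies are constructed.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Endpoint and user name below are the ones quoted in the Azure AD log in the question.
SCIM_BASE = "https://federation.apple.com/feeds/school/scim"
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def build_match_url(user_name, base=SCIM_BASE):
    """Same lookup Azure AD logged: GET /Users?filter=userName eq "<upn>" ('+' for space, %40 for '@')."""
    return f"{base}/Users?" + urllib.parse.urlencode({"filter": f'userName eq "{user_name}"'})

def classify_match_response(status, content_type, body):
    """Translate the SCIM reply into what the provisioning 'match' step means."""
    if status == 401:
        return "unauthorized"   # token rejected: fix the Secret Token in the Azure provisioning settings
    if status == 403:
        return "forbidden"      # token accepted but read refused: ASM role, scope or account state
    if status != 200 or "json" not in content_type.lower():
        return "unexpected"     # e.g. an HTML error page instead of SCIM JSON
    data = json.loads(body)
    if LIST_RESPONSE not in data.get("schemas", []):
        return "unexpected"
    # "no-match" is normal for a new user: Azure AD then moves on to a POST /Users (create)
    return "matched" if data.get("totalResults", 0) > 0 else "no-match"

def query_scim_user(user_name, bearer_token):
    """Run the lookup for real (needs network and an ASM SCIM token; not exercised offline)."""
    req = urllib.request.Request(build_match_url(user_name), headers={
        "Authorization": f"Bearer {bearer_token}", "Accept": "application/scim+json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as r:
            return classify_match_response(r.status, r.headers.get("Content-Type", ""), r.read().decode())
    except urllib.error.HTTPError as e:
        return classify_match_response(e.code, e.headers.get("Content-Type", ""), e.read().decode())

# Constructed sample replies for offline use: the HTML 403 from the question plus two SCIM bodies.
APPLE_403_HTML = "<html><head><title>403 Forbidden</title></head><body><h1>403 Forbidden</h1></body></html>"
NO_MATCH_BODY = json.dumps({"schemas": [LIST_RESPONSE], "totalResults": 0, "Resources": []})
MATCH_BODY = json.dumps({"schemas": [LIST_RESPONSE], "totalResults": 1, "Resources": [
    {"id": "constructed-id", "userName": "first.lastname@domain.onmicrosoft.com"}]})

def demo():
    """Classify the three constructed replies; returns a dict rather than printing."""
    return {"question_log": classify_match_response(403, "text/html", APPLE_403_HTML),
            "absent_user": classify_match_response(200, "application/scim+json", NO_MATCH_BODY),
            "present_user": classify_match_response(200, "application/scim+json", MATCH_BODY)}
```

Running `query_scim_user("first.lastname@domain.onmicrosoft.com", token)` with a token from an account holding one of the roles named in the answer and getting "forbidden" while another user returns "no-match" or "matched" points at the state of that one account on the Apple side rather than at the connector.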