We recently initiated Federated Authentication in our environment and I have noticed a strange thing - if I am trying to add an account via Apple Business Manager and I want to set its "Role" to Administrator - it automatically selects Authentication: "Apple". Only if I select Staff it is added as "Federated". Does it mean that Administrator "Role" account on Business Apple Manager can only be authenticated via Apple? As it requires attaching a working phone number in such case... Any insight on this would be great!
This is the case for a lot of applications behind an identity provider or federated login. It makes sense if you think about it. It's so if there's an issue with federation, your admins can log in to fix it. Avoiding all eggs in the federated basket.
I see your point, the issue is - admin Apple auth account requires attaching a personal phone and what if admin is out of country and there is something that urgently needs to be done with admin rights?
"or add .appleid like Apple recommends" - could you point me please to the documentation where this is recommended?
Otherwise I think it answers my question: ABM admins can only have non-federated Apple ID accounts with personal phone MFA authentication, am I understanding this correctly?