Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Did I accidentally provision Apple Internet Accounts with my own Azure AD user account

Copper Contributor

I was adding my O365 email account to my iPhone (Exchange Active-Sync) when I was prompted with the request below. I blindly tapped Accept (yes really should have read the fine print) and realised I probably should have lingered there a bit longer.

 

Sure enough in Azure AD user audit log is a Add app role assignment grant to user event followed by the following events from Apple Internet Accounts:

 

  • Add app role assignment grant to user (my account now a member of Exchange Admin, Helpdesk admin, Service Support and a few others
  • A Remove app role assignment from user event (not sure which one)
  • Add a deletion-marked app role assignment grant to user as part of link removal

I'm not even sure I want to provision Apple Internet Accounts in my tenant and certainly not with any of its services tied to my current account which was set up for me as global admin. (I am converting it to a regular account and setting up a separate admin account - see my other post on this matter: O365 / Azure AD - two accounts for admins v. PIM).

 

Can I remove my user account from all those admin roles?

Do I want to use Apple Internet Accounts even? I would think not?? as we don't provision devices (BYOD).

Can I un provision Apple Internet Accounts for now?

Can they make that sign in page look less like a phishing attempt lol?

 

IMG_0584.PNG

11 Replies

Hi @madcat 

 

You haven't created an Apple account.

The enterprise application 'Apple Internet Accounts' was created. This enables Apple to view your mailbox and utilize their native 'mail' app.

Check out this doc article for more information about applications.

 

You can remove this application from your tenant, but then you won't be able to utilize the Apple Mail app.

 

All in all, there is no harm done with having this application in your tenant. It just enables you to utilize the Apple Mail app.

Thanks for the reply @Thijs Lecomte:smile:

 

That sounds like it could be useful although it does add an additional security concern as our O365 deployment is purely cloud based at the moment and adding the macOS mail client to the ecosystem would increase our attack surface a little.

 

What would happen if I deleted the account I used to provision it or changed that account's role memberships? Would Apple Internet Accounts still work?

 

Also to the best of my knowledge we don't have or use Apple Business Manager. More to the point the only Apple ID on my iPhone is my personal one and I certainly don't have it so I wonder what triggered that prompt on my device?

These application do have a security concern indeed. I blogged about it a while ago: https://365bythijs.be/2020/01/05/protecting-against-oauth-attacks-setting-up-admin-consent-workflow/

Nothing would happen if you made changes to the account.
An enterprise application is not dependent on a user account, it's an entity on it's own.

You received this prompt because you tried to configure the Apple Mail app on your iPhone.

Thank you so much for your response and the blog links.

 

Do you think Azure Basic has sufficient functionality to secure our tenant against such threats?

 

We are only on Office 365 Essentials and trying to minimise costs at this difficult time (COVID) but I keep coming across documentation about elements such as conditional access policies, MDM, PIM etc. and wonder if they are necessary even for a small business.

best response confirmed by madcat (Copper Contributor)
Solution
Azure Basic has functionality to keep a tenant secure, but it is, well... basic

First of all, I would recommend turning off User Application consent (like mentioned in the blog I added previously).

Secondly, I would really recommend configuring Multifactor Authentication.
MFA can be configured through two ways: Conditional Access and Security Defaults.

Security Defaults are a free option, check out this blog for more information:
https://365bythijs.be/2019/11/26/what-is-azure-ad-security-defaults-should-you-be-using-it/

I wouldn't worry about MDM and PIM during this time.

If you have configured MFA, you have a good baseline

Thank you so much for your time your responses have been invaluable. :smile:

@Thijs Lecomte, a user told me that they got the prompt when they tried to configure email on a Mac. Is this possible on a Mac and ipad as well? I may have misunderstood the user, but I would love to know the difference.

@Kdships 

 

It's possible. I don't know exactly how the Mail app on MacOS works.

Most third party apps that integrate with Office 365 (like reading emails) will provide these pop-ups

So a GA user granted consent (admin consent) but the app isn’t showing under enterprise apps (or app registration), any ideas?
Can we allow certain users or groups to be able to do that?
It should be noted that you cannot wipe company data off of an Iphone that uses the Apple Mail app through the use of this delegation.
Would Apple retain the company data on their servers as well?
1 best response

Accepted Solutions
best response confirmed by madcat (Copper Contributor)
Solution
Azure Basic has functionality to keep a tenant secure, but it is, well... basic

First of all, I would recommend turning off User Application consent (like mentioned in the blog I added previously).

Secondly, I would really recommend configuring Multifactor Authentication.
MFA can be configured through two ways: Conditional Access and Security Defaults.

Security Defaults are a free option, check out this blog for more information:
https://365bythijs.be/2019/11/26/what-is-azure-ad-security-defaults-should-you-be-using-it/

I wouldn't worry about MDM and PIM during this time.

If you have configured MFA, you have a good baseline

View solution in original post