Forum Discussion
Did I accidentally provision Apple Internet Accounts with my own Azure AD user account
I was adding my O365 email account to my iPhone (Exchange Active-Sync) when I was prompted with the request below. I blindly tapped Accept (yes really should have read the fine print) and realised I probably should have lingered there a bit longer.
Sure enough in Azure AD user audit log is a Add app role assignment grant to user event followed by the following events from Apple Internet Accounts:
- Add app role assignment grant to user (my account now a member of Exchange Admin, Helpdesk admin, Service Support and a few others
- A Remove app role assignment from user event (not sure which one)
- Add a deletion-marked app role assignment grant to user as part of link removal
I'm not even sure I want to provision Apple Internet Accounts in my tenant and certainly not with any of its services tied to my current account which was set up for me as global admin. (I am converting it to a regular account and setting up a separate admin account - see my other post on this matter: O365 / Azure AD - two accounts for admins v. PIM).
Can I remove my user account from all those admin roles?
Do I want to use Apple Internet Accounts even? I would think not?? as we don't provision devices (BYOD).
Can I un provision Apple Internet Accounts for now?
Can they make that sign in page look less like a phishing attempt lol?
- Azure Basic has functionality to keep a tenant secure, but it is, well... basic
First of all, I would recommend turning off User Application consent (like mentioned in the blog I added previously).
Secondly, I would really recommend configuring Multifactor Authentication.
MFA can be configured through two ways: Conditional Access and Security Defaults.
Security Defaults are a free option, check out this blog for more information:
https://365bythijs.be/2019/11/26/what-is-azure-ad-security-defaults-should-you-be-using-it/
I wouldn't worry about MDM and PIM during this time.
If you have configured MFA, you have a good baseline
Hi madcat
You haven't created an Apple account.
The enterprise application 'Apple Internet Accounts' was created. This enables Apple to view your mailbox and utilize their native 'mail' app.
Check out this doc article for more information about applications.
You can remove this application from your tenant, but then you won't be able to utilize the Apple Mail app.
All in all, there is no harm done with having this application in your tenant. It just enables you to utilize the Apple Mail app.
Thanks for the reply Thijs Lecomte!
That sounds like it could be useful although it does add an additional security concern as our O365 deployment is purely cloud based at the moment and adding the macOS mail client to the ecosystem would increase our attack surface a little.
What would happen if I deleted the account I used to provision it or changed that account's role memberships? Would Apple Internet Accounts still work?
Also to the best of my knowledge we don't have or use Apple Business Manager. More to the point the only Apple ID on my iPhone is my personal one and I certainly don't have it so I wonder what triggered that prompt on my device?
- These application do have a security concern indeed. I blogged about it a while ago: https://365bythijs.be/2020/01/05/protecting-against-oauth-attacks-setting-up-admin-consent-workflow/
Nothing would happen if you made changes to the account.
An enterprise application is not dependent on a user account, it's an entity on it's own.
You received this prompt because you tried to configure the Apple Mail app on your iPhone.
- It should be noted that you cannot wipe company data off of an Iphone that uses the Apple Mail app through the use of this delegation.
- Would Apple retain the company data on their servers as well?
