Apple Internet accounts Azure Enterprise application

Question

Apple Internet accounts Azure Enterprise application

Lokesh K 30

Hi All, I would like to gather the inputs about "Apple Internet Accounts" on what it does as an Enterprise application. The below are the Permissions delegated

ResourceName	Scope
ResourceName	Scope
Microsoft Graph	Calendars.Read
Microsoft Graph	EAS.AccessAsUser.All
Microsoft Graph	EWS.AccessAsUser.All
Microsoft Graph	offline_access
Microsoft Graph	openid
Microsoft Graph	People.Read
Microsoft Graph	User.Read
Office 365 Exchange Online	EAS.AccessAsUser.All
Office 365 Exchange Online	EWS.AccessAsUser.All
Office 365 Exchange Online	full_access_as_user
Windows Azure Active Directory	User.Read

-> What will happen if we block this application in Enterprise app? Will the apple users still be able to access M365 services?

Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-04-11T11:33:11.6166667+00:00

Hello Lokesh K,

Just to followup on this thread, let us know if you get the answer for your query. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Lokesh K 30 Reputation points

2025-04-13T10:37:44.0433333+00:00

Hi @Venkata Jagadeep Thanks for the input, And Also I would like to clarify the below point,

-> User can able to access or use their personal accounts with the native Microsoft apps, and for the corporate data they can use the official Microsoft application?
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-04-15T08:55:28.6333333+00:00

Hello Lokesh K,

Application permissions are used in scenarios where the application acts on its own, without a signed-in user. These permissions allow the application to access resources directly. For example, an application with the Files.Read.All application permission can read all files in the organization.

Delegated permissions are used in scenarios where an application acts on behalf of a signed-in user. These permissions allow the application to access resources that the user has access to. For example, if an application has the Files.Read.All delegated permission, it can read all files that the signed-in user can access.

When user access Microsoft Apps with his personal account, only the data related to his personal account will be accessible, but not his corporate account data.

If he wants to use his corporate account data, he has to login with his work/school account to provide permissions to the application to access the data.

I suggest you refer the below document to understand Application Permissions and Delegated Permissions

https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview

Please let me know if you have further queries on this issue.
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-04-16T12:35:50.84+00:00

Hello Lokesh K,

Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-04-17T07:31:54.73+00:00

Hello Lokesh K,

Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.
Lokesh K 30 Reputation points

2025-04-17T09:17:51.2033333+00:00

Hi @Venkata Jagadeep

For now I have a plan to test this to understand the behaviour, For now it's all set, will add comment if I need anything else in furure

1 answer

Your answer

Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-04-11T11:33:11.6166667+00:00

Hello Lokesh K,

Just to followup on this thread, let us know if you get the answer for your query. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Lokesh K 30 Reputation points

2025-04-13T10:37:44.0433333+00:00

Hi @Venkata Jagadeep Thanks for the input, And Also I would like to clarify the below point,

-> User can able to access or use their personal accounts with the native Microsoft apps, and for the corporate data they can use the official Microsoft application?
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-04-15T08:55:28.6333333+00:00

Hello Lokesh K,

Application permissions are used in scenarios where the application acts on its own, without a signed-in user. These permissions allow the application to access resources directly. For example, an application with the Files.Read.All application permission can read all files in the organization.

Delegated permissions are used in scenarios where an application acts on behalf of a signed-in user. These permissions allow the application to access resources that the user has access to. For example, if an application has the Files.Read.All delegated permission, it can read all files that the signed-in user can access.

When user access Microsoft Apps with his personal account, only the data related to his personal account will be accessible, but not his corporate account data.

If he wants to use his corporate account data, he has to login with his work/school account to provide permissions to the application to access the data.

I suggest you refer the below document to understand Application Permissions and Delegated Permissions

https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview

Please let me know if you have further queries on this issue.
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-04-16T12:35:50.84+00:00

Hello Lokesh K,

Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-04-17T07:31:54.73+00:00

Hello Lokesh K,

Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.
Lokesh K 30 Reputation points

2025-04-17T09:17:51.2033333+00:00

Hi @Venkata Jagadeep

For now I have a plan to test this to understand the behaviour, For now it's all set, will add comment if I need anything else in furure

Answer 1

Hello Lokesh K,

As per the description, we understand that you want to know the capabilities of the application "Apple Internet Accounts" when you provide delegated permissions. And what will happen to apple users accessing M365 when you disable this application.

Delegated permissions are used in scenarios where an application acts on behalf of a signed-in user. These permissions allow the application to access resources that the user has access to.

So, even when application is disabled, user permissions will not change in M365.

The applications which are using Apple Internet Accounts will not be able to access these resources when you disable the application in Enterprise Applications in Entra ID.

For example, in your scenario, you have given calendars.read permision. This Allows the app to read events of all calendars with a signed-in user through MS Graph or Office 365 Exchange online or Windows Azure Active Directory.

EAS.AccessAsUser.All

Allows the app to have the same access to mailboxes as the signed-in user via Exchange ActiveSync.

EWS.AccessAsUser.All

Allows the app to have the same access to mailboxes as the signed-in user via Exchange Web Services.

offline_access

Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions.

openid

offline_access is an OpenID Connect (OIDC) scope.

You can use the OIDC scopes to specify artifacts that you want returned in Microsoft identity platform authorization and token requests. The Microsoft identity platform v1.0 and v2.0 endpoints support OIDC scopes differently.

People.Read

Allows the app to read a ranked list of relevant people of the signed-in user. The list includes local contacts, contacts from social networking, your organization's directory, and people from recent communications (such as email and Skype).

User.Read

Allows users to sign-in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

I suggest you refer the below document

https://learn.microsoft.com/en-us/graph/permissions-reference

Please let me now if you have any further questions.

Share via

Apple Internet accounts Azure Enterprise application

1 answer

Your answer