REST API - Sending emails on behalf of a user
Resolution Summary:
Investigated a report of unexpected calendar invites being sent on behalf of the user.
Queried Microsoft Purview audit logs and identified the activity as originating via REST API with the following ActorInfoString:
Client=REST;InternalCalendarSharing (ActiveSync)[AppId=1c06531d-b56d-4cfb-8ad0-53c87d70093e];
This indicated the use of the native iOS Mail/Calendar app through the “iOS Accounts” integration.
Access reviewed in Microsoft Entra Admin Center under user’s applications:
Located the iOS Accounts app
Verified delegated permissions (EAS.AccessAsUser.All, EWS.AccessAsUser.All, User.Read)
Confirmed the app and its permissions were consistent with REST-based calendar access
Based on findings, the “iOS Accounts” app integration was removed to prevent further unauthorized calendar actions from the native iOS app.
📌 Root Cause: Auto-response or calendar sync initiated by the native iOS app (via ActiveSync and REST API).
✅ Resolution: Integration revoked and mobile access cleaned up. No further action required unless recurrence observed.