by trifurcate 1020 days ago
And, crucial to this exploit actually working to the extent it did, Microsoft's own developers failed to implement a secure authentication check on top of their own libraries and infrastructure.

How so?
Leaving credentials and keys in memory.
Also completely failing to check the scope of the request before validating it!

> Microsoft provided an API to help validate the signatures cryptographically but did not update these libraries to perform this scope validation automatically
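
The gap described in the quote above, as an added example that is not part of the thread or of any Microsoft library: a validator that checks only the signature, next to one that also checks which scope the signing key is allowed to sign for. The key store, key ids, scope names and the use of HMAC in place of real asymmetric signatures are all assumptions made for the sketch.

```python
import hashlib
import hmac
import json

# Constructed key store: each signing key is bound to the scope it may sign for.
# HMAC stands in for real asymmetric signatures to keep this stdlib-only.
KEYS = {
    "key-a": {"secret": b"constructed-secret-a", "scope": "scope-a"},
    "key-b": {"secret": b"constructed-secret-b", "scope": "scope-b"},
}


def sign(key_id, claims):
    """Issue a token: key id, canonical JSON payload, and MAC over the payload."""
    payload = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(KEYS[key_id]["secret"], payload, hashlib.sha256).hexdigest()
    return {"kid": key_id, "payload": payload, "mac": mac}


def signature_ok(token):
    """Cryptographic check only: is the MAC valid under the named key?"""
    key = KEYS.get(token["kid"])
    if key is None:
        return False
    expected = hmac.new(key["secret"], token["payload"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["mac"])


def validate_signature_only(token, required_scope):
    """Weak form: trusts the scope claimed inside the token once the MAC checks out."""
    if not signature_ok(token):
        return False
    return json.loads(token["payload"]).get("scope") == required_scope


def validate_with_key_scope(token, required_scope):
    """Hardened form: the signing key itself must be authorised for the scope."""
    key = KEYS.get(token["kid"])
    if key is None or key["scope"] != required_scope:
        return False  # reject before trusting anything the token claims
    return validate_signature_only(token, required_scope)


# Constructed tokens: one signed by key-a but claiming scope-b, one signed by key-b.
cross_scope = sign("key-a", {"sub": "user@example.com", "scope": "scope-b"})
legit = sign("key-b", {"sub": "user@example.com", "scope": "scope-b"})
```

The cross-scope token passes `validate_signature_only` because its MAC is valid under a key the service knows, and is rejected by `validate_with_key_scope` because that key is not authorised for the requested scope.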