Wow. It's hard to say which is worse: "our internal apps to control 1P MS properties were marked multi-tenant and did no real AuthZ"... or... "we leaked an MSA signing key and had our token validation so f**ked that (presumably) any signing key was valid for any key-under-test, regardless of expected configuration".

Just stunningly bad and would make me reconsider how much MSFT I hold, except that no one seems to care.


