
Arbitrary 1-click Azure tenant takeover via MS application

ID: 44cb40ff-1876-51aa-95fc-d7e49ae8eeb4

STIX ID: report--44cb40ff-1876-51aa-95fc-d7e49ae8eeb4

Feed Name: FalconForce

Threat Score: 80/100

Date Published: 2024-04-26

Date Updated: 2026-04-27

Author: Arnau Ortega

...
...

This blog details a critical OAuth redirect/reply-URL misconfiguration in Azure/Entra ID that allows an attacker who registers or controls an application reply domain to capture authorization codes and exchange them for access tokens — potentially enabling data exfiltration or full tenant takeover. The author demonstrates enumeration scripts, a proof-of-concept attack against a Microsoft first-party app (scv.azureedge.net) that returned tenant-scoped tokens, and an operational PoC adding an account to Global Admins, and describes the disclosure and remediation steps taken with Microsoft.
