That's some exceptionally shallow thinking on their part. I think may people would agree that part of the vulnerability is the authentication configuration options do not map well onto real world use cases, the documentation surrounding this is absent or confusing, and even internal teams that should know better are creating insecure services an alarming percentage of the time.

This is what I like about actual safety culture, like you would find in aviation, _all causes_ are to be investigated, all the way back to the shape, size and position of the switches on the flight deck.

It's difficult to take Microsoft's stance seriously. It makes the prices for their "service" seem completely unjustifiable.