Tag
Adversaries may abuse the user_impersonation OAuth scope in Entra ID to gain unauthorized access to user accounts, especially when combined with single-factor authentication and unbound sign-in sessions, potentially indicating account compromise for users not seen in the last 10 days.