Microsoft, please, follow your own guidance please!
Hi, as partners and app publishers we need to make every part of our customer-facing apps and services secure. And this is the right way. Mandate MFA, mandate app certifications and ISV verification. Require only secured endpoints for AAD apps, and all these things.
But, Microsoft, please. Follow this same guidance for your own apps which you develop for partners. For example, today I was asked to approve the incentive CHIP app, Channel Incentives Program. And what do you think?
The app has no verified developer, no publisher name, no Terms or Privacy links, and runs on HTTP endpoints, even a localhost one. So please, go and fix your own app to look secure, because it is easy to approve something that is not coming from you, because we cannot distinguish between crap phishing OAuth illicit-grant apps and your partner-facing apps.
Thanks in advance!