Comment Admin consent workflow is flawed (Score 1) 11
It does not allow the option of the admin approving the permission but still requiring that the user must consent. By skipping the user consent step, that increases the risk of a "drive by" attack where an attacker tricks a signed-in user into visiting a web page that includes Javascript which invokes the application (as a single page app so there is no need to know the Client Secret), automatically authenticates via SSO, and downloads the user's files without triggering any pop-up warning.
Although it has no Refresh Token, that rogue site would have access to the files as long as the Access Token lasts (by default one hour).
Although it has no Refresh Token, that rogue site would have access to the files as long as the Access Token lasts (by default one hour).
You should not visit any untrusted web sites, or sites that load untrusted adverts, while signed in to Entra ID SSO.