Extreme TLDR: Microsoft and Google implement OAuth 2.0’s device code flow differently, affecting phishing attack vulnerabilities. Microsoft's setup allows attackers to gain significant access via device code phishing by utilizing legitimate API flows, leading to dangerous token generation. Google's implementation limits potential damages due to restricted scopes and client ID controls, making successful exploitation challenging.
https://www.bleepingcomputer.com/news/security/oauth-device-code-phishing-azure-vs-google-compared/

