Important point by @wald0 re the MSFT breach:
The AppRoleAssignment.ReadWrite.All MS Graph app role BYPASSES the consent process. This is BY DESIGN. This app role is EXTRAORDINARILY dangerous.
https://winsmarts.com/how-to-grant-admin-consent-to-an-api-programmatically-e32f4a100e9d
One to hunt on. Looks like a really easy own goal.
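
One way to start that hunt, as an added example that is not part of the original post: list every principal that currently holds the role on the Microsoft Graph service principal. The input is constructed sample data shaped like the Graph `appRoles` and `appRoleAssignedTo` responses; every id and app name in it is made up, and `find_holders` is a hypothetical helper name.

```python
import json

DANGEROUS_ROLE = "AppRoleAssignment.ReadWrite.All"  # the app role named in the post

# Constructed sample shaped like Microsoft Graph responses; all ids are made up.
#   graph_sp:    GET /servicePrincipals(appId='00000003-0000-0000-c000-000000000000')
#   assigned_to: GET /servicePrincipals/{graph_sp id}/appRoleAssignedTo
SAMPLE = json.loads("""
{
  "graph_sp": {
    "id": "aaaaaaaa-0000-0000-0000-000000000001",
    "appRoles": [
      {"id": "11111111-0000-0000-0000-000000000001", "value": "User.Read.All"},
      {"id": "11111111-0000-0000-0000-000000000002", "value": "AppRoleAssignment.ReadWrite.All"}
    ]
  },
  "assigned_to": [
    {"principalId": "bbbbbbbb-0000-0000-0000-000000000001", "principalDisplayName": "hr-sync",
     "principalType": "ServicePrincipal", "appRoleId": "11111111-0000-0000-0000-000000000001",
     "createdDateTime": "2023-05-02T09:14:00Z"},
    {"principalId": "bbbbbbbb-0000-0000-0000-000000000002", "principalDisplayName": "legacy-test-app",
     "principalType": "ServicePrincipal", "appRoleId": "11111111-0000-0000-0000-000000000002",
     "createdDateTime": "2021-11-18T16:40:00Z"}
  ]
}
""")

def find_holders(graph_sp, assigned_to, role_value=DANGEROUS_ROLE):
    """Return the assignments that grant `role_value` on the given resource."""
    # Resolve the role id from the resource's own appRoles rather than hardcoding a GUID.
    role_ids = {r["id"] for r in graph_sp.get("appRoles", []) if r.get("value") == role_value}
    if not role_ids:
        raise ValueError(f"{role_value} is not defined on this service principal")
    hits = [a for a in assigned_to if a.get("appRoleId") in role_ids]
    # Oldest grants first, so stale assignments surface at the top of the review list.
    return sorted(hits, key=lambda a: a.get("createdDateTime", ""))

if __name__ == "__main__":
    for a in find_holders(SAMPLE["graph_sp"], SAMPLE["assigned_to"]):
        print(a["createdDateTime"], a["principalType"], a["principalId"], a["principalDisplayName"])
```

Each principal it returns can grant itself or any other service principal further app roles without a consent prompt, so every hit needs a named owner and a reason to keep the role.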