I’ve said this before, but to reiterate: Graph API is a disaster in terms of cybersecurity.
E.g., you can easily dump out the metadata of all Azure AD users with Graph, and none of the Defender products trigger an alert. Do it on on-prem AD? MDI alert. Try Graph Explorer for point-and-click queries: https://learn.microsoft.com/en-us/graph/graph-explorer/graph-explorer-overview
It’s not just that use case. Smart attackers are not thinking in graphs, they’re living off Microsoft Graph. You can avoid alerting. It’s not just Russia.
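
Added example, not part of the original post: one way a defender could hunt for the bulk user dump described above, by flagging callers that page through the whole /users collection in exported Graph activity log rows. The field names (modelled on the Microsoft Graph activity logs), the thresholds and the sample rows are assumptions made for this sketch.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs
import re

# Assumption: rows are dicts using Graph activity log style field names.
# Match the users *collection* (/v1.0/users, /beta/users), not /users/{id}.
USERS_COLLECTION = re.compile(r"^/(v1\.0|beta)/users/?$", re.IGNORECASE)

def find_bulk_user_reads(records, window=timedelta(minutes=10), min_pages=5):
    """Flag callers that follow >= min_pages pagination links on /users within window."""
    by_caller = defaultdict(list)
    for r in records:
        url = urlsplit(r["RequestUri"])
        if (r["RequestMethod"] != "GET" or r["ResponseStatusCode"] != 200
                or not USERS_COLLECTION.match(url.path)):
            continue
        caller = (r["AppId"], r.get("UserId") or r.get("ServicePrincipalId"), r["IPAddress"])
        # A $skiptoken means the caller is walking the result set page by page.
        paged = any(k.lower() == "$skiptoken" for k in parse_qs(url.query))
        by_caller[caller].append((datetime.fromisoformat(r["TimeGenerated"]), paged))
    findings = []
    for caller, hits in by_caller.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the time window
                start += 1
            pages = sum(1 for _, paged in hits[start:end + 1] if paged)
            if pages >= min_pages:
                findings.append({"app": caller[0], "principal": caller[1], "ip": caller[2],
                                 "first_seen": hits[start][0], "requests": end - start + 1})
                break
    return findings

def sample_records():
    """Constructed sample rows, not real tenant data."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    def row(sec, uri, app, user, ip):
        return {"TimeGenerated": (base + timedelta(seconds=sec)).isoformat(),
                "RequestMethod": "GET", "ResponseStatusCode": 200,
                "RequestUri": "https://graph.microsoft.com" + uri,
                "AppId": app, "UserId": user, "IPAddress": ip}
    rows = [row(0, "/v1.0/users?$top=999", "app-bulk", "user-a", "203.0.113.7")]
    rows += [row(5 * i, f"/v1.0/users?$top=999&$skiptoken=tok{i}", "app-bulk", "user-a",
                 "203.0.113.7") for i in range(1, 6)]
    rows += [row(30, "/v1.0/users?$top=5", "app-helpdesk", "user-b", "198.51.100.4"),
             row(40, "/v1.0/users/1234", "app-helpdesk", "user-b", "198.51.100.4")]
    return rows

if __name__ == "__main__":
    print(find_bulk_user_reads(sample_records()))
```

Tune `min_pages` and `window` to the tenant's size and to known sync or HR applications, which legitimately read the full directory and would otherwise dominate the findings.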