So, the issue Microsoft Security Response Center said “wasn’t a vulnerability” now appears to have been quietly mitigated.
The API examples no longer expose SAS URIs in the response body.
inputsLink / outputsLink no longer appear to be emitted in the API response.
And Az-Skywalker can no longer retrieve the secrets, even when run with Global Admin.
But sure… not a vuln.
To be clear: I’m glad it has been fixed. This makes customers safer, and that’s what actually matters - both as a researcher and as a Security MVP.
However, this is once again behaviour unbecoming of a major cloud provider, and I’m far from the only one who’s experienced it.
No recognition. No acknowledgement. No bug bounty.
Just “by design” - as if that somehow makes it defensible.



