How does this relate, if at all, to @josecgomez 's comment on this thread saying:
Have you effectively mitigated what Jose is saying here? Or, have you allowed “a bumm of the street with access to excel and azure to be able to generate a valid token?”
I’m pretty sure you have mitigated that risk because you’re using Azure to authenticate the user and then authorize the user to connect… does that look right @Mark_Wonsil ?