@simon Both Azure APIs and Microsoft Graph use OAuth2 JWT tokens to enable a user to do things that cost money, but in both cases the token needs to be issued by Microsoft's identity provider. It might be possible to use a Federated Identity to incur those costs too, but there plenty of controls in place for the subscription owner.