I've set up a Power Automate flow that creates unlicensed user accounts on our Microsoft 365/Azure platform. This flow is triggered through a secure Microsoft Forms page, which is only accessible within our organization. I'm concerned about any potential security issues this might pose. Since these accounts are unlicensed and only exist within Azure Active Directory, what could someone do with these credentials? I'm particularly worried about the scenario where the form could be hacked or compromised, but I'm not sure what risks the unlicensed accounts actually present.
5 Answers
Make sure these accounts aren't just classified as guest users. You might also want to disable the option for non-admins to create users in Active Directory to improve security. Seems like a small change, but it could prevent unintended user creation.
This kind of setup reminds me of some security vulnerabilities that were documented in CVE-2025-55241. You might want to look into those risks further. Always better to be safe than sorry!
It's important to consider who created the flow. If it was set up by an admin, it could have more privileges than if an end user made it. Although you mentioned users don’t have access to the flow, the context of the flow is crucial. If your flow runs under an admin context, it may open up more risks than you anticipate.
Not a lot of details here, but it’s a valid concern. What kind of permissions or roles does the new user account have? Are these accounts disabled by default? Also, how are you verifying who is behind the account when the credentials are sent out? And have you thought about the potential for abuse, like someone flooding the system with requests to create accounts?
I think the biggest worry might be that these unmonitored accounts could be used to access AI tools. Consider the implications of having accounts that can ask questions and retrieve information without oversight!
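An added example, not written by any of the posters above: one way to check the points the answers raise (guest classification, whether the accounts are enabled, and bulk creation) is to triage an export of user records from Microsoft Graph. The sample records, the contoso.example names and the burst thresholds are constructed assumptions; the field names are those of the Graph user resource.

```python
import json
from datetime import datetime, timedelta

# Constructed sample shaped like Microsoft Graph user objects.
SAMPLE_USERS = json.loads("""[
 {"userPrincipalName":"a@contoso.example","userType":"Member","accountEnabled":true,"assignedLicenses":[],"createdDateTime":"2025-01-10T09:00:00Z"},
 {"userPrincipalName":"b@contoso.example","userType":"Member","accountEnabled":false,"assignedLicenses":[],"createdDateTime":"2025-01-10T09:02:00Z"},
 {"userPrincipalName":"c@contoso.example","userType":"Guest","accountEnabled":true,"assignedLicenses":[],"createdDateTime":"2025-01-10T09:05:00Z"},
 {"userPrincipalName":"d@contoso.example","userType":"Member","accountEnabled":true,"assignedLicenses":[{"skuId":"constructed-sku"}],"createdDateTime":"2025-01-10T09:06:00Z"},
 {"userPrincipalName":"e@contoso.example","userType":"Member","accountEnabled":false,"assignedLicenses":[],"createdDateTime":"2025-01-12T14:00:00Z"}
]""")

BURST_WINDOW = timedelta(minutes=10)  # assumed threshold, tune to normal form usage
BURST_COUNT = 3                       # assumed: this many creations in the window is a burst


def parse_ts(value):
    # Graph timestamps end in "Z"; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit(users):
    """Return (userPrincipalName, finding) pairs for unlicensed accounts."""
    unlicensed = [u for u in users if not u.get("assignedLicenses")]
    findings = []
    for u in unlicensed:
        upn = u["userPrincipalName"]
        if u.get("userType") == "Guest":
            findings.append((upn, "guest"))
        if u.get("accountEnabled"):
            # An enabled account can sign in even without a license.
            findings.append((upn, "enabled-unlicensed"))
    # Sliding window over creation times to spot form flooding.
    created = sorted((parse_ts(u["createdDateTime"]), u["userPrincipalName"])
                     for u in unlicensed)
    start, burst = 0, set()
    for end in range(len(created)):
        while created[end][0] - created[start][0] > BURST_WINDOW:
            start += 1
        if end - start + 1 >= BURST_COUNT:
            burst.update(upn for _, upn in created[start:end + 1])
    findings.extend((upn, "creation-burst") for upn in sorted(burst))
    return findings


if __name__ == "__main__":
    for upn, finding in audit(SAMPLE_USERS):
        print(f"{upn}: {finding}")
```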
