This session will look at some of the caveats with AAD Graph API. My research found that if you have a token for these APIs, you have pretty much unhindered access for reading and exporting anything that uses AAD Graph.

Including, reading Conditional Access Policies as an end user.

The session will go through how this is possible, how to do it and demoing the toolkit I created for exporting all of this data as an end user.