Comment by andix

Every oauth application needs to be registered individually, togther with a client secret or certificate. In case of Microsoft via the Azure portal. That registration can (technically) be revoked by the oauth provider.

I have no idea if Microsoft would react to such a report, and what's the correct channel to submit it. But bug reports or abuse reports they usually take seriously.