Comment by oaiey

2 years ago

Well, the consent item is "sync" and that translates in your sample more to "you consent to let them take pictures of your house whenever they want". And for that, a key property is the username (or your house key). Otherwise, "sync"/"taking photos any time" would not work. You could argue that "sync" could be considered 1-time sync or permanent sync ... but honestly we talk about IMAP and a permanent connection to fetch emails. Let us not assume we talk about a one-time "sync".

And yes, I agree that Microsoft buried the nasty password detail with the purpose of not disengaging the users. I also think that with anything data-privacy related, normal users are completely overwhelmed with no chance to ever understand the situation.

I share your thought about replicating passwords. Not to the concrete worry you express but that it is a really bad practice compared to industry practice (see OAuth2 refresh token).