VPN software pretty much searches to ensure your computer is safe, has AV software, etc. Gathers IP address history, among other basic info from registry.
If you're unwilling to install the VPN application, along with any other required applications then you're not allowed to connect.
Then if a connecting computer is suspect, it isn't difficult for the company and/or law enforcement to add other code/apps to get nearly anything from an intruder's computer--particularly if this person is using an account with elevated privileges--which most likely they will be.
I don't think you've ever used a VPN in your life, mate. The name gives it away: Virtual Private Networks only allow you to tunnel your connection through a secure channel to appear like you're part of another LAN (Local Area Network, i.e. sharing a subnet behind a local device like a router). If you've ever used Hamachi to play local LAN multiplayer it's the same concept: it tunnels a client WAN (Wide Area Network) IP to make it appear to the host system that the IP is part of a local network, allowing for LAN-only games/applications to see and use the connection. It can also be used to get past firewalls that would prevent plaing Internet-connected games with others, which is one of the primary reasons so many kids use it.
VPN software in no way is required to do any of what you mentioned; basic VPN software only facilitates IP tunneling. Some corporate applications like Cisco AnyConnect may support the functionality to allow the host server to enforce specific policies—eg., to deny connections to systems not joined to an Active Directory domain, or to run shell commands on the client—but it is not required to set it up like that. You will find most VPN software either does not have such functionality, or allows the user to disable it, see: OpenVPN. Anyway, even if these requirements were necessary in this specific instance to allow the dude to connect to Microsoft servers, it is more likely he simply logged into a web-based interface and scraped data from the site. Even if he did have to use some kind of aggressive, system-controlling VPN to connect, there are trivial ways to avoid the reprocussions, like running it in a virtual machine or sandbox. Or just not allowing any system changes and faking out the host server to think you're compliant when you really aren't, but that's a little harder to pull off.