"He reported the issue to Microsoft but was told that it was documented behaviour and therefore not a vulnerability"
Yes, yes, I have documented that anyone can gain access to AD as a Domain admin by doing this, as I have documented it, its not a vulnerability so don't need to fix it.
Easy way to get around fixing bugs, document them, then they are features. But, documentation, hmmmm, doing real work, or documentation.......
Biting the hand that feeds IT
