Open
Description
The "B Path" labs are overly simplistic and even if the fake "bespoke" IdP was secure, the account linking would not be secure as implemented here. Specifically, instead of linking the Azure AD user to the bespoke app's Employee ID, it should link to a secure token for the original app's identity provider.
See this article for an improved solution.
This lab should be updated accordingly. In addition, it should use Azure AD, not the bespoke IdP, to validate requests when the app is running in Teams. This would allow downstream calls (such as Microsoft Graph) and help students understand Azure AD token validation.