As part of security compliance, we had our application (deployed in Azure) scanned with a pentest by an external company. I just received the scan reports, and I was surprised to see issues that I was sure we had fixed (such as OWASP XSS (Cross-Site Scripting), just to name one). Well, after a quick analysis of the reports, it turns out that most of those issues belong to Azure resources! By having our APIs behind Azure API Management, its Developer Portal was scanned as well, and that resulted in a few issues (between Low and Medium, nothing critical). The AAD login page has a few of those issues as well, and because of the automatic redirect they seem to be caused by our app during the scan. Obviously those resources are out of our control, and we can't do anything to fix those issues; maybe Microsoft will. At the same time, it is nice to find out that the hard work to secure our app paid off, and only a few minor issues were found that actually belong t...