Microsoft Azure Told Me This Was No Big Deal

By default, user data from an organization you are part of is leaking in aad.portal.azure.com. The access in my report is not disabled by default and gives a general user the ability to create tenants, assign users to a tenant, assign roles, and invite external users. Most organizations do not even know these permissions exist. When I first found this data leak there were 100,000+ exposed PII points, and the organization immediately fixed it. When I reported this to Microsoft they said this is how it is supposed to work. Enjoy - Jonathan Scott
Step 1: Log in to your organization's Office 365 mail.
Go to https://aad.portal.azure.com/
See the images for more information, and read the PDF to see the endpoints you can access.
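For administrators who want to see whether their tenant still has the member-user defaults described above (tenant creation, reading other users' data, inviting external users), here is an added example that is not part of the original post. It audits the JSON returned by Microsoft Graph `GET /policies/authorizationPolicy`; the sample policy is constructed, and the names `audit_policy`, `MEMBER_DEFAULTS` and `MEMBER_INVITE_VALUES` are hypothetical.

```python
import json

# Constructed sample in the shape of Graph's authorizationPolicy resource.
SAMPLE_POLICY = json.loads("""
{
  "id": "authorizationPolicy",
  "allowInvitesFrom": "everyone",
  "defaultUserRolePermissions": {
    "allowedToCreateTenants": true,
    "allowedToReadOtherUsers": true
  }
}
""")

# Member-user defaults that correspond to the access described in the post.
MEMBER_DEFAULTS = {
    "allowedToCreateTenants": "ordinary members can create new tenants",
    "allowedToReadOtherUsers": "ordinary members can read other users' directory data",
}

# allowInvitesFrom values that let non-admin members send guest invitations.
MEMBER_INVITE_VALUES = {"adminsGuestInvitersAndAllMembers", "everyone"}


def audit_policy(policy):
    """Return a list of (setting, value, reason) findings for one policy dict."""
    findings = []
    perms = policy.get("defaultUserRolePermissions") or {}
    for key, risk in MEMBER_DEFAULTS.items():
        value = perms.get(key)
        if value is True:
            findings.append((key, "enabled", risk))
        elif value is not False:
            # Absent or null: do not assume it is off, have a person confirm it.
            findings.append((key, "not reported", "value missing; verify in the portal"))
    invites = policy.get("allowInvitesFrom")
    if invites in MEMBER_INVITE_VALUES:
        findings.append(("allowInvitesFrom", invites, "ordinary members can invite external users"))
    elif invites is None:
        findings.append(("allowInvitesFrom", "not reported", "value missing; verify in the portal"))
    return findings


if __name__ == "__main__":
    for setting, value, reason in audit_policy(SAMPLE_POLICY):
        print(f"{setting}: {value} ({reason})")
```

Turning off `allowedToReadOtherUsers` can affect features that look up other users, so test that change before rolling it out.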