I don't think its scope is limited, a user was able to request a token of a user on a specific tenant and then delete an instance.
I don't think its scope is limited, a user was able to request a token of a user on a specific tenant and then delete an instance.