Authorization sprawl is a quiet, expensive risk: prove access to one system and, through implicit trust chains, you inherit reach into a dozen related ones you were never explicitly granted. Attackers exploit exactly these chains. The corrective is to make related access contingent on demonstrated, not assumed, primary access.

Microsoft Technology Licensing, LLC's US11765152B2, “Related asset access based on proven primary asset access” (issued September 19, 2023; CPC H04L 63/0815 — single sign-on, and H04L 63/102 — entity authentication for access), describes gating related-asset access on proven primary-asset access.

Mechanically, the system requires evidence that a user genuinely has access to a primary asset before extending access to assets related to it, rather than inferring the secondary grant from role or membership alone. It tightens the join between resources so that lateral authorization does not flow for free — a zero-trust principle applied to the permission graph itself.
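The contrast between an inferred grant and a proven one, as an added illustration that is not taken from the patent or from any Microsoft product. The asset names, the role table and the HMAC-signed, time-limited proof are all assumptions chosen to make "evidence of primary access" concrete.

```python
import hashlib
import hmac

# Constructed sample data (hypothetical names, not from the patent).
ROLE_ASSETS = {"payments-team": {"repo:payments", "ci:payments-pipeline", "wiki:payments-runbook"}}
ROLE_MEMBERS = {"payments-team": {"alice", "bob"}}
RELATED = {"repo:payments": {"ci:payments-pipeline", "wiki:payments-runbook"}}
KEY = b"constructed-demo-key"  # assumed to be held by the primary asset's enforcement point
PROOF_TTL = 300                # seconds a proof stays valid (assumed value)

def _mac(user, primary, ts):
    return hmac.new(KEY, f"{user}|{primary}|{ts}".encode(), hashlib.sha256).hexdigest()

def issue_proof(user, primary, now):
    """Issued by the primary asset only after the user actually passed its access check."""
    ts = int(now)
    return f"{ts}.{_mac(user, primary, ts)}"

def verify_proof(user, primary, proof, now):
    """True only for an unexpired proof bound to this user and this primary asset."""
    try:
        ts_text, mac = proof.split(".", 1)
        ts = int(ts_text)
    except (AttributeError, ValueError):
        return False  # missing or malformed proof
    fresh = 0 <= now - ts <= PROOF_TTL
    return fresh and hmac.compare_digest(mac.encode(), _mac(user, primary, ts).encode())

def implicit_grant(user, related):
    """Inferred model: role membership alone unlocks every asset tied to the role."""
    return any(user in ROLE_MEMBERS[r] and related in assets for r, assets in ROLE_ASSETS.items())

def proven_grant(user, primary, related, proof, now):
    """Proven model: the asset must be related to the primary AND the proof must verify."""
    return related in RELATED.get(primary, ()) and verify_proof(user, primary, proof, now)

if __name__ == "__main__":
    now = 1_700_000_000
    proof = issue_proof("alice", "repo:payments", now)
    target = "ci:payments-pipeline"
    print("bob, role only, implicit model:", implicit_grant("bob", target))
    print("bob, no proof, proven model:   ", proven_grant("bob", "repo:payments", target, None, now))
    print("alice, fresh proof:            ", proven_grant("alice", "repo:payments", target, proof, now + 60))
    print("bob replaying alice's proof:   ", proven_grant("bob", "repo:payments", target, proof, now + 60))
```

Binding the proof to the user, the primary asset and a timestamp is what keeps it from being replayed by another principal or reused after the primary access has lapsed.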

Why this is a business story: identity and access governance is the fastest-growing pillar of Microsoft's security business, which the company has said exceeds $20 billion in annual revenue. Reducing implicit trust between assets is core to the Entra and Defender story Microsoft sells against Okta and the standalone identity-governance vendors. Authorization-graph IP like this is what underpins the claim that the platform can contain blast radius, not just authenticate users.

The grounded read: proven-access authorization stops permissions from chaining for free by requiring demonstrated primary access before granting related access. Microsoft's 2023 grant names that mechanism — a zero-trust tightening at the heart of its multibillion-dollar identity business.