Sure, but Azure also exposes an extremely large array of knobs and buttons that put the tenant admin squarely in control of what "login" means in the first place: the kinds of authentication allowed or required, by whom, under what risk profiles, for which applications, etc. If you feel like it is screwed up, there is, as likely as not, action that it is the tenant admin's — not MS's — responsibility to take to fix it. I don't know what to tell you about refreshes; that's just how OAuth works, mostly. I'm tempted to take a video of myself logging into the Azure portal right now just to ask what about it is so weird.