Microsoft made a big boo-boo, by the look of it. They install a “secret” service on all Azure Linux instances - the user/owner of the instance doesn’t install it and isn’t informed that it has been installed. It has a fundamental flaw, if you remove the logon credentials header when contacting it, it falls back to the service account, which has a full bash shell and no password!
The best thing seems to be that Microsoft installs it as default on new images, but there is no way to update the package automatically, every admin of every instance must manually update, according to the researcher that found it.
Oh, you thought that I meant the story from @MaryJo about using an authenticator app to log onto Windows? Yes, that is passwordless as well.