A wonderfully detailed writeup about being diligent in not only finding a flaw, but figuring out how to exploit it. It takes a deep dive into the postMessage() method, for which both the Mozilla documentation and the spec itself give warnings about the potential for XSS from hostile data.
Azure in fact had a lot of security recommendations in place, such as CSP and checking message origins against an allow list. But two endpoints were misconfigured, which the researchers took advantage of.
Another article noted a good practice in Microsoft's response, where they "updated their internal rules to improve scanning for this class of bug across all of Microsoft’s products and services."
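A minimal receiver that applies the two safeguards mentioned above, an exact-match origin allow list and treating message data as hostile, is sketched below. It is an added example, not code from the writeup or from Azure; the origins, the `set-title` message type and the `setText` sink are assumptions made for illustration.

```javascript
// Constructed allow list: full origins (scheme + host + port), nothing else.
const ALLOWED_ORIGINS = new Set([
  "https://portal.example.com",
  "https://admin.example.com",
]);

// Exact match on the browser-supplied origin. Prefix, suffix, substring or
// loose regex tests are how look-alike hosts slip through an "allow list".
function isTrustedOrigin(origin) {
  return typeof origin === "string" && ALLOWED_ORIGINS.has(origin);
}

// Accept only the one message shape this page expects (hypothetical schema);
// anything else is dropped, even when it comes from an allowed origin.
function parseMessage(data) {
  if (data === null || typeof data !== "object" || Array.isArray(data)) return null;
  if (data.type !== "set-title") return null;
  if (typeof data.title !== "string" || data.title.length > 200) return null;
  return { type: "set-title", title: data.title };
}

// Builds the listener. `setText` is a hypothetical sink that must write plain
// text only (el.textContent), never innerHTML, eval or a URL navigation.
function makeListener(setText) {
  return function onMessage(event) {
    if (!isTrustedOrigin(event.origin)) return "rejected-origin";
    const msg = parseMessage(event.data);
    if (msg === null) return "rejected-shape";
    setText(msg.title);
    return "accepted";
  };
}

// Browser wiring; skipped when run outside a browser.
if (typeof window !== "undefined") {
  const el = document.getElementById("title"); // assumed element id
  if (el) {
    window.addEventListener("message", makeListener((t) => { el.textContent = t; }));
  }
}
```

The origin check and the data check are independent: an allowed origin that itself has an injection flaw can still send hostile data, so the sink stays text-only.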