clarification

Author: carlospolop

src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md

@@ -87,6 +87,9 @@ The attack involves several steps targeting a generic company. Here's how it mig
 
 <figure><img src="../../../images/image (3).png" alt=""><figcaption></figcaption></figure>
 
+>[!WARNING]
+> It's also possibel to request permissions to other APIs that are not Graph API, like `Azure Service Management API`, `Azure Vault`, `Azure Storage`, etc. For example, the scope `https://management.azure.com/user_impersonation` will allow the application to access the Azure Management API on behalf of the user.
+
 4. **Execute the web page (**[**azure_oauth_phishing_example**](https://github.com/carlospolop/azure_oauth_phishing_example)**)** that asks for the permissions:
 
 ```bash