We are in a private tenant. Starting this week, our unit tests started failing. Previously, an invalid authorization code in the oauth/token request was returning 403, and it is now returning 401.
401 is more correct, since 403 (Forbidden) is usually missing scopes.
Can someone confirm this change was intentional? When was it rolled out?
Is it uniform across all tenants (e.g. across all the tenants in our private instance)?