One would assume that absence of credentials would necessarily = auth failure.
Like, the basic flow would check the validity and, implicitly, the presence of the auth header. To bypass auth in the case of the absence of the header itself would need to be an explicit conditional. IF no header, then authenticated. Right? That’s crazy.
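As an added illustration (constructed example, not code from any project discussed in this thread): a fail-closed Authorization check beside the validate-only-if-present pattern that silently treats a missing header as authenticated. The token store and the "svc-account" principal are made-up sample values.

```python
"""Fail-closed vs. validate-only-if-present header checks (constructed example).

Assumption: a handler receives request headers as a plain dict. The credential
store below is sample data, not a real system's tokens.
"""
import hmac

# Constructed sample credential store: bearer token -> principal
VALID_TOKENS = {"good-token": "svc-account"}


def _lookup(token: str):
    """Return the principal for a token, comparing in constant time."""
    for known, principal in VALID_TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return principal
    return None


def authenticate_buggy(headers: dict):
    """Validate only if present: the reject branch lives inside the
    'header exists' branch, so a request with no Authorization header
    never reaches it and falls through with a 200 and no principal."""
    auth = headers.get("Authorization")
    principal = None
    if auth:
        _, _, token = auth.partition(" ")
        principal = _lookup(token)
        if principal is None:
            return (401, None)
    return (200, principal)  # absent header -> "authenticated" with nobody


def authenticate(headers: dict):
    """Fail closed: every path that does not positively identify a
    principal returns 401, including the missing-header path."""
    auth = headers.get("Authorization")
    if not auth:
        return (401, None)  # absence of credentials is a failure, not a pass
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return (401, None)  # wrong scheme or empty token
    principal = _lookup(token)
    if principal is None:
        return (401, None)  # unknown token
    return (200, principal)
```

The buggy variant rejects a bad token correctly, which is why a test suite that only sends bad credentials never notices that no credentials at all are accepted.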
On the other hand, MS enforced strict auth policies to access their Office APIs in a ridiculous fashion. When I needed to register my applications at MS, I just dropped integration into their services and I never looked back.
Does it block access within the same group by default for the lateral motion case? That would definitely help somewhat, although it's certainly too common for people to have allow-all rules for internal traffic.
Has no one replied that any VM that handles HTTP(s) traffic MUST open ports to start functioning, and is therefore fully vulnerable? What am I missing here?
Is that accurate? Is this some kind of joke?