@nicolasheiniger

Followers: 23 | Following: 66 | Posts: 1 | Joined: 22.11.2024

Latest posts by @nicolasheiniger

Want to run roadrecon, but a device compliance policy is getting in your way? You can use the Intune Company Portal client ID, which is a hardcoded and undocumented exclusion in CA for device compliance. It has user_impersonation rights on the AAD Graph 😃

12.12.2024 16:00 👍 44 🔁 19 💬 3 📌 1

I like the less obvious kinds, some objects in AD with SACLs that will trigger when AD enumeration is performed. A Kerberoastable account with a weak password. Access keys buried in the wiki or better, in the wiki versioning history.

26.11.2024 18:27 👍 1 🔁 0 💬 1 📌 0