Microsoft's core values in regard to software development could be described as "more stuff, less clicks," is always better. If they built cars, they'd enable it to sprout wings or an outboard engine at the push of a button.
This is the way they've always perceived technology, often not even developing those wings, just buying someone else's and gluing them on. Conceptually, that is admirable creativity. A lot of times, they've pulled it off, but there is a fundamental risk that keeps manifesting in their desire to build an "ecosystem" rather just a really good OS (or application).
That part of my rant over, yes, these "zero days" require authentication. Quite honestly, I am not sure that qualifies as zero day. If can impersonate someone in an online system, there's a lot of novel stuff I can attempt. If I use someone's SMTP credentials to send a never-seen-before phishing email, does that email become a zero day?
Act II of rant over, I'll close with pondering how many times does corporate and government America need to have their thumbs smashed by the Microsoft hammer to think either "I need a new hammer" or "I should really learn how to use thing better."