A Vulnerability of Epic Proportions

A critical flaw in Microsoft's Entra ID has raised alarming concerns, as a combination of legacy components could have granted malicious actors unrestricted access to the cloud-based identity environments of companies worldwide.

What Went Wrong?

The heart of the issue lies in undocumented actor tokens and a troubling vulnerability in the Azure AD Graph API (CVE-2025-55241). This vulnerability allowed these tokens to bypass security measures and operate across various Entra ID environments.

A Buffer Against Detection

An attacker exploiting this flaw could’ve accessed massive amounts of sensitive data without leaving a trace in the usual security logs—except for their own actions. This means organizations could remain oblivious to breaches that compromise their security.

The Importance of Entra ID

Entra ID, previously known as Azure Active Directory, serves as Microsoft’s identity and access management tool. It plays an essential role in offering services like single sign-on and multi-factor authentication, ensuring secure access to apps ranging from Microsoft 365 to various custom and third-party services.

A Researcher's Discovery

Security expert Dirk-jan Mollema, founder of Outsider Security, uncovered this significant flaw that awarded him Global Administrator privileges across all Entra ID tenants. This level of access is the stuff of nightmares, allowing total control over any services authenticated through Entra ID.

How It Works: Impersonation and Evasion

In Mollema's technical blog post, he elaborates on how actor tokens work—issued by a legacy service intended for SharePoint. These tokens are unsigned, which means they can impersonate any user in the tenant for a 24-hour duration without being revocable.

A Recipe for Disaster

The attributes of actor tokens are especially alarming: - No logs are generated when these tokens are created or used, - They bypass Conditional Access restrictions, - They can be used without any authentication proof.

Exploiting the Flaw: A Step-by-Step Breakdown

Mollema demonstrated the vulnerability through a methodical process of exploitation: 1. Generate an actor token from an attacker-controlled tenant. 2. Identify the targeted tenant's ID using public APIs. 3. Locate a valid user ID in the victim tenant. 4. Create an impersonation token for the Global Administrator. 5. Execute any desired actions using the Azure AD Graph API, with only the final step leaving a log.

Microsoft's Response and Future Plans

In September 2022, Microsoft began to phase out the Azure AD Graph API and warned users about upcoming limitations. After Mollema reported the security issues on July 14, Microsoft confirmed they resolved the situation just nine days later. However, the implications of this vulnerability call for a broader reevaluation of security protocols within Microsoft services.

The Bottom Line: Heightened Awareness Needed

This revelation not only alerts organizations to the possibility of serious security breaches but also emphasizes the importance of ongoing vigilance in security practices. As technology evolves, so too do the tactics employed by malicious actors. Organizations must adapt accordingly to protect their sensitive data.