Critical Azure Entra ID Flaw Highlights Microsoft IAM Issues

Summary

A high-severity elevation-of-privilege vulnerability (CVE-2025-55241) in Microsoft’s Azure AD Graph API could have allowed attackers to impersonate users — including global admins — across tenants. Discovered by Dirk-jan Mollema, the issue hinges on an authentication failure combined with undocumented, unsigned “Actor” tokens that bypass access controls, conditional access and logging. Microsoft mitigated the issue over the summer and pushed further mitigations after the research was publicised, but the flaw exposes deeper concerns about legacy authentication components and limited visibility for external researchers.

Key Points

  • CVE-2025-55241 is an elevation-of-privilege bug in the Azure AD Graph API; its CVSS score was raised from 9.0 to 10.0.
  • Undocumented “Actor” tokens, used for backend service-to-service calls, are unsigned, bypass access controls and are not logged when requested, creating a stealthy impersonation vector.
  • Mollema demonstrated cross-tenant access by creating and modifying Actor tokens and guessing incremental netIDs to impersonate users (including global admins) in other tenants.
  • Actor tokens cannot be revoked during their 24-hour lifetime and generate minimal telemetry, hampering detection and forensics.
  • Microsoft has implemented mitigations, including blocking customers from requesting Actor tokens via Azure AD Graph and additional fixes after public disclosure.
  • The incident revives criticism of Microsoft’s cloud IAM practices and echoes findings from the CSRB report on past systemic security shortcomings.

Why should I read this?

Short and blunt: this could’ve let attackers own other organisations’ Entra tenants without leaving a trail. If you run Azure, manage identity, or care about cloud security hygiene, you’re going to want the lowdown so you can check mitigations, token handling and logging in your estate.

Author take

Punchy and to the point: Mollema’s findings are a stark reminder that legacy auth code and undocumented token flows can be catastrophic. Microsoft fixed the immediate problem, but the root cause is a design and transparency issue — one that needs more than a hotfix.

Context and relevance

This story matters because it touches core identity infrastructure used by millions of cloud tenants. It highlights three ongoing trends: (1) risks from legacy APIs, including those already slated for retirement, that still see active use; (2) the danger of undocumented service tokens that bypass controls and logging; and (3) continued scrutiny of Microsoft’s cloud security posture following prior CSRB findings. Organisations should review token issuance, conditional access coverage, logging and mitigation status for Azure/Entra ID.

Source

Source: https://www.darkreading.com/cloud-security/critical-azure-entra-id-flaw-microsoft-iam-issues
