Microsoft Entra ID Flaw: The Critical Security Risk You Can’t Ignore

Summary
– A security researcher discovered two critical vulnerabilities in Microsoft Azure’s Entra ID platform that could have allowed global administrator access across all customer accounts.
– The flaws would have enabled an attacker to impersonate any user, modify configurations, create admin accounts, and compromise nearly every Entra ID tenant worldwide.
– Both vulnerabilities stemmed from legacy systems: one involving special “Actor Tokens” and another from improper tenant validation in the Azure Active Directory Graph API.
– Microsoft was notified on July 14 and implemented a global fix by July 17, with full remediation confirmed by July 23 and additional measures added in August.
– Microsoft stated there was no evidence of the vulnerabilities being exploited and accelerated efforts to retire the legacy protocols involved.

The shift from on-premises servers to cloud infrastructure has brought undeniable benefits, but it also introduces new security complexities that organizations must navigate. When vulnerabilities emerge within core identity and access management systems, the potential impact can be staggering. A recent discovery by security researcher Dirk-jan Mollema revealed two critical flaws in Microsoft Entra ID, formerly Azure Active Directory, which could have allowed an attacker to seize global administrator privileges across nearly every customer tenant.
While preparing for a presentation at the Black Hat security conference, Mollema identified vulnerabilities that, when chained together, could grant an attacker what he describes as “god mode” access. This would enable complete control over any Entra ID directory, including the ability to modify configurations, create new administrative users, and access sensitive data across organizations worldwide. The only potential exceptions might have been some government cloud environments.
Mollema, founder of the Dutch cybersecurity firm Outsider Security, expressed shock at the severity of the issue. From a test or trial tenant, he explained, an attacker could request specific tokens and impersonate any user in any other tenant. The implications were severe, allowing unauthorized changes to system settings and full administrative takeover without legitimate credentials.
Recognizing the gravity of the situation, Mollema reported his findings to the Microsoft Security Response Center on the same day he made the discovery. Microsoft acted swiftly, initiating an investigation immediately and deploying a global fix within just three days. By late July, the company confirmed the vulnerability was resolved, with additional protective measures implemented in August. A formal CVE was issued in early September.
According to Tom Gallagher, Vice President of Engineering at Microsoft’s Security Response Center, the company mitigated the issue rapidly as part of its Secure Future Initiative. A code change was applied to the vulnerable validation logic, tested thoroughly, and rolled out across Microsoft’s cloud ecosystem. Gallagher emphasized that Microsoft found no evidence of the flaw being exploited in the wild.
The vulnerabilities stemmed from legacy components still active within Entra ID. One involved a little-known Azure mechanism called the “Access Control Service,” which issues special authentication tokens known as Actor Tokens. These tokens possess unique system properties that became dangerous when combined with a second flaw in the aging Azure Active Directory Graph API.
This legacy API, which Microsoft is in the process of retiring, failed to properly validate the tenant origin of access requests. Attackers could manipulate the system into accepting an Actor Token issued from an unauthorized tenant, bypassing critical security checks. The transition to Microsoft Graph, the modern successor designed for Entra ID, is part of the ongoing effort to eliminate such legacy risks.
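The defect the article describes is a resource API that checks a token's signature and audience but never binds the token's issuing tenant to the tenant whose data is being requested. The following is an added illustration of that class of check, not Microsoft's code and not a model of the real Actor Token format: it uses a constructed HS256 signing key in place of the identity provider's keys, standard JWT claims (`aud`, `exp`) plus `tid` as the issuing-tenant claim, and a placeholder audience. The weak authorizer accepts any validly signed token for the audience; the hardened one additionally requires `tid` to equal the target tenant.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for this example only. A real identity provider signs
# tokens with its own keys; what is demonstrated here is the tenant binding,
# not the signature scheme.
EXAMPLE_KEY = b"example-signing-key-not-a-real-secret"
EXPECTED_AUDIENCE = "https://graph.example.invalid"  # placeholder audience


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = EXAMPLE_KEY) -> str:
    """Build a compact HS256 JWT over `claims` (test helper, not production code)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_and_decode(token: str, key: bytes = EXAMPLE_KEY) -> dict:
    """Check the HMAC signature and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims


def authorize_weak(token: str, target_tenant: str) -> str:
    """Missing tenant validation: any correctly signed token for this audience is
    accepted, no matter which tenant issued it. `target_tenant` is never consulted."""
    try:
        claims = verify_and_decode(token)
    except ValueError as exc:
        return f"deny: {exc}"
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return "deny: wrong audience"
    return "allow"


def authorize_strict(token: str, target_tenant: str) -> str:
    """Hardened check: the issuing tenant (`tid`) must match the tenant whose
    directory is being accessed, so a token from tenant A cannot act in tenant B."""
    try:
        claims = verify_and_decode(token)
    except ValueError as exc:
        return f"deny: {exc}"
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return "deny: wrong audience"
    if claims.get("tid") != target_tenant:
        return f"deny: token issued by tenant {claims.get('tid')!r}, not {target_tenant!r}"
    return "allow"


def demo() -> dict:
    """Constructed scenario: a token minted in tenant A presented against tenant B."""
    token_a = mint_token({
        "aud": EXPECTED_AUDIENCE,
        "tid": "tenant-a-constructed",
        "sub": "user-in-tenant-a",
        "exp": int(time.time()) + 600,
    })
    return {
        "weak_cross_tenant": authorize_weak(token_a, "tenant-b-constructed"),
        "strict_cross_tenant": authorize_strict(token_a, "tenant-b-constructed"),
        "strict_same_tenant": authorize_strict(token_a, "tenant-a-constructed"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the weak path returning `allow` for the cross-tenant request while the strict path denies it and still allows the same-tenant request. In a real resource server the `tid` comparison would be made against the tenant resolved from the request path or host, and the signature check would use the provider's published keys rather than a shared secret.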
(Source: Wired)
