Microsoft Entra ID Flaw Let Attackers Hijack Company Tenants

Summary
– A critical vulnerability (CVE-2025-55241) in the Azure AD Graph API, combined with undocumented “actor tokens”, could have allowed complete compromise of any Microsoft Entra ID tenant.
– Actor tokens are high-privileged service tokens; the impersonation tokens a service builds around them are unsigned, so the holder can assert any user identity, and they stay valid for 24 hours with no logging in the tenant and no enforcement of Conditional Access policies.
– Security researcher Dirk-jan Mollema discovered that by changing the tenant ID claim in the impersonation token built from an actor token issued to his own tenant, he could obtain Global Administrator privileges in any other organization’s tenant, because the API never checked that the tenant in the token matched the tenant the actor token was issued for.
– An attacker exploiting this flaw could perform any administrative action, such as creating users or resetting passwords, with only the victim’s public tenant ID and a valid user identifier from that tenant.
– Microsoft fixed the issue within days of Mollema’s July report and published CVE-2025-55241 in September, while the deprecated Azure AD Graph API continues to be phased out.
A critical security flaw discovered in Microsoft’s identity management system could have granted attackers complete control over any organization’s Microsoft Entra ID tenant. This vulnerability stemmed from a dangerous combination of undocumented “actor tokens” and a weakness in the Azure AD Graph API, designated as CVE-2025-55241. The issue would have enabled threat actors to access highly sensitive corporate data while leaving virtually no trace of their initial intrusion in the target’s security logs.
Microsoft Entra ID, formerly Azure Active Directory, serves as the central cloud-based identity and access management service for countless organizations. It manages secure access to a vast array of applications, from Microsoft 365 to third-party services like Salesforce and Dropbox. Each company operates its own dedicated Entra ID instance, or tenant, which controls authentication for its entire digital ecosystem.
The flaw was uncovered by security researcher Dirk-jan Mollema, who found that a token validation issue could grant him Global Admin privileges in any Entra ID tenant worldwide. This level of access represents a total tenant compromise, allowing an attacker to impersonate any user and gain entry to every service authenticated through Entra ID. Mollema identified that the problem originated with “actor tokens,” which are issued by a legacy component known as the Access Control Service.
These actor tokens possess significant security shortcomings. The impersonation tokens that a service constructs around them are unsigned, so whoever holds an actor token can forge a token for any user within the tenant. Furthermore, they remain valid for a full 24 hours with no possibility of revocation. Critically, their issuance and use do not generate logs within Entra ID itself, and they completely bypass security policies set in Conditional Access. Mollema described the entire design as something that should never have existed due to its lack of fundamental security controls.
During his investigation, Mollema discovered that by taking an actor token issued to a tenant he controlled, building an impersonation token around it with the tenant ID changed to that of a target organization and the user identifier set to a valid user from that victim tenant, he could successfully query the deprecated Azure AD Graph API. The API accepted the token as valid and returned data from the foreign tenant: it never verified that the tenant named in the token matched the tenant the underlying actor token had actually been issued for. This meant that with only publicly available information and the identifier of any regular user, an attacker could gain a foothold.
The exploitation process was straightforward. An attacker would first generate an actor token from their own controlled tenant. They would then find the public tenant ID of the target organization and identify a valid user identifier within it. Using these pieces of information, they could craft an impersonation token, list all Global Administrators in the tenant, and then craft a new token impersonating one of those admins. This would grant them the ability to perform any administrative action, such as creating new users, modifying configurations, or resetting passwords. Alarmingly, only the changes finally made with the stolen Global Admin privileges would be recorded in the victim’s audit logs; the reconnaissance reads that preceded them left no trace.
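The following Python is an added illustration, not code from the researcher’s write-up or from Microsoft, of the tenant check the API was missing. It models a signed actor token issued to one tenant, the unsigned impersonation token a holder can build around it, and two acceptance routines: a weak one that trusts the tenant claim in the impersonation token, and a hardened one that requires the impersonation tenant, the actor token’s own tenant, and the tenant whose data is requested to all agree. The claim names, token layout, tenant IDs and the HMAC stand-in for the identity provider’s signature are assumptions and simplifications, not the real ACS or Entra formats.

```python
"""Toy model of the tenant-consistency check a resource API must apply to
actor-token-based impersonation. Added example; claim names, layout and the
HMAC 'issuer signature' are assumptions, not Microsoft's real formats."""
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the identity provider's private signing key.
ISSUER_KEY = b"stand-in for the identity provider's signing key"

# Constructed tenant IDs used by the demo functions below.
ATTACKER_TENANT = "11111111-1111-1111-1111-111111111111"
VICTIM_TENANT = "22222222-2222-2222-2222-222222222222"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_actor_token(app_id: str, tenant_id: str) -> str:
    """Signed token the identity provider hands to a service for one tenant."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"appid": app_id, "tid": tenant_id}).encode())
    sig = hmac.new(ISSUER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def build_impersonation_token(actor_token: str, tenant_id: str, user_id: str) -> str:
    """Unsigned wrapper the holder builds to act as user_id in tenant_id.
    Nothing stops the holder from writing any tenant_id / user_id here."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = {"actortoken": actor_token, "tid": tenant_id, "nameid": user_id}
    return f"{header}.{_b64url(json.dumps(body).encode())}."


def _claims(token: str) -> dict:
    return json.loads(_unb64url(token.split(".")[1]))


def _actor_token_valid(actor_token: str) -> bool:
    header, payload, sig = actor_token.split(".")
    expected = hmac.new(ISSUER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _unb64url(sig))


def accept_vulnerable(imp_token: str, resource_tenant: str) -> bool:
    """Weak check: verifies the actor token's signature but trusts the tenant
    claim in the unsigned wrapper, never comparing it with the tenant the
    actor token was issued for."""
    imp = _claims(imp_token)
    return _actor_token_valid(imp["actortoken"]) and imp["tid"] == resource_tenant


def accept_hardened(imp_token: str, resource_tenant: str) -> bool:
    """Correct check: wrapper tenant, actor-token tenant and the tenant whose
    data is being requested must all be the same."""
    imp = _claims(imp_token)
    actor = imp["actortoken"]
    if not _actor_token_valid(actor):
        return False
    return _claims(actor)["tid"] == imp["tid"] == resource_tenant


def cross_tenant_demo() -> tuple:
    """Actor token from the attacker's tenant, wrapper pointed at the victim."""
    actor = issue_actor_token("attacker-app", ATTACKER_TENANT)
    forged = build_impersonation_token(actor, VICTIM_TENANT, "victim-user-id")
    return accept_vulnerable(forged, VICTIM_TENANT), accept_hardened(forged, VICTIM_TENANT)


def same_tenant_demo() -> tuple:
    """Legitimate use: actor token and wrapper both belong to the same tenant."""
    actor = issue_actor_token("legit-app", VICTIM_TENANT)
    token = build_impersonation_token(actor, VICTIM_TENANT, "victim-user-id")
    return accept_vulnerable(token, VICTIM_TENANT), accept_hardened(token, VICTIM_TENANT)


if __name__ == "__main__":
    print("cross-tenant (vulnerable, hardened):", cross_tenant_demo())  # (True, False)
    print("same-tenant  (vulnerable, hardened):", same_tenant_demo())   # (True, True)
```

The weak routine reproduces the class of mistake described above: the only thing a cryptographic check can vouch for is the actor token, so every claim in the unsigned wrapper, including the tenant, must be cross-checked against it rather than believed on its own.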
It is worth noting that Microsoft had already begun deprecating the vulnerable Azure AD Graph API, with plans to disable it for most applications by early September 2025. Mollema reported the issues to Microsoft on July 14, and the company confirmed a resolution just nine days later. On September 4, Microsoft published CVE-2025-55241, rating it a critical elevation-of-privilege vulnerability in Azure Entra.
(Source: Bleeping Computer)

