Obtaining Global Admin in Every Entra ID Tenant
6 hours ago
- #Microsoft
- #Security Vulnerability
- #Entra ID
- A critical vulnerability in Entra ID allowed global admin access across all tenants via 'Actor tokens'.
- Actor tokens are undocumented impersonation tokens used by Microsoft for service-to-service communication, bypassing security policies like Conditional Access.
- The vulnerability involved a flaw in the Azure AD Graph API that failed to validate the originating tenant, enabling cross-tenant access.
- Exploiting this flaw allowed attackers to impersonate any user, including Global Admins, in any tenant without generating logs.
- Microsoft fixed the vulnerability quickly after reporting, issuing CVE-2025-55241 and implementing further mitigations.
- The vulnerability could have been exploited to access sensitive data like user details, group info, tenant settings, and application permissions.
- Actor tokens lack essential security controls: they generate no logs, cannot be revoked during their 24-hour lifetime, and bypass Conditional Access.
- Attackers could brute-force user 'netIds' or leverage B2B trust relationships to compromise tenants.
- Detection of abuse is challenging, but modifications via Actor tokens leave unique audit logs.
- Microsoft has since restricted Actor token issuance for the Azure AD Graph API to internal services only.