In September 2025, a critical vulnerability was disclosed in Microsoft’s Entra ID (formerly Azure Active Directory) that could have allowed adversaries to gain Global Administrator access in any organization’s tenant. The flaw, which stems from a combination of legacy token misuse and a validation gap in the Azure AD Graph API, is tracked as CVE-2025-55241 and rated CVSS 10.0 (Critical).
Security researcher Dirk-jan Mollema uncovered a weakness in “actor tokens,” an undocumented legacy token type, that let attackers impersonate any user, including administrators, without leaving sign-in logs in the target tenant. Microsoft confirmed the issue, fixed it on the service side, and shortly afterwards began retiring the legacy component involved.
What Happened?
The investigation found that actor tokens, which Microsoft’s internal Access Control Service (ACS) issues for legacy service-to-service communication, were accepted by Entra ID’s Azure AD Graph endpoint in a way that bypassed the usual security checks. The actor token itself is signed by Microsoft, but the impersonation token built around it, the part that names the tenant and the user to impersonate, is unsigned. The tokens are valid for 24 hours, cannot be revoked during that window, and are logged neither when issued nor when used, which makes them potent stealth tools.
Because the tenant ID and user identifier in the impersonation token were not covered by any signature, and Azure AD Graph did not check that the underlying actor token had been issued for the tenant being accessed, an attacker could request an actor token from a tenant they control, then reuse it against any other tenant by substituting the target tenant’s ID and a valid user’s netId. When sent to the Azure AD Graph API, the token was accepted and the caller was treated as that user in the other tenant, even though no trust relationship existed between the two tenants.
From there, attackers could impersonate Global Administrators and carry out any operation (user creation, password resets, configuration changes, directory read/write). Reads through Azure AD Graph left no trace at all in the victim’s logs; only modifications appeared, as audit-log entries attributed to the impersonated user, with no matching sign-in log entry.
How It Happened
- Legacy Token Design Flaw – The root issue lay in actor tokens, intended for internal Microsoft services but accepted by the Azure AD Graph API. Because the impersonation token wrapping them was neither cryptographically signed nor audited, it could be abused across tenant boundaries.
- Cross-Tenant Token Acceptance – Azure AD Graph accepted an attacker-crafted impersonation token even when the tenant the actor token had originally been issued for did not match the target tenant.
- Lack of Logging & Revocation Mechanisms – Actor token issuance and usage generated zero logs in the victim tenant, and the tokens were valid for a full 24 hours with no way to revoke mid-lifespan.
- Use of a Deprecated API – The exploit relied on the Azure AD Graph API (graph.windows.net), which Microsoft was already retiring. Actor tokens sent to that API sidestepped many of the newer controls, such as Conditional Access, that apply to Microsoft Graph.
Attack Path
- The attacker requests an actor token in a tenant they control.
- They wrap it in an unsigned impersonation token carrying the target tenant’s ID and the netId of a valid user in that tenant.
- They send that token to Azure AD Graph.
- The API accepts it and treats the attacker as that user.
- By choosing the netId of a Global Administrator, they act with that role and perform unrestricted actions.
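The following is an added toy model of the two properties described under “How It Happened” and in the attack path above: an issuer-signed actor token whose issuing tenant is inside the signed body, an unsigned impersonation wrapper in which the caller simply asserts a tenant and a user, and a validator that trusts the wrapper without comparing it to the signed token. It is illustrative code written for this article, not Microsoft’s implementation; the HMAC key, claim names (`tid`, `nameid`, `actortoken`) and the `vulnerable_accept`/`hardened_accept` functions are assumptions chosen to make the flaw and its fix visible side by side.

```python
import base64
import hashlib
import hmac
import json

# Constructed toy model of the flaw. The key, claim names and functions are
# assumptions made for illustration; they are not Microsoft's implementation.
ISSUER_KEY = b"toy-acs-signing-key"  # hypothetical issuer secret


def _b64(data: dict) -> str:
    raw = json.dumps(data, sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> dict:
    padded = text + "=" * (-len(text) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def issue_actor_token(issuing_tenant: str, app_id: str) -> str:
    """Issuer-signed actor token: the tenant it was requested for is in the signed body."""
    body = _b64({"iss": "toy-acs", "tid": issuing_tenant, "appid": app_id})
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_actor_token(token: str) -> dict:
    """Check the issuer signature and return the signed claims."""
    body, sig = token.split(".")
    expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("actor token signature invalid")
    return _unb64(body)


def build_impersonation_token(actor_token: str, tenant_id: str, net_id: str) -> dict:
    """Unsigned wrapper: the caller asserts which tenant and which user it acts as."""
    return {"actortoken": actor_token, "tid": tenant_id, "nameid": net_id}


def vulnerable_accept(imp: dict, requested_tenant: str) -> dict:
    """Models the original behaviour: only the inner actor token is verified.
    The tenant and user in the unsigned wrapper are trusted as-is, and
    requested_tenant is never compared against anything."""
    actor = verify_actor_token(imp["actortoken"])
    return {"tenant": imp["tid"], "user": imp["nameid"], "app": actor["appid"]}


def hardened_accept(imp: dict, requested_tenant: str) -> dict:
    """Bind the wrapper to the signed token: the tenant in the wrapper, the tenant
    the request targets, and the tenant the issuer signed must all agree."""
    actor = verify_actor_token(imp["actortoken"])
    if not (actor["tid"] == imp["tid"] == requested_tenant):
        raise PermissionError("actor token was not issued for the requested tenant")
    return {"tenant": requested_tenant, "user": imp["nameid"], "app": actor["appid"]}


def demo() -> tuple:
    """Cross-tenant replay: token from the attacker's tenant, wrapper naming the victim's."""
    attacker_tenant = "11111111-aaaa-4bbb-8ccc-000000000001"  # constructed IDs
    victim_tenant = "22222222-aaaa-4bbb-8ccc-000000000002"
    actor = issue_actor_token(attacker_tenant, "attacker-app")
    forged = build_impersonation_token(actor, victim_tenant, "victim-admin-netid")
    accepted = vulnerable_accept(forged, victim_tenant)  # impersonation succeeds
    try:
        hardened_accept(forged, victim_tenant)
        blocked = False
    except PermissionError:
        blocked = True
    return accepted["tenant"], accepted["user"], blocked


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that a valid signature on the inner token is not enough: anything the signature does not cover (here the tenant and the user in the wrapper) is attacker-controlled input, and the consuming API must tie those claims back to what the issuer actually signed and to the tenant it is serving.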
Possible Impact
If exploited before Microsoft’s patch, this flaw could have resulted in severe cross-tenant compromise scenarios. Because Entra ID is the backbone of Microsoft 365 and Azure access control, the potential blast radius was massive.
Potential consequences include:
- Full tenant takeover – Attackers could impersonate any user, including Global Administrators.
- Invisible persistence – Since the exploit left almost no logs, attackers could maintain undetected access for up to 24 hours per token.
- Data exfiltration – Sensitive business data, emails, files, and configurations could be stolen from Microsoft 365 and Azure environments.
- Service disruption – Malicious actors could modify or delete critical resources or users, impacting business operations.
- Cross-organization attacks – Compromised tenants could be used as stepping stones to target partner or supplier tenants within connected ecosystems.
Recommendations
Organizations using Microsoft Entra ID (Azure AD) should act immediately to ensure they’re protected:
- Confirm the fix – The vulnerability was fixed by Microsoft on the service side; there is no update for customers to install. Confirm from Microsoft’s advisory for CVE-2025-55241 that no customer action is required, and focus effort on reviewing your tenants for signs of prior abuse rather than on patch deployment.
- Disable deprecated APIs – Block or restrict access to the Azure AD Graph API (graph.windows.net) and migrate to Microsoft Graph API, which has stronger token validation.
- Review service principals and app registrations – Audit for abnormal service-to-service tokens or unused app credentials that could signal prior misuse.
- Enable advanced logging and monitoring – Use Microsoft Entra ID audit and sign-in logs, Defender for Cloud Apps, and Conditional Access insights to detect unusual privileged activity. In particular, correlate audit-log changes with sign-in logs: a privileged change made by a user who has no corresponding sign-in is exactly the pattern this flaw would have produced.
- Implement least privilege and zero trust – Restrict global admin roles, enforce MFA, and adopt continuous verification for high-privilege actions.
- Educate identity and cloud teams – Ensure internal staff understand how legacy token mechanisms differ from modern standards and why strict token hygiene is vital.
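Because impersonation via actor tokens produced audit-log entries without sign-in entries, the practical hunt for the “logging and monitoring” recommendation above is a correlation: privileged directory changes whose initiating user has no successful sign-in in the preceding token lifetime. The script below is an added example written for this article, not Microsoft’s or NHI Mgmt Group’s tooling. The field names follow the Microsoft Graph `directoryAudit` and `signIn` resources, but the log lines are constructed, the list of privileged actions is an assumption, and in a real deployment the records would be pulled from `auditLogs/directoryAudits` and `auditLogs/signIns` or from a SIEM export.

```python
import json
from datetime import datetime, timedelta

# Constructed sample log lines (not real tenant data). Field names follow the
# Microsoft Graph directoryAudit and signIn resources; values are invented.
SIGNIN_LOG = """
{"createdDateTime": "2025-09-05T08:55:00Z", "userPrincipalName": "alice@contoso.example", "status": {"errorCode": 0}}
{"createdDateTime": "2025-09-05T09:10:00Z", "userPrincipalName": "carol@contoso.example", "status": {"errorCode": 50126}}
"""

AUDIT_LOG = """
{"activityDateTime": "2025-09-05T09:30:00Z", "activityDisplayName": "Update user", "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}}}
{"activityDateTime": "2025-09-05T10:02:00Z", "activityDisplayName": "Add member to role", "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}}}
{"activityDateTime": "2025-09-05T10:05:00Z", "activityDisplayName": "Reset user password", "initiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}}}
{"activityDateTime": "2025-09-05T10:20:00Z", "activityDisplayName": "Update application", "initiatedBy": {"app": {"displayName": "Provisioning Service"}}}
"""

# Assumed set of high-impact operations worth correlating; extend to taste.
PRIVILEGED_ACTIONS = {
    "Add member to role",
    "Reset user password",
    "Update user",
    "Add service principal credentials",
}


def _parse(lines: str) -> list:
    return [json.loads(l) for l in lines.strip().splitlines() if l.strip()]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def successful_signins(signin_lines: str) -> dict:
    """Map lower-cased UPN -> list of timestamps of successful sign-ins (errorCode 0)."""
    out = {}
    for rec in _parse(signin_lines):
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed sign-ins do not establish a session
        upn = rec["userPrincipalName"].lower()
        out.setdefault(upn, []).append(_ts(rec["createdDateTime"]))
    return out


def changes_without_signin(audit_lines: str, signin_lines: str,
                           window: timedelta = timedelta(hours=24),
                           actions: set = PRIVILEGED_ACTIONS) -> list:
    """Return (upn, action, time) for privileged user-initiated changes with no
    successful sign-in by that user within `window` before the change.
    The 24h default matches the actor-token lifetime described in the article."""
    signins = successful_signins(signin_lines)
    flagged = []
    for ev in _parse(audit_lines):
        user = ev.get("initiatedBy", {}).get("user")
        if not user:
            continue  # app-initiated changes have no user sign-in; out of scope here
        if ev["activityDisplayName"] not in actions:
            continue
        when = _ts(ev["activityDateTime"])
        upn = user["userPrincipalName"].lower()
        recent = [t for t in signins.get(upn, []) if when - window <= t <= when]
        if not recent:
            flagged.append((upn, ev["activityDisplayName"], ev["activityDateTime"]))
    return flagged


if __name__ == "__main__":
    for hit in changes_without_signin(AUDIT_LOG, SIGNIN_LOG):
        print("no sign-in backing privileged change:", hit)
```

On the sample data, alice’s change is backed by a sign-in, bob’s role assignment has no sign-in at all, and carol’s password reset is preceded only by a failed sign-in, so bob and carol are flagged. Treat this as a hunting query rather than a hard detection: long-lived sessions and refresh tokens can legitimately outlast 24 hours, so tune the window to your tenant’s session policy and review hits rather than auto-blocking on them.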
How NHI Management Group Can Help
At NHI Mgmt Group, we specialize in helping organizations secure their non-human and machine identities, the very identities that underpin systems like Microsoft Entra ID. Incidents like this highlight why identity security isn’t just a configuration issue, it’s an architectural one.
Our consulting services help enterprises assess their identity posture, uncover hidden vulnerabilities in tokens, secrets, and API connections, and build a resilient defense model aligned with modern identity frameworks. We bring deep expertise in Zero Trust, workload identity, and machine-to-machine security, ensuring your environments stay secure even when core platforms face vulnerabilities.
For teams seeking to upskill, our NHI Foundation Level Training Course is the world’s first structured learning program dedicated to Non-Human Identity Security. This course provides security professionals, engineers, and architects with the knowledge and hands-on understanding needed to protect APIs, cloud workloads, service accounts, and machine credentials in today’s interconnected environments.
Secure your NHIs. Strengthen your knowledge. Join the NHI Foundation Level Training Course today.
Conclusion
This vulnerability underscores how legacy identity components can silently undermine even the most advanced cloud systems. Microsoft’s quick patching minimized the exposure, but the discovery should serve as a wake-up call for all enterprises relying on Entra ID.
Modern identity systems demand constant vigilance, token lifecycle transparency, and continuous modernization. Any residual dependency on outdated APIs or token types should be treated as a critical risk vector.