By NHI Mgmt Group Editorial Team
Published 2026-05-21
Domain: Agentic AI & NHIs
Source: Netwrix

TL;DR: AI-assisted browser automation can turn Microsoft Graph Explorer into a destructive Entra ID administration path when a signed-in account already has privileged access, enabling user deletion, password resets, session revocation, and Conditional Access removal through browser-side JavaScript and batch requests, according to Netwrix. The real issue is not AI inventing a new attack, but accelerating administrative abuse inside existing trust boundaries.


At a glance

What this is: This is a browser-automation analysis showing how AI-assisted workflows can convert Entra ID administrative access into destructive tenant actions through Microsoft Graph Explorer.

Why it matters: It matters because IAM teams must treat browser sessions, consent flows, and privileged tokens as a combined control surface across NHI, autonomous tooling, and human admin access.

By the numbers:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.



Context

Microsoft Graph Explorer is a browser-based administrative interface, which means the browser session itself becomes part of the control plane when a privileged account is signed in. In this case, AI-assisted automation did not create new permissions. It accelerated the use of existing Entra ID permissions to enumerate, modify, and delete tenant objects through normal Graph operations.

For IAM and identity governance teams, the important question is not whether an AI assistant can type commands faster. It is whether privileged browser sessions, consented scopes, and API-accessible admin functions are governed as one attack surface. Once those elements are combined, destructive actions can be chained from the same session with very little friction.


Key questions

Q: What breaks when an AI assistant can drive privileged Entra ID browser sessions?

A: When an AI assistant can operate inside a privileged browser session, the boundary between human action and scripted action collapses. Destructive tasks such as user deletion, password resets, policy removal, and session revocation can be chained from the same authenticated context. The failure is not AI intelligence, but the lack of separation between admin browsing and destructive control.

Q: Why do privileged browser sessions increase tenant lockout risk?

A: Privileged browser sessions increase tenant lockout risk because they already carry the authority needed to disable accounts, revoke sessions, and alter access policies. If those actions can be automated from the same session, one workflow can remove both access and recovery. In Entra ID, that turns administrative convenience into a lockout pathway.

Q: How should security teams limit destructive Microsoft Graph operations?

A: Security teams should limit destructive Microsoft Graph operations by separating read and write administration paths, constraining consent to sensitive scopes, and monitoring for bulk deletion or disablement from privileged sessions. The goal is to prevent one browser context from becoming a mass-change interface. Controls should focus on session isolation and scoped elevation.

Q: Who is accountable when tenant lockout is triggered through admin tooling?

A: Accountability sits with the identity governance and access owners who allow destructive capabilities to be reachable from ordinary admin workflows. If a privileged browser session can delete users or remove policies without secondary containment, the governance model has not separated routine administration from recovery-critical actions. That gap is a control design problem, not just an incident response issue.


Technical breakdown

Browser session capture becomes a control-plane primitive

Microsoft Graph Explorer issues authenticated requests from the signed-in browser session, so an in-session script can intercept headers and reuse the bearer token without needing a separate malware implant or external proxy. That makes the browser itself a workable admin automation surface. When an AI assistant can inspect the page, modify JavaScript, and trigger requests, the distinction between user action and scripted action begins to blur. The security boundary is no longer just authentication. It is the combination of session state, browser execution context, and the privileges already attached to that token.

Practical implication: privileged browser sessions need the same scrutiny as API clients, including tight session controls and admin isolation.

Microsoft Graph batch requests compress destructive actions

Graph batch operations let a client package multiple API calls into one request, which is efficient for administration but dangerous when the goal is mass deletion or lockout. In the article’s workflow, the same structure was used to reset passwords, revoke sessions, and disable accounts across many users in groups. This is not a new privilege model. It is a force multiplier for whatever the token can already do. The risk increases when batch execution, token reuse, and broad permissions all exist inside a single browser session.

Practical implication: monitor and constrain Graph batch use in privileged contexts, especially where destructive writes are possible.
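The batch pattern above shows up in audit data as many destructive writes from one actor within seconds. The following detector, added here as an illustration and not code from Netwrix or this site, slides a time window over simplified Entra audit-style events (the event shape and sample values are constructed; real audit entries carry the same activity names but a richer schema, so map the fields for your tenant) and fires when one initiator crosses a destructive-operation threshold.

```python
from datetime import datetime, timedelta

# Entra audit-log activity names that correspond to the destructive Graph operations
# discussed above. The names mirror real audit entries; verify them against your tenant.
DESTRUCTIVE = {"Delete user", "Reset user password", "Revoke sign-in sessions",
               "Delete conditional access policy"}

def is_destructive(ev):
    """Classify one audit event. 'Update user' counts only when it disables the account."""
    if ev["activity"] in DESTRUCTIVE:
        return True
    if ev["activity"] == "Update user":
        return any(p.get("name") == "AccountEnabled" and p.get("new") == "false"
                   for p in ev.get("props", []))
    return False

def detect_bursts(events, window_s=60, threshold=5):
    """Alert when one initiator performs >= threshold destructive ops inside window_s seconds.
    A Graph $batch of deletes looks exactly like this: many writes, one actor, seconds apart."""
    alerts, recent = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_destructive(ev):
            continue
        t = datetime.fromisoformat(ev["ts"])
        q = recent.setdefault(ev["initiator"], [])
        before = len(q)
        q.append(t)
        while t - q[0] > timedelta(seconds=window_s):  # drop events outside the window
            q.pop(0)
        if before < threshold <= len(q):  # fire once as the threshold is crossed
            alerts.append({"initiator": ev["initiator"], "count": len(q), "at": ev["ts"]})
    return alerts

# Constructed sample events (simplified audit-log shape), not data from the article.
SAMPLE_EVENTS = [
    {"ts": "2026-05-21T10:00:00", "initiator": "ga@contoso.example", "activity": "Delete user"},
    {"ts": "2026-05-21T10:00:01", "initiator": "ga@contoso.example", "activity": "Delete user"},
    {"ts": "2026-05-21T10:00:02", "initiator": "ga@contoso.example", "activity": "Update user",
     "props": [{"name": "DisplayName", "new": "Ann Example"}]},        # benign edit, ignored
    {"ts": "2026-05-21T10:00:03", "initiator": "ga@contoso.example", "activity": "Reset user password"},
    {"ts": "2026-05-21T10:00:04", "initiator": "ga@contoso.example", "activity": "Revoke sign-in sessions"},
    {"ts": "2026-05-21T10:00:05", "initiator": "ga@contoso.example", "activity": "Update user",
     "props": [{"name": "AccountEnabled", "new": "false"}]},            # disable = destructive
    {"ts": "2026-05-21T10:05:00", "initiator": "helpdesk@contoso.example", "activity": "Reset user password"},
]
```

Running `detect_bursts(SAMPLE_EVENTS)` yields a single alert for `ga@contoso.example` at the fifth destructive write; the lone helpdesk password reset never reaches the threshold.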

Consent-driven scope expansion turns read access into write access

Graph Explorer surfaces the permissions required for an endpoint, and a privileged user can consent to expand scope inside the same workflow. That means access can evolve mid-session from read-only enumeration to deletion and policy removal without leaving the browser. The article shows permissions such as Application.ReadWrite.All, Policy.ReadWrite.ConditionalAccess, RoleManagement.ReadWrite.Directory, and User.DeleteRestore.All being granted as needed. Once those scopes are present, the assistant can automate destructive calls just as easily as discovery calls.

Practical implication: review consent workflows for privileged administrators and restrict who can expand scopes from within browser-based tooling.
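One concrete way to see mid-session scope expansion is to compare what the session's access token carried before and after a consent prompt. The snippet below is an added example, not code from Netwrix or this site: it reads the delegated `scp` claim and the application `roles` claim from a token payload and reports which of the destructive scopes named above were newly gained. The tokens are constructed, unsigned samples; a real Entra token would be validated, not just decoded.

```python
import base64
import json

# Delegated Graph scopes the article shows being consented to mid-session; any of these
# turns an enumeration-only session into one that can delete, reset or remove policy.
DESTRUCTIVE_SCOPES = {
    "Application.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess",
    "RoleManagement.ReadWrite.Directory", "User.DeleteRestore.All",
}

def _b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_permissions(token):
    """Return the effective permissions carried by an access token: delegated scopes live in
    the space-separated 'scp' claim, application roles in the 'roles' list. The signature is
    not checked here; this inspects a token the session already holds, it does not validate it."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return set(payload.get("scp", "").split()) | set(payload.get("roles", []))

def review_elevation(before, after):
    """Compare permissions before and after an in-session consent and return the destructive
    scopes that were newly gained, i.e. the set that should require a second approval."""
    return sorted((after - before) & DESTRUCTIVE_SCOPES)

def _sample_token(claims):
    """Build an unsigned token for demonstration only (constructed; not a real Entra token)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

# Constructed sample: the same session before and after consenting to two extra scopes.
READ_ONLY = _sample_token({"aud": "https://graph.microsoft.com",
                           "scp": "User.Read.All Directory.Read.All"})
ELEVATED = _sample_token({"aud": "https://graph.microsoft.com",
                          "scp": "User.Read.All Directory.Read.All "
                                 "User.DeleteRestore.All Policy.ReadWrite.ConditionalAccess"})

def check_session():
    """Return the destructive scopes added mid-session in the constructed sample."""
    return review_elevation(token_permissions(READ_ONLY), token_permissions(ELEVATED))
```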


Threat narrative

Attacker objective: The objective is to use already-privileged identity access to disable recovery, remove administrative control, and leave the tenant unable to manage its own users and policies.

  1. Entry occurred through a signed-in Global Administrator session in Microsoft Graph Explorer, where the browser itself provided authenticated access to tenant administration functions.
  2. Escalation came from token interception and consented scope expansion, which allowed browser-side automation to move from enumeration to deletion, disablement, password reset, and session revocation.
  3. Impact was tenant destruction and lockout, including deleted users, removed policies, revoked access, and recovery disruption across the Entra ID environment.



NHI Mgmt Group analysis

Browser-side AI turns privileged admin sessions into a destructive control plane. This is not a new identity type, but it is a new operating model for misuse. When an AI assistant can observe the page, alter JavaScript, and trigger Graph requests inside a signed-in browser, the control boundary shifts from the admin console to the session itself. Practitioners should treat browser execution context as part of privileged access governance.

Consent-driven scope expansion is the failure mode, not just excess privilege. The article shows how a read-oriented Graph session became a write-capable destructive workflow once the operator consented to additional scopes. That means the real governance gap is not simply standing privilege, but mid-session privilege escalation through delegated browser consent. IAM teams need to re-evaluate how much authority a single browser session can accumulate before review or termination.

Tenant destruction is an identity governance problem before it is a technical one. Password resets, session revocation, account disablement, policy deletion, and device removal all operate through legitimate Entra ID controls. The abuse occurs when those controls are reachable from a privileged session with no secondary containment. The practitioner implication is clear: destructive API capability must be separated from routine admin browsing.

Graph Explorer has become a practical example of identity blast radius. The article demonstrates how one authenticated session can enumerate, modify, and remove large parts of a tenant at speed. That makes blast-radius modelling more important than isolated permission checks, because the risk is the chain of actions, not any single request. Security teams should assess how much tenant damage one privileged browser session can cause before recovery breaks.

From our research:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
  • The same research notes that DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys.
  • For the broader governance pattern behind this post, see Ultimate Guide to NHIs for lifecycle, visibility, and privilege-control context.

What this signals

Identity blast radius is the right concept for this kind of browser-assisted admin abuse. When a single authenticated session can enumerate, consent, delete, disable, and revoke at speed, the programme question changes from whether controls exist to how much damage one session can do before recovery fails.

With only 44% of developers reported to follow secrets-management best practices, per The State of Secrets in AppSec, organisations are already dealing with weak operational discipline around sensitive credentials. The same governance pattern appears here in privileged browser use: convenience outpaces control design.

Teams should assess whether privileged browser workflows are explicitly covered by Zero Trust and access-governance policy. The relevant frame is not just MFA or session timeout, but whether admin browsing, consent, and destructive API capability are separated enough to keep recovery available after misuse.


For practitioners

  • Isolate privileged browser sessions: Keep high-risk administrator work out of general-purpose browsers and separate destructive Entra ID operations from routine sign-in sessions. Use dedicated admin workstations or tightly governed access paths for accounts that can delete users, revoke sessions, or change policies.
  • Restrict mid-session scope expansion: Review consent flows in Graph Explorer and similar browser tools so privileged users cannot freely accumulate write scopes during the same session. Require stronger approval, shorter-lived elevation, or pre-authorised endpoints for destructive permissions.
  • Monitor Graph batch activity for destructive patterns: Alert on grouped delete, disable, password reset, and revoke-session requests that arrive as batch operations from privileged contexts. Treat high-volume write sequences as a sign of tenant lockout or destructive automation, not routine admin use.
  • Protect recovery accounts and break-glass paths: Keep a small set of recovery-capable accounts outside everyday admin workflows and verify they remain available if conditional access or account disablement is abused. Test whether those accounts can still restore the tenant after mass deletion or lockout.

Key takeaways

  • AI-assisted browser automation can make ordinary Entra ID admin sessions destructive if privileged scopes and browser access are not separated.
  • The evidence in the article shows that destructive Graph actions can be chained through consent, batch requests, and token reuse inside one browser session.
  • The practical control point is not AI suppression, but reduction of tenant blast radius through session isolation, consent limits, and recovery-path protection.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) sets the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Agentic AI Top 10          |                     | AI-assisted browser execution and tool use create agentic governance risk.
OWASP Non-Human Identity Top 10  | NHI-03              | The article shows destructive outcomes from privileged token use and scope expansion.
NIST Zero Trust (SP 800-207)     | PR.AC-4             | Privileged browser sessions need continuous verification and segmentation.

Bind AI-assisted admin workflows to explicit approval and constrained tool scopes.


Key terms

  • Privileged Browser Session: A privileged browser session is a logged-in browser context that already holds administrative authority and can act directly against identity systems. In practice, the browser becomes part of the control plane because the session can carry tokens, consent scopes, and API access that permit destructive operations without leaving the page.
  • Consent-Driven Scope Expansion: Consent-driven scope expansion is the process of granting additional permissions during an active session so a tool can do more than it could at the start. For identity governance, this matters because one browser workflow can move from safe-looking read access to write-capable destructive access before the session ends.
  • Tenant Lockout: Tenant lockout is the state in which an organisation loses the ability to manage its own identity environment because administrative access has been removed, disabled, or made unusable. In Entra ID, lockout can follow mass account disablement, broken access policies, or the loss of all recovery-capable administrators.
  • Identity Blast Radius: Identity blast radius is the maximum amount of damage a compromised or misused identity can cause before containment or recovery interrupts it. For browser-based administration, it measures how much of the tenant a single session can enumerate, change, delete, or lock out through legitimate controls.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Netwrix: Automating Entra ID tenant destruction with AI. Read the original.
