TL;DR: Actor tokens in Microsoft Entra ID let attackers impersonate users across tenants, bypass Conditional Access, and leave little victim-side logging, according to Fabrix Security's analysis of CVE-2025-55241. The real governance failure is not just patching a flaw, but removing legacy delegation paths that break tenant binding, revocation, and auditability.
NHIMG editorial — based on content published by Fabrix Security: Exploiting Actor Tokens: High-Level Overview
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: What breaks when legacy impersonation tokens can be used across tenants?
A: Tenant-scoped trust breaks first, because a token issued in one directory can be accepted as authority in another.
Q: Why do deprecated identity APIs create disproportionate risk for IAM teams?
A: Deprecated APIs often keep old authentication semantics alive after the organisation has moved on to newer controls, which creates hidden trust paths.
Q: What do security teams get wrong about token-based persistence?
A: They often focus on account reset and miss the durable artefacts that survive a token compromise.
Practitioner guidance
- Inventory every legacy impersonation and delegation path: map all services and APIs that still accept deprecated Azure AD Graph or similar legacy token flows, then remove or isolate them before relying on policy claims.
- Verify tenant and issuer binding on all token acceptance points: test whether each identity boundary rejects tokens created in the wrong tenant or with mismatched issuer context, including old APIs, service integrations, and admin workflows.
- Eliminate permanent Global Admin standing privilege: move privileged administration to JIT access, then confirm that no long-lived Global Admin assignments remain in hidden accounts, shadow apps, or emergency break-glass paths that can be reached through impersonation.
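A claims-level tenant and issuer binding check of the kind the second item above describes, added here as an example that is not part of this post or of Fabrix Security's research. The tenant ids, audience, clock value and tokens are constructed placeholders, and signature verification is assumed to have been done by the JWT library before these checks run.

```python
import base64
import json

# Constructed placeholders: not real tenant ids or resource identifiers.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
FOREIGN_TENANT = "22222222-2222-2222-2222-222222222222"
AUDIENCE = "api://example-resource"
NOW = 1_700_000_000  # fixed clock so the demo is deterministic

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_demo_token(claims: dict) -> str:
    """Constructed JWT-shaped string for the demo; the signature segment is a dummy."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.dummysig"

def decode_claims(token: str) -> dict:
    """Read payload claims only. Signature verification is assumed done by the JWT library first."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def issuers_for_tenant(tid: str) -> set:
    """The v1 and v2 issuer URLs Entra ID uses for one tenant."""
    return {f"https://sts.windows.net/{tid}/", f"https://login.microsoftonline.com/{tid}/v2.0"}

def check_tenant_binding(claims: dict, allowed_tenants: set, audience: str, now: float) -> tuple:
    """Bind an already signature-verified token to the tenant and resource this endpoint expects."""
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        return False, "tenant not allowed"
    if claims.get("iss") not in issuers_for_tenant(tid):
        return False, "issuer does not match tid"  # tid claims one tenant, issuer is another
    if claims.get("aud") != audience:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"

def evaluate(token: str) -> tuple:
    return check_tenant_binding(decode_claims(token), {HOME_TENANT}, AUDIENCE, NOW)

# Constructed tokens: home tenant, foreign tenant, and one whose tid and iss disagree.
_base = {"aud": AUDIENCE, "exp": NOW + 600}
HOME_TOKEN = make_demo_token({**_base, "tid": HOME_TENANT, "iss": f"https://login.microsoftonline.com/{HOME_TENANT}/v2.0"})
FOREIGN_TOKEN = make_demo_token({**_base, "tid": FOREIGN_TENANT, "iss": f"https://sts.windows.net/{FOREIGN_TENANT}/"})
MISMATCH_TOKEN = make_demo_token({**_base, "tid": HOME_TENANT, "iss": f"https://sts.windows.net/{FOREIGN_TENANT}/"})
```

Only the home-tenant token passes; the foreign token and the token whose tid and issuer disagree are both rejected with a reason that can be logged at the acceptance point.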
What's in the full article
Fabrix Security's full research covers the operational detail this post intentionally leaves for the source:
- Step-by-step breakdown of how Actor Tokens were obtained and replayed across tenants.
- Detailed mitigation guidance for migrating off Azure AD Graph and validating patch coverage.
- Practical examples of how to hunt for shadow applications, added secrets, and hidden admin roles.
- The original technical reasoning behind the cross-tenant impersonation flaw and its exploitability.
Read Fabrix Security's analysis of Entra ID actor token abuse and tenant impersonation.
Actor token abuse in Entra ID: what IAM teams need to fix?