TL;DR: Actor tokens in Microsoft Entra ID let attackers impersonate users across tenants, bypass Conditional Access, and leave little victim-side logging, according to Fabrix Security's analysis of CVE-2025-55241. The real governance failure is not just patching a flaw, but removing legacy delegation paths that break tenant binding, revocation, and auditability.
NHIMG editorial — based on content published by Fabrix Security: Exploiting Actor Tokens: High-Level Overview
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: What breaks when legacy impersonation tokens can be used across tenants?
A: Tenant-scoped trust breaks first, because a token issued in one directory can be accepted as authority in another.
Q: Why do deprecated identity APIs create disproportionate risk for IAM teams?
A: Deprecated APIs often keep old authentication semantics alive after the organisation has moved on to newer controls, which creates hidden trust paths.
Q: What do security teams get wrong about token-based persistence?
A: They often focus on account reset and miss the durable artefacts that survive a token compromise.
Practitioner guidance
- Inventory every legacy impersonation and delegation path Map all services and APIs that still accept deprecated Azure AD Graph or similar legacy token flows, then remove or isolate them before relying on policy claims.
- Verify tenant and issuer binding on all token acceptance points Test whether each identity boundary rejects tokens created in the wrong tenant or with mismatched issuer context, including old APIs, service integrations, and admin workflows.
- Eliminate permanent Global Admin standing privilege Move privileged administration to JIT access, then confirm that no long-lived Global Admin assignments remain in hidden accounts, shadow apps, or emergency break-glass paths that can be reached through impersonation.
What's in the full article
Fabrix Security's full research covers the operational detail this post intentionally leaves for the source:
- Step-by-step breakdown of how Actor Tokens were obtained and replayed across tenants.
- Detailed mitigation guidance for migrating off Azure AD Graph and validating patch coverage.
- Practical examples of how to hunt for shadow applications, added secrets, and hidden admin roles.
- The original technical reasoning behind the cross-tenant impersonation flaw and its exploitability.
👉 Read Fabrix Security's analysis of Entra ID actor token abuse and tenant impersonation →
Actor token abuse in Entra ID: what IAM teams need to fix?
Explore further
Legacy impersonation paths become governance liabilities when tenant binding is no longer enforced. Actor tokens were designed for a narrow delegation condition, but that condition collapsed once tokens could be replayed across tenants. The result is not just a bug in validation, but a governance failure in how identity authority is scoped and retired. Practitioners should treat any undocumented impersonation mechanism as a control boundary until proven otherwise.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who is accountable when impersonation abuse bypasses directory controls?
A: Accountability sits across identity platform owners, application owners, and privileged access governance, because the failure usually spans token policy, API lifecycle, and role management. If the organisation allowed the legacy path to remain active, the control owner for that path is accountable for the exposure. If it was not inventoried, ownership is itself the gap.
👉 Read our full editorial: Actor token abuse in Entra ID exposes tenant-wide impersonation