Entra ID certificate bypass: what identity teams need to fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: A low-privileged legacy service principal, over-permissive app roles, PIM group activation, and certificate-based authentication can be chained to reach Global Administrator access in Entra ID, bypassing passwords and MFA, according to Semperis research. The real failure is not one control, but the assumption that individually scoped permissions cannot combine into tenant-wide trust collapse.

NHIMG editorial — based on content published by Semperis: EntraGoat Scenario 6, Certificate Bypass Authority - Root Access Granted

By the numbers:

Questions worth separating out

Q: What breaks when service principal ownership is not governed tightly?

A: Ownership can become a credential-management backdoor, not just an administrative label.

Q: Why do app permissions become dangerous when combined with PIM-eligible roles?

A: Because a limited app permission can become a route to tenant-wide change once a human activation step unlocks a privileged group.

Q: How do security teams know whether certificate-based authentication is over-trusted?

A: A tenant is over-trusting CBA when a small number of role holders can change binding modes, add trusted certificate authorities, or make certificate sign-in satisfy MFA requirements.

Practitioner guidance

  • Map ownership chains across service principals. Identify every service principal that owns another service principal and treat those links as privilege-bearing.
  • Eliminate hardcoded client credentials from legacy automation. Search repositories, scripts, and build artifacts for embedded secrets, then rotate and revoke any service principal credentials found there.
  • Review app-role combinations against tenant configuration rights. Pair Application.ReadWrite.OwnedBy with Organization.ReadWrite.All and similar combinations to see whether a supposedly limited app can reach authentication settings or other tenant-wide controls.
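The first and third guidance points above can be checked together: an owner of a service principal can add credentials to it and sign in as it, so the permissions an app can reach are its own plus those of everything it owns, directly or through a chain. The script below is an added example, not Semperis' or NHIMG's code; it runs over a constructed inventory whose records mirror the fields a collector would pull from Microsoft Graph (`/servicePrincipals/{id}/owners` and the app permission names behind `appRoleAssignments`), and the `sp-*` ids and names are placeholders.

```python
"""Flag service principals whose ownership chain reaches a risky app-role combination."""
from collections import defaultdict

# Constructed sample inventory (placeholder ids, not real tenant data). Each record
# carries the service principal id, its owners' ids, and the Graph app permission
# names it has been granted.
INVENTORY = [
    {"id": "sp-legacy", "displayName": "legacy-sync-app",
     "owners": [], "permissions": ["Application.ReadWrite.OwnedBy"]},
    {"id": "sp-config", "displayName": "tenant-config-app",
     "owners": ["sp-legacy"], "permissions": ["Organization.ReadWrite.All", "User.Read.All"]},
    {"id": "sp-reporting", "displayName": "reporting-app",
     "owners": ["user-alice"], "permissions": ["AuditLog.Read.All"]},
]

# The combination the guidance singles out: credential control over owned apps
# paired with tenant-wide configuration rights. Extend with other pairs as needed.
RISKY_PAIRS = {("Application.ReadWrite.OwnedBy", "Organization.ReadWrite.All")}


def ownership_edges(inventory):
    """Return (owner_id, owned_id) pairs where the owner is itself a service principal."""
    sp_ids = {sp["id"] for sp in inventory}
    return [(o, sp["id"]) for sp in inventory for o in sp["owners"] if o in sp_ids]


def effective_permissions(inventory):
    """Map each SP id to its own permissions plus those of every SP it transitively owns."""
    owned = defaultdict(set)
    for owner, owned_id in ownership_edges(inventory):
        owned[owner].add(owned_id)
    own = {sp["id"]: set(sp["permissions"]) for sp in inventory}
    reach = {}
    for sp_id in own:
        seen, stack, perms = {sp_id}, [sp_id], set(own[sp_id])
        while stack:  # depth-first walk; 'seen' guards against ownership cycles
            for child in owned[stack.pop()]:
                if child not in seen:
                    seen.add(child)
                    stack.append(child)
                    perms |= own[child]
        reach[sp_id] = perms
    return reach


def find_risky(inventory):
    """Return sorted ids of SPs whose reachable permissions contain a risky pair."""
    reach = effective_permissions(inventory)
    return sorted(sp for sp, ps in reach.items()
                  if any(a in ps and b in ps for a, b in RISKY_PAIRS))
```

In the sample data only `legacy-sync-app` is flagged: it holds neither tenant-wide permission itself, but owning `tenant-config-app` gives it the pair.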

What's in the full article

Semperis' full research covers the operational detail this post intentionally leaves for the source:

  • The exact EntraGoat walkthrough for pivoting from a legacy service principal into a privileged user context
  • The full Graph API sequence used to activate PIM, enable certificate-based authentication, and upload the rogue root CA
  • The working certificate generation and validation steps, including the troubleshooting that appears in real environments
  • The cleanup and verification steps used to restore the simulated tenant after the scenario is completed

👉 Read Semperis' EntraGoat scenario on certificate bypass and Global Admin access →
