TL;DR: Nine of 104 tested applications were found vulnerable to nOAuth abuse, a low-complexity cross-tenant attack that can enable account takeover, data exfiltration, persistence, and lateral movement in Entra-connected SaaS, according to Semperis. The governance failure is deeper than a misconfigured claim: applications that trust mutable email attributes as identity have already lost the stability assumption IAM depends on.
NHIMG editorial — based on content published by Semperis: nOAuth abuse research and disclosure findings
Questions worth separating out
Q: How should security teams prevent cross-tenant account takeover in SaaS apps?
A: Security teams should require stable identity binding, usually issuer plus subject, and forbid account linking based on mutable attributes such as email.
Q: Why do email claims create identity risk in federated SaaS environments?
A: Email claims are risky because they are useful for contact and lookup but are not stable proof of identity.
Q: What do teams get wrong about account merging in multi-IdP applications?
A: Teams often assume that a matching email means the same person, when it only means the same address value.
Practitioner guidance
- Replace email-based account keys: Require application teams to bind users with immutable issuer and subject claims, and block account creation paths that key on mutable email attributes.
- Test SaaS account-merge logic: Validate whether each Entra-connected application performs ownership proof before merging identities from different sources or tenants.
- Review app registrations for unverified claims: Check whether any app registration still accepts unverified email claims and document whether the application consumes them for identity decisions.
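The account-key and account-merge points above, as an added example that is not part of the Semperis research or this editorial: a vulnerable email-keyed lookup next to a hardened lookup keyed on the (iss, sub) pair, plus a link step gated on ownership proof. The claim sets, issuer URLs, tenant-id placeholders and the in-memory user store are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class UserStore:
    """Hypothetical in-memory user store with two lookup indexes."""
    by_email: dict = field(default_factory=dict)     # mutable key: the nOAuth-prone index
    by_identity: dict = field(default_factory=dict)  # stable key: (iss, sub) pair

# Constructed issuer URLs and claims; tenant ids are placeholders, not real values.
VICTIM_ISS = "https://login.microsoftonline.com/<victim-tenant-id>/v2.0"
OTHER_ISS = "https://login.microsoftonline.com/<other-tenant-id>/v2.0"
VICTIM_CLAIMS = {"iss": VICTIM_ISS, "sub": "sub-alice", "email": "alice@victim.example"}
# Token minted by a different tenant whose user's email attribute carries the victim's address.
CROSS_TENANT_CLAIMS = {"iss": OTHER_ISS, "sub": "sub-mallory", "email": "alice@victim.example"}

def make_store() -> UserStore:
    """Seed the store with the victim's account, created earlier via the legitimate tenant."""
    store = UserStore()
    store.by_email["alice@victim.example"] = "acct-alice"
    store.by_identity[(VICTIM_ISS, "sub-alice")] = "acct-alice"
    return store

def resolve_by_email(claims: dict, store: UserStore) -> Optional[str]:
    """Vulnerable pattern: any token carrying the same email address maps to the same account."""
    return store.by_email.get(claims["email"])

def resolve_by_identity(claims: dict, store: UserStore) -> str:
    """Hardened pattern: key solely on (iss, sub); an unknown identity gets a fresh account."""
    key = (claims["iss"], claims["sub"])
    account = store.by_identity.get(key)
    if account is None:
        # Email is recorded as contact data only; it never selects an existing account.
        account = f"acct-{claims['sub']}"
        store.by_identity[key] = account
    return account

def link_identity(claims: dict, target_account: str, store: UserStore, ownership_proven: bool) -> bool:
    """Merge a new (iss, sub) into an existing account only after out-of-band ownership proof.
    `ownership_proven` stands in for the result of that proof (hypothetical flag)."""
    if not ownership_proven:
        return False
    store.by_identity[(claims["iss"], claims["sub"])] = target_account
    return True
```

With the email-keyed lookup the cross-tenant token lands in the victim's account; with the identity-keyed lookup it lands in its own account until an explicit, proven link is made.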
What's in the full article
Semperis's full research covers the operational detail this post intentionally leaves for the source:
- The step-by-step nOAuth abuse workflow across Entra tenant setup, app registration, and token handling.
- The testing approach Semperis used against 104 applications in the Entra App Gallery.
- Developer-level mitigation guidance for moving from email claims to immutable OIDC identifiers.
- The disclosure timeline with MSRC and the vendor response context behind the research.
Read Semperis's analysis of nOAuth abuse in Entra-connected SaaS.
nOAuth abuse and cross-tenant account takeover: what teams miss?