Critical Microsoft Entra ID Flaws Prompt Rapid Global Patch

This Microsoft Entra ID Vulnerability Could Have Been Catastrophic
Wired

Key Points

  • Researcher Dirk-jan Mollema discovered two critical Entra ID vulnerabilities.
  • Flaws involved misuse of Actor Tokens and a tenant validation error in Azure AD Graph.
  • Exploitation could have granted global administrator rights across cloud tenants.
  • Microsoft quickly investigated, found no abuse, and deployed a global fix.
  • The incident underscores risks of legacy authentication mechanisms.
  • Microsoft is retiring the outdated protocol under its Secure Future Initiative.

Security researcher Dirk-jan Mollema uncovered two serious flaws in Microsoft’s Entra ID identity platform that could have allowed attackers to obtain global administrator rights across cloud tenants. The vulnerabilities involved misuse of Actor Tokens and a validation error in the legacy Azure AD Graph API. Microsoft’s Security Response Center quickly investigated, confirmed no evidence of abuse, and deployed a fix across its cloud ecosystem. The incident highlights risks tied to legacy authentication mechanisms and underscores Microsoft’s push to retire outdated protocols under its Secure Future Initiative.

Background

Microsoft’s Entra ID, formerly known as Azure Active Directory, serves as the core identity and access management system for Azure and Microsoft 365 services. As organizations increasingly rely on cloud platforms, the security of Entra ID becomes critical for protecting user credentials, application access, and subscription management.

Vulnerabilities Discovered

Security researcher Dirk-jan Mollema, who runs the Dutch firm Outsider Security, identified two related flaws. The first involves Actor Tokens issued by the Access Control Service, a rarely used authentication mechanism. The second flaw resides in the historic Azure AD Graph API, which failed to correctly validate the tenant origin of a request. When combined, these issues could let an attacker present an Actor Token from one tenant to the Graph API of another, bypassing normal security checks and granting global administrator privileges.
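A defender's illustration of the validation error described above, added here as example code (it is not Microsoft's code and does not reproduce the real Actor Token format): the tokens are constructed HS256 JWTs with a made-up `tid` tenant claim and a demo key, and the weak check accepts any correctly signed token for any tenant, while the corrected check requires the token's tenant to match the tenant being accessed.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real service verifies against the issuer's published keys.
DEMO_KEY = b"constructed-demo-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def make_token(payload: dict, key: bytes = DEMO_KEY) -> str:
    """Build a minimal HS256 JWT (constructed test data, not a real Actor Token)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verified_claims(token: str, key: bytes = DEMO_KEY) -> Optional[dict]:
    """Return the claims only if the signature verifies; None for bad or malformed tokens."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        return json.loads(_unb64url(body))
    except ValueError:  # covers bad base64, bad JSON, wrong segment count
        return None

def authorize_vulnerable(token: str, target_tenant: str) -> bool:
    """Weak check: a validly signed token is accepted for any tenant because the
    tenant it was issued for (tid) is never compared with target_tenant."""
    claims = verified_claims(token)
    return claims is not None and "tid" in claims

def authorize_fixed(token: str, target_tenant: str) -> bool:
    """Corrected check: the token's tenant must be the tenant being accessed."""
    claims = verified_claims(token)
    return claims is not None and claims.get("tid") == target_tenant

if __name__ == "__main__":
    foreign = make_token({"tid": "tenant-A", "sub": "app-in-A"})
    print(authorize_vulnerable(foreign, "tenant-B"))  # True: cross-tenant token accepted
    print(authorize_fixed(foreign, "tenant-B"))       # False: rejected
    print(authorize_fixed(foreign, "tenant-A"))       # True: home tenant only
```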

Microsoft’s Response

After Mollema reported the findings to Microsoft’s Security Response Center, the company launched an immediate investigation. Within a short period, Microsoft confirmed the vulnerabilities, found no evidence of exploitation, and deployed a code change that corrected the validation logic. The fix was rolled out across the entire cloud environment, and Microsoft announced additional measures to retire the legacy protocol as part of its Secure Future Initiative.

Potential Impact

Had the flaws been weaponized, attackers could have impersonated any user in any tenant, modified configurations, created privileged accounts, and accessed all services that rely on Entra ID—including Azure, SharePoint, and Exchange. The severity was compared to a prior incident where a Chinese espionage group stole a signing key that allowed them to generate authentication tokens for numerous Microsoft services.

Industry Reactions

Security experts highlighted the significance of the discovery, noting that the vulnerabilities represented a rare case of full-tenant compromise in a major identity provider. Microsoft’s rapid remediation was praised as an example of effective coordination between independent researchers and vendor security teams.

Source: Wired