---
title: "Microsoft Patches Entra ID Flaw That Threatened Every Cloud Tenant"
date: 2025-09-22
author: "Sofia Ramirez"
featured_image: "https://sqmagazine.co.uk/wp-content/uploads/2025/09/microsoft-patches-entra-id-flaw-that-threatened-every-cloud-tenant.jpg"
categories:
  - name: "Cybersecurity"
    url: "/cybersecurity.md"
tags:
  - name: "News"
    url: "/tag/news.md"
---

# Microsoft Patches Entra ID Flaw That Threatened Every Cloud Tenant

A critical security flaw in **Microsoft Entra ID** could have allowed attackers to impersonate **Global Administrators** across *any* cloud tenant. Microsoft has now patched the issue, stopping what could have been one of the most severe identity vulnerabilities in recent history.

## Quick Summary – TLDR:

- A vulnerability (CVE‑2025‑55241) in Microsoft Entra ID allowed Actor tokens, combined with a validation flaw in the Azure AD Graph API, to be abused for cross‑tenant Global Admin impersonation.
- The tokens bypassed key protections such as Conditional Access, Multi-Factor Authentication, and logging, leaving almost no trace.
- Microsoft patched the flaw within days of discovery, with no customer action required.
- Organizations are urged to retire Azure AD Graph API and migrate to Microsoft Graph.

## What Happened?

Security researcher **Dirk‑jan Mollema**, founder of **Outsider Security**, [discovered a serious flaw](https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/) in Microsoft Entra ID that allowed cross-tenant impersonation of users, including **Global Admins**, using legacy **Actor tokens** and a broken validation mechanism in the deprecated **Azure AD Graph API**.

On **July 14, 2025**, Mollema reported the issue to Microsoft. It was assigned **CVE‑2025‑55241** with a **CVSS score of 10.0**, the highest possible. Microsoft patched the issue globally by **July 17**.

The exploit leveraged two things: **Actor tokens** issued by Microsoft’s **Access Control Service** and a legacy API that failed to properly check the source tenant of those tokens.

> 🚨Detect Actor Token Abuse ([\#CVE](https://twitter.com/hashtag/CVE?src=hash&ref_src=twsrc%5Etfw)-2025-55241)  
>   
> After verifying the details with [@\_dirkjan](https://twitter.com/_dirkjan?ref_src=twsrc%5Etfw), I created a query to detect Actor Token abuse, regardless of the activity involved. The idea is simple: If these activities are S2S, they should originate from Microsoft service IPs. 🧐… [pic.twitter.com/RCnRLzqU7M](https://t.co/RCnRLzqU7M)
> 
> — Mehmet Ergene (@Cyb3rMonk) [September 19, 2025](https://twitter.com/Cyb3rMonk/status/1969020334943744191?ref_src=twsrc%5Etfw)

## Technical Impact

An attacker with no special privileges could use their own Entra ID tenant to generate an **Actor token**. They could then use this token to **impersonate any user** in another tenant, including **Global Admins**.

Because Actor tokens are **not signed**, valid for **24 hours**, **non-revocable**, and **bypass Conditional Access and MFA**, they posed a significant [security risk](https://sqmagazine.co.uk/cybersecurity-statistics/).

There was **no logging** when these tokens were created or used, and **no alerts** were triggered during impersonation. The only log entries would be those written if the attacker modified the target tenant, for example by creating new users or altering configuration.

## Microsoft’s Response and Fix

[Microsoft confirmed](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55241) and patched the flaw in **just three days**. The company also began rolling out **mitigations** that prevent third-party apps from requesting Actor tokens for the Azure AD Graph API.

Microsoft is also moving ahead with the **retirement** of the **Azure AD Graph API**, encouraging all users to migrate to **Microsoft Graph**, which offers **better validation** and **stronger logging**.

Importantly, [Microsoft](https://sqmagazine.co.uk/microsoft-statistics/) said it has **no evidence** that the vulnerability was exploited in the wild.

## What Should Organizations Do?

- Verify that your tenant is **up-to-date** with Microsoft’s fix
- Audit all applications still relying on **Azure AD Graph API** and plan migration to **Microsoft Graph**
- Review logs for **suspicious Global Admin activity**, especially around **user creation**, **role changes**, or **application permissions**
- Enforce **least privilege access** across all service principals and user roles
- Stay updated on **Microsoft’s retirement timeline** for legacy identity APIs
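To support the audit step above, here is an added example (not from the article or from Microsoft) that walks app registrations in the shape returned by Microsoft Graph's `/applications` endpoint or `az ad app list` and reports every app whose `requiredResourceAccess` still targets the legacy Azure AD Graph resource. It assumes the well-known first-party resource app IDs for Azure AD Graph and Microsoft Graph; the sample applications and permission IDs are constructed.

```python
import json
import sys

# Well-known first-party resource app IDs (assumed stable constants, not
# values taken from the article).
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"  # Azure AD Graph (legacy)
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph


def aad_graph_dependencies(apps: list[dict]) -> list[dict]:
    """One finding per app registration that still requests Azure AD Graph.
    Application ("Role") permissions are counted apart from delegated ("Scope")
    ones: app-only access is what a service principal uses with no signed-in user."""
    findings = []
    for app in apps:
        for rra in app.get("requiredResourceAccess", []):
            if rra.get("resourceAppId") != AAD_GRAPH_APP_ID:
                continue
            perms = rra.get("resourceAccess", [])
            findings.append({
                "appId": app.get("appId"),
                "displayName": app.get("displayName"),
                "delegated": sum(p.get("type") == "Scope" for p in perms),
                "application": sum(p.get("type") == "Role" for p in perms),
            })
    return findings


def _perm(n: int, kind: str) -> dict:  # constructed placeholder permission entry
    return {"id": f"pppppppp-0000-4000-8000-{n:012d}", "type": kind}


# Constructed sample in the shape of Microsoft Graph /applications output.
SAMPLE_APPS = [
    {"appId": "aaaaaaaa-0000-4000-8000-000000000001", "displayName": "hr-sync",
     "requiredResourceAccess": [{"resourceAppId": AAD_GRAPH_APP_ID,
                                "resourceAccess": [_perm(1, "Role"), _perm(2, "Scope")]}]},
    {"appId": "aaaaaaaa-0000-4000-8000-000000000002", "displayName": "portal",
     "requiredResourceAccess": [{"resourceAppId": MS_GRAPH_APP_ID,
                                "resourceAccess": [_perm(3, "Scope")]}]},
    {"appId": "aaaaaaaa-0000-4000-8000-000000000003", "displayName": "legacy-report",
     "requiredResourceAccess": [{"resourceAppId": MS_GRAPH_APP_ID, "resourceAccess": []},
                                {"resourceAppId": AAD_GRAPH_APP_ID,
                                 "resourceAccess": [_perm(4, "Scope")]}]},
]

if __name__ == "__main__":
    # Pipe real data in (e.g. `az ad app list --all | python audit.py`); otherwise use the sample.
    apps = SAMPLE_APPS if sys.stdin.isatty() else json.load(sys.stdin)
    for f in aad_graph_dependencies(apps):
        print(f"{f['displayName']} ({f['appId']}): {f['application']} application, "
              f"{f['delegated']} delegated Azure AD Graph permission(s)")
```

Apps that only appear in the `requiredResourceAccess` list are the registrations you own; service principals from third-party multi-tenant apps need the same check against their consented permissions.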

## Broader Implications

This incident highlights the danger of **legacy systems** and **undocumented internal tools**. The **Actor token** system, meant for internal use, created a backdoor that allowed complete tenant compromise with no visibility to the victim.

It also exposes how **logging gaps** and **cross-service assumptions** can weaken even highly secure environments. Conditional Access and MFA, while robust, were not effective in this case because the attack vector sat **outside the usual identity flow**.

Organizations must ensure they fully understand and monitor any **third-party or legacy dependencies** that touch authentication and identity services.

## SQ Magazine’s Takeaway

I think this flaw is one of the scariest identity bugs we’ve seen in years. The idea that someone could quietly impersonate your **Global Admin**, make changes, and walk away without a trace is just chilling. It’s a clear sign that **legacy APIs**, no matter how hidden, can become **open doors** if not retired.

If you’re still using **Azure AD Graph**, **stop everything** and move to **Microsoft Graph** today. Identity is the front door to everything in the [cloud](https://sqmagazine.co.uk/cloud-computing-statistics/). And we just learned how easily that door could have been kicked open.