Microsoft Seals Critical Entra ID Flaw After Discovery of Global-Tenant Admin Impersonation Vulnerability
September 22, 2025
Microsoft has fixed a severe vulnerability (CVE-2025-55241) in its identity platform, Entra ID (formerly Azure Active Directory), that could have allowed an attacker with nothing more than a tenant of their own to impersonate Global Administrators in any other tenant worldwide. The flaw, which carried a maximum severity score (CVSS 10.0), combined a legacy token type with a broken validation check in a way that exposed virtually every organisation using Entra ID to potential full compromise. Because the defect sat in Microsoft's cloud services rather than in customer software, the fix was applied on Microsoft's side; there is no patch for customers to install.
What Was the Vulnerability?
- Actor tokens and legacy APIs: The issue stemmed from an obscure mechanism inside Microsoft's backend called "Actor tokens", intended for service-to-service (S2S) communication between Microsoft's own services. These tokens are issued by the legacy Access Control Service (ACS). A service holding an Actor token presents it inside a second, unsigned "impersonation" token that names the tenant and the user it wants to act as; the signed Actor token is what is supposed to make that unsigned token trustworthy.
- Broken tenant validation: The legacy Azure AD Graph API (graph.windows.net) accepted these impersonation tokens without checking that the tenant named in them was the tenant the Actor token had been issued for. An attacker could therefore obtain an Actor token from their own (unprivileged) tenant, write the victim's tenant ID and a victim user's internal identifier (netId) into the unsigned part, and be treated by Azure AD Graph as that user, including a Global Administrator, in the victim tenant. Both the tenant ID and user netIds were obtainable without privileged access.
- Bypassing security controls: Actor tokens are not subject to Conditional Access or MFA, their issuance is not written to the tenant's sign-in logs, and Azure AD Graph recorded no log for read operations. Only write operations would have appeared in the victim's audit log, and those would have been attributed to the impersonated user. Discovery and data theft could therefore have proceeded with no trace in the victim tenant.
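To make the validation failure concrete, here is a deliberately simplified model of the token flow, written for this article and not taken from Microsoft's code or from the researcher's write-up. It uses an HMAC key in place of the ACS signing key and simplified claim names; only the shape of the bug is faithful: a signed Actor token bound to one tenant vouches for an unsigned impersonation token, and the vulnerable validator trusts whatever tenant the caller wrote into the unsigned part.

```python
"""Simplified model of the CVE-2025-55241 flaw class: an unsigned impersonation
token whose tenant claim is never checked against the tenant of the signed
Actor token that vouches for it. Claim names, key handling and the signing
scheme are simplifications for this example, not Microsoft's real formats."""
import base64
import hashlib
import hmac
import json
import time

AAD_GRAPH_AUDIENCE = "https://graph.windows.net"
# Hypothetical issuer key standing in for the Access Control Service key.
ISSUER_KEY = b"demo-acs-signing-key-not-real"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(header: dict, claims: dict) -> str:
    return _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())


def _decode_claims(token: str) -> dict:
    return json.loads(_b64url_decode(token.split(".")[1]))


def issue_actor_token(tenant_id: str, app_id: str, ttl: int = 86400) -> str:
    """Actor token: signed by the issuer and bound to the tenant it was requested for."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"aud": AAD_GRAPH_AUDIENCE, "tid": tenant_id, "appid": app_id,
              "exp": int(time.time()) + ttl}
    signing_input = _encode(header, claims)
    sig = hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_actor_token(token: str) -> dict:
    """Checks issuer signature, audience and expiry; returns the Actor token claims."""
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise PermissionError("actor token signature invalid")
    claims = _decode_claims(token)
    if claims["aud"] != AAD_GRAPH_AUDIENCE or claims["exp"] < time.time():
        raise PermissionError("actor token audience/expiry invalid")
    return claims


def make_impersonation_token(actor_token: str, tenant_id: str, user_netid: str) -> str:
    """Unsigned (alg none) token built by the caller; the embedded Actor token is
    what is supposed to make it trustworthy. Nothing stops the caller from
    writing any tenant ID and any user identifier into it."""
    header = {"alg": "none", "typ": "JWT"}
    claims = {"aud": AAD_GRAPH_AUDIENCE, "tid": tenant_id, "nameid": user_netid,
              "actortoken": actor_token}
    return _encode(header, claims) + "."


def validate_vulnerable(imp_token: str) -> dict:
    """Pre-fix behaviour: the Actor token is verified, but the tenant the caller
    wrote into the unsigned impersonation token is trusted as-is."""
    imp = _decode_claims(imp_token)
    actor = verify_actor_token(imp["actortoken"])
    return {"tenant": imp["tid"], "user": imp["nameid"], "via_app": actor["appid"]}


def validate_hardened(imp_token: str) -> dict:
    """Fixed behaviour: the impersonation token may only name the tenant the
    Actor token was issued for, so a token from one tenant cannot act in another."""
    imp = _decode_claims(imp_token)
    actor = verify_actor_token(imp["actortoken"])
    if imp["tid"] != actor["tid"]:
        raise PermissionError(
            f"actor token for tenant {actor['tid']} cannot act in tenant {imp['tid']}")
    return {"tenant": imp["tid"], "user": imp["nameid"], "via_app": actor["appid"]}


if __name__ == "__main__":
    # Constructed tenant IDs and identifiers for the demonstration.
    attacker_tid = "11111111-1111-1111-1111-111111111111"
    victim_tid = "22222222-2222-2222-2222-222222222222"
    actor = issue_actor_token(attacker_tid, "attacker-app")
    forged = make_impersonation_token(actor, victim_tid, "victim-global-admin-netid")
    print("vulnerable:", validate_vulnerable(forged))
    try:
        validate_hardened(forged)
    except PermissionError as err:
        print("hardened  :", err)
```

The Actor token itself is legitimate throughout; the attacker requested it for their own tenant. What the hardened validator adds is the cross-check that the real service lacked: the tenant in the unsigned part must equal the tenant the signed part was issued for. Note that the fix in the model still accepts an unsigned impersonation token, as the real design did; the trust boundary is the Actor token's tenant, and that is the check that must hold.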
Timeline & Discovery
- The vulnerability was discovered by researcher Dirk-jan Mollema of Outsider Security on July 14, 2025.
- Microsoft was notified the same day and rolled out a global fix on July 17, 2025, with further mitigations applied in early August; CVE-2025-55241 was assigned on September 4, 2025, and the researcher published his findings on September 17.
- The legacy Azure AD Graph API was already scheduled for retirement (Microsoft Graph is its successor); following disclosure, Microsoft has accelerated steps to decommission it.
Potential Impact
Had the vulnerability been exploited:
- Attackers could have impersonated ANY user, including Global Admins, in any tenant, needing only the victim's tenant ID and a user's internal identifier.
- Complete tenant compromise was possible: reading or altering directory data, creating new privileged accounts, modifying application and role permissions, changing tenant configurations, and accessing any service tied to Entra ID (e.g. Azure, Microsoft 365, SharePoint, Exchange).
- Little to no logging would survive the attack: Actor token issuance leaves no sign-in log in the victim tenant, and Azure AD Graph produced no telemetry for reads. Only directory changes would have been recorded, and they would have appeared in the audit log as actions of the impersonated user.
Microsoft’s Response and Mitigations
- Fix deployed globally on the service side on July 17, 2025; no customer action was required for the fix itself.
- Blocked the ability of applications to request Actor tokens for the Azure AD Graph API.
- Accelerated retirement of legacy systems, particularly the Azure AD Graph API, and urged customers to migrate to Microsoft Graph.
Microsoft has stated there is no evidence that the flaw was exploited in the wild to date.
What Organisations Should Do Now
- Understand that there is nothing to patch locally: the fix for CVE-2025-55241 lives in Microsoft's services and has already been applied to every tenant. Your work is in the remaining items.
- Migrate off the Azure AD Graph API: Inventory applications and service principals that still request permissions on the legacy Graph API (resource app ID 00000002-0000-0000-c000-000000000000) and move them to Microsoft Graph before the legacy endpoint is switched off.
- Audit Global Admin and privileged roles: Review all administrators and service principals, including recently created accounts and newly added credentials on privileged applications, to see if unauthorised principals have slipped in.
- Improve visibility: Because reads through this exploit path produced no tenant-side logs and no sign-in events, the only traces would be directory changes in the audit log. Look for privileged changes attributed to an administrator that have no corresponding sign-in by that administrator, and for changes made at unusual times or from unfamiliar workflows.
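The two inventory steps above, finding applications that still depend on Azure AD Graph and reviewing who holds Global Administrator, can be scripted against Microsoft Graph. The following is an added example written for this article, not a Microsoft tool. It works on the JSON shapes returned by GET https://graph.microsoft.com/v1.0/applications?$select=id,displayName,requiredResourceAccess and GET https://graph.microsoft.com/v1.0/directoryRoles/{id}/members/microsoft.graph.user?$select=id,userPrincipalName,createdDateTime (plus the plain /members listing for non-user principals); the objects below are constructed sample data so that the logic runs offline, and obtaining an access token and paging through results is left to the caller.

```python
"""Triage helpers for the post-CVE-2025-55241 clean-up: which apps still ask for
Azure AD Graph permissions, and which Global Administrator holders deserve a
second look. Sample objects are constructed to mirror Microsoft Graph output."""

AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"  # Azure AD Graph (legacy)
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample of /applications objects (display names are invented).
SAMPLE_APPLICATIONS = [
    {"id": "a1", "displayName": "Legacy HR Sync", "requiredResourceAccess": [
        {"resourceAppId": AAD_GRAPH_APP_ID, "resourceAccess": [
            {"id": "5778995a-e1bf-45b8-affa-663a9f3f4d04", "type": "Role"}]},
        {"resourceAppId": MS_GRAPH_APP_ID, "resourceAccess": [
            {"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope"}]}]},
    {"id": "a2", "displayName": "Modern Portal", "requiredResourceAccess": [
        {"resourceAppId": MS_GRAPH_APP_ID, "resourceAccess": [
            {"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope"}]}]},
    {"id": "a3", "displayName": "No Permissions App"},
]

# Constructed sample of Global Administrator role members, as a merged view of
# the /members listing (service principals) and the /members/microsoft.graph.user
# listing with createdDateTime selected.
SAMPLE_GLOBAL_ADMIN_MEMBERS = [
    {"@odata.type": "#microsoft.graph.user", "id": "u1",
     "userPrincipalName": "alice@contoso.example", "createdDateTime": "2022-03-01T09:00:00Z"},
    {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp1",
     "displayName": "Backup Automation"},
    {"@odata.type": "#microsoft.graph.user", "id": "u2",
     "userPrincipalName": "svc-temp@contoso.example", "createdDateTime": "2025-07-15T22:41:00Z"},
]


def apps_using_aad_graph(applications):
    """Return (displayName, [permission ids]) for every app that still declares
    required permissions on the legacy Azure AD Graph resource."""
    hits = []
    for app in applications:
        for rra in app.get("requiredResourceAccess", []):
            if rra.get("resourceAppId") == AAD_GRAPH_APP_ID:
                ids = [entry["id"] for entry in rra.get("resourceAccess", [])]
                hits.append((app["displayName"], ids))
    return hits


def review_global_admins(members, created_after):
    """Flag Global Administrator holders for manual review: any non-user principal
    (service principals should not hold this role), and any user account created
    on or after `created_after` (ISO 8601 UTC), e.g. the start of the exposure window."""
    flagged = []
    for member in members:
        if member.get("@odata.type") != "#microsoft.graph.user":
            name = member.get("displayName") or member["id"]
            flagged.append((name, "non-user principal holds Global Administrator"))
        elif member.get("createdDateTime", "") >= created_after:
            flagged.append((member["userPrincipalName"],
                            f"user created on {member['createdDateTime']}"))
    return flagged


if __name__ == "__main__":
    for name, perms in apps_using_aad_graph(SAMPLE_APPLICATIONS):
        print(f"still on Azure AD Graph: {name} ({len(perms)} permission(s))")
    for who, why in review_global_admins(SAMPLE_GLOBAL_ADMIN_MEMBERS, "2025-07-14T00:00:00Z"):
        print(f"review: {who}: {why}")
```

Two caveats when running this against a real tenant. The /applications listing covers only apps registered in your own tenant; multi-tenant apps from elsewhere appear only as service principals, so also check oauth2PermissionGrants and appRoleAssignments whose resource is the Azure AD Graph service principal. And directoryRoles/{id}/members returns only active assignments; anyone made eligible through Privileged Identity Management must be reviewed separately via roleManagement/directory/roleEligibilitySchedules.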
Broader Implications
This incident highlights deeper challenges in cloud identity security:
- Legacy systems and seldom-used internal mechanisms (like undocumented token types) can present massive risk when they persist without rigorous oversight.
- Identity trust boundaries are fragile: correct validation of token origin and tenant identity is foundational, and it was missing in this case.
- Even mature cloud providers must regularly audit their own back-end services and APIs for unexpected interactions and privilege assumptions.
In sum, Microsoft averted what could have been a catastrophic exposure. Although the immediate crisis has been addressed, the incident serves as a wake-up call for all organizations using cloud identity services: patches matter, but architecture, legacy components, logging, and governance often make the difference between a contained vulnerability and a full-scale breach.