Critical Entra ID Flaw Allowed Global Admin Impersonation Across All Tenants

Published on Sep 24, 2025
Written by Caitlin Harris

A researcher has disclosed a critical vulnerability in Microsoft Entra ID (formerly Azure Active Directory) that could have allowed threat actors to access almost every Entra ID tenant in the world.

Tracked as CVE-2025-55241 and described by Microsoft as a privilege escalation flaw, the vulnerability was assigned the maximum CVSS score of 10.0. While the flaw was fixed prior to disclosure and there is no indication that it was ever exploited in the wild, it has caused great concern for some security practitioners and raised questions around the wider security of the tech giant’s IAM offering.

According to Dirk-jan Mollema, founder of Outsider Security and the researcher behind the discovery, the vulnerability was caused by a combination of two failures. The first of these was that Microsoft was using undocumented impersonation tokens, called “Actor tokens”, to enable back-end service-to-service (S2S) communication. These tokens can be used to elevate privileges—but aren’t subject to access control policies such as conditional access, and they are difficult to trace. 

“Requesting Actor tokens does not generate logs,” Mollema wrote in a blog about his findings. “Even if it did, they would be generated in my tenant instead of in the victim tenant, which means there is no record of the existence of these tokens.”

The second component of the vulnerability was an authentication failure in the legacy Azure AD Graph API—a connector that enables users to access Azure cloud resources. The authentication failure allowed unauthorized users to create impersonation tokens and use them for cross-tenant access. 

“With a token I requested in my lab tenant I could authenticate as any user, including global admins, in any other tenant,” Mollema wrote. 

According to Mollema, the combination of issues made it possible for threat actors to compromise almost every Entra ID tenant globally—with the potential exception of national cloud deployments—and extend that access to Microsoft 365 and Azure.

Why This Matters

According to Microsoft, at the time of writing, over 720,000 organizations globally use Entra ID. 

The vulnerability could have enabled threat actors to access reams of information from virtually any of those organizations—including personal user information, group and role information, tenant settings and access policies, application permissions, and device information and BitLocker keys synced to Entra ID—without leaving any trace. 

If impersonating a Global Admin, a threat actor would also have been able to access any service that uses Entra ID for authentication, such as SharePoint Online, and any resources hosted in Azure.

The potential impact of the vulnerability has caused some security professionals to raise concerns around the broader security of Microsoft’s IAM offering. 

“We need another CSRB [Cyber Safety Review Board] to ensure msft [sic] burns this impersonation token mechanism to the ground,” Zenity CTO, Michael Bargury, posted on X.

While Mollema has praised Microsoft for their fast response to his disclosure report, he too still has concerns around the vendor’s internal security processes. 

“Since the protocols used in this flaw are possibly from the very early days of Azure/Entra ID, I think this is more a past bad security decision having a big impact in the present than something recent,” he said in a statement to Dark Reading. “I am more worried about the lack of transparency about the protocols and processes Microsoft is using internally that are not available for external researchers to evaluate or find flaws in.”

Next Steps

Microsoft pushed a fix for the vulnerability into production on July 17th, and it was confirmed as resolved by MSRC on July 23rd. The tech giant also pushed an additional mitigation on August 6th to prevent Actor tokens being issued for the Azure AD Graph API with service principal (SP) credentials.

However, many services are still relying on the deprecated Azure AD Graph API. As such, security teams should audit and retire any remaining Azure AD Graph integrations and migrate their apps to Microsoft Graph. 
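One way to start that audit, as an added example that is not part of the original article or of any Microsoft tooling: export your tenant's application registrations from Microsoft Graph (GET /v1.0/applications, for instance via `az rest` or Graph Explorer) and flag every app whose declared permissions still target Azure AD Graph. The two resource application IDs below are Microsoft's well-known first-party values; the sample applications, their app IDs and their permission IDs are constructed for the demonstration.

```python
import json
from typing import Optional

# Well-known first-party resource application IDs (Microsoft's published values).
AZURE_AD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"   # Azure AD Graph (graph.windows.net), deprecated
MICROSOFT_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph (graph.microsoft.com)

# Constructed sample in the shape of GET /v1.0/applications output, trimmed to the fields used here.
# The appId and permission id values are placeholders, not real registrations.
SAMPLE_APPLICATIONS_JSON = """
[
  {"appId": "11111111-1111-1111-1111-111111111111", "displayName": "Legacy HR Sync",
   "requiredResourceAccess": [
     {"resourceAppId": "00000002-0000-0000-c000-000000000000",
      "resourceAccess": [{"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Role"},
                         {"id": "aaaaaaaa-0000-0000-0000-000000000002", "type": "Scope"}]}]},
  {"appId": "22222222-2222-2222-2222-222222222222", "displayName": "Modern Reporting",
   "requiredResourceAccess": [
     {"resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [{"id": "bbbbbbbb-0000-0000-0000-000000000001", "type": "Scope"}]}]},
  {"appId": "33333333-3333-3333-3333-333333333333", "displayName": "Mixed Integration",
   "requiredResourceAccess": [
     {"resourceAppId": "00000002-0000-0000-c000-000000000000",
      "resourceAccess": [{"id": "aaaaaaaa-0000-0000-0000-000000000003", "type": "Role"}]},
     {"resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [{"id": "bbbbbbbb-0000-0000-0000-000000000002", "type": "Role"}]}]}
]
"""


def classify_app(app: dict) -> Optional[dict]:
    """Return a finding for an app that still requests Azure AD Graph permissions, else None."""
    uses_legacy = False
    uses_msgraph = False
    legacy_permissions = 0
    for rra in app.get("requiredResourceAccess", []):
        resource_id = rra.get("resourceAppId")
        if resource_id == AZURE_AD_GRAPH_APP_ID:
            uses_legacy = True
            legacy_permissions += len(rra.get("resourceAccess", []))
        elif resource_id == MICROSOFT_GRAPH_APP_ID:
            uses_msgraph = True
    if not uses_legacy:
        return None
    return {
        "appId": app.get("appId"),
        "displayName": app.get("displayName"),
        "legacyPermissionCount": legacy_permissions,
        # An app that already declares Microsoft Graph permissions has probably started migrating.
        "status": "partially migrated" if uses_msgraph else "not migrated",
    }


def audit_applications(json_text: str) -> list:
    """Parse an applications export and list every app still tied to Azure AD Graph."""
    apps = json.loads(json_text)
    if isinstance(apps, dict):          # a raw Graph response wraps the array in "value"
        apps = apps.get("value", [])
    return [finding for finding in (classify_app(app) for app in apps) if finding]


if __name__ == "__main__":
    for finding in audit_applications(SAMPLE_APPLICATIONS_JSON):
        print(f"{finding['displayName']} ({finding['appId']}): "
              f"{finding['legacyPermissionCount']} Azure AD Graph permission(s), {finding['status']}")
```

Declared permissions on app registrations are only one side of the picture: permissions granted through consent live on service principals (their app role assignments and OAuth2 permission grants), and a third-party app can hold Azure AD Graph grants in your tenant without any registration of yours declaring them, so the same resourceAppId check should be run over those objects as well.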

To help identify similar threats involving impersonation tokens, teams should enforce tenant-origin validation on all internal token issuance, and enable resource-provider logs to provide visibility into unusual service-to-service token use. 
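The tenant-origin check described above, as an added example that is not part of the original article or of any Microsoft code: a resource that accepts tokens should refuse any token whose `tid` claim and issuer do not name the tenant it serves, in addition to the usual signature, audience and expiry checks. Entra issues RS256 tokens verified against the issuer's published keys; this self-contained demonstration signs with HMAC-SHA256 so it runs offline, and the tenant IDs, audience and key are constructed placeholders. The issuer format used is the one Entra uses for v2.0 tokens.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders; none of these values come from a real tenant.
EXPECTED_TENANT = "aaaaaaaa-0000-0000-0000-000000000001"   # hypothetical: the tenant this resource serves
OTHER_TENANT = "bbbbbbbb-0000-0000-0000-000000000002"      # hypothetical: some other tenant
EXPECTED_AUDIENCE = "api://example-internal-service"      # hypothetical resource identifier
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT. Used only so the example can produce tokens to validate offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def validate_token(token: str, key: bytes, expected_tenant: str, expected_audience: str, now=None) -> dict:
    """Return the claims if the token is acceptable for this tenant; raise ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":                      # never let the token choose its own algorithm
        raise ValueError("unexpected signing algorithm")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("aud") != expected_audience:
        raise ValueError("audience mismatch")
    # Tenant-origin validation: both the tid claim and the issuer must name the tenant we serve,
    # so a validly signed token minted for another tenant is rejected rather than trusted.
    tid = claims.get("tid")
    if tid != expected_tenant:
        raise ValueError(f"token originates from tenant {tid}, expected {expected_tenant}")
    if claims.get("iss") != f"https://login.microsoftonline.com/{expected_tenant}/v2.0":
        raise ValueError("issuer does not match the expected tenant")
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Validate a same-tenant token, a cross-tenant token and an expired token; return the outcomes."""
    base = {"aud": EXPECTED_AUDIENCE, "exp": now + 600, "sub": "constructed-subject"}
    cases = {
        "same-tenant": {**base, "tid": EXPECTED_TENANT,
                        "iss": f"https://login.microsoftonline.com/{EXPECTED_TENANT}/v2.0"},
        "cross-tenant": {**base, "tid": OTHER_TENANT,
                         "iss": f"https://login.microsoftonline.com/{OTHER_TENANT}/v2.0"},
        "expired": {**base, "exp": now - 1, "tid": EXPECTED_TENANT,
                    "iss": f"https://login.microsoftonline.com/{EXPECTED_TENANT}/v2.0"},
    }
    outcomes = {}
    for name, claims in cases.items():
        try:
            validate_token(make_token(claims, DEMO_KEY), DEMO_KEY, EXPECTED_TENANT, EXPECTED_AUDIENCE, now=now)
            outcomes[name] = "accepted"
        except ValueError as err:
            outcomes[name] = f"rejected: {err}"
    return outcomes


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the `tid` and issuer checks is that a signature alone proves only that the identity platform minted the token, not that it was minted for your tenant; a resource that skips the tenant comparison accepts any well-formed token from any tenant, which is the class of failure the article describes.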
