Microsoft has patched a privilege escalation flaw in Microsoft Entra ID that let users with the new Agent ID Administrator role take over arbitrary service principals, including ones with no link to AI agents. The issue was disclosed by identity security firm Silverfort in research published April 23.
The Agent ID Administrator role was introduced as part of the Microsoft Agent Identity Platform, a preview feature that gives AI agents their own first-class identities in Entra ID through new objects called blueprints, agent identities, and agent users. Per Microsoft’s documentation, the role was scoped to manage only those agent-related objects.
Silverfort researcher Noa Ariel found that the boundary did not hold in practice. A user assigned the role could add themselves as owner of any application service principal in the tenant, then attach new credentials and authenticate as that principal. The same attempt against application objects was correctly blocked, suggesting the gap sat specifically in the service-principal management layer.
“That’s full service principal takeover,” Ariel wrote in the Silverfort blog post. The likely cause, the researcher said, is that some agent identities are themselves implemented as service principals, and the role’s owner-update permissions were not tightly bound to the agent-backed subset.
Privilege Escalation Hinges on What the Hijacked Principal Can Do
The severity of any takeover depends on the target. Service principals frequently sit behind CI/CD pipelines, security tooling, and privileged Microsoft Graph integrations, and many hold directory roles or high-impact API permissions like RoleManagement.ReadWrite.Directory or Directory.ReadWrite.All.
Silverfort’s review of customer environments found that 99% of tenants have at least one privileged service principal. Just over half of tenants already use agent identities, and around half of those tenants run 100 or more of them.
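The takeover chain described above (a role holder adds themself as owner of a service principal, then adds credentials to it) and the severity point made in this section both lend themselves to a detection check. The following is an added example, not code from Silverfort or Microsoft: it correlates Entra audit log events for "Add owner to service principal" and "Add service principal credentials" by the same initiator on the same target within a time window, and ranks each hit by whether the service principal holds a high-impact Graph permission. The record shape is a simplified version of the Microsoft Graph directoryAudit object, the placement of the new owner and the service principal inside targetResources is an assumption to verify against your own tenant's logs, and the sample events, names, object IDs and privileged-permission inventory are all constructed for illustration.

```python
"""Correlate self-ownership of a service principal with a credential add.

Added example, not Silverfort's or Microsoft's code. The audit record shape is
a simplified directoryAudit; the sample events below are constructed.
"""
from datetime import datetime, timedelta

# activityDisplayName values as written in Entra ID audit logs.
ADD_OWNER = "Add owner to service principal"
ADD_CREDENTIAL = "Add service principal credentials"

# Graph application permissions treated as high impact in this example.
HIGH_IMPACT_ROLES = {"RoleManagement.ReadWrite.Directory", "Directory.ReadWrite.All"}


def _initiator(event):
    return event["initiatedBy"]["user"]["userPrincipalName"].lower()


def _target(event, type_name):
    # Assumption: the added owner appears as a "User" target and the service
    # principal as a "ServicePrincipal" target of the same audit record.
    for t in event["targetResources"]:
        if t["type"] == type_name:
            return t
    return None


def find_takeovers(events, privileged, window=timedelta(hours=1)):
    """Return one finding per (owner-add, credential-add) pair where the same
    user made themself owner of a service principal and then added credentials
    to it within `window`. `privileged` maps SP object id -> set of app roles."""
    events = sorted(events, key=lambda e: e["activityDateTime"])
    findings = []
    for i, owner_evt in enumerate(events):
        if owner_evt["activityDisplayName"] != ADD_OWNER:
            continue
        actor = _initiator(owner_evt)
        sp = _target(owner_evt, "ServicePrincipal")
        new_owner = _target(owner_evt, "User")
        if sp is None or new_owner is None:
            continue
        if new_owner["userPrincipalName"].lower() != actor:
            continue  # ownership granted to someone else: not this pattern
        for cred_evt in events[i + 1:]:
            if cred_evt["activityDateTime"] - owner_evt["activityDateTime"] > window:
                break
            if cred_evt["activityDisplayName"] != ADD_CREDENTIAL:
                continue
            if _initiator(cred_evt) != actor:
                continue
            cred_sp = _target(cred_evt, "ServicePrincipal")
            if cred_sp is None or cred_sp["id"] != sp["id"]:
                continue
            hit_roles = sorted(privileged.get(sp["id"], set()) & HIGH_IMPACT_ROLES)
            findings.append({
                "actor": actor,
                "servicePrincipalId": sp["id"],
                "servicePrincipalName": sp["displayName"],
                "severity": "critical" if hit_roles else "high",
                "highImpactRoles": hit_roles,
            })
            break
    return findings


def _evt(ts, activity, actor, targets):
    return {
        "activityDateTime": datetime.fromisoformat(ts),
        "activityDisplayName": activity,
        "initiatedBy": {"user": {"userPrincipalName": actor}},
        "targetResources": targets,
    }


# Constructed sample data: invented tenant, users, SPs and IDs.
SP_PIPELINE = {"type": "ServicePrincipal", "id": "sp-0001", "displayName": "ci-deploy"}
SP_STATUS = {"type": "ServicePrincipal", "id": "sp-0002", "displayName": "status-page"}
USER_ROLEHOLDER = {"type": "User", "id": "u-0001", "userPrincipalName": "agent.admin@contoso.example"}
USER_DEV = {"type": "User", "id": "u-0002", "userPrincipalName": "dev@contoso.example"}

SAMPLE_EVENTS = [
    # Benign: an admin adds a colleague as owner; no credential follows.
    _evt("2026-04-01T09:00:00", ADD_OWNER, "it.admin@contoso.example", [USER_DEV, SP_STATUS]),
    # Takeover of a privileged SP: self-ownership, then a new secret 7 minutes later.
    _evt("2026-04-01T10:00:00", ADD_OWNER, "agent.admin@contoso.example", [USER_ROLEHOLDER, SP_PIPELINE]),
    _evt("2026-04-01T10:07:00", ADD_CREDENTIAL, "agent.admin@contoso.example", [SP_PIPELINE]),
    # Same pattern against a low-privilege SP.
    _evt("2026-04-01T11:00:00", ADD_OWNER, "agent.admin@contoso.example", [USER_ROLEHOLDER, SP_STATUS]),
    _evt("2026-04-01T11:30:00", ADD_CREDENTIAL, "agent.admin@contoso.example", [SP_STATUS]),
    # Routine rotation by an existing owner: no preceding ownership change.
    _evt("2026-04-01T12:00:00", ADD_CREDENTIAL, "dev@contoso.example", [SP_STATUS]),
    # Self-ownership with the credential added outside the window: not paired.
    _evt("2026-04-02T08:00:00", ADD_OWNER, "agent.admin@contoso.example", [USER_ROLEHOLDER, SP_PIPELINE]),
    _evt("2026-04-02T10:00:00", ADD_CREDENTIAL, "agent.admin@contoso.example", [SP_PIPELINE]),
]

# Constructed inventory of app-role assignments per SP (as one might export it).
PRIVILEGED_SPS = {"sp-0001": {"RoleManagement.ReadWrite.Directory", "User.Read.All"}}

if __name__ == "__main__":
    for f in find_takeovers(SAMPLE_EVENTS, PRIVILEGED_SPS):
        print(f)
```

On the constructed sample this yields two findings: a critical one for ci-deploy, because the inventory says it holds RoleManagement.ReadWrite.Directory, and a high one for status-page. In a real tenant the events would come from the Graph auditLogs/directoryAudits collection filtered on those two activity names, and the privileged inventory from each service principal's appRoleAssignments. Any self-ownership addition to a non-agent service principal by a holder of the Agent ID Administrator role is worth alerting on by itself, since Microsoft's fix now blocks that action.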
The company also flagged a documentation discrepancy: Microsoft’s documentation classes the Agent ID Administrator role as privileged, but the Entra UI did not display it that way, raising the chance that admins might add it without the scrutiny given to other privileged roles. Microsoft has confirmed the indicator will be corrected.
The flaw was reported to the Microsoft Security Response Center on March 1, 2026, confirmed on March 26, and patched in every Microsoft cloud on April 9. Attempts to assign ownership over non-agent service principals using the role are now blocked. Microsoft awarded Silverfort a bug bounty.
The finding follows a critical Entra ID privilege escalation vulnerability disclosed September 2025, when researcher Dirk-jan Mollema showed that undocumented impersonation tokens were exploitable against virtually any tenant.
Together, the two events point to a wider exposure: new identity types layered on existing primitives can carry permissions further than their scope suggests.