Critical Vulnerability in Microsoft Entra ID Enables Privilege Escalation to Global Administrator Role

A significant security vulnerability has been identified in Microsoft Entra ID, formerly known as Azure Active Directory, which allows attackers to escalate their privileges to the Global Administrator role by exploiting first-party applications. This flaw poses a substantial risk to organizations utilizing hybrid Active Directory environments with federated domains.

Discovery and Exploitation Mechanism

Security researchers at Datadog discovered that service principals (SPs) assigned the Cloud Application Administrator role, Application Administrator role, or possessing the Application.ReadWrite.All permission can exploit this vulnerability. By hijacking the built-in Office 365 Exchange Online service principal (Client ID: 00000002-0000-0ff1-ce00-000000000000), attackers can leverage its Domain.ReadWrite.All permission to add a new federated domain to the tenant. This manipulation enables the forging of Security Assertion Markup Language (SAML) tokens, allowing attackers to impersonate any hybrid tenant user synchronized between on-premises Active Directory and Entra ID, including those with Global Administrator privileges.

Technical Breakdown of the Attack

The attack unfolds through a series of steps:

1. Adding a Malicious Federated Domain: Attackers use the Microsoft Graph API endpoint POST /v1.0/domains to introduce a new federated domain into the tenant.

2. Domain Verification: The newly added domain is verified through DNS records to establish its legitimacy within the tenant.

3. Configuring Federation Settings: Attackers configure federation settings via POST /v1.0/domains/{domain}/federationConfiguration, incorporating a malicious certificate.

4. Forging SAML Tokens: With the malicious federation configuration in place, attackers can forge SAML tokens that include multi-factor authentication (MFA) claims. This tactic effectively bypasses MFA requirements, allowing unauthorized access while maintaining the appearance of legitimate authentication in sign-in logs.

Microsoft’s Response and Security Implications

Datadog reported this vulnerability to the Microsoft Security Response Center (MSRC) on January 14, 2025. After a thorough review, MSRC concluded on May 14, 2025, that this issue is not a security vulnerability but rather expected behavior of the Application Administrator role and its associated permissions. Microsoft emphasized that the scenario reflects a misconfiguration rather than a security bypass, stating that Application Administrator roles inherently include the ability to manage application credentials and impersonate application identities.

Broader Context of Entra ID Vulnerabilities

This discovery is part of a series of vulnerabilities identified in Microsoft Entra ID:

– nOAuth Vulnerability: In June 2025, Semperis uncovered a critical flaw named nOAuth, affecting cross-tenant authentication in Entra ID integrations. This vulnerability allows attackers to perform full account takeovers with minimal effort, bypassing advanced security measures such as MFA, conditional access policies, and zero-trust architectures. Approximately 10% of the estimated 150,000 SaaS applications globally are at risk, translating to over 15,000 affected applications. Semperis urges SaaS vendors to audit and patch vulnerable applications promptly. ([techradar.com](https://www.techradar.com/pro/security/microsoft-entra-id-vulnerability-allows-full-account-takeover-and-takes-barely-any-effort?utm_source=openai))

– UnOAuthorized Vulnerability: In 2024, Semperis discovered a vulnerability dubbed UnOAuthorized, which allowed attackers to elevate privileges to the Global Administrator role through manipulation of OAuth 2.0 scopes. This flaw enabled attackers to add and remove users from privileged roles without appearing to have permission to do so. The attack required the initiator to hold the Application Administrator or Cloud Application Administrator role; these roles are often not protected as carefully as Global Administrator, which makes them attractive targets for attackers. ([cybersecuritynews.com](https://cybersecuritynews.com/microsoft-entra-id-vulnerability/?utm_source=openai))

– Billing Roles Exploitation: In May 2025, BeyondTrust researchers identified a vulnerability where guest users with certain billing roles could create and own subscriptions within a target organization’s Azure environment. This capability allowed attackers to gain persistence and escalate privileges without explicit permissions in the target tenant. Microsoft acknowledged the risk and recommended organizations review their role assignments, especially those with Billing Administrator privileges. ([csoonline.com](https://www.csoonline.com/article/3997999/microsoft-entras-billing-roles-pose-privilege-escalation-risks-in-azure.html?utm_source=openai))

Recommendations for Organizations

Given the potential risks associated with these vulnerabilities, organizations are advised to:

1. Review Role Assignments: Regularly audit and restrict role assignments, ensuring that only essential personnel have elevated privileges.

2. Monitor for Anomalies: Implement robust monitoring to detect unusual activities, such as the addition of federated domains or unexpected role changes.

3. Enhance Authentication Measures: Strengthen authentication protocols, including the use of phishing-resistant MFA methods, to mitigate unauthorized access attempts.

4. Apply Security Patches Promptly: Stay informed about security updates and apply patches promptly to address known vulnerabilities.
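As an added illustration of the monitoring recommendation above (example code written for this article, not Microsoft's or Datadog's tooling), the following script classifies Entra ID audit records for domain and federation changes and raises the severity when the change was initiated by an application identity rather than an admin user. It assumes the activityDisplayName strings are the ones the Entra audit log emits for these operations (confirm against your own tenant), and the sample records are constructed, not real tenant data.

```python
import json
from typing import Iterable, Optional

# Entra ID audit-log activity names that add, verify or federate a tenant domain.
# Assumption: these are the activityDisplayName strings in the audit log; confirm them
# against your own tenant's logs before relying on the list.
DOMAIN_FEDERATION_ACTIVITIES = {"Add unverified domain", "Verify domain",
                                "Set federation settings on domain", "Set domain authentication"}
# Client ID of the built-in Office 365 Exchange Online service principal named in the article.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"


def classify(record: dict) -> Optional[dict]:
    """Return an alert for a domain/federation change, or None if the record is unrelated."""
    activity = record.get("activityDisplayName", "")
    if activity not in DOMAIN_FEDERATION_ACTIVITIES:
        return None
    initiated_by = record.get("initiatedBy") or {}
    app, user = initiated_by.get("app") or {}, initiated_by.get("user") or {}
    alert = {
        "time": record.get("activityDateTime"),
        "activity": activity,
        "domains": [t.get("displayName", "") for t in record.get("targetResources") or []],
        "actor": user.get("userPrincipalName") or app.get("displayName") or "unknown",
        "severity": "medium",  # every federation change deserves a review
        "reasons": ["domain or federation configuration changed"],
    }
    if app:
        # A federation change made by an application identity rather than an admin user
        # matches the service-principal abuse pattern described in the article.
        alert["severity"] = "high"
        alert["reasons"].append("initiated by an application identity")
        if app.get("appId") == EXCHANGE_ONLINE_APP_ID:
            alert["reasons"].append("actor is the Exchange Online first-party service principal")
    return alert


def scan(records: Iterable[dict]) -> list:
    """Run classify() over records in the shape of Graph /auditLogs/directoryAudits output."""
    return [a for a in (classify(r) for r in records) if a is not None]


# Constructed sample records (not real tenant data) in the directoryAudits JSON shape.
SAMPLE_AUDIT_JSON = """[
{"activityDateTime":"2025-01-14T10:02:11Z","activityDisplayName":"Update user","initiatedBy":{"user":{"userPrincipalName":"admin@example.com"}},"targetResources":[{"displayName":"jdoe@example.com"}]},
{"activityDateTime":"2025-01-14T10:05:40Z","activityDisplayName":"Add unverified domain","initiatedBy":{"user":{"userPrincipalName":"admin@example.com"}},"targetResources":[{"displayName":"partner.example.net"}]},
{"activityDateTime":"2025-01-14T10:06:03Z","activityDisplayName":"Set federation settings on domain","initiatedBy":{"app":{"appId":"00000002-0000-0ff1-ce00-000000000000","displayName":"Office 365 Exchange Online"},"user":null},"targetResources":[{"displayName":"rogue-idp.example"}]}
]"""
SAMPLE_RECORDS = json.loads(SAMPLE_AUDIT_JSON)

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(json.dumps(alert))
```

In a real deployment the records would come from the Graph directoryAudits endpoint or a SIEM export, and the "high" alerts would be routed for immediate review since a legitimate federation change is normally made by a named administrator, not by a first-party service principal.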

By proactively addressing these areas, organizations can bolster their defenses against potential exploitation of vulnerabilities within Microsoft Entra ID.