One token to pwn them all: Entra ID bug could have granted access to every tenant
- Reference: 1758285006
- News link: https://www.theregister.co.uk/2025/09/19/microsoft_entra_id_bug/
- Source link:
[1]Dirk-jan Mollema reported the finding to the Microsoft Security Response Center (MSRC) in July. The issue was fixed and confirmed as mitigated, and a [2]CVE, CVE-2025-55241, was raised on September 4.
It is an alarming vulnerability all the same: flawed token validation that could result in cross-tenant access. "If you are an Entra ID admin," wrote Mollema, "that means complete access to your tenant."
There are two main elements to the vulnerability. The first, according to Mollema, is a set of undocumented impersonation tokens called "Actor tokens" that Microsoft uses for service-to-service communication. The second is a flaw in the legacy Azure Active Directory Graph API, which did not properly validate the tenant a token originated from, allowing a token obtained in one tenant to be used for cross-tenant access.
"Effectively," wrote Mollema, "this means that with a token I requested in my lab tenant I could authenticate as any user, including Global Admins, in any other tenant."
The tokens allowed full access to the Azure AD Graph API in any tenant. Any hope that a log might save the day was also dashed – "requesting Actor tokens does not generate logs."
"Even if it did, they would be generated in my tenant instead of in the victim tenant, which means there is no record of the existence of these tokens."
The upshot of the flaw was that any service that uses Entra ID for authentication, such as SharePoint Online or Exchange Online, could potentially have been compromised. Mollema noted that access to resources hosted in Azure was also possible.
Microsoft's swiftness in resolving the issue is to be commended, even if it's unfortunate that it was present in the first place. Additionally, Mollema noted that Microsoft had not detected any abuse of the vulnerability in its internal telemetry.
That said, the researcher has provided some KQL (Kusto Query Language) queries for worried admins to use for tracking down evidence of possible abuse.
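The bug class the article describes (an impersonation token minted in one tenant being accepted as valid for another, with no trace in the victim tenant) can be modelled in a few lines. The following is an added example, not Microsoft's code and not the researcher's KQL: the token fields, audience name, tenant and user identifiers, and the access-log records are all constructed for illustration, and the real Actor token format is undocumented. It shows the flawed check beside the hardened one, an attacker presenting a lab-tenant token to a victim tenant under each, and a simple hunt over hypothetical API access records that assumes the API logs which tenant issued each presented token.

```python
# Added illustration of cross-tenant acceptance of an impersonation token.
# NOT Microsoft's code: claim names, tenant IDs, user IDs and log records
# below are constructed for this example only.
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class ImpersonationToken:
    """Simplified service-to-service impersonation token (hypothetical shape)."""
    issuer_tenant: str        # tenant whose credentials minted the token
    target_tenant: str        # tenant the bearer claims to act in
    impersonated_user: str    # user the bearer claims to be
    audience: str             # API the token is addressed to


class TokenRejected(Exception):
    pass


LEGACY_GRAPH = "legacy-directory-graph"  # hypothetical audience identifier


def validate_vulnerable(token: ImpersonationToken, resource_tenant: str) -> str:
    """Flawed check modelled on the bug: the caller-supplied target tenant is
    compared with the resource, but the tenant that actually issued the token
    is never compared with it. A token minted in tenant A that claims tenant B
    passes, and the bearer becomes any user it names in tenant B."""
    if token.audience != LEGACY_GRAPH:
        raise TokenRejected("wrong audience")
    if token.target_tenant != resource_tenant:
        raise TokenRejected("tenant mismatch")
    return token.impersonated_user


def validate_hardened(token: ImpersonationToken, resource_tenant: str) -> str:
    """Fixed check: the issuing tenant must be the tenant being accessed, so a
    token can only impersonate users of the tenant that issued it."""
    if token.audience != LEGACY_GRAPH:
        raise TokenRejected("wrong audience")
    if token.target_tenant != resource_tenant:
        raise TokenRejected("tenant mismatch")
    if token.issuer_tenant != resource_tenant:
        raise TokenRejected(
            f"token issued by {token.issuer_tenant} cannot act in {resource_tenant}")
    return token.impersonated_user


def attacker_attempt(validator: Callable[[ImpersonationToken, str], str],
                     attacker_tenant: str, victim_tenant: str,
                     victim_user: str) -> Optional[str]:
    """Mint a token in the attacker's own tenant, relabel it for the victim
    tenant, and present it to the victim tenant's API. Returns the identity
    the API grants, or None if the token is refused."""
    forged = ImpersonationToken(issuer_tenant=attacker_tenant,
                                target_tenant=victim_tenant,
                                impersonated_user=victim_user,
                                audience=LEGACY_GRAPH)
    try:
        return validator(forged, victim_tenant)
    except TokenRejected:
        return None


# Constructed access-log records for the hunting step. Assumption: the API
# records, per request, the tenant it served and the tenant that issued the
# presented token. Field names are invented for this example.
SAMPLE_ACCESS_LOG = [
    {"request_id": "r1", "resource_tenant": "victim-tenant",
     "issuer_tenant": "victim-tenant", "user": "ga@victim.example"},
    {"request_id": "r2", "resource_tenant": "victim-tenant",
     "issuer_tenant": "lab-tenant", "user": "ga@victim.example"},
    {"request_id": "r3", "resource_tenant": "lab-tenant",
     "issuer_tenant": "lab-tenant", "user": "me@lab.example"},
]


def hunt_cross_tenant(records: Iterable[dict]) -> List[str]:
    """Return request IDs where the token's issuing tenant differs from the
    tenant whose data was served: the signature of this bug class."""
    return [r["request_id"] for r in records
            if r["issuer_tenant"] != r["resource_tenant"]]


if __name__ == "__main__":
    args = ("lab-tenant", "victim-tenant", "ga@victim.example")
    print("vulnerable check grants:", attacker_attempt(validate_vulnerable, *args))
    print("hardened check grants:  ", attacker_attempt(validate_hardened, *args))
    print("suspicious requests:    ", hunt_cross_tenant(SAMPLE_ACCESS_LOG))
```

The hunt only works if the serving API records the issuing tenant at all; the article's point is that requesting the tokens themselves left no record in the victim tenant, so any real detection depends on what the accessed service logged, which is what the researcher's published KQL is for.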
Mollema [11]called this "the most impactful vulnerability I will probably ever find," and it is difficult to dispute the claim. The CVE for the issue rates it as "Critical" with a "Low" Attack Complexity metric. The base score is 10.
To reiterate, according to Microsoft, the vulnerability has been fully mitigated, and users do not need to take any further action.
Still, before the vulnerability was found, there existed, in Mollema's words, "one token to rule them all." ®
[1] https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/
[2] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55241
[11] https://x.com/_dirkjan/status/1968303993689665586
Security by wilful obscurity
"...Microsoft had not detected any abuse of the vulnerability..."
"I see nothing! I hear nothing! I know nothing!" -- Oberfeldwebel (Sergeant) Hans Schultz
Re: Security by wilful obscurity
Seems like this is a carefully crafted phrase, presumably by the legal team.
If you were exploiting the flaw, surely you would slurp data at a rate that will be buried in telemetry background noise.
Security
Security is micro and soft.
I mean, it's in plain sight.
So reassuring that government uses Microsoft software.
undocumented impersonation tokens called "Actor tokens"
Remind me again how one of Linux's weaknesses is that it doesn't have something something Active Directory something something logins something something company wide something 1000s of users something.
I'm curious as to the details of this vulnerability. Was it a mistake due to incompetence or was it a mistake that many reasonably intelligent programmers might have also made? Also, how did it pass code review?
Icon required
If you are going to reference Microsoft code review (or the equivalently missing test), one should use the Joke icon :)
Microsoft apparently gave the middle finger back to the US Government and CISA after the latter's dressing down of Microsoft over the 2023 Exchange Online breach.
But at least we have CoPilot... instead of a more secure Azure... I guess.
https://www.theregister.com/2024/04/03/cisa_microsoft_exchange_online_china_report/