
Critical Microsoft Entra ID Flaws Prompt Rapid Global Patch

Wired

Background

Microsoft’s Entra ID, formerly known as Azure Active Directory, serves as the core identity and access management system for Azure and Microsoft 365 services. As organizations increasingly rely on cloud platforms, the security of Entra ID becomes critical for protecting user credentials, application access, and subscription management.

Vulnerabilities Discovered

Security researcher Dirk-jan Mollema, who runs the Dutch firm Outsider Security, identified two related flaws. The first involves Actor Tokens issued by the Access Control Service, a rarely used authentication mechanism. The second flaw resides in the historic Azure AD Graph API, which failed to correctly validate the tenant origin of a request. When combined, these issues could let an attacker present an Actor Token from one tenant to the Graph API of another, bypassing normal security checks and granting global administrator privileges.

Microsoft’s Response

After Mollema reported the findings to Microsoft’s Security Response Center, the company launched an immediate investigation. Within a short period, Microsoft confirmed the vulnerabilities, found no evidence of exploitation, and deployed a code change that corrected the validation logic. The fix was rolled out across the entire cloud environment, and Microsoft announced additional measures to retire the legacy protocol as part of its Secure Future Initiative.

Potential Impact

Had the flaws been weaponized, attackers could have impersonated any user in any tenant, modified configurations, created privileged accounts, and accessed all services that rely on Entra ID—including Azure, SharePoint, and Exchange. The severity was compared to a prior incident where a Chinese espionage group stole a signing key that allowed them to generate authentication tokens for numerous Microsoft services.

Industry Reactions

Security experts highlighted the significance of the discovery, noting that the vulnerabilities represented a rare case of full-tenant compromise in a major identity provider. Microsoft’s rapid remediation was praised as an example of effective coordination between independent researchers and vendor security teams.


Source: Wired
