Critical Microsoft Entra ID Flaw Exposes Path to Global Admin Takeover

Microsoft Entra ID flaw allows attackers to elevate privileges and bypass security through trusted Microsoft applications.


Key Takeaways:

  • A critical Entra ID vulnerability could let attackers gain Global Admin access through trusted Microsoft apps.
  • The attack exploits federated domains and misconfigured service principals in hybrid environments.
  • Microsoft acknowledges the issue but attributes it to misconfiguration, not a security flaw.

Security researchers have identified a critical flaw in Microsoft Entra ID that could let attackers seize Global Administrator access by adding their own credentials to trusted Microsoft first-party applications. The technique targets hybrid users (accounts synchronized from on-premises Active Directory), so it poses a serious risk to organizations running hybrid environments.

What is the exploitation technique?

Last week, Datadog published a comprehensive report demonstrating a critical privilege escalation technique in Microsoft Entra ID that allows attackers to gain Global Administrator access by abusing Microsoft's Exchange Online application. The chain starts when a Service Principal (SP) holding a role such as Application Administrator or Cloud Application Administrator is compromised. These roles can manage application credentials and permissions, including for first-party SPs. Using that access, an attacker adds a credential of their own to the Exchange Online SP and then authenticates as it, inheriting the powerful application permissions it already holds in the tenant, such as Domain.ReadWrite.All.

From there, the attacker manipulates the tenant's federated domain configuration in a series of steps. First, acting as the Exchange Online SP, the attacker adds an attacker-controlled domain to the tenant through the Microsoft Graph API and verifies it with the required DNS record. Next, they switch that domain to federated authentication and upload a signing certificate they control. Because Entra ID trusts SAML assertions signed by a federated domain's certificate, the attacker can now forge SAML tokens for any hybrid user in the tenant (the match is made on the user's immutable ID, not on the user's own domain), including users holding Global Administrator rights. The forged tokens can also assert multi-factor authentication (MFA) claims, so the sign-in looks legitimate in logs and satisfies MFA requirements in Conditional Access.
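The chain above leaves a recognisable trail in the Entra audit log: a credential added to a Microsoft first-party service principal, followed by a domain being added, verified and federated by that same principal. The following is an added detection example written for this page; it is not code from the article or from Datadog's report. It scans records shaped like the Microsoft Graph `directoryAudits` resource and rates each step. The events and the service-principal inventory are constructed for the example, the activity display names are assumed spellings of the Entra audit activities, and the Exchange Online appId and the Microsoft first-party owner tenant ID are well-known constants.

```python
"""Spot the Entra ID escalation chain in audit-log records.

Added example, not code from the article or from Datadog's report. It scans
Microsoft Entra audit events shaped like the Graph `directoryAudits` resource
(activityDateTime, activityDisplayName, initiatedBy, targetResources) and flags
the chain: credentials added to a Microsoft first-party service principal, then
a domain added/verified and switched to federation by that principal.
Events and inventory below are constructed; activity names are assumed spellings.
"""
from collections import defaultdict

# Well-known, not tenant-specific.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"
MICROSOFT_SERVICES_TENANT = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"  # appOwnerOrganizationId of first-party apps

# activityDisplayName values this example keys on (assumed spellings).
CRED_ADDED = "Add service principal credentials"
DOMAIN_ADDED = "Add unverified domain"
DOMAIN_VERIFIED = "Verify domain"
FEDERATION_SET = "Set federation settings on domain"

EXO_SP = "11111111-aaaa-4aaa-8aaa-111111111111"        # constructed object id of the Exchange Online SP
AUTOMATION_SP = "22222222-bbbb-4bbb-8bbb-222222222222"  # constructed: compromised SP holding Application Administrator

# Constructed service-principal inventory (what /servicePrincipals would return).
SAMPLE_INVENTORY = {
    EXO_SP: {"displayName": "Office 365 Exchange Online", "appId": EXCHANGE_ONLINE_APP_ID,
             "appOwnerOrganizationId": MICROSOFT_SERVICES_TENANT},
    AUTOMATION_SP: {"displayName": "ci-deploy-automation", "appId": "33333333-cccc-4ccc-8ccc-333333333333",
                    "appOwnerOrganizationId": "44444444-dddd-4ddd-8ddd-444444444444"},
}

def _event(ts, name, actor, target_id, target_name, target_type):
    """Build a directoryAudit-shaped record; actor is ('app', sp_id) or ('user', user_id)."""
    kind, who = actor
    key = "servicePrincipalId" if kind == "app" else "id"
    return {"activityDateTime": ts, "activityDisplayName": name,
            "initiatedBy": {kind: {key: who}},
            "targetResources": [{"id": target_id, "displayName": target_name, "type": target_type}]}

# Constructed audit trail: a legitimate federation change by an admin, then the attack chain.
SAMPLE_EVENTS = [
    _event("2025-01-10T08:00:00Z", FEDERATION_SET, ("user", "admin-user-id"),
           "corp.example.com", "corp.example.com", "Domain"),
    _event("2025-01-10T09:00:00Z", CRED_ADDED, ("app", AUTOMATION_SP),
           EXO_SP, "Office 365 Exchange Online", "ServicePrincipal"),
    _event("2025-01-10T09:02:00Z", DOMAIN_ADDED, ("app", EXO_SP),
           "attacker-example.net", "attacker-example.net", "Domain"),
    _event("2025-01-10T09:10:00Z", DOMAIN_VERIFIED, ("app", EXO_SP),
           "attacker-example.net", "attacker-example.net", "Domain"),
    _event("2025-01-10T09:11:00Z", FEDERATION_SET, ("app", EXO_SP),
           "attacker-example.net", "attacker-example.net", "Domain"),
]

def actor_id(event):
    """Return the object id of whoever initiated the event (user or service principal)."""
    who = event.get("initiatedBy", {})
    if who.get("app"):
        return who["app"].get("servicePrincipalId")
    return who.get("user", {}).get("id")

def is_first_party(sp_id, inventory):
    """True when the SP belongs to a Microsoft-owned application."""
    return inventory.get(sp_id, {}).get("appOwnerOrganizationId") == MICROSOFT_SERVICES_TENANT

def detect_chain(events, inventory):
    """Return findings in time order: every credential added to a first-party SP, and every
    federation change, rated critical when performed by a first-party (hijacked) SP."""
    findings = []
    hijacked = set()                                   # first-party SPs that received credentials in-window
    stages = defaultdict(lambda: defaultdict(list))    # actor -> domain -> [activity names seen]
    for ev in sorted(events, key=lambda e: e["activityDateTime"]):
        name, actor = ev["activityDisplayName"], actor_id(ev)
        target = ev["targetResources"][0]
        if name == CRED_ADDED and target["type"] == "ServicePrincipal" and is_first_party(target["id"], inventory):
            hijacked.add(target["id"])
            findings.append({"time": ev["activityDateTime"], "severity": "high",
                             "rule": "first-party-sp-credential", "actor": actor,
                             "detail": f"credentials added to {target['displayName']} ({target['id']})"})
        elif name in (DOMAIN_ADDED, DOMAIN_VERIFIED, FEDERATION_SET):
            domain = target["displayName"]
            stages[actor][domain].append(name)
            if name == FEDERATION_SET:
                by_first_party = actor in hijacked or is_first_party(actor, inventory)
                new_domain = DOMAIN_ADDED in stages[actor][domain]   # domain created in the same window
                severity = "critical" if by_first_party else ("high" if new_domain else "medium")
                findings.append({"time": ev["activityDateTime"], "severity": severity,
                                 "rule": "federation-configured", "actor": actor, "domain": domain,
                                 "detail": f"federation set on {domain}; new domain={new_domain}, "
                                           f"first-party actor={by_first_party}"})
    return findings

if __name__ == "__main__":
    for f in detect_chain(SAMPLE_EVENTS, SAMPLE_INVENTORY):
        print(f["time"], f["severity"].upper(), f["rule"], f["detail"])
```

Every federation change is reported, because a legitimate admin switching a domain to federation is itself a sensitive event worth a ticket; the rating only climbs to critical when the actor is a Microsoft first-party service principal, which should never be the one reconfiguring domains in a customer tenant.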

An app registration is used to create multiple SPs in each tenant (Image Credit: Microsoft)

Datadog researchers reported this vulnerability to the Microsoft Security Response Center (MSRC) in January 2025. Microsoft acknowledged the issue but classified the behaviour as expected, emphasizing that the scenario reflects a misconfiguration (an over-privileged, compromised service principal) rather than a security bypass.

Security recommendations for Microsoft Entra ID customers

Organizations can protect themselves from the Entra ID privilege escalation technique by implementing several key security practices focused on identity governance, role management, and application monitoring.

  1. Restrict high-privilege role assignments

Administrators are advised to limit the use of powerful roles like Application Administrator, Cloud Application Administrator, and Privileged Role Administrator to only those accounts that absolutely require them.

  2. Audit and monitor service principals

It's highly recommended to regularly audit all service principals to ensure they haven't been modified or assigned unauthorized credentials. Pay particular attention to Microsoft first-party service principals such as Exchange Online: a key or secret added to one of them in your tenant is the first step of the technique described above. IT admins should monitor for changes to application credentials and role assignments using tools like Microsoft Defender for Cloud Apps or third-party solutions.

  3. Secure domain federation settings

Organizations should also ensure that only trusted administrators can configure domain federation and upload certificates. They should periodically review federation configurations and remove unused or suspicious domains.
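The three recommendations above can be turned into a scheduled control check. The following is an added example written for this page, not code from the article or from Datadog. It takes a snapshot of tenant objects in the shape Microsoft Graph returns (`/servicePrincipals`, `/domains` with each domain's `federationConfiguration` merged in by the caller, and `/roleManagement/directory/roleAssignments`) and reports who holds app-administration-class roles, which Microsoft first-party service principals carry tenant-added credentials, and which federated domains point at an issuer outside your known-good list. The snapshot is constructed; the role template IDs are the documented Entra built-in role templates and the first-party owner tenant ID is the well-known Microsoft value.

```python
"""Periodic control check for privileged roles, first-party SP credentials and federation.

Added example, not code from the article or from Datadog. Input is a snapshot in
the shape Microsoft Graph returns; the snapshot below is constructed.
"""
import hashlib
from urllib.parse import urlparse

MICROSOFT_SERVICES_TENANT = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"  # appOwnerOrganizationId of first-party apps

# Built-in role template IDs (stable across tenants) that can manage application credentials.
WATCHED_ROLES = {
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3": "Application Administrator",
    "158c047a-c907-4556-b7ef-446551a6b5f7": "Cloud Application Administrator",
    "e8611ab8-c189-46e8-94e1-60213ab1f814": "Privileged Role Administrator",
}

SAMPLE_SNAPSHOT = {  # constructed tenant snapshot
    "servicePrincipals": [
        {"id": "exo-sp", "displayName": "Office 365 Exchange Online",
         "appOwnerOrganizationId": MICROSOFT_SERVICES_TENANT,
         "keyCredentials": [{"keyId": "k1", "displayName": "CN=backup", "endDateTime": "2027-01-01T00:00:00Z"}],
         "passwordCredentials": []},
        {"id": "graph-sp", "displayName": "Microsoft Graph",
         "appOwnerOrganizationId": MICROSOFT_SERVICES_TENANT, "keyCredentials": [], "passwordCredentials": []},
        {"id": "ci-sp", "displayName": "ci-deploy-automation",
         "appOwnerOrganizationId": "customer-tenant", "keyCredentials": [],
         "passwordCredentials": [{"keyId": "p1", "displayName": "pipeline", "endDateTime": "2026-01-01T00:00:00Z"}]},
    ],
    "domains": [
        {"id": "corp.example.com", "authenticationType": "Federated",
         "federationConfiguration": [{"issuerUri": "http://adfs.corp.example.com/adfs/services/trust",
                                      "signingCertificate": "MIIC...corp"}]},
        {"id": "attacker-example.net", "authenticationType": "Federated",
         "federationConfiguration": [{"issuerUri": "http://sts.attacker-example.net/",
                                      "signingCertificate": "MIIC...evil"}]},
        {"id": "example.onmicrosoft.com", "authenticationType": "Managed", "federationConfiguration": []},
    ],
    "roleAssignments": [
        {"principalId": "ci-sp", "roleDefinitionId": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"},
        {"principalId": "alice", "roleDefinitionId": "158c047a-c907-4556-b7ef-446551a6b5f7"},
        {"principalId": "bob", "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10"},  # Global Administrator
    ],
}

def privileged_holders(snapshot):
    """Recommendation 1: who holds roles able to manage app credentials; flag non-human holders."""
    sp_ids = {sp["id"] for sp in snapshot["servicePrincipals"]}
    out = []
    for ra in snapshot["roleAssignments"]:
        role = WATCHED_ROLES.get(ra["roleDefinitionId"])
        if role:
            out.append({"principalId": ra["principalId"], "role": role,
                        "isServicePrincipal": ra["principalId"] in sp_ids})
    return out

def first_party_with_credentials(snapshot):
    """Recommendation 2: Microsoft-owned SPs should carry no tenant-added keys or secrets."""
    out = []
    for sp in snapshot["servicePrincipals"]:
        if sp.get("appOwnerOrganizationId") != MICROSOFT_SERVICES_TENANT:
            continue
        creds = sp.get("keyCredentials", []) + sp.get("passwordCredentials", [])
        if creds:
            out.append({"id": sp["id"], "displayName": sp["displayName"],
                        "credentialIds": [c["keyId"] for c in creds]})
    return out

def federated_domains(snapshot, known_issuer_hosts):
    """Recommendation 3: list federated domains and flag issuers outside the known-good set."""
    out = []
    for d in snapshot["domains"]:
        if d.get("authenticationType") != "Federated":
            continue
        for fc in d.get("federationConfiguration", []):
            host = urlparse(fc["issuerUri"]).hostname or ""
            # Fingerprint of the stored certificate value, for diffing against last run's baseline.
            # (A real thumbprint is SHA-1 over the DER bytes; hashing the stored value suffices here.)
            cert_fp = hashlib.sha256(fc["signingCertificate"].encode()).hexdigest()[:16]
            out.append({"domain": d["id"], "issuerHost": host, "certFingerprint": cert_fp,
                        "expected": host in known_issuer_hosts})
    return out

def audit(snapshot, known_issuer_hosts):
    """Run all three checks and say whether anything needs a human to act."""
    report = {"privilegedHolders": privileged_holders(snapshot),
              "firstPartyWithCredentials": first_party_with_credentials(snapshot),
              "federatedDomains": federated_domains(snapshot, known_issuer_hosts)}
    report["actionRequired"] = (bool(report["firstPartyWithCredentials"])
                                or any(not d["expected"] for d in report["federatedDomains"])
                                or any(h["isServicePrincipal"] for h in report["privilegedHolders"]))
    return report

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_SNAPSHOT, {"adfs.corp.example.com"}), indent=2))
```

Run it against a fresh Graph export on a schedule and keep the previous report: a new entry under `firstPartyWithCredentials`, a federated domain whose issuer host is not on your list, or a changed `certFingerprint` on a domain you did not touch should each page the identity team.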