
Microsoft Entra ID Vulnerability Enables Privilege Escalation to Global Administrator

A critical vulnerability in Microsoft’s Entra ID (formerly Azure Active Directory) allows attackers to escalate privileges and impersonate any user with Global Administrator privileges.

The privilege escalation technique leverages a fundamental weakness in how Microsoft’s first-party applications handle authentication credentials.

Attackers who compromise service principals assigned the Cloud Application Administrator role, the Application Administrator role, or the Application.ReadWrite.All permission can add malicious credentials to the Office 365 Exchange Online service principal.

Once an attacker gains control of this service principal, they can exploit its Domain.ReadWrite.All permission to add a new federated domain to the target tenant. This critical step allows the attacker to configure a malicious certificate that Entra ID will trust for authentication.

However, other SP properties are derived from the app registration or are configured separately on the SP and the app registration.

The attack is particularly dangerous because it can bypass multi-factor authentication (MFA) requirements.

By setting the federatedIdpMfaBehavior property to “acceptIfMfaDoneByFederatedIdp,” attackers can include forged MFA claims in their SAML tokens, making Entra ID believe that MFA has already been completed.


Microsoft’s response to this disclosure has been notably dismissive, with the Microsoft Security Response Center (MSRC) stating that “the scenario described reflects misconfiguration, not a security bypass.”

Using this certificate, attackers can forge SAML tokens to impersonate any hybrid user synchronized between on-premises Active Directory and Entra ID, including those with Global Administrator privileges.

MSRC argued that the vulnerability represents expected behavior of the Application Administrator role rather than a genuine security vulnerability.

This stance has raised concerns within the cybersecurity community, as the vulnerability allows privilege escalation far beyond what administrators might expect when assigning application management roles.

The technique specifically targets the Office 365 Exchange Online application, which Microsoft failed to protect with the same security controls applied to other first-party applications.

The browser was authenticated to M365 as the target Global Administrator after proceeding through this prompt.

The disclosure timeline reveals a lengthy investigation process, with MSRC initially acknowledging the issue in January 2025 but ultimately concluding in May that no security vulnerability existed.

This decision contradicts previous research that identified similar service principal hijacking techniques as legitimate security concerns.

Mitigations

Organizations can protect themselves by implementing comprehensive monitoring for application credential additions and federated domain modifications.

The vulnerability, reported to Microsoft in January 2025, exploits service principals (SPs) with application management permissions to hijack Microsoft’s own Office 365 Exchange Online service principal.

Security teams should specifically watch for “Add service principal credentials” and “Update application – Certificates and secrets management” activities in their Entra ID audit logs.
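The following triage script is an added example, not code from the article or from Microsoft: it runs over a JSON-lines export of Entra ID audit records in the Microsoft Graph directoryAudit shape and flags the two credential activities named above, raising the severity when the target is the Office 365 Exchange Online service principal. The federation activity names and the sample records are assumptions constructed for the example.

```python
import json
from typing import Iterable, Optional

# Audit activities the article says to watch for.
CREDENTIAL_ACTIVITIES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}
# Federated-domain changes; these activity names are my assumption of the
# Graph directoryAudit names and are not quoted in the article.
FEDERATION_ACTIVITIES = {"Set federation settings on domain", "Set domain authentication"}
# The first-party SP the technique hijacks, matched on display name.
SENSITIVE_TARGETS = {"Office 365 Exchange Online"}

def triage(record: dict) -> Optional[str]:
    """Severity for one directoryAudit record, or None if not of interest."""
    activity = record.get("activityDisplayName", "")
    targets = {t.get("displayName", "") for t in record.get("targetResources", [])}
    if activity in CREDENTIAL_ACTIVITIES:
        # A credential added to Exchange Online's SP is the first step of the chain.
        return "critical" if targets & SENSITIVE_TARGETS else "medium"
    if activity in FEDERATION_ACTIVITIES:
        return "high"  # the tenant now trusts a new IdP certificate
    return None

def actor_of(record: dict) -> str:
    """Display name of the initiating app or user (SP-driven changes are the case here)."""
    by = record.get("initiatedBy", {})
    who = by.get("app") or by.get("user") or {}
    return who.get("displayName", "unknown")

def triage_log(lines: Iterable[str]) -> list:
    """Parse a JSON-lines audit export; return (severity, actor, activity) per hit."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        sev = triage(rec)
        if sev is not None:
            hits.append((sev, actor_of(rec), rec["activityDisplayName"]))
    return hits

# Constructed sample records (not real telemetry); "ci-deploy-sp" is a made-up SP name.
SAMPLE_LOG = [json.dumps(r) for r in [
    {"activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"app": {"displayName": "ci-deploy-sp"}},
     "targetResources": [{"displayName": "Office 365 Exchange Online"}]},
    {"activityDisplayName": "Set federation settings on domain",
     "initiatedBy": {"app": {"displayName": "ci-deploy-sp"}},
     "targetResources": [{"displayName": "newfed.example"}]},
    {"activityDisplayName": "Add user",
     "initiatedBy": {"user": {"displayName": "helpdesk"}},
     "targetResources": [{"displayName": "new.hire@contoso.example"}]},
]]
```

Correlating a credential addition on the Exchange Online SP with a federation change by the same actor, as the two flagged sample records show, is the pattern the article's attack chain would leave in the audit log.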

Microsoft recommends using cloud-only administrator accounts that are not synchronized with on-premises Active Directory, as these cannot be targeted through federated domain attacks.

Organizations should also review existing service principals for unexpected credentials and implement Conditional Access policies that restrict sign-ins to trusted locations and compliant devices.

For application developers, Microsoft suggests enabling the “app instance property lock” setting on app registrations created before March 2024, which prevents credential addition to associated service principals.

This feature is enabled by default for newer applications but requires manual configuration for legacy registrations.

The vulnerability highlights the complex security challenges in hybrid cloud environments and underscores the importance of least-privilege principles when assigning application management roles in Entra ID deployments.


Ethan Brooks

Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
