Critical Microsoft Entra ID Vulnerability Allows Global Admin Takeover in Any Tenant
A critical vulnerability in Microsoft Entra ID (formerly Azure AD) allows attackers to obtain Global Admin privileges in any tenant via specially crafted Actor tokens, with no patch yet available.

A critical vulnerability in Microsoft Entra ID (formerly Azure AD) allows attackers to obtain Global Admin privileges in any tenant via specially crafted Actor tokens. The flaw, detailed by researcher Dirkjan Mol, affects all Entra ID tenants and could enable complete tenant compromise. Microsoft has not yet released a patch, leaving organizations exposed to potential privilege escalation attacks.
The vulnerability, dubbed "One Token to rule them all," exploits the way Entra ID handles Actor tokens—a type of token used for authentication in certain scenarios. By crafting a malicious Actor token, an attacker can impersonate a Global Administrator and gain unrestricted access to the target tenant. This includes the ability to read and modify all directory data, manage user accounts, and access cloud resources.
According to Mol's research, the attack does not require any prior access to the target tenant. An attacker needs only the ability to send a crafted token to the Entra ID service. This makes the vulnerability particularly dangerous, as it can be exploited remotely without authentication.
The impact is widespread: every organization using Microsoft Entra ID is potentially affected. This includes millions of businesses and government agencies worldwide that rely on Entra ID for identity and access management. A successful attack could lead to data breaches, ransomware deployment, and complete compromise of cloud infrastructure.
Microsoft has acknowledged the vulnerability but has not yet released a security patch. In the meantime, organizations are advised to monitor for suspicious activity, review token policies, and implement additional security controls such as conditional access policies and privileged identity management. The company has not provided a timeline for a fix.
This vulnerability highlights the growing risk of identity-based attacks in cloud environments. As organizations increasingly rely on cloud identity providers, flaws in these systems can have catastrophic consequences. Security experts urge organizations to stay vigilant and apply patches as soon as they become available.