Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover
A privilege escalation flaw in Microsoft Entra ID's Agent ID Administrator role allowed users to take over arbitrary service principals, potentially granting attackers broader tenant control.

Microsoft has patched a privilege escalation vulnerability in its Entra ID identity platform that could have allowed attackers to take over arbitrary service principals and escalate their access across a tenant. The flaw, discovered by identity security firm Silverfort, resided in the Agent ID Administrator role — a built-in privileged role introduced by Microsoft as part of its agent identity platform to manage AI agent identity lifecycles.
The Agent ID Administrator role was designed to handle all aspects of an AI agent's identity lifecycle, enabling agents to authenticate securely and access necessary resources. However, Silverfort researchers found that users assigned this role could take over arbitrary service principals — including those unrelated to AI agents — simply by becoming an owner of the principal and then adding their own credentials to authenticate as that principal.
"That's full service principal takeover," said Silverfort security researcher Noa Ariel. "In tenants where high-privileged service principals exist, it becomes a privilege escalation path." By owning a service principal, an attacker could operate within the scope of its existing permissions. If the targeted service principal held elevated permissions — such as privileged directory roles or high-impact Graph app permissions — the attacker could gain broader control over the entire tenant.
Microsoft rolled out a patch across all cloud environments on April 9, 2026, following responsible disclosure on March 1. The fix blocks any attempt to assign ownership over non-agent service principals using the Agent ID Administrator role, returning a "Forbidden" error message. No CVE identifier was assigned to the vulnerability.
Silverfort noted that the architectural issue highlights the need for validating how roles are scoped and permissions are applied, especially when new identity types are built on top of existing primitives. "When role permissions are applied on top of shared foundations without strict scoping, access can extend beyond what was originally intended," Ariel said.
To mitigate the threat, organizations are advised to monitor sensitive role usage — particularly those related to service principal ownership or credential changes — track service principal ownership changes, secure privileged service principals, and audit credential creation on service principals. The flaw underscores the growing risk surface introduced by non-human identities in the age of AI agents.
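As an added illustration of the monitoring advice above (example code, not from the article or from Silverfort), the following Python check correlates the two audit events that make up the takeover chain: an actor adding themselves as owner of a service principal, followed by that actor adding credentials to the same principal. The record layout, field names and sample entries are constructed for this example and are not a documented Entra audit-log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

OWNER_ADD = "Add owner to service principal"
CRED_ADD = "Add service principal credentials"

# Constructed sample records in a simplified, assumed audit-log shape.
AUDIT_LOG = [
    {"time": "2026-03-01T10:00:00Z", "activity": OWNER_ADD, "actor": "alice@contoso.example",
     "targets": [{"type": "ServicePrincipal", "id": "sp-111", "name": "BackupAutomation"},
                 {"type": "User", "id": "alice@contoso.example"}]},
    {"time": "2026-03-01T10:02:30Z", "activity": CRED_ADD, "actor": "alice@contoso.example",
     "targets": [{"type": "ServicePrincipal", "id": "sp-111", "name": "BackupAutomation"}]},
    # Owner added for someone else and no credential follows: not flagged.
    {"time": "2026-03-01T11:00:00Z", "activity": OWNER_ADD, "actor": "bob@contoso.example",
     "targets": [{"type": "ServicePrincipal", "id": "sp-222", "name": "CopilotAgent"},
                 {"type": "User", "id": "carol@contoso.example"}]},
    # Credential added a day after ownership: outside the default window.
    {"time": "2026-03-01T12:00:00Z", "activity": OWNER_ADD, "actor": "dave@contoso.example",
     "targets": [{"type": "ServicePrincipal", "id": "sp-333", "name": "Reporting"},
                 {"type": "User", "id": "dave@contoso.example"}]},
    {"time": "2026-03-02T12:00:00Z", "activity": CRED_ADD, "actor": "dave@contoso.example",
     "targets": [{"type": "ServicePrincipal", "id": "sp-333", "name": "Reporting"}]},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def _sp(rec):
    # Every record in this constructed log carries exactly one service principal target.
    return next(t for t in rec["targets"] if t["type"] == "ServicePrincipal")

def find_takeover_chains(records, window_hours=1):
    """Return (actor, sp_id, sp_name) for each actor who made themselves owner of a
    service principal and then added credentials to that same principal within the window."""
    window = timedelta(hours=window_hours)
    self_owner_adds = defaultdict(list)  # (actor, sp_id) -> ownership timestamps
    for r in records:
        if r["activity"] != OWNER_ADD:
            continue
        new_owners = {t["id"] for t in r["targets"] if t["type"] == "User"}
        if r["actor"] in new_owners:
            self_owner_adds[(r["actor"], _sp(r)["id"])].append(_ts(r["time"]))
    findings = []
    for r in sorted(records, key=lambda x: x["time"]):
        if r["activity"] != CRED_ADD:
            continue
        sp, when = _sp(r), _ts(r["time"])
        if any(timedelta(0) <= when - o <= window for o in self_owner_adds[(r["actor"], sp["id"])]):
            findings.append((r["actor"], sp["id"], sp["name"]))
    return findings
```

Widening the window trades fewer missed chains for more noise from legitimate owners who rotate credentials; pair this correlation with the role-assignment and ownership-change alerts the article recommends rather than relying on it alone.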