A researcher has uncovered what may be one of the most severe cloud identity vulnerabilities ever found: one that could have given attackers global admin rights in every Microsoft Entra ID tenant worldwide.
According to Dirk-jan Mollema, the flaw came from a dangerous combination of undocumented “Actor tokens” and a validation failure in the legacy Azure AD Graph API, which did not check that the tenant a token was issued for matched the tenant it was being used against. Together, they allowed an attacker to impersonate any user, including global administrators, in any tenant.
Microsoft has since patched the issue and assigned CVE-2025-55241, but the discovery highlights the deep risks in legacy authentication mechanisms and hidden backend processes.
What Happened?
Actor tokens were designed by Microsoft for service-to-service (S2S) communication between its own backend services. They let one service act on behalf of a user when calling another, and they sit outside standard security controls such as Conditional Access policies, which makes them inherently risky.
Mollema discovered that by crafting impersonation tokens from an Actor token, an attacker could cross tenant boundaries in the Azure AD Graph API. With a single token obtained from their own lab tenant, they could impersonate a global admin in any other tenant, including corporate, government, or cloud service provider tenants.
The implications were staggering: full access to user data, role assignments, tenant policies, applications, devices, and even BitLocker recovery keys synced to Entra ID. In short, complete control.
Why It Matters
- No Logs, No Trace: Actor tokens left no logs in victim tenants, making abuse nearly invisible.
- Bypassing Defenses: Conditional Access and MFA policies were powerless against this method.
- Tenant Takeover: Attackers could create or modify accounts, escalate privileges, and access Microsoft 365, Exchange Online, SharePoint, and Azure resources.
- Cascade Effect: With guest accounts and cross-tenant links, a single compromise could spread exponentially, potentially reaching Microsoft’s own environment and its partners.
While Microsoft reports no evidence of exploitation, the vulnerability is a reminder that legacy APIs and undocumented features are soft targets for attackers.
The Global and Regional Impact
For enterprises worldwide, especially in regions like the Middle East and Africa (MEA) where governments and businesses increasingly rely on Microsoft’s cloud, this flaw represents a wake-up call. Many MEA organizations depend heavily on Entra ID for identity and access management across digital services. An attack of this scale could have jeopardized critical infrastructure, banking systems, and public services.
What Security Teams Should Do Now
Even though Microsoft has fixed the issue, defenders should take proactive steps to harden their environments against similar risks:
- Audit tenant configurations for reliance on the legacy Azure AD Graph API (graph.windows.net), the surface this flaw lived in, and migrate those integrations to Microsoft Graph where possible.
- Review service principals and remove unnecessary credentials or delegated permissions.
- Monitor audit logs for suspicious privileged-role activity, especially changes that appear to be performed by Exchange, SharePoint, or Dynamics service identities acting as a global admin.
- Implement just-in-time (JIT) admin access to reduce standing privileges.
- Conduct tenant-wide identity hygiene checks, removing dormant accounts and stale guest accounts that could be abused.
- Adopt strict identity governance, including role-based access control (RBAC).
- Educate IT and security teams via targeted training and awareness on emerging identity threats.
- Stay informed on CVEs and advisories, particularly those affecting identity platforms.
- Run red-team or penetration tests simulating identity compromise to validate detection and response readiness.
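Two of the checklist items above, finding integrations that still call the legacy Azure AD Graph API and reviewing audit logs for privileged-role grants made by something other than a human administrator, can be scripted over exported log records. The following is an added example written for this article, not code from the original page, from Microsoft, or from the researcher. It assumes a simplified subset of the Microsoft Graph `signIn` and `directoryAudit` record shapes (field names such as `resourceId`, `initiatedBy` and `targetResources`), treats the well-known first-party application IDs as assumptions to confirm in your own tenant, and uses constructed sample records. Note that, as the article states, the Actor token abuse itself left no logs in the victim tenant, so this is hygiene and after-the-fact review, not a detector for the exploit.

```python
"""Offline checks for two checklist items: integrations still calling the
legacy Azure AD Graph API, and privileged-role grants not made by a human.

Added example, not code from the original article, Microsoft, or the
researcher. Record shapes are an assumed, simplified subset of the Microsoft
Graph `signIn` and `directoryAudit` resources; every record below is
constructed for this example.
"""
import json

# Well-known first-party application IDs (assumed; confirm in your tenant).
AZURE_AD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"  # graph.windows.net
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"        # graph.microsoft.com
FIRST_PARTY_SERVICES = {
    "00000002-0000-0ff1-ce00-000000000000": "Exchange Online",
    "00000003-0000-0ff1-ce00-000000000000": "SharePoint Online",
}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Constructed sign-in records: which app obtained a token for which resource.
SAMPLE_SIGNINS = json.loads("""[
  {"appDisplayName": "LegacyHRSync", "resourceId": "%s",
   "userPrincipalName": "svc-hr@contoso.example"},
  {"appDisplayName": "ModernPortal", "resourceId": "%s",
   "userPrincipalName": "alice@contoso.example"},
  {"appDisplayName": "OldReportingJob", "resourceId": "%s",
   "servicePrincipalId": "4d5e6f70-0000-4000-8000-000000000001"}
]""" % (AZURE_AD_GRAPH_APP_ID, MS_GRAPH_APP_ID, AZURE_AD_GRAPH_APP_ID))

# Constructed directory audit records (a2 and a5 are the ones worth a look).
SAMPLE_AUDITS = json.loads("""[
  {"id": "a1", "activityDateTime": "2025-09-18T08:00:00Z",
   "activityDisplayName": "Add member to role",
   "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}, "app": null},
   "targetResources": [{"type": "User", "displayName": "bob@contoso.example"},
                       {"type": "Role", "displayName": "Global Administrator"}]},
  {"id": "a2", "activityDateTime": "2025-09-18T08:05:00Z",
   "activityDisplayName": "Add member to role",
   "initiatedBy": {"user": null, "app": {"appId": "00000002-0000-0ff1-ce00-000000000000",
                                         "displayName": "Office 365 Exchange Online"}},
   "targetResources": [{"type": "User", "displayName": "mallory@contoso.example"},
                       {"type": "Role", "displayName": "Global Administrator"}]},
  {"id": "a3", "activityDateTime": "2025-09-18T08:10:00Z",
   "activityDisplayName": "Add member to role",
   "initiatedBy": {"user": null, "app": {"appId": "9f9f9f9f-0000-4000-8000-000000000002",
                                         "displayName": "HelpdeskAutomation"}},
   "targetResources": [{"type": "User", "displayName": "carol@contoso.example"},
                       {"type": "Role", "displayName": "Reports Reader"}]},
  {"id": "a4", "activityDateTime": "2025-09-18T08:15:00Z",
   "activityDisplayName": "Update user",
   "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}, "app": null},
   "targetResources": [{"type": "User", "displayName": "dave@contoso.example"}]},
  {"id": "a5", "activityDateTime": "2025-09-18T08:20:00Z",
   "activityDisplayName": "Add member to role",
   "initiatedBy": {"user": null, "app": {"appId": "7a7a7a7a-0000-4000-8000-000000000003",
                                         "displayName": "CI-Deployer"}},
   "targetResources": [{"type": "User", "displayName": "eve@contoso.example"},
                       {"type": "Role", "displayName": "Privileged Role Administrator"}]}
]""")


def legacy_graph_callers(signins):
    """Map each app that obtained a token for Azure AD Graph to the set of
    principals (UPN or service principal id) it did so for. These are the
    integrations to migrate to Microsoft Graph."""
    callers = {}
    for rec in signins:
        if rec.get("resourceId") != AZURE_AD_GRAPH_APP_ID:
            continue
        who = rec.get("userPrincipalName") or rec.get("servicePrincipalId") or "unknown"
        callers.setdefault(rec.get("appDisplayName", "unknown"), set()).add(who)
    return callers


def suspicious_role_assignments(audits):
    """Flag privileged-role additions initiated by a first-party workload such
    as Exchange or SharePoint (which do not normally assign directory roles)
    or by any non-user principal. Legitimate admin-initiated grants pass."""
    findings = []
    for rec in audits:
        if rec.get("activityDisplayName") != "Add member to role":
            continue
        roles = {t.get("displayName") for t in rec.get("targetResources", [])
                 if t.get("type") == "Role"}
        hit = roles & PRIVILEGED_ROLES
        if not hit:
            continue
        initiated = rec.get("initiatedBy") or {}
        app = initiated.get("app") or {}
        if app.get("appId") in FIRST_PARTY_SERVICES:
            reason = "initiated by %s service principal" % FIRST_PARTY_SERVICES[app["appId"]]
        elif not initiated.get("user"):
            reason = "initiated by non-user principal"
        else:
            continue
        findings.append({"id": rec.get("id"), "time": rec.get("activityDateTime"),
                         "roles": sorted(hit), "reason": reason})
    return findings


if __name__ == "__main__":
    for app, principals in legacy_graph_callers(SAMPLE_SIGNINS).items():
        print("Azure AD Graph caller:", app, sorted(principals))
    for f in suspicious_role_assignments(SAMPLE_AUDITS):
        print("Review role grant:", f)
```

In a real tenant the same two functions can be fed the output of an export from the Entra sign-in and audit logs (for example via the Microsoft Graph `auditLogs` endpoints); the value of running them on exported data is that the review can be repeated and diffed over time rather than done once by hand.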
Conclusion
The Entra ID “Actor token” vulnerability underscores a simple truth: invisible mechanisms can have massive consequences. Even though Microsoft rapidly mitigated the flaw, the scale of potential impact is a stark reminder that organizations must continually question the unseen parts of their cloud environments.
As Mollema put it, this was likely the most impactful bug he’ll ever find. For defenders, it should be seen as one of the most urgent lessons in identity security: never underestimate the power of a single token.