“This vulnerability could have allowed me to compromise every Entra ID tenant in the world.”
— Dirk-jan Mollema, Security Researcher
What Happened: A Silent Path to Global Admin in Any Tenant
In a high-stakes vulnerability disclosed by researcher Dirk-jan Mollema, attackers could impersonate any user in any Microsoft Entra ID tenant, including Global Admins, using a little-known and undocumented type of access called an actor token. This wasn’t a theoretical problem. It was a dangerous combo of:
- Actor tokens, issued through a long-deprecated Microsoft legacy system (ACS), which allowed service-to-service impersonation.
- A bug in the Azure AD Graph API (graph.windows.net), which failed to properly verify tenant boundaries when actor tokens were used.
By creating a valid actor token in their own tenant, an attacker could swap in a victim’s tenant ID and user identifier, then impersonate a Global Admin in the victim org with no MFA, no Conditional Access, and no logging on the victim side. It’s essentially like crafting a master key in your own house, then using it to unlock anyone else’s, while the alarm system remains silent.
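To make the missing check concrete, here is a simplified model, added to this post and not Microsoft's code or the real actor token format, of the tenant-boundary validation a multi-tenant API must perform. The claim names (`tid`, `sub`, `actor_app`), the in-memory directory and the two tenants are assumptions made for the model; the point is that the tenant named in the request must never be trusted on its own and must be checked against the tenant the token was issued for.

```python
"""Simplified model of the tenant-boundary check a multi-tenant API must make.

Added illustration: not Microsoft's code and not the real actor token format.
Tokens are represented as already-validated claim sets (signature checking is
assumed to have happened before these functions run)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Claims:
    tid: str        # tenant the token was issued for (hypothetical claim name)
    sub: str        # user the caller is acting on behalf of (hypothetical)
    actor_app: str  # service that obtained the token (hypothetical)


# Constructed directory: tenant id -> users that exist in that tenant.
DIRECTORY = {
    "tenant-A": {"alice@a.example", "admin@a.example"},
    "tenant-B": {"bob@b.example", "admin@b.example"},
}


def resolve_user_vulnerable(claims: Claims, target_tenant: str,
                            target_user: str) -> Optional[Tuple[str, str]]:
    """Resolves the identity named in the request without comparing it to the
    token's own tenant. This is the class of mistake the post describes: a token
    minted in one tenant is honoured for a user in another."""
    if target_user not in DIRECTORY.get(target_tenant, set()):
        return None
    return (target_tenant, target_user)


def resolve_user_hardened(claims: Claims, target_tenant: str,
                          target_user: str) -> Optional[Tuple[str, str]]:
    """Resolves the identity only when the token's tenant and subject agree with
    the request and the subject actually exists in that tenant."""
    # 1. The token's tenant must be the tenant being accessed.
    if claims.tid != target_tenant:
        return None
    # 2. The caller may only act as the subject the token was issued for.
    if claims.sub != target_user:
        return None
    # 3. That subject must exist in the tenant the token belongs to.
    if target_user not in DIRECTORY.get(target_tenant, set()):
        return None
    return (target_tenant, target_user)


if __name__ == "__main__":
    # A token issued in tenant-A, presented against tenant-B's admin.
    foreign = Claims(tid="tenant-A", sub="alice@a.example", actor_app="svc-a")
    print("vulnerable:", resolve_user_vulnerable(foreign, "tenant-B", "admin@b.example"))
    print("hardened:  ", resolve_user_hardened(foreign, "tenant-B", "admin@b.example"))
```

The vulnerable variant resolves the victim tenant's admin from a token that was never issued for that tenant; the hardened variant refuses it and only honours the token inside its own tenant for its own subject.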
Why This Was So Dangerous
- Bypassed core defenses like MFA, Conditional Access, and device compliance checks.
- No logs in the victim tenant, meaning most orgs wouldn’t even see the attack happening.
- Used legacy APIs, which many orgs haven’t fully deprecated, even though Microsoft has warned about them for years.
- Global Admin access, which opens up full control of users, apps, email, and cloud resources.
If exploited, this would have been a multi-tenant cloud compromise scenario, on par with some of the most severe identity-related vulnerabilities we’ve seen.
What Security Teams Should Do Right Now
Even though Microsoft has patched the issue (CVE-2025-55241), there are still critical steps every organization should take:
1. Audit API Usage
- Identify and remove any use of the Azure AD Graph API (graph.windows.net).
- Migrate to Microsoft Graph immediately.
- Disable legacy auth protocols and deprecated token flows wherever possible.
2. Investigate for Signs of Abuse
- Review privileged role assignments, especially any unusual changes to Global Admins or app role assignments.
- Correlate logs across tenants where applicable; attacker activity may only show up in non-obvious places.
- Look for anomalous use of old service principals or unexpected API behavior.
3. Harden Identity Access
- Reduce the number of permanent Global Admins; implement Just-in-Time (JIT) access and role-based delegation.
- Enforce MFA, even on service accounts and break-glass accounts.
- Use Conditional Access policies that include risk-based signals and device context.
4. Eliminate Legacy Dependencies
- Scan for usage of legacy tokens, ACS integrations, or unmaintained identity flows in internal tools.
- Kill off service-to-service connections that don’t use modern token validation and signing.
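As an added example for steps 1 and 2 above (not code from the original post), the script below triages exported Entra ID logs offline: it counts which applications still obtain tokens for the Azure AD Graph resource, and it lists additions of members to the Global Administrator role. The record shapes are simplified versions of the Microsoft Graph `signIn` and `directoryAudit` resources and the sample records are constructed; the resource application IDs and the Global Administrator role template ID are the well-known values.

```python
"""Offline triage of exported Entra ID logs for checklist steps 1 and 2.

Added example, not code from the original post. Record shapes are simplified
versions of Microsoft Graph's signIn and directoryAudit resources; the sample
records are constructed and do not describe a real tenant."""
import json
from collections import Counter

# Well-known first-party resource application IDs.
AZURE_AD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"   # graph.windows.net
MICROSOFT_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # graph.microsoft.com
# Built-in directory role template ID for Global Administrator.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sign-in export: two HR-Sync sign-ins against Azure AD Graph,
# one Payroll sign-in against Microsoft Graph.
SAMPLE_SIGN_INS = json.loads("""[
  {"appDisplayName": "HR-Sync", "appId": "aaaaaaaa-0000-0000-0000-000000000001",
   "resourceId": "00000002-0000-0000-c000-000000000000", "userPrincipalName": "svc-hr@contoso.example"},
  {"appDisplayName": "HR-Sync", "appId": "aaaaaaaa-0000-0000-0000-000000000001",
   "resourceId": "00000002-0000-0000-c000-000000000000", "userPrincipalName": "svc-hr@contoso.example"},
  {"appDisplayName": "Payroll", "appId": "aaaaaaaa-0000-0000-0000-000000000002",
   "resourceId": "00000003-0000-0000-c000-000000000000", "userPrincipalName": "svc-pay@contoso.example"}
]""")

# Constructed audit export: one Global Administrator grant, one User Administrator
# grant, and an unrelated user update. Graph encodes newValue as a JSON string,
# hence the escaped quotes.
SAMPLE_AUDITS = json.loads("""[
  {"activityDisplayName": "Add member to role", "activityDateTime": "2025-09-18T09:12:00Z",
   "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
   "targetResources": [{"userPrincipalName": "newadmin@contoso.example",
     "modifiedProperties": [{"displayName": "Role.TemplateId",
       "newValue": "\\"62e90394-69f5-4237-9190-012177145e10\\""}]}]},
  {"activityDisplayName": "Add member to role", "activityDateTime": "2025-09-18T10:00:00Z",
   "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
   "targetResources": [{"userPrincipalName": "helpdesk@contoso.example",
     "modifiedProperties": [{"displayName": "Role.TemplateId",
       "newValue": "\\"fe930be7-5e62-47db-91af-98c3a49a38b1\\""}]}]},
  {"activityDisplayName": "Update user", "activityDateTime": "2025-09-18T11:30:00Z",
   "initiatedBy": {"app": {"displayName": "HR-Sync"}},
   "targetResources": [{"userPrincipalName": "alice@contoso.example", "modifiedProperties": []}]}
]""")


def legacy_graph_callers(sign_ins):
    """Count sign-ins per application whose token was issued for Azure AD Graph.
    Anything listed here still depends on graph.windows.net and needs migrating."""
    return Counter(s["appDisplayName"] for s in sign_ins
                   if s.get("resourceId") == AZURE_AD_GRAPH_APP_ID)


def _initiator(entry):
    """Name the user or app that performed an audited action."""
    by = entry.get("initiatedBy", {})
    if by.get("user"):
        return by["user"].get("userPrincipalName", "<unknown user>")
    if by.get("app"):
        return by["app"].get("displayName", "<unknown app>")
    return "<unknown>"


def global_admin_grants(audits):
    """Return every 'Add member to role' entry whose target role is Global Administrator."""
    hits = []
    for entry in audits:
        if entry.get("activityDisplayName") != "Add member to role":
            continue
        for target in entry.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if (prop.get("displayName") == "Role.TemplateId"
                        and prop.get("newValue", "").strip('"') == GLOBAL_ADMIN_TEMPLATE_ID):
                    hits.append({"when": entry["activityDateTime"],
                                 "by": _initiator(entry),
                                 "target": target.get("userPrincipalName")})
    return hits


if __name__ == "__main__":
    for app, n in legacy_graph_callers(SAMPLE_SIGN_INS).most_common():
        print(f"still using Azure AD Graph: {app} ({n} sign-ins)")
    for hit in global_admin_grants(SAMPLE_AUDITS):
        print(f"Global Admin granted to {hit['target']} by {hit['by']} at {hit['when']}")
```

Run against a real export, the first function gives the migration backlog for step 1 and the second gives the role-grant events to review in step 2; the template-ID match is used rather than the display name so that localized or renamed role labels do not hide a grant.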
Final Thoughts
This vulnerability may be patched, but it reveals how much of your cloud identity security depends on what’s under the surface. If your monitoring, detection, or assessment strategy ignores identity and API-level threats, you’re not seeing the full picture.
You don’t need to wait for another “actor token” scenario to start addressing these risks. Focus now on:
- Identity attack surface assessments
- M365 Configuration Audits
- Cloud penetration testing
- Privilege escalation detection
- Legacy API decommissioning
- Logging & forensics visibility across Entra ID
And remember: it’s often the quiet, undocumented pieces of infrastructure, not the flashy zero-days, that give attackers the loudest victories.