Microsoft Entra ID Vulnerability: The Discovery That Shook Identity Security

In July 2025, the cybersecurity world was rocked by security researcher Dirk-jan Mollema’s unveiling of a catastrophic vulnerability within Microsoft Entra ID. This was no ordinary flaw; it was a fundamental breach that shattered tenant isolation and obliterated the core trust boundaries essential for robust cloud identity security. The discovery exposed a critical weakness at the heart of Microsoft’s identity platform. 

CVE ID: CVE-2025-55241
Description: A critical elevation-of-privilege flaw impacting Microsoft Entra ID.
CVSS Score: 10.0 (Critical) per The Hacker News and Microsoft’s CISA entry; 9.0 (Critical) per gm0 – Cyber Security Write-ups.
CWE: CWE-287 (Improper Authentication)
Affected Product: Microsoft Azure Entra ID
Discoverer: Dirk-jan Mollema (Outsider Security)
Discovery Date: July 2025 (Reported to Microsoft on July 14, 2025)
Patch Date: July 17, 2025 (per The Hacker News)


Anatomy of the Attack: Two Flaws, One Catastrophe 

Actor Tokens: The Hidden Skeleton Key  

Actor tokens are undocumented internal tokens designed for Microsoft service-to-service authentication. They operate outside normal security boundaries: they bypass Conditional Access policies, circumvent Multi-Factor Authentication requirements, and produce virtually no audit trail in tenant logs.

Microsoft services use these tokens to impersonate users for legitimate operations, but their existence was never publicly documented or secured against misuse. 

Legacy Azure AD Graph API: The Broken Gate  

The deprecated Azure AD Graph API contained a critical flaw in its tenant validation logic. When processing Actor tokens, it failed to verify whether the token truly belonged to the target tenant.  

This oversight meant tokens from one tenant could be replayed against any other tenant, breaking the fundamental isolation that customers expect from multi-tenant cloud services. 

The combination was devastating: an attacker could obtain an Actor token from their own tenant and use it to impersonate any user—including Global Administrators—in victim tenants. 

The Attack Chain: From Guest to Global Admin 

  • Identify Guest Users & Collect Data: An attacker queries guest users within an Entra ID tenant (even as a standard user) to extract the victim’s netId from alternativeSecurityIds and their home tenant ID from the UPN.
  • Craft & Replay Actor Token: Using the victim’s netId and home tenant ID, the attacker crafts a malicious Actor Token, exploiting CVE-2025-55241, to impersonate the victim in their own home tenant.
  • Victim Impersonation in Home Tenant: The crafted Actor Token is replayed against the victim’s home tenant, granting the attacker full user privileges and bypassing MFA and Conditional Access policies.
  • Enumerate & Escalate to Global Admin: Impersonating a user, the attacker enumerates Global Administrators, then repeats the Actor Token crafting and replay to gain full control over the victim’s entire tenant.
  • Lateral Movement & Exponential Spread: From the newly compromised tenant, the attacker identifies new guest users and their home tenants, pivoting to an ever-expanding set of targets.

The Exponential Scaling Effect 

  • Alarming Stealth: The initial steps are shockingly discreet, requiring as few as two API calls per tenant and leaving virtually no trace in the victim’s logs. This makes detection incredibly difficult, rendering traditional monitoring tools almost blind to the breach. 
  • Rapid Compromise: Compromising one tenant immediately provides netIds and tenant IDs of all guest users within it, allowing for a rapid, exponential expansion of the attack surface. 
  • Massive Scale: Global compromise of Entra ID tenants is possible within minutes. A breach of Microsoft’s tenant, for instance, could rapidly chain to major service providers worldwide due to widespread guest consultant accounts. 

Real-World Impact: Full Tenant Compromise  

With Global Administrator privileges obtained through Actor token impersonation, attackers could execute a complete takeover of victim organizations:  

Identity System Compromise: Assign additional privileged roles to maintain persistence, create backdoor administrator accounts, and establish service principals with extensive permissions for long-term access.

Application Ecosystem Control: Grant malicious applications tenant-wide permissions, access OAuth tokens for third-party services, and manipulate application registrations to establish covert data channels.

Microsoft 365 Data Exfiltration: Access Exchange mailboxes, SharePoint document libraries, OneDrive personal files, and Teams conversations across the entire organization without user awareness.

Azure Infrastructure Access: Control Azure subscriptions, modify security policies, access Key Vault secrets, and manipulate cloud workloads running in the compromised tenant.

This represented true cross-tenant impersonation: a fundamental breach of the trust isolation that Microsoft guarantees between customer tenants.

Detection Challenges & Opportunities 

Why Traditional Monitoring Failed  

Actor tokens were specifically designed to bypass standard security controls:  

  • No sign-in events logged in victim tenant  
  • Conditional Access policies completely circumvented  
  • MFA requirements ignored entirely  
  • Risk-based authentication not triggered  
  • User behavior analytics blind to the activity  

Security teams monitoring authentication logs would see privileged actions occurring without any corresponding authentication events—a massive blind spot in traditional SIEM approaches.  

What Still Left Traces  

Despite evading authentication monitoring, privileged actions still generated audit events:  

  • Directory role assignments and modifications  
  • Service principal credential additions  
  • Application registration changes  
  • High-privilege consent grants  
  • Azure resource permission modifications  

Key Detection Pattern: Administrative actions occurring without matching sign-in logs should trigger immediate investigation.  

Detection Insight: Focus monitoring on what changed rather than who authenticated to catch Actor token abuse. 
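As an added example (not code from the article or from CheckRed), the following Python sketch implements that "what changed, not who authenticated" correlation over constructed audit and sign-in records. Field names follow the Microsoft Graph auditLogs schema (directoryAudits and signIns) as an assumption, and the privileged activity display names are assumed rather than taken from the article.

```python
# Added example (not from the article or CheckRed): flag privileged Entra ID audit events
# whose initiating user has no successful sign-in shortly before the action. Field names
# follow the Microsoft Graph auditLogs schema as an assumption; records are constructed.
from datetime import datetime, timedelta
# Activities the article lists as still leaving audit traces (assumed display names).
PRIVILEGED_ACTIVITIES = {"Add member to role", "Add service principal credentials",
                         "Update application", "Consent to application"}

# Constructed sign-ins: alice recent and successful, bob three days old, carol failed.
SIGN_INS = [
    {"userId": "u-alice", "createdDateTime": "2025-07-15T08:02:11Z", "status": {"errorCode": 0}},
    {"userId": "u-bob", "createdDateTime": "2025-07-12T09:30:00Z", "status": {"errorCode": 0}},
    {"userId": "u-carol", "createdDateTime": "2025-07-15T10:00:00Z", "status": {"errorCode": 50126}},
]
# Constructed audit events; a4 is not a privileged activity and must be ignored.
AUDIT_EVENTS = [
    {"id": "a1", "activityDisplayName": "Add member to role",
     "activityDateTime": "2025-07-15T08:15:00Z", "initiatedBy": {"user": {"id": "u-alice"}}},
    {"id": "a2", "activityDisplayName": "Add service principal credentials",
     "activityDateTime": "2025-07-15T08:20:00Z", "initiatedBy": {"user": {"id": "u-bob"}}},
    {"id": "a3", "activityDisplayName": "Consent to application",
     "activityDateTime": "2025-07-15T10:05:00Z", "initiatedBy": {"user": {"id": "u-carol"}}},
    {"id": "a4", "activityDisplayName": "Update user",
     "activityDateTime": "2025-07-15T10:06:00Z", "initiatedBy": {"user": {"id": "u-carol"}}},
]
def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def orphaned_privileged_actions(audit_events, sign_ins, window_hours=24):
    """Return ids of privileged audit events with no successful sign-in by the same
    user in the window_hours before the action (the article's 'administrative
    actions without matching sign-in logs' pattern)."""
    window = timedelta(hours=window_hours)
    ok_signins = {}
    for s in sign_ins:
        if s["status"]["errorCode"] == 0:
            ok_signins.setdefault(s["userId"], []).append(_ts(s["createdDateTime"]))
    flagged = []
    for ev in audit_events:
        if ev["activityDisplayName"] not in PRIVILEGED_ACTIVITIES:
            continue
        user = (ev.get("initiatedBy") or {}).get("user")
        if not user:  # app-initiated change: needs a service-principal sign-in check instead
            continue
        when = _ts(ev["activityDateTime"])
        recent = [t for t in ok_signins.get(user["id"], []) if when - window <= t <= when]
        if not recent:
            flagged.append(ev["id"])
    return flagged
```

In a real deployment the two record sets would come from exported audit and sign-in logs for the same tenant, and a flagged event is an investigation trigger, not a verdict.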

Future-Proofing Identity Security  

  • SSPM/CSPM: Reduce Attack Surface – Implement SaaS/Cloud Security Posture Management to minimize Global Administrator accounts, identify overprivileged service principals, and maintain lean privilege baselines that limit potential impact.
  • ITDR: Detect the Undetectable – Deploy Identity Threat Detection & Response solutions that monitor privilege changes, correlate administrative actions with authentication events, and flag anomalous identity behaviors.
  • PIM: Just-in-Time Administration – Enforce Privileged Identity Management for all administrative roles, requiring approval workflows and time-bounded access that makes persistent Global Admin accounts obsolete.

The Actor Token Lesson: MFA and Conditional Access are not enough when hidden authentication flows bypass them entirely. Modern identity security requires continuous monitoring of what privileged accounts do, not just who logs in.  

CVE-2025-55241 is patched, but the fundamental truth remains—identity security must evolve beyond traditional authentication monitoring to encompass comprehensive privilege oversight and behavioral analysis.  

Entra ID & M365 Threat Brief: Recent Misconfiguration Exploits  

The ‘Actor Token’ bypass (CVE-2025-55241) is a stark reminder, but it’s just one facet of a relentless attack landscape targeting misconfigurations in Entra ID and Microsoft 365. Security teams are increasingly battling sophisticated attackers who exploit subtle gaps beyond traditional authentication controls. The incidents detailed below highlight persistent threat vectors and their real-world impact, demanding immediate attention and proactive posture management. 

  1. OAuth Application & Consent Phishing Abuse (e.g., ‘Engineering Hub Rescue’) 
    • Threat Vector: Attackers register malicious OAuth applications in Entra ID or leverage consent phishing to trick users into granting excessive permissions to legitimate-looking apps.  
    • Observed Impact: These apps gain persistent access to user data (emails, files, calendars) or, in advanced cases, impersonate users to access internal applications and bypass conditional access. This has facilitated initial access, data exfiltration, and even internal reconnaissance.  
    • Strategic Relevance: Highlights the critical need for strict OAuth app governance, consent policy enforcement, and continuous monitoring of app registrations and delegated permissions.
  2. OneDrive Known Folder Move (KFM) & SharePoint Persistent Access  
    • Threat Vector: Following initial compromise (e.g., via token theft or phishing), attackers utilize the OneDrive KFM feature or exploit SharePoint online permissions.  
    • Observed Impact: Persistent access to synchronized data, including sensitive application files and documents, within SharePoint Online and OneDrive. This allows for data exfiltration, command-and-control communication, and establishing a lasting foothold within the M365 environment, often evading endpoint detection.  
    • Strategic Relevance: Emphasizes the importance of robust M365 security policies, granular SharePoint/OneDrive permissions, and continuous monitoring for anomalous data access and sync activities. 
  3. Service Principal & Application Secret Exposure  
    • Threat Vector: Hardcoded or improperly stored application secrets (client IDs, client secrets, certificates) are exposed in public source code repositories, misconfigured storage accounts, or insecure CI/CD pipelines.  
    • Observed Impact: Attackers harvest these valid credentials to directly authenticate against Entra ID as the compromised service principal or application. This grants them the permissions of that entity, which can include highly privileged access to M365 services, Azure resources, and even the ability to create new users or modify configurations.  
    • Strategic Relevance: Underlines the necessity of secure secrets management, secrets scanning in code repositories, least-privilege principles for service principals, and regular auditing of application registrations. 

Why These Incidents Demand Immediate Action  

These real-world exploit chains underscore how pervasive misconfigurations in Entra ID and connected services are actively exploited to:  

  • Forge new pathways for data theft and unauthorized access, often bypassing traditional perimeter controls.  
  • Enable sophisticated privilege escalation, rendering MFA and Conditional Access less effective.  
  • Trigger cascading follow-on attacks that compromise entire enterprise environments with alarming speed.  
  • Expose the inherent limitations of relying solely on authentication-time security measures.  

Critical Takeaway: Proactive Posture Management is Non-Negotiable 


About the Authors  

Shravan Konthalapally 

Shravan Konthalapally is Senior Manager at CheckRed, leading SaaS Security Posture Management. He specializes in SaaS and identity security, with expertise in misconfiguration mitigation, compliance, and risk reduction across multi-SaaS environments. 

Shubham Takankhar

Shubham Takankhar is a Software Development Engineer at CheckRed who is focused on SaaS Security Posture Management, with a keen eye on modern identity risks and misconfigurations.