Close Menu

    Subscribe to Updates

    Get the latest tech news from Tallwire.

      What's Hot

      U.S. Biotechs Turn to Secrecy as China Accelerates Drug Development Race

      July 16, 2026

      AI Chatbots Face Growing Scrutiny as Mental Health Risks Draw Medical Alarm

      July 16, 2026

      Record Industry Pushes for AI Labels on Streaming Music

      July 15, 2026
      Facebook X (Twitter) Instagram
      • Tech
      • AI
      • Get In Touch
      Facebook X (Twitter) LinkedIn
      TallwireTallwire
      • Tech

        U.S. Biotechs Turn to Secrecy as China Accelerates Drug Development Race

        July 16, 2026

        Fiat Bets on Tiny EV as Affordable Transportation Returns to the Spotlight

        July 15, 2026

        Personalized UVB Device Promises Vitamin D Benefits While Raising Questions About Medicalizing Everyday Health

        July 15, 2026

        Meta Patent Ignites Fresh Fears Over AI-Powered Emotional Surveillance

        July 14, 2026

        AI Protesters March on Silicon Valley Giants Demanding Development Freeze

        July 14, 2026
      • AI

        AI Chatbots Face Growing Scrutiny as Mental Health Risks Draw Medical Alarm

        July 16, 2026

        U.S. Biotechs Turn to Secrecy as China Accelerates Drug Development Race

        July 16, 2026

        Record Industry Pushes for AI Labels on Streaming Music

        July 15, 2026

        AI Chatbots Increasingly Clash With Eating Disorder Treatment

        July 15, 2026

        Anthropic Doubles Down on New York as AI Talent War Intensifies

        July 15, 2026
      • Security

        China’s AI Distillation Campaign Raises New Concerns Over U.S. Technology Security

        July 13, 2026

        AI Tools Increasingly Exploited by Terrorist Organizations, New Research Finds

        July 13, 2026

        Pentagon Expands Engineering Recruitment to Restore America’s Military Technology Edge

        July 13, 2026

        EU Lawmakers Advance Controversial Private Message Scanning Measure Despite Mounting Privacy Concerns

        July 12, 2026

        Scramble Intensifies to Secure America Against Emerging AI National Security Threats

        July 12, 2026
      • Health

        AI Chatbots Face Growing Scrutiny as Mental Health Risks Draw Medical Alarm

        July 16, 2026

        AI Chatbots Increasingly Clash With Eating Disorder Treatment

        July 15, 2026

        Personalized UVB Device Promises Vitamin D Benefits While Raising Questions About Medicalizing Everyday Health

        July 15, 2026

        Humanoid Robots Complete First Live Surgical Procedures in Medical Milestone

        July 14, 2026

        Meta Patent Ignites Fresh Fears Over AI-Powered Emotional Surveillance

        July 14, 2026
      • Science

        AI Chatbots Face Growing Scrutiny as Mental Health Risks Draw Medical Alarm

        July 16, 2026

        U.S. Biotechs Turn to Secrecy as China Accelerates Drug Development Race

        July 16, 2026

        Scientists Advance “StormWall” Concept to Defend Earth from Catastrophic Solar Storms

        July 15, 2026

        Personalized UVB Device Promises Vitamin D Benefits While Raising Questions About Medicalizing Everyday Health

        July 15, 2026

        Humanoid Robots Complete First Live Surgical Procedures in Medical Milestone

        July 14, 2026
      • Tech

        AI Protesters March on Silicon Valley Giants Demanding Development Freeze

        July 14, 2026

        Palo Alto Networks CEO Warns AI Costs Must Plunge Before Enterprise Adoption Can Accelerate

        July 14, 2026

        DeepMind Unionization Effort Encounters Early Resistance as Labor Talks Stall

        July 11, 2026

        Always-On Workplace Culture Pushes Employees Toward the Breaking Point

        July 10, 2026

        High-Income Families Embrace AI-Driven Schools as Alternative Education Expands

        July 9, 2026
      TallwireTallwire
      Home»Tech»Microsoft Patches Catastrophic Entra ID ‘Actor Token’ Flaw That Could’ve Let Attackers Own Any Tenant
      Tech

      Microsoft Patches Catastrophic Entra ID ‘Actor Token’ Flaw That Could’ve Let Attackers Own Any Tenant

      Updated:February 21, 20264 Mins Read
      Facebook Twitter Pinterest LinkedIn Tumblr Email
      Microsoft Patches Catastrophic Entra ID ‘Actor Token’ Flaw That Could’ve Let Attackers Own Any Tenant
      Microsoft Patches Catastrophic Entra ID ‘Actor Token’ Flaw That Could’ve Let Attackers Own Any Tenant
      Share
      Facebook Twitter LinkedIn Pinterest Email

      A newly disclosed vulnerability in Microsoft‘s Entra ID (formerly Azure Active Directory), tracked as CVE-2025-55241, could have allowed a determined attacker to impersonate any user — including Global Administrators — across nearly all Entra ID tenants, by exploiting undocumented “Actor tokens” together with improper tenant validation in the legacy Azure AD Graph API. ☠️ Security researcher Dirk-jan Mollema described it as possibly “the most impactful Entra ID vulnerability” he’ll ever find, and demonstrated that the exploit would bypass conditional access, multi-factor authentication, and generate virtually no logs in the victim tenant. Microsoft patched the vulnerability in July 2025 (rolled widely by September) after receiving Mollema’s report, and initiated further mitigations including the disabling of actor-token requests to the Graph API. 

      Sources: IT Pro, Hacker News

      Key Takeaways

      – The flaw hinged on undocumented service-to-service “Actor tokens” that were exempt from security controls like MFA, logging, and conditional access, enabling cross-tenant impersonation. 

      – The legacy Azure AD Graph API’s weak tenant validation allowed an actor token from one tenant to be accepted in another, enabling privilege escalation across tenant boundaries. 

      – Microsoft responded rapidly (within days of disclosure) and deployed global fixes, while also urging customers to migrate off the deprecated Graph API and audit privileged roles. 

      In-Depth

      In the modern cloud world, identity systems like Microsoft’s Entra ID serve as foundational trust infrastructure: they authenticate users, grant permissions, and gate access to sensitive resources. So when there’s a flaw in that layer, anything built on top becomes vulnerable. That’s exactly what Dirk-jan Mollema discovered in mid-2025: a two-part design oversight involving “Actor tokens” and the outdated Azure AD Graph API allowed for cross-tenant impersonation that skipped nearly every security guardrail.

      First, the actor tokens. These tokens were undocumented internal tokens used by Microsoft services for service-to-service (S2S) operations. Because they were designed for internal use, they avoided many of the protections placed on standard user tokens: they could bypass conditional access rules, weren’t audited in standard logs in the target tenant, and weren’t subject to revocation or usual token checks. Mollema figured out how to request such an actor token from a “lab” or benign tenant and then use it in another tenant. 

      Here’s where the second flaw comes in: the legacy Azure AD Graph API (graph.windows.net) failed to properly validate the “originating tenant” claim in requests. In other words, the API didn’t reliably check whether the token presented actually belonged to the same tenant it was being used against. By combining an actor token from Tenant A with a crafted request to the Graph API of Tenant B (with knowledge of a user’s netId, which can be discovered via public APIs), an attacker could impersonate a user in Tenant B — including a Global Administrator. 

      Mollema walked through the full sequence in his blog: obtain the tenant ID (which is publicly retrievable), determine a user’s netId, forge an impersonation token based on that, list global admins, then forge a token for one of them, and finally carry out any directory-level change or access. Because Graph API is a powerful interface, once control was gained, the attacker could create or modify identities, escalate privileges, alter policies, or pivot into Microsoft 365 / Azure. 

      The worst part? Very little of this triggers alerts on the victim side. Actor token issuance and use doesn’t log metadata in the target tenant, and the Graph API itself has minimal telemetry in many deployments. So unless defenders had very detailed detection rules or a strong “assume breach / hunt mode,” the attack could proceed unobserved. 

      Once Mollema reported the flaw to Microsoft on July 14, work started quickly. Microsoft patched the flaw in the Graph API validation logic, began blocking actor token requests for Graph, and rolled updates across their cloud systems. The official CVE-2025-55241 was published on September 4, and analysts have rated it at the maximum severity (CVSS 10.0) in Microsoft’s own reporting. 

      Microsoft also used the episode to push more strongly on retiring the Azure AD Graph API (which is officially being phased out), urging developers to shift to the more modern Microsoft Graph, which has improved logging, stronger validation, and better security design. 

      So what does this mean for organizations and for cloud security in general? At a minimum, tenants should confirm that they have received Microsoft’s fixes, verify that no residual dependencies remain on the legacy Graph API, audit privileged roles and service accounts for anomalies, and adopt threat hunting practices targeted at anomalous token use or cross-tenant telegraphing. More broadly, this incident is a stark reminder that legacy internal components—even ones hidden from public documentation—can become attack vectors, and that identity-as-a-service (IdaaS) must never be treated as invulnerable. The trust boundary that identity providers enforce must be rigorously defended and audited.

      Microsoft
      Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
      Previous ArticleMicrosoft Makes Bold Move Toward AI Autonomy with First Home-Grown Models
      Next Article Microsoft PowerToys Adds Long-Overdue Automatic Light/Dark Theme Switcher and Shortcut Conflict Detector

      Related Posts

      U.S. Biotechs Turn to Secrecy as China Accelerates Drug Development Race

      July 16, 2026

      Fiat Bets on Tiny EV as Affordable Transportation Returns to the Spotlight

      July 15, 2026

      Personalized UVB Device Promises Vitamin D Benefits While Raising Questions About Medicalizing Everyday Health

      July 15, 2026

      Meta Patent Ignites Fresh Fears Over AI-Powered Emotional Surveillance

      July 14, 2026
      Add A Comment
      Leave A Reply Cancel Reply

      Editors Picks

      U.S. Biotechs Turn to Secrecy as China Accelerates Drug Development Race

      July 16, 2026

      Fiat Bets on Tiny EV as Affordable Transportation Returns to the Spotlight

      July 15, 2026

      Personalized UVB Device Promises Vitamin D Benefits While Raising Questions About Medicalizing Everyday Health

      July 15, 2026

      Meta Patent Ignites Fresh Fears Over AI-Powered Emotional Surveillance

      July 14, 2026
      Popular Topics
      trending starlink Tesla Cybertruck Software Satellite Viral Series B Satya Nadella Startup UAE Tech Space Stocks SpaceX Series A Taiwan Tech Tesla Sundar Pichai Samsung spotlight Tim Cook
      Major Tech Companies
      • Apple News
      • Google News
      • Meta News
      • Microsoft News
      • Amazon News
      • Samsung News
      • Nvidia News
      • OpenAI News
      • Tesla News
      • AMD News
      • Anthropic News
      • Elbit News
      AI & Emerging Tech
      • AI Regulation News
      • AI Safety News
      • AI Adoption
      • Quantum Computing News
      • Robotics News
      Key People
      • Sam Altman News
      • Jensen Huang News
      • Elon Musk News
      • Mark Zuckerberg News
      • Sundar Pichai News
      • Tim Cook News
      • Satya Nadella News
      • Mustafa Suleyman News
      Global Tech & Policy
      • Israel Tech News
      • India Tech News
      • Taiwan Tech News
      • UAE Tech News
      Startups & Emerging Tech
      • Series A News
      • Series B News
      • Startup News
      Tallwire
      Facebook X (Twitter) LinkedIn Threads Instagram RSS
      • Tech
      • Entertainment
      • Business
      • Government
      • Academia
      • Transportation
      • Legal
      • Press Kit
      © 2026 Tallwire. Optimized by ARMOUR Digital Marketing Agency.

      Type above and press Enter to search. Press Esc to cancel.