Microsoft Fixed Entra ID Vulnerability Allowing Global Admin Impersonation

Microsoft has addressed a critical security vulnerability in Azure Entra ID, tracked as CVE-2025-55241, that was initially described as a low-impact privilege escalation bug. Security research later revealed the flaw was far more severe, allowing attackers to impersonate any user, including Global Administrators.
The vulnerability was originally identified by cybersecurity researcher Dirk-Jan Mollema while preparing for Black Hat and DEF CON presentations earlier this year. His findings showed that undocumented “Actor tokens,” combined with a validation failure in the legacy Azure AD Graph API, could be abused to impersonate any user in any Entra ID tenant, even a Global Administrator.
This meant a token generated in one lab tenant could grant administrative control over others, with no alerts or logs if only reading data, and limited traces if modifications were made.
The design of Actor tokens, as per Mollema, made the problem even worse. These tokens are issued for backend service-to-service communication and bypass normal security protections like Conditional Access. Once obtained, they allowed impersonation of other identities for 24 hours, during which no revocation was possible.
Microsoft applications could generate them with impersonation rights, but non-Microsoft apps would be denied that privilege. Because the Azure AD Graph API lacked logging, administrators would not see when attackers accessed user data, groups, roles, tenant settings, service principals, BitLocker keys, policies, etc.
In his detailed technical blog post, Mollema demonstrated that impersonation worked across tenants because the Azure AD Graph API failed to validate the token’s originating tenant. By changing the tenant ID and targeting a known user identifier (netId), he could move from his own tenant into any other.
With a valid netId of a Global Admin, the door opened to full takeover of Microsoft 365, Azure subscriptions, and connected services. Worse, netIds could be brute-forced quickly or, in some cases, retrieved from guest account attributes in cross-tenant collaborations.
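As an added illustration (not Microsoft's code, and not the real Actor-token format), the following minimal model shows the check the article says Azure AD Graph lacked: the tenant was taken from the request, and the token's originating tenant was never compared against it. The claim names, tenant names, netIds and the directory contents are all constructed stand-ins.

```python
# Added illustration, not Microsoft's code. Claim names (issuer_tenant,
# subject_netid, can_impersonate) and the directory below are constructed
# stand-ins, not the real Actor-token format or Entra ID data model.
from dataclasses import dataclass

@dataclass(frozen=True)
class ImpersonationToken:
    issuer_tenant: str     # tenant the token was minted in
    subject_netid: str     # identity the bearer asks to act as
    can_impersonate: bool  # the impersonation right Microsoft-owned apps held

# Constructed directory: tenant -> netId -> role of that account.
DIRECTORY = {
    "lab-tenant":    {"netid-lab-user": "User"},
    "victim-tenant": {"netid-victim-ga": "Global Administrator"},
}

def resolve_vulnerable(token, target_tenant, directory=DIRECTORY):
    """Pre-fix behaviour as the article describes it: the tenant comes from the
    request and the token's originating tenant is never checked, so a token
    minted in the lab tenant resolves identities in any other tenant."""
    if not token.can_impersonate:
        raise PermissionError("token lacks impersonation right")
    return directory[target_tenant][token.subject_netid]

def resolve_fixed(token, target_tenant, directory=DIRECTORY):
    """Bind the token to the tenant it was issued in before touching the
    directory; a cross-tenant token is rejected regardless of its rights."""
    if not token.can_impersonate:
        raise PermissionError("token lacks impersonation right")
    if token.issuer_tenant != target_tenant:
        raise PermissionError(
            f"token issued by {token.issuer_tenant} cannot address {target_tenant}")
    return directory[target_tenant][token.subject_netid]

def cross_tenant_outcome(resolver):
    """Run one lab-minted token against the victim tenant and report the result."""
    token = ImpersonationToken("lab-tenant", "netid-victim-ga", True)
    try:
        return resolver(token, "victim-tenant")
    except PermissionError:
        return "rejected"

if __name__ == "__main__":
    print("vulnerable:", cross_tenant_outcome(resolve_vulnerable))  # Global Administrator
    print("fixed:     ", cross_tenant_outcome(resolve_fixed))       # rejected
```

The tenant binding is the only difference between the two resolvers; the impersonation right alone is not enough to make a token valid for a tenant it was not issued in.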
Microsoft rolled out a global fix on July 17, just three days after the initial report, and later added further mitigations that block applications from requesting Actor tokens for the Azure AD Graph. The company said no evidence of exploitation was found in its internal telemetry. On September 4, the vulnerability was officially catalogued as CVE-2025-55241.
Security professionals, however, say the issue exposes broader concerns about trust in cloud identity systems. Anders Askasan, Director of Product at Radiant Logic, argued that “This incident shows how undocumented identity features can quietly bypass Zero Trust.”
“Actor tokens created a shadow backdoor with no policies, no logs, no visibility, undermining the very foundation of trust in the cloud. The takeaway is clear: vendor patching after the fact simply isn’t enough,” he added.
“To reduce systemic risk, enterprises need independent observability across their entire identity fabric, continuously correlating accounts, entitlements, and policies,” he advised. “Organisations need a trusted, vendor-agnostic view of their identity data and controls, so they can validate in real time and act before an adversarial incursion escalates into a breach that’s almost impossible to unwind.”
HackRead