Microsoft Entra ID Bug Could Let Hackers Take Over Any Company Tenant

[johny899]

A major news came to my attention: a vulnerability in Microsoft Entra ID allowed hackers to take control of the account system for any organization. Not just limited access, but full administrator access. This means they were able to change passwords, add users to the system, and even block legitimate administrators. So it would be analogous to someone stealing the master keys to an office.

What caused the vulnerability​

Entra ID (previously known as Azure Active Directory) manages logins and permissions for a wide range of organizations. A security researcher discovered that two older features posed a significant risk.

• Actor tokens were operational for 24 hours, couldn’t be revoked after issued, and bypassed security checks.
• The old Azure AD Graph API didn’t properly validate that the request was from the correct company.
• This allowed hackers to pretend to be part of any company.

In short, hackers could impersonate anyone within your organization, including the top admin. Even worse, many actions weren’t logged and the victims might never know.

Here is how the hackers executed the attack, step by step:

1. The hacker created an actor token in their account.

2. The hacker found the tenant ID of the target company (which is very easy to look up).

3. The hacker found a user's netID within the company.

4. The hacker used the token and those identifiers to spoof the old API.

5. Within seconds, they were logged in as a Global Admin of the company.

It seems unbelievable, right? Like finding a hiding spare key under the mat and using it to access someone else's house.

What Microsoft did​

Fortunately, Microsoft was aware and moved quickly:

• The flaw was fixed within one week
• The old API started being shut down
• They will eventually get rid of the actor token entirely
• They began asking developers to use the new Microsoft Graph API

This is a good example of how dangerous it is to continue to use the "old" way of doing things just because it "still works."

Why this is important for all of us​

If your organization is using Entra ID, this flaw is definitely important to consider. The threat of admin takeovers is about as severe as you can get, and this attack could occur without a soul being aware of it.

Conclusion​

This vulnerability reminds us that one weak link can put everything at risk. Microsoft issued a patch to fix this vulnerability, but we should all take note: keep systems current and decommission tools while they are still on your platforms and you have time to develop a remediation plan.