
The Perfect Cloud Heist: Microsoft Entra ID Actor Token Exploit Explained

On July 14, 2025, a critical Entra ID vulnerability (CVE-2025-55241, CVSS 10.0) was disclosed that allowed cross-tenant impersonation using legacy Actor tokens. Microsoft patched the issue on July 17, 2025. While Microsoft reported no confirmed in-the-wild exploitation, the flaw allowed an attacker to impersonate Global Administrators across tenants, bypass MFA and Conditional Access, and leave minimal direct logging: a catastrophic identity-provider risk.


Introduction

Microsoft Entra ID (formerly Azure Active Directory) is the identity and access foundation for Azure, Microsoft 365, and thousands of SaaS integrations. On July 14, 2025, researcher Dirk-jan Mollema published a PoC demonstrating a logic/validation flaw in the handling of Actor tokens by the legacy Azure AD Graph API (graph.windows.net). The defect allowed signed service-to-service (S2S) actor tokens issued for one tenant to be accepted and used against another tenant without proper tenant-origin validation. Microsoft issued a global fix on July 17, 2025 (CVE-2025-55241).

Why this matters: a compromise at the identity provider layer undermines the trust model for every downstream service. Administrative control, email, file stores, SaaS apps and subscriptions may all become reachable to an attacker who can impersonate privileged identities.


Attack Details

Root cause

  • Improper validation of the originating tenant in the legacy Azure AD Graph API when processing Actor tokens (service-to-service tokens).

  • The API accepted a signed Actor token from an attacker-controlled tenant and treated it as valid for the victim tenant.

High-level attack path

  1. Attacker obtains a signed Actor token from their own (low-privilege/test) tenant.

  2. Attacker presents the token to the legacy Graph API endpoint (graph.windows.net) targeting a victim tenant.

  3. Because tenant origin was not validated, the API accepts the token and enables actions scoped to privileged roles (including impersonation of Global Admins).

Capabilities available to an attacker

  • Privilege escalation: create accounts, assign Global Administrator roles, alter service principals and permissions.

  • Service compromise: access Azure subscriptions, Exchange/SharePoint/OneDrive, Dataverse, and connected SaaS.

  • Data access and exfiltration: tenant settings, user data, device metadata, and any data reachable via Entra-backed services.

  • Stealth: exploitation could bypass MFA and Conditional Access and produce little to no direct sign-in logging in the victim tenant, making detection and attribution difficult.

Detection challenges

  • Forged/impersonation sign-ins may not appear in typical tenant sign-in logs; observable indicators are often secondary (unexpected role grants, new service principals, or unusual policy changes).


Impact

Scope & scale

  • Global reach: All non-national Entra tenants were theoretically susceptible while the legacy Graph API remained in use, producing a very large blast radius.

  • Cloud systemic risk: This is an identity trust failure; if abused, attackers can pivot to many cloud services and persist without obvious traces.

Operational & business impact

  • Operational disruption from administrative takeover or resource manipulation.

  • Data loss and confidentiality breaches if attackers access mail, files or databases.

  • Long-term persistence through created service principals, backdoors, or manipulated roles.

Forensics & assurance

  • Microsoft reported no confirmed in-the-wild exploitation prior to the patch. However, the absence of explicit tenant logs for forged token sign-ins means past abuse could be hidden; full retrospective certainty may be impossible without cross-layer telemetry.

Strategic implications

  • Highlights the danger of undocumented or legacy S2S authentication paths. Similar validation gaps could exist in other identity providers and cloud APIs, suggesting broader ecosystem exposure.


Recommendation

Immediate (0–7 days)

  • Threat hunt: Search for immediate indicators:

    • Unexpected Global Admin role assignments and role changes.

    • New or modified service principals with high privileges.

    • Conditional Access edits or deletions originating from unfamiliar principals.

    • Correlate spikes in SharePoint/Exchange/Teams/Dataverse access with administrative changes.

  • Rotate high-value credentials: Rotate secrets/certs for high-privilege service principals and any long-lived application credentials.

  • Enable/collect cross-layer telemetry: Pull and preserve identity, SaaS, endpoint and network logs into a central store for correlation and retrospective analysis.
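The threat hunt above relies on secondary indicators because forged Actor-token activity may never appear as a sign-in. The following script is an added example (not code from the advisory or from Vardaan) that runs those checks over constructed Entra audit-log records. The record shape is a simplified approximation of the Entra audit log, the activity strings mirror common entries but are not an exact schema, and the allowlist of change-managed admins is an assumption for the example.

```python
"""Threat-hunt over constructed Entra ID audit-log records for the secondary
indicators named in the advisory: unexpected high-privilege role grants, new or
newly credentialed service principals, and Conditional Access changes made by
unfamiliar principals. The record shape is a simplified approximation of the
Entra audit log (assumption), not an exact schema."""

# Roles whose grant should always be reviewed.
HIGH_PRIVILEGE_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Application Administrator",
}

# Identities permitted to make privileged changes under change management
# (constructed allowlist for this example).
KNOWN_ADMINS = {"alice@contoso.example"}

# Activity names that create or empower service principals or that alter
# Conditional Access (approximation of Entra audit activity names).
SERVICE_PRINCIPAL_ACTIVITIES = {
    "Add service principal",
    "Add service principal credentials",
    "Add app role assignment to service principal",
}
CONDITIONAL_ACCESS_ACTIVITIES = {
    "Add conditional access policy",
    "Update conditional access policy",
    "Delete conditional access policy",
}

# Constructed sample records (not real tenant data).
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2025-07-15T02:11:09Z",
     "activityDisplayName": "Add member to role",
     "initiatedBy": "alice@contoso.example",
     "targetResources": [
         {"type": "Role", "displayName": "Directory Readers"},
         {"type": "User", "displayName": "bob@contoso.example"}]},
    {"activityDateTime": "2025-07-15T02:14:33Z",
     "activityDisplayName": "Add member to role",
     "initiatedBy": "svc-legacy-sync",
     "targetResources": [
         {"type": "Role", "displayName": "Global Administrator"},
         {"type": "User", "displayName": "helpdesk2@contoso.example"}]},
    {"activityDateTime": "2025-07-15T02:15:01Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": "svc-legacy-sync",
     "targetResources": [
         {"type": "ServicePrincipal", "displayName": "backup-agent"}]},
    {"activityDateTime": "2025-07-15T02:16:40Z",
     "activityDisplayName": "Delete conditional access policy",
     "initiatedBy": "helpdesk2@contoso.example",
     "targetResources": [
         {"type": "Policy", "displayName": "Require MFA for admins"}]},
    {"activityDateTime": "2025-07-15T09:00:00Z",
     "activityDisplayName": "Update conditional access policy",
     "initiatedBy": "alice@contoso.example",
     "targetResources": [
         {"type": "Policy", "displayName": "Block legacy auth"}]},
]


def hunt(records, known_admins=KNOWN_ADMINS):
    """Return (category, actor, target, timestamp) tuples for records that
    match an indicator. Every match is a review item, not proof of abuse."""
    findings = []
    for rec in records:
        activity = rec.get("activityDisplayName", "")
        actor = rec.get("initiatedBy", "<unknown>")
        targets = rec.get("targetResources", [])
        when = rec.get("activityDateTime", "")
        unfamiliar = actor not in known_admins

        if activity == "Add member to role":
            roles = {t["displayName"] for t in targets if t.get("type") == "Role"}
            members = [t["displayName"] for t in targets if t.get("type") != "Role"]
            # Any high-privilege grant is reviewed; one from an unfamiliar actor
            # is the strongest indicator the advisory describes.
            for role in sorted(roles & HIGH_PRIVILEGE_ROLES):
                category = ("privileged-role-grant" if unfamiliar
                            else "privileged-role-grant-known-actor")
                findings.append((category, actor,
                                 f"{role} -> {', '.join(members)}", when))
        elif activity in SERVICE_PRINCIPAL_ACTIVITIES and unfamiliar:
            for t in targets:
                findings.append(("service-principal-change", actor,
                                 t["displayName"], when))
        elif activity in CONDITIONAL_ACCESS_ACTIVITIES and unfamiliar:
            for t in targets:
                findings.append(("conditional-access-change", actor,
                                 t["displayName"], when))
    return findings


def summarize(findings):
    """Count findings per category so a hunter can triage by volume."""
    counts = {}
    for category, *_ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    results = hunt(SAMPLE_AUDIT_LOG)
    for finding in results:
        print(*finding, sep=" | ")
    print(summarize(results))
```

On the sample data the routine flags three of the five records: the Global Administrator grant by the unfamiliar `svc-legacy-sync` principal, the credential added to `backup-agent` by the same actor, and the deletion of the MFA policy by the newly promoted account. The two changes made by the allowlisted admin are left alone. Against a real export, feed it the tenant's audit log and replace the allowlist with the identities your change process actually authorises.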


Short to medium term (1–30 days)

  • Decommission legacy APIs: Ensure all apps and automations are migrated from Azure AD Graph API (graph.windows.net) to Microsoft Graph (graph.microsoft.com); block legacy endpoints where feasible.

  • Audit and harden app registrations: Review OAuth permissions, consent grants, and remove or limit unnecessary delegated application privileges.

  • Tighten privileged access controls: Enforce MFA and risk-based policies for admin operations; consider Just-In-Time (JIT) privilege elevation and break-glass procedures.
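Migrating off Azure AD Graph starts with knowing which applications still depend on it. The script below is an added example (not code from the advisory or from Vardaan) that builds that inventory from two inputs: app-registration manifests, using the `requiredResourceAccess` block that declares which resource application an app requests permissions for, and service-principal sign-in records, which show which apps actually call the legacy resource. The well-known resource application IDs for Azure AD Graph and Microsoft Graph are real values; the sign-in field names and the "Windows Azure Active Directory" resource display name are simplified assumptions, and all sample data is constructed.

```python
"""Inventory app registrations and service-principal sign-ins for dependencies
on the legacy Azure AD Graph API (graph.windows.net) so each can be migrated to
Microsoft Graph (graph.microsoft.com). The manifest subset mirrors the
requiredResourceAccess block of an app registration; the sign-in fields are a
simplified approximation (assumption). Sample data is constructed."""

# Well-known resource application IDs of the two Graph APIs.
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"  # Azure AD Graph (legacy)
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph

# Display name the legacy resource carries in sign-in logs (assumption).
AAD_GRAPH_RESOURCE_NAME = "Windows Azure Active Directory"

# Constructed app registrations (requiredResourceAccess subset only).
SAMPLE_APPS = [
    {"displayName": "hr-sync",
     "requiredResourceAccess": [{"resourceAppId": AAD_GRAPH_APP_ID}]},
    {"displayName": "reporting-bot",
     "requiredResourceAccess": [{"resourceAppId": AAD_GRAPH_APP_ID},
                                {"resourceAppId": MS_GRAPH_APP_ID}]},
    {"displayName": "modern-portal",
     "requiredResourceAccess": [{"resourceAppId": MS_GRAPH_APP_ID}]},
]

# Constructed service-principal sign-in records.
SAMPLE_SIGNINS = [
    {"appDisplayName": "hr-sync", "resourceDisplayName": AAD_GRAPH_RESOURCE_NAME,
     "createdDateTime": "2025-07-15T06:00:00Z"},
    {"appDisplayName": "hr-sync", "resourceDisplayName": AAD_GRAPH_RESOURCE_NAME,
     "createdDateTime": "2025-07-16T06:00:00Z"},
    {"appDisplayName": "modern-portal", "resourceDisplayName": "Microsoft Graph",
     "createdDateTime": "2025-07-16T07:30:00Z"},
    {"appDisplayName": "old-script", "resourceDisplayName": AAD_GRAPH_RESOURCE_NAME,
     "createdDateTime": "2025-07-14T23:10:00Z"},
]


def declares_legacy_graph(app):
    """True when the registration requests any permission on Azure AD Graph."""
    return any(r.get("resourceAppId") == AAD_GRAPH_APP_ID
               for r in app.get("requiredResourceAccess", []))


def legacy_graph_inventory(apps, signins):
    """Map app name -> {declared, observed_calls, last_seen, action}.

    declared      : the manifest requests Azure AD Graph permissions
    observed_calls: sign-ins that actually targeted the legacy resource
    action        : migration step suggested by the combination
    """
    inventory = {}
    for app in apps:
        if declares_legacy_graph(app):
            inventory[app["displayName"]] = {
                "declared": True, "observed_calls": 0, "last_seen": None}

    for s in signins:
        if s.get("resourceDisplayName") != AAD_GRAPH_RESOURCE_NAME:
            continue
        entry = inventory.setdefault(s["appDisplayName"], {
            "declared": False, "observed_calls": 0, "last_seen": None})
        entry["observed_calls"] += 1
        # ISO-8601 UTC timestamps in one format compare correctly as strings.
        if entry["last_seen"] is None or s["createdDateTime"] > entry["last_seen"]:
            entry["last_seen"] = s["createdDateTime"]

    for entry in inventory.values():
        if entry["declared"] and entry["observed_calls"]:
            entry["action"] = "migrate-now"            # live dependency
        elif entry["declared"]:
            entry["action"] = "remove-unused-permission"  # declared, no traffic
        else:
            entry["action"] = "investigate-undeclared-caller"  # traffic, no manifest
    return inventory


if __name__ == "__main__":
    for name, entry in legacy_graph_inventory(SAMPLE_APPS, SAMPLE_SIGNINS).items():
        print(f"{name:15} declared={entry['declared']!s:5} "
              f"calls={entry['observed_calls']} last={entry['last_seen']} "
              f"-> {entry['action']}")
```

The three outcomes drive different work: a declared permission with live traffic is a real migration; a declared permission with no traffic can simply be removed, which shrinks the attack surface without code changes; and traffic from an app with no matching registration in your export needs investigation before the endpoint is blocked, because something still depends on it. Once the inventory is empty, blocking the legacy endpoint becomes a safe step rather than an outage.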


Strategic / programmatic (30–90 days)

  • Assume IdP compromise in tabletop exercises: Simulate identity provider compromise to test detection and response focused on post-compromise actions (account creation, role grants, resource provisioning).

  • Invest in cross-product detection: Improve telemetry integration across Entra ID, Azure subscriptions, Microsoft 365 and connected SaaS so suspicious activity can be observed even if identity logs are partial.

  • Vendor & supply-chain review: Identify third-party services that use S2S tokens and ensure they follow modern token validation practices.


For cloud security leaders & boards

  • Treat identity-provider incidents as board-level risks because they enable broad access, regulatory exposure, and reputational damage. Fund resilience efforts (detection, incident response, retention of cross-layer telemetry) and require evidence of migration away from legacy authentication surfaces.


© 2025 Vardaan Sdn Bhd. All Rights Reserved.
