Entra ID Zero-Day: Microsoft Fixes Global Admin Bypass — By CyberDudeBivash
Executive Snapshot

  • What happened: Researcher Dirk-jan Mollema uncovered that undocumented “actor tokens” plus a validation flaw in the legacy Azure AD Graph API could let an attacker impersonate any user—up to Global Admin—across any Entra ID tenant, bypassing MFA, Conditional Access, and logging at the API layer. Microsoft assigned CVE-2025-55241. (dirkjanm.io; The Hacker News)

  • Fix status: Microsoft says it addressed the issue on July 17, 2025 (no customer action required), then completed additional patching/retirement steps as Azure AD Graph reached end-of-life in late August/early September 2025. Public disclosure landed mid-September. (The Hacker News; BleepingComputer)

  • Impact: No evidence of in-the-wild exploitation, but the blast radius was theoretical tenant-wide takeover with minimal traces. Treat as critical and perform retrospective checks and hardening. (The Hacker News)


Timeline (what’s known)

  • July 14, 2025: Vulnerability reported to Microsoft (MSRC). (dirkjanm.io)

  • ~July 17–23, 2025: Microsoft deploys back-end fixes; Microsoft and multiple reports reference the issue as addressed in July. (The Hacker News)

  • Aug 31–early Sept 2025: Azure AD Graph API retirement phase completes; legacy endpoints are decommissioned/blocked per schedule to push all workloads to Microsoft Graph. (The Hacker News)

  • Mid–late Sept 2025: Public write-ups (Wired, BleepingComputer, THN) and vendor analyses (Mitiga) detail the flaw and mitigations. (mitiga.io; WIRED; BleepingComputer)

Why the date confusion? Microsoft staged back-end mitigations in July, then finalized Graph retirement/locks in late Aug–Sep. News outlets quote different milestones; the net is that the defect is fixed at Microsoft’s end with no customer hotfix required, but you still need to harden and audit. (The Hacker News)


How the Bypass Worked (plain English)

  • Actor tokens (S2S): Legacy, undocumented tokens issued by Access Control Service for Microsoft service-to-service flows. They could be used to impersonate users. These tokens weren’t governed by your Conditional Access and generated little/no telemetry. (dirkjanm.io)

  • Legacy Graph gap: The retired Azure AD Graph endpoint didn’t validate the originating tenant strictly enough. An actor token from attacker tenant A could be combined with a victim tenant B user identifier to read/modify tenant data—and even impersonate Global Admin. (The Hacker News)

  • Why scary: With Global Admin impersonation, an attacker could create accounts, grant permissions, rotate creds, and access M365/Azure resources. MFA/CA wouldn’t save you because they weren’t consulted by that legacy API path. And API-level logging on Azure AD Graph was sparse. (The Hacker News)


Who’s Most Exposed

  • Any tenant with apps/integrations still touching Azure AD Graph during the retirement window. (You should be on Microsoft Graph.) (Microsoft Learn)

  • Tenants with many B2B trusts and public identifiers, because finding valid user identifiers (netId/puid) becomes easier at scale. (dirkjanm.io)


What You Should Do Now (15-step, high-signal)

A. Confirm posture & dependencies

  1. Inventory legacy usage: Verify zero dependence on Azure AD Graph across app registrations/SPNs. (Microsoft’s retirement doc and partner notices list dates and checks.) (Microsoft Learn)

  2. Disable and remove any remaining Azure AD Graph (graph.windows.net) calls in code and integrations; migrate them to Microsoft Graph. (Microsoft Learn)

  3. Review service principals with application permissions and long-lived credentials; rotate secrets/certs; prune unused apps.

  4. PIM everywhere: Put Global Admin and other high-privilege roles behind Privileged Identity Management (JIT); remove standing admin. (Microsoft Learn)
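Steps 1–3 above can be scripted against an export of your app registrations. The block below is an added example (not code from the original post, Microsoft, or any cited source): it walks records in the shape of Microsoft Graph’s GET /applications output, flags any app that still requests the legacy Azure AD Graph resource (well-known resource app ID 00000002-0000-0000-c000-000000000000) or carries a client secret valid longer than an assumed 365-day threshold, and greps code/config text for graph.windows.net. The sample records are constructed.

```python
import json
from datetime import datetime

# Well-known resource app IDs, stable across tenants.
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"  # legacy Azure AD Graph
LEGACY_HOST = "graph.windows.net"
MAX_SECRET_DAYS = 365  # assumed threshold for a "long-lived" client secret

# Constructed sample in the shape of Microsoft Graph GET /applications output.
SAMPLE_APPS = json.loads("""[
 {"displayName": "HR-Sync",
  "requiredResourceAccess": [{"resourceAppId": "00000002-0000-0000-c000-000000000000",
     "resourceAccess": [{"id": "00000000-0000-0000-0000-0000000000aa", "type": "Role"}]}],
  "passwordCredentials": [{"displayName": "legacy-secret",
     "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": "2026-01-01T00:00:00Z"}]},
 {"displayName": "Modern-App",
  "requiredResourceAccess": [{"resourceAppId": "00000003-0000-0000-c000-000000000000",
     "resourceAccess": [{"id": "00000000-0000-0000-0000-0000000000bb", "type": "Scope"}]}],
  "passwordCredentials": [{"displayName": "rotating",
     "startDateTime": "2025-09-01T00:00:00Z", "endDateTime": "2025-12-01T00:00:00Z"}]}
]""")

def _days(start, end):
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).days

def audit_app(app):
    """Findings for one app registration: legacy Graph permissions, long-lived secrets."""
    findings = []
    for rra in app.get("requiredResourceAccess", []):
        if rra.get("resourceAppId") == AAD_GRAPH_APP_ID:
            kinds = sorted({a.get("type", "?") for a in rra.get("resourceAccess", [])})
            findings.append(f"requires Azure AD Graph permissions ({', '.join(kinds)})")
    for cred in app.get("passwordCredentials", []):
        life = _days(cred["startDateTime"], cred["endDateTime"])
        if life > MAX_SECRET_DAYS:
            findings.append(f"secret '{cred.get('displayName')}' valid for {life} days")
    return findings

def audit_apps(apps):
    """Map displayName -> findings, only for apps that have any."""
    return {a["displayName"]: f for a in apps if (f := audit_app(a))}

def find_legacy_host(text):
    """1-based line numbers in code/config text that still reference the legacy host."""
    return [n for n, line in enumerate(text.splitlines(), 1) if LEGACY_HOST in line]
```

Feed it the JSON from a real export (for example the output of a Graph `/applications` query) in place of SAMPLE_APPS; every app returned by audit_apps is a migration or rotation ticket.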

B. Hunt for abuse artifacts (July–September lookback)

  1. Directory audit logs: Look for role assignments, app credential adds, owner adds, policy changes, and bulk user changes during the window. (Even if token issuance wasn’t logged, object changes are.) (dirkjanm.io)

  2. Egress/DNS: Flag calls to graph.windows.net from workloads that shouldn’t talk to legacy Graph. (The Hacker News)

  3. Cross-tenant anomalies: New guest users or consent grants you didn’t initiate; unexpected app-only access to mail/files.

  4. Break-glass check: Validate your emergency admin accounts and sign-in alerts. (Microsoft Learn)
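The directory-audit sweep in step 1 (the object changes that survive even when token issuance left no trace) can be run offline over an exported log. This is an added example, not code from the original post or from Microsoft: it filters Entra AuditLogs-shaped records to a watch-list of operation names (assumed from the Entra audit schema) inside the July 14–September 30, 2025 window and marks any grant of a privileged role as CRITICAL. The sample records are constructed.

```python
import json
from datetime import datetime, timezone

# Lookback window from the advisory: MSRC report date through end of September 2025.
WINDOW_START = datetime(2025, 7, 14, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 9, 30, 23, 59, 59, tzinfo=timezone.utc)

# activityDisplayName values to sweep (assumed from the Entra audit schema; extend as needed).
WATCHED_OPERATIONS = {
    "Add member to role", "Add service principal credentials", "Update application",
    "Add owner to application", "Add owner to service principal",
    "Update conditional access policy", "Consent to application",
}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Constructed sample records in the shape of an Entra AuditLogs export.
SAMPLE_AUDIT = json.loads("""[
 {"activityDateTime": "2025-08-02T03:14:00Z", "activityDisplayName": "Add member to role",
  "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
  "targetResources": [{"displayName": "svc-backup", "modifiedProperties":
    [{"displayName": "Role.DisplayName", "newValue": "\\"Global Administrator\\""}]}]},
 {"activityDateTime": "2025-08-02T03:15:30Z", "activityDisplayName": "Add service principal credentials",
  "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
  "targetResources": [{"displayName": "HR-Sync", "modifiedProperties": []}]},
 {"activityDateTime": "2025-06-10T09:00:00Z", "activityDisplayName": "Add member to role",
  "initiatedBy": {"app": {"displayName": "Provisioning-Bot"}},
  "targetResources": [{"displayName": "jane", "modifiedProperties": []}]}
]""")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _initiator(entry):
    who = entry.get("initiatedBy", {})
    user, app = who.get("user") or {}, who.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"

def hunt(entries, start=WINDOW_START, end=WINDOW_END):
    """Watched operations inside the window; privileged-role grants are marked CRITICAL."""
    hits = []
    for e in entries:
        if e.get("activityDisplayName") not in WATCHED_OPERATIONS or not (start <= _ts(e["activityDateTime"]) <= end):
            continue  # outside the watch-list or outside the lookback window
        roles = {(p.get("newValue") or "").strip('"')
                 for t in e.get("targetResources", []) for p in t.get("modifiedProperties", [])
                 if p.get("displayName") == "Role.DisplayName"}
        hits.append({"when": e["activityDateTime"], "op": e["activityDisplayName"], "by": _initiator(e),
                     "targets": [t.get("displayName") for t in e.get("targetResources", [])],
                     "severity": "CRITICAL" if roles & PRIVILEGED_ROLES else "REVIEW"})
    return sorted(hits, key=lambda h: h["when"])
```

Every hit still needs a human decision (a CRITICAL hit from a known change ticket is fine; one nobody can explain is an incident), so export the list with the ticket reference alongside.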

C. Strengthen identity & sessions

  1. Passkeys / phishing-resistant MFA for all admins; enforce step-up for critical actions.

  2. Token protections: Where applicable, enable device-bound token protection in Conditional Access to reduce token replay. (Does not relate to actor tokens, but raises your bar.) (Microsoft Learn)

  3. Disable legacy auth and older protocols; block non-interactive flows you don’t need.

  4. CA hygiene: Explicitly allow-list admin access paths; block high-risk client locations; monitor impossible travel.

D. Prepare for next time

  1. Deprecation watch: Subscribe to Microsoft retirement advisories; run a quarterly API dependency audit (CIEM/EASM helps). (Microsoft Tech Community)

  2. Secrets discipline: Shorten SPN secret lifetimes; prefer managed identities over embedded secrets.

  3. Blue-team drills: Practice “admin impersonation” tabletop: who can rotate keys, revoke sessions, restore policy baselines, and prove tenant integrity to auditors?


What Microsoft Said (and Didn’t)

  • Microsoft characterized this class of access as High-Privileged Access (HPA) and committed to eliminating such back-end patterns; deprecating Azure AD Graph is part of that push. (Microsoft)

  • Microsoft and multiple outlets say no evidence of abuse was found, and the fix required no customer action for the core defect—you still need to audit/harden because downstream changes (like role grants) would look legit in logs. (The Hacker News)


Quick FAQ (practical & non-exploit)

Was this actively exploited?
There’s no indication of in-the-wild abuse. Still, do a retrospective log review for role/app changes in the July–September window. (The Hacker News)

Does MFA/Conditional Access stop this?
Not for this legacy path—actor tokens plus Azure AD Graph could bypass them and leave few traces. Move fully to Microsoft Graph, audit role changes, and enforce PIM. (The Hacker News)

What’s the fastest protective step today?
Verify no Azure AD Graph usage, rotate SPN creds, enforce PIM for Global Admin, and sweep logs for the “Add member to role”, “Add credentials to SPN”, and “Update application” operations during the risk window. (Microsoft Learn)

Sources & Further Reading

  • Dirk-jan Mollema (dirkjanm.io), technical write-up: actor tokens + Azure AD Graph flaw; potential Global Admin in any tenant; July disclosure to MSRC; CVE-2025-55241.

  • The Hacker News: CVE-2025-55241 (CVSS 10.0), addressed July 17, 2025; bypassed MFA/CA; Graph retirement context.

  • BleepingComputer: Cross-tenant hijack narrative; notes the Sept 4 CVE patch reference and the Graph retirement window.

  • WIRED: Broad risk framing across all Azure customers; context on severity.

  • Mitiga (mitiga.io): Breakdown of the no-MFA/CA/logging characteristics.

  • Microsoft docs (Microsoft Learn; Microsoft): Azure AD Graph retirement timeline; HPA definition and commitment; token protection reference.


Affiliate Toolbox (clear disclosure)

Disclosure: If you buy via the links here, we may earn a commission at no extra cost to you. These tools augment (they don’t replace) Microsoft’s fixes:

  • CIEM / Identity Posture — find legacy Graph dependencies, over-privileged SPNs, long-lived creds.

  • Cloud EASM — discover apps still calling graph.windows.net; flag risky public endpoints.

  • FIDO2 / Passkey Platforms — phishing-resistant MFA for admins and finance/IT workflows.

  • Secrets Management — short-lived SPN credentials; cert rotation.



CyberDudeBivash — Brand & Services

CyberDudeBivash | Cybersecurity, AI & Threat Intelligence Network

  • Entra Hardening Sprint (2 weeks): PIM, app-only audit, SPN cleanup, Graph retirement validation, drift monitors.

  • Identity IR Runbook: fast rotation of keys/tokens, role rollbacks, tenant integrity evidence for auditors.

  • Board Briefing: what happened, what changed, and how we’ll prove it can’t happen again (KPIs, SLA to green).

Book a rapid consult: https://www.cyberdudebivash.com/contact

  • Newsletter: CyberDudeBivash Threat Brief (weekly identity/cloud tradecraft + ready-to-deploy controls). https://www.linkedin.com/newsletters/cyberdudebivash-threatwire-7357235763907858432/


#CyberDudeBivash #EntraID #AzureAD #CVE202555241 #GlobalAdmin #PIM #CIEM #IdentitySecurity #MicrosoftGraph #ZeroDay
