Microsoft Fixed Entra ID Vulnerability Allowing Global Admin Impersonation
Microsoft has addressed a critical security vulnerability in Azure Entra ID, tracked as CVE-2025-55241. Initially described as a low-impact privilege escalation bug, security research later revealed the flaw was far more severe, allowing attackers to impersonate any user, including Global Administrators.
The vulnerability was identified by cybersecurity researcher Dirk-Jan Mollema while preparing for Black Hat and DEF CON presentations earlier this year. His findings showed that undocumented “Actor tokens,” combined with a validation failure in the legacy Azure AD Graph API, could be abused to impersonate any user in any Entra ID tenant, even a Global Administrator.
According to Mollema, the design of Actor tokens exacerbated the problem. These tokens are issued for backend service-to-service communication and bypass normal security protections like Conditional Access. Once obtained, they allowed impersonation of other identities for 24 hours, during which no revocation was possible.
In his detailed technical blog post, Mollema demonstrated that impersonation worked across tenants because the Azure AD Graph API failed to validate the token’s originating tenant. By changing the tenant ID and targeting a known user identifier (netId), he could move from his own tenant into any other. With a valid netId of a Global Admin, this opened the door to full takeover of Microsoft 365, Azure subscriptions, and connected services. Worse, netIds could be brute-forced quickly or retrieved from guest account attributes in cross-tenant collaborations.
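The validation gap described above, as an added illustration that is not from Microsoft or from Mollema's research: a resource server that checks a token's signature but trusts the tenant named in the request, beside one that also requires the token's own tenant claim to match. The token format, the demo key and the claim names ("tid", "sub") are constructed for this example and do not represent the real Actor token format.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for a toy HS256 issuer; not a real Entra signing key.
DEMO_KEY = b"demo-signing-key-not-real"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Mint a compact JWT from constructed claims (stand-in for a token issuer)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_signature(token: str) -> dict:
    """Check the signature and return the claims; raises on tampering."""
    header, body, sig = token.split(".")
    expected = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


def authorize_vulnerable(token: str, request_tenant: str) -> dict:
    """Mirrors the flaw: signature is valid, so the tenant in the request is trusted."""
    claims = verify_signature(token)
    return {"tenant": request_tenant, "user": claims["sub"]}


def authorize_fixed(token: str, request_tenant: str) -> dict:
    """Hardened form: the token's originating tenant must match the tenant being accessed."""
    claims = verify_signature(token)
    if claims.get("tid") != request_tenant:
        raise PermissionError("token tenant does not match requested tenant")
    return {"tenant": request_tenant, "user": claims["sub"]}


def accepted(authorize, token: str, request_tenant: str) -> bool:
    """True if the given authorizer grants the request, False if it rejects it."""
    try:
        authorize(token, request_tenant)
        return True
    except (PermissionError, ValueError):
        return False
```

Running `accepted(authorize_vulnerable, tok, other_tenant)` with a token minted for a different tenant shows the cross-tenant acceptance; the fixed authorizer rejects the same request.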