At-a-Glance

  • Critical Entra ID flaw: A vulnerability in Microsoft Entra ID (formerly Azure AD) allowed attackers to use “Actor tokens” to impersonate any user, including Global Administrators, across any tenant.
  • No defenses triggered: Exploitation bypassed MFA, Conditional Access, and logging, leaving no direct trace of compromise.
  • Broader cloud risk: Similar service-to-service authentication mechanisms exist across cloud and SaaS platforms, making this issue a warning beyond Microsoft.
  • Defensive priority: Security teams must shift from relying on logs to hunting anomalous activity across Entra ID, Azure, Microsoft 365, and connected SaaS environments.

When we think about catastrophic vulnerabilities in the cloud, we usually imagine complex exploits that require advanced techniques, persistence, or luck. But sometimes a single flaw breaks the trust we place in our identity providers.

Last week, Dirk-jan Mollema uncovered exactly that kind of vulnerability in Microsoft Entra ID (formerly Azure Active Directory).

The issue: a flaw in how “Actor tokens” were handled. In short, this allowed an attacker to silently authenticate as any user in any Entra ID tenant – including Global Administrators. No MFA. No Conditional Access. No alerts. No logs.

This isn’t just another CVE. You guessed it: It’s a wake-up call.

How the Microsoft Entra ID Actor Token Vulnerability Works (Simple Version)

To make this accessible: think of Entra ID as the central passport office for Microsoft’s cloud. Every user, every admin, every app needs its passport validated here before entering Microsoft services, like Azure or Microsoft 365.

The exploit abused a hidden Microsoft feature called Actor tokens. Microsoft services normally use Actor tokens to delegate access internally. But Dirk-jan discovered that attackers could craft these tokens in ways that tricked Entra ID into thinking they were anyone, anywhere.

The vulnerability arose because the legacy Azure AD Graph API failed to validate which tenant the token came from.

This meant that an attacker could obtain an Actor token from their own, non-privileged test environment and then use it to impersonate a Global Admin in any other company's tenant. The attacker didn't need any pre-existing access to the target organization.

Once impersonating a Global Admin, they could create new accounts, grant themselves permissions, or exfiltrate sensitive data.

The Impact in Plain Terms

The Entra ID Actor token vulnerability gives attackers:

  • Global Admin privileges across any tenant. Full control of identity, policies, apps, and even BitLocker keys.
  • Stealthy access. No login entries, no Conditional Access enforcement, no MFA prompts.
  • No audit trail. Because there’s no record of the forged authentication itself.

Imagine someone breaking into a vault without tripping a single alarm. You’d never know they were inside – unless they later touched something valuable and left fingerprints.

Why the Entra ID Actor Token Vulnerability Matters Beyond Microsoft

Actor tokens are not unique to Microsoft. Potentially every cloud, SaaS, AI, and identity provider might have equivalent backchannel or service-to-service authentication mechanisms. 

These are usually undocumented, poorly understood, and assumed safe because “only the platform itself uses them.”

But history shows us: if it exists, it can be abused.

The scary reality is that this won’t be the last time we find a design flaw in the hidden plumbing of identity systems. Whether in Okta, Google Workspace, AWS, or Salesforce, there are mechanisms designed for convenience and performance that, under the wrong conditions, can become perfect weapons.

This is why cloud detection and response has to account for what logs don’t show.

The Hardest Part of the Entra ID Vulnerability: No Logs

One of the most terrifying aspects of this bug is the absence of traces. If an attacker used this technique last month – or last year – you wouldn’t know.

That’s because the forged Actor tokens bypass all the checkpoints that normally log a sign-in attempt. So, unless attackers later misconfigure something, give themselves visible roles, or access resources in a sloppy way, there is no smoking gun.

There are two main reasons for this:

  1. Token Request: The initial request for an Actor token from Microsoft's backend does not generate a log. If it does, it's in the attacker's own tenant, not the victim's.
  2. API Activity: The legacy Azure AD Graph API, which is used in this attack, does not have API-level logging. This means the specific actions taken by the attacker using the impersonated token are invisible in the logs.

For defenders, it’s like fighting in the dark. But, for anyone running Microsoft Entra ID, there are cloud incident response steps you can take now.

Incident Response After the Entra ID Vulnerability: Focus on Anomalous Activity

Since you can’t rely on direct evidence of exploitation, you need to shift focus to indirect signs of compromise – especially activities that would follow a Global Admin takeover.

An attacker who gains Global Admin access won't just sit on it. They'll use it. So, rather than looking for the attack itself, hunt for the anomalous activity that results from a successful compromise.

1. Threat Hunt in Entra ID Logs

Even though the forged logins themselves won’t appear, the attacker’s actions might. Look back months or years for:

  • Unexplained Global Admin role assignments
  • New or suspicious service principals
  • Changes to Conditional Access policies
  • Unfamiliar directory integrations or federations

2. Expand Investigations into Azure

A compromised Global Admin could escalate into Azure by granting themselves privileged access. You should review:

  • Role assignments at subscription or resource group level
  • Creation of new privileged identities
  • Unusual deployments or automation accounts

3. Check Microsoft 365 Compromise Paths

Entra ID is the backbone, so the attacker could also pivot into email, files, and collaboration platforms. Check for:

  • New mailbox permissions
  • Suspicious inbox rules or forwarding
  • Changes to access on sensitive SharePoint/OneDrive content

4. Correlate Across Identity, Endpoint, and SaaS

Identity alone won’t tell the whole story. If the attacker operated “as a legitimate admin,” their activities will look valid at the identity layer. Cross-correlate logs across your cloud services:

  • Endpoint activity (e.g., unusual device sign-ins)
  • Data access patterns (e.g., mass downloads, privilege escalations)
  • Anomalies in SaaS services (e.g., GitHub repo access, Salesforce configuration changes)
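The hunting steps above, worked through as one added example (this is not Mitiga's code or any tooling the post describes): it scans constructed Entra ID directory-audit records for the section 1 indicators (privileged role grants, new service principals, Conditional Access and federation changes), scans constructed Exchange mailbox-audit records for the forwarding rules of section 3, and then correlates findings by actor as section 4 recommends, so that an identity that both gains a role and turns on forwarding stands out. The record layouts follow the Microsoft Graph directoryAudit object and the unified audit log ExchangeAdmin entry as I understand them; the activity names, the set of privileged roles, the seven-day correlation window and the lookback start are assumptions, and every sample record is constructed. The Azure role checks of section 2 are not covered.

```python
"""Hunt for the post-compromise footprint of a Global Admin takeover in Entra ID directory
audits and Exchange mailbox audits, then correlate findings by actor. Sample data is constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# activityDisplayName values Entra ID emits for the changes worth hunting; the finding
# kinds on the right are labels local to this script.
ENTRA_ACTIVITIES = {
    "Add member to role": "role_assignment",
    "Add service principal": "new_service_principal",
    "Update conditional access policy": "ca_policy_change",
    "Delete conditional access policy": "ca_policy_change",
    "Set federation settings on domain": "federation_change",
}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}  # assumed set
# Exchange cmdlet parameters that turn a mailbox into a forwarding channel.
FORWARDING_PARAMS = {"ForwardTo", "RedirectTo", "ForwardingSmtpAddress", "ForwardingAddress"}
LOOKBACK_START = datetime.fromisoformat("2024-06-01T00:00:00+00:00")  # assumed hunt window start

def _entra(ts, activity, upn, target, role=None, result="success"):
    # Shaped like a Microsoft Graph directoryAudit object; role names arrive JSON-encoded.
    props = [{"displayName": "Role.DisplayName", "newValue": json.dumps(role)}] if role else []
    return {"activityDateTime": ts, "activityDisplayName": activity, "result": result,
            "initiatedBy": {"user": {"userPrincipalName": upn}},
            "targetResources": [{"displayName": target, "modifiedProperties": props}]}

def _exo(ts, op, user, **params):
    # Shaped like a unified audit log ExchangeAdmin record.
    return {"CreationTime": ts, "Operation": op, "UserId": user,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}

SAMPLE_ENTRA_AUDIT = [  # constructed sample data
    _entra("2025-06-02T03:14:00Z", "Add member to role", "svc-sync@contoso.example",
           "temp.helpdesk@contoso.example", role="Global Administrator"),
    _entra("2025-06-02T03:20:00Z", "Add service principal", "svc-sync@contoso.example", "Backup Connector"),
    _entra("2025-06-02T04:10:00Z", "Update conditional access policy", "temp.helpdesk@contoso.example",
           "Require MFA for admins"),
    _entra("2025-05-12T09:00:00Z", "Add member to role", "admin@contoso.example", "jo@contoso.example",
           role="Helpdesk Administrator"),  # routine, non-privileged grant: ignored
    _entra("2024-03-01T08:00:00Z", "Set federation settings on domain", "legacy-sync@contoso.example",
           "contoso.example"),  # before the hunt window: ignored
]
SAMPLE_EXCHANGE_AUDIT = [  # constructed sample data
    _exo("2025-06-02T04:30:00Z", "New-InboxRule", "temp.helpdesk@contoso.example",
         Name=".", ForwardTo="archive@mail-relay.example", DeleteMessage="True"),
    _exo("2025-06-02T05:00:00Z", "Set-Mailbox", "admin@contoso.example", RetentionPolicy="Default"),  # benign
    _exo("2025-06-04T10:00:00Z", "Set-Mailbox", "admin@contoso.example",
         Identity="sales@contoso.example", ForwardingSmtpAddress="smtp:partner@vendor.example"),
]

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def hunt_entra(records, since=LOOKBACK_START):
    """Section 1: successful, in-window directory changes a takeover would leave behind."""
    findings = []
    for rec in records:
        kind, when = ENTRA_ACTIVITIES.get(rec.get("activityDisplayName")), parse_ts(rec["activityDateTime"])
        if kind is None or rec.get("result") != "success" or when < since:
            continue
        targets = rec.get("targetResources", [])
        target = targets[0].get("displayName", "?") if targets else "?"
        if kind == "role_assignment":  # only privileged role grants are worth a finding
            roles = {json.loads(p["newValue"]) for t in targets for p in t.get("modifiedProperties", [])
                     if p.get("displayName") == "Role.DisplayName"} & PRIVILEGED_ROLES
            if not roles:
                continue
            target += " -> " + ", ".join(sorted(roles))
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
        findings.append({"kind": kind, "actor": actor, "target": target, "time": when})
    return sorted(findings, key=lambda f: f["time"])

def hunt_exchange(records, since=LOOKBACK_START):
    """Section 3: inbox rules or mailbox settings that forward mail elsewhere."""
    findings = []
    for rec in records:
        when = parse_ts(rec["CreationTime"])
        if rec.get("Operation") not in {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"} or when < since:
            continue
        hits = {p["Name"]: p["Value"] for p in rec.get("Parameters", []) if p["Name"] in FORWARDING_PARAMS}
        if hits:
            findings.append({"kind": "mail_forwarding", "actor": rec["UserId"], "time": when,
                             "target": "; ".join(f"{k}={v}" for k, v in sorted(hits.items()))})
    return sorted(findings, key=lambda f: f["time"])

def correlate(findings, window=timedelta(days=7)):
    """Section 4: flag actors whose findings span two or more kinds within the window."""
    by_actor = defaultdict(list)
    for f in sorted(findings, key=lambda f: f["time"]):
        by_actor[f["actor"]].append(f)
    suspicious = {}
    for actor, items in by_actor.items():
        for i, first in enumerate(items):  # sliding window over the actor's own timeline
            kinds = {g["kind"] for g in items[i:] if g["time"] - first["time"] <= window}
            if len(kinds) >= 2:
                suspicious[actor] = sorted(kinds)
                break
    return suspicious
```

On real data, feed `hunt_entra` the directory-audit export and `hunt_exchange` the ExchangeAdmin records from the unified audit log, and push `LOOKBACK_START` back as far as your retention allows, since the post's point is that the initial exploitation may have happened months or years ago. Note that the `result == "success"` filter deliberately drops failed attempts; those are worth a separate pass, because a string of failures from an account that later succeeds is itself a signal. The correlation step is what separates a lone, possibly legitimate role grant or forwarding rule from the pattern of an account that is being used, which is exactly the behaviour the post says to hunt for.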

5. Build Long-Term Cloud Resilience

The lesson is simple: your identity provider alone won’t keep you safe. You need multi-layer visibility across your cloud, identity, AI, and SaaS stack. 

Final Thoughts: Lessons from the Entra ID Actor Token Vulnerability

The Microsoft Entra ID Actor token exploit is one of the most severe identity vulnerabilities uncovered in the cloud era. It wasn’t a mere bug but a design oversight that broke the foundation of trust in Microsoft’s identity layer.

Microsoft has patched it, but the lack of historical visibility means defenders still can’t be sure whether it was used in the past. That uncertainty is the point: attackers keep looking for invisible pathways. Defenders need visibility everywhere – before, during, and after exploitation.

At Mitiga, we assume attackers will get through preventative security sooner or later. The question is whether you can catch them before the damage is done.

Mitiga’s Cloud Detection and Response platform gives security teams visibility across Microsoft Entra ID, Azure Active Directory, SaaS, AI, and identity environments. It surfaces activity that logs miss, accelerates investigations, and helps your SOC stop attackers who hide in the gaps. Schedule a meeting with us to see how we can strengthen your cloud incident response.

LAST UPDATED: September 18, 2025
