
Introduction
A researcher disclosed a chain of two Entra ID issues that, when combined, could have let an attacker gain Global Admin in virtually any tenant, bypassing Conditional Access and leaving almost no logs, via undocumented Actor tokens and a tenant-validation flaw in the legacy Azure AD Graph API. Microsoft rapidly mitigated the issues in mid-July and later assigned a CVE.
What happened
While preparing a Black Hat and DEF CON talk, researcher Dirk-jan Mollema discovered two issues in Entra ID: undocumented “Actor” tokens used for service-to-service impersonation, and a tenant-validation flaw in the legacy Azure AD Graph API. Combined, these flaws could allow a threat actor to impersonate a Global Administrator in any tenant. Mollema reported the issues to Microsoft on July 14. Microsoft rolled out a fix between July 17 and 23 and added further mitigations in August. A CVE was published in September, and Microsoft says it has found no evidence of exploitation.
Why it was so severe
Actor tokens could bypass Conditional Access controls, had no expiration or revocation mechanism, and generated little to no telemetry. The second bug, in Azure AD Graph, allowed such a token to be accepted across tenants without verifying the tenant it was issued for. Together, the chain would have allowed silent, cross-tenant escalation to Global Admin with almost no logs to hunt. Organizations still relying on the legacy API were therefore at significant risk until Microsoft issued the fix.
What to do now
- Retire legacy Azure AD Graph and enforce Microsoft Graph only.
- Audit app permissions, hunt for anomalous Graph calls, and review Global Admin assignments and changes.
- Enable continuous access evaluation and token protection, and monitor Entra ID sign-in logs for anomalies.
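One way to start on the first two items above, as an added example that is not from the original post: a Python script that flags sign-ins to the legacy Azure AD Graph resource and audit events that grant Global Administrator, run over constructed records. The field names follow the Microsoft Graph `signIn` and `directoryAudit` resource shapes and are an assumption to check against your own exports; the Azure AD Graph resource id is the well-known one, the sample users and apps are invented.

```python
# Resource (app) id of the legacy Azure AD Graph API; sign-ins with this resourceId call it.
LEGACY_AAD_GRAPH_RESOURCE_ID = "00000002-0000-0000-c000-000000000000"

# Constructed sign-in records shaped after the Microsoft Graph `signIn` resource (assumed field names).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "svc-sync@contoso.example", "appDisplayName": "LegacySyncApp",
     "resourceId": LEGACY_AAD_GRAPH_RESOURCE_ID, "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Graph Explorer",
     "resourceId": "00000003-0000-0000-c000-000000000000", "conditionalAccessStatus": "success"},
]

# Constructed audit records shaped after the `directoryAudit` resource (assumed field names).
SAMPLE_AUDITS = [
    {"activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"userPrincipalName": "bob@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
    {"activityDisplayName": "Add member to role",
     "initiatedBy": {"app": {"displayName": "HR Provisioning"}},
     "targetResources": [{"userPrincipalName": "carol@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"User Administrator\""}]}]},
]

def legacy_graph_callers(signins):
    """Return (user, app, Conditional Access status) for each sign-in that hit legacy Azure AD Graph."""
    return [(s["userPrincipalName"], s["appDisplayName"], s.get("conditionalAccessStatus"))
            for s in signins if s.get("resourceId") == LEGACY_AAD_GRAPH_RESOURCE_ID]

def global_admin_grants(audits):
    """Return (initiator, target) for each audit event that added someone to Global Administrator."""
    hits = []
    for event in (e for e in audits if e.get("activityDisplayName") == "Add member to role"):
        who = event.get("initiatedBy", {})
        # The initiator is either a user principal or an application (service principal).
        initiator = ((who.get("user") or {}).get("userPrincipalName")
                     or (who.get("app") or {}).get("displayName", "unknown"))
        for target in event.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                # newValue is a JSON-encoded string, hence the surrounding quotes.
                if (prop.get("displayName") == "Role.DisplayName"
                        and prop.get("newValue", "").strip('"') == "Global Administrator"):
                    hits.append((initiator, target.get("userPrincipalName")))
    return hits

if __name__ == "__main__":
    print("legacy Azure AD Graph callers:", legacy_graph_callers(SAMPLE_SIGNINS))
    print("Global Admin grants:", global_admin_grants(SAMPLE_AUDITS))
```

Any app that still shows up as a legacy Azure AD Graph caller is a migration candidate, and every Global Administrator grant should map to a known change request.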
