Major Entra ID Actor Tokens Vulnerability: How Actor Tokens Could Hand Over Global Admin Access to Anyone
- Inception Security
- 12 minutes ago
- 3 min read

In cloud security things move fast, and sometimes the cracks in big systems like Microsoft's Entra ID show up in ways that make you double-check your own setup. Security researcher Dirk-jan Mollema has disclosed a vulnerability that let an attacker obtain Global Admin rights in essentially any Entra ID tenant. It hinges on undocumented "Actor tokens" and a missing tenant-validation check in the legacy Azure AD Graph API. If you run security for Microsoft environments, this is worth understanding not just for the details of the bug, but to shore up your defenses before something similar appears.
Breaking Down the Major Entra ID Actor Tokens Vulnerability
At the center of this vulnerability are Actor tokens: undocumented tokens that Microsoft's own services use for service-to-service calls, for example when Exchange Online needs to act on behalf of a user against another part of the platform. They are JWTs that bypass the usual controls such as Conditional Access policies, which is convenient for legitimate first-party operations but dangerous if an outsider can obtain and misuse them.
Here's how the attack worked, step by step:
The attacker requests an Actor token in their own tenant, which only requires a service principal they control.
They wrap it in an impersonation token and set the tenant ID to the victim's tenant. The victim's tenant ID is public: it can be resolved from any of the tenant's domain names.
The key requirement is a valid netId for a user in the target tenant. This is an internal, per-user identifier that shows up as the puid claim in tokens.
With that, they send the impersonation token to the Azure AD Graph API, which verified the embedded Actor token but never checked that it had been issued for the tenant named in the request.
From there they enumerate the tenant's Global Admins and their netIds.
Impersonating one of those admins gives read and write access to the directory: creating accounts, adding credentials to applications, or pulling sensitive data such as BitLocker recovery keys.
Finding netIds wasn't hard either. They could be brute-forced because they are assigned in a largely sequential way, recovered from old leaked tokens, or discovered through B2B trusts by querying a guest user's alternativeSecurityIds, which reveal the user's home-tenant identity.
The fallout is full tenant takeover, and read access left no trace at all: the legacy Azure AD Graph API does not produce logs for read operations the way the newer Microsoft Graph does, and writes that do reach the Entra ID audit log are recorded as if the impersonated admin performed them. Compromise extends to Microsoft 365 workloads such as Exchange and SharePoint, and to Azure resources if the impersonated admin elevates access.
Microsoft fixed it quickly: the validation flaw was corrected and Actor token requests for the Azure AD Graph API were restricted to Microsoft's internal services. The issue was assigned CVE-2025-55241.
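To make the validation flaw concrete, here is an added Python example (my own illustrative model, not code from Microsoft or from the original research) of the bug class. The signing key, the claim names netid and actortoken, the app ID and the tenant IDs are constructed assumptions, not Microsoft's real format. The point it shows: the service verified the signature on the embedded Actor token but took the tenant from the unsigned wrapper, and the fix is to bind the wrapper's tenant to the one the Actor token was actually issued for.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a toy HMAC key stands in for the token service's signing key.
ACS_KEY = b"constructed-token-service-key"
ATTACKER_TENANT = "11111111-1111-1111-1111-111111111111"  # constructed
VICTIM_TENANT = "22222222-2222-2222-2222-222222222222"    # constructed


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_actor_token(tenant_id: str, app_id: str) -> str:
    """Model of the token service issuing a signed Actor token bound to one tenant."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"tid": tenant_id, "appid": app_id}).encode())
    sig = hmac.new(ACS_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_actor_token(token: str) -> dict:
    """Signature check only; returns the claims the token service actually vouched for."""
    header, payload, sig = token.split(".")
    expected = hmac.new(ACS_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad actor token signature")
    return json.loads(b64url_decode(payload))


def build_impersonation_token(actor_token: str, tenant_id: str, net_id: str) -> str:
    """The unsigned wrapper: the caller simply asserts which tenant and user it acts for."""
    claims = {"tid": tenant_id, "netid": net_id, "actortoken": actor_token}
    return b64url(json.dumps(claims).encode())  # no signature at all


def vulnerable_resolve(imp_token: str) -> tuple:
    """Verifies the embedded Actor token, then trusts the wrapper's tenant claim."""
    claims = json.loads(b64url_decode(imp_token))
    verify_actor_token(claims["actortoken"])   # signature is fine...
    return claims["tid"], claims["netid"]      # ...but tid comes from the unsigned wrapper


def hardened_resolve(imp_token: str) -> tuple:
    """Same flow, but the wrapper's tenant must equal the tenant the Actor token was issued for."""
    claims = json.loads(b64url_decode(imp_token))
    actor = verify_actor_token(claims["actortoken"])
    if claims["tid"] != actor["tid"]:
        raise PermissionError("impersonation tenant does not match actor token tenant")
    return claims["tid"], claims["netid"]


def demo() -> dict:
    """Cross-tenant attempt: accepted by the vulnerable check, rejected by the hardened one."""
    actor = issue_actor_token(ATTACKER_TENANT, "constructed-first-party-app")
    imp = build_impersonation_token(actor, VICTIM_TENANT, "10032001A1B2C3D4")  # constructed netId
    vulnerable_tenant, _ = vulnerable_resolve(imp)
    try:
        hardened_resolve(imp)
        hardened = "allowed"
    except PermissionError:
        hardened = "rejected"
    return {"vulnerable": vulnerable_tenant, "hardened": hardened}


if __name__ == "__main__":
    print(demo())
```

The hardened check is the general principle: any claim that selects the security context (tenant, user, scope) must come from a signed artifact, and the signed artifact's own claims must be compared against whatever the caller asserts, not just verified in isolation.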
For hunting remnants of this or similar abuse, this KQL query over the Sentinel AuditLogs table surfaces suspicious audit entries:
AuditLogs
| where not(OperationName has "group")
| where not(OperationName == "Set directory feature on tenant")
| where InitiatedBy has "user"
| where InitiatedBy.user.displayName has_any ("Office 365 Exchange Online", "Skype for Business Online", "Dataverse", "Office 365 SharePoint Online", "Microsoft Dynamics ERP")
It flags directory changes that are recorded as initiated by a user but carry the display name of a first-party service application, which is the pattern left behind when a service app's token is used to impersonate an admin. Group operations and "Set directory feature on tenant" are excluded to cut the routine noise those services generate.
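The same filter, as an added Python example (mine, not the original post's code) run over a handful of constructed AuditLogs records so the logic can be checked offline before it goes into a Sentinel analytics rule. KQL's has and has_any match whole terms; this version uses case-insensitive substring matching, which is slightly broader but equivalent for these operation and display names.

```python
# Constructed sample rows in the shape of Entra ID AuditLogs records. Every value
# (operations, display names, UPNs) is invented for this example.
SAMPLE_AUDIT_LOGS = [
    {"OperationName": "Add service principal credentials",
     "InitiatedBy": {"user": {"displayName": "Office 365 Exchange Online",
                              "userPrincipalName": "ga-admin@victim.example"}}},
    {"OperationName": "Add member to group",  # excluded: group operation
     "InitiatedBy": {"user": {"displayName": "Office 365 Exchange Online",
                              "userPrincipalName": "ga-admin@victim.example"}}},
    {"OperationName": "Set directory feature on tenant",  # excluded by name
     "InitiatedBy": {"user": {"displayName": "Dataverse",
                              "userPrincipalName": "ga-admin@victim.example"}}},
    {"OperationName": "Update user",  # excluded: initiated by an app, not a user
     "InitiatedBy": {"app": {"displayName": "Office 365 SharePoint Online"}}},
    {"OperationName": "Update user",  # excluded: ordinary human admin
     "InitiatedBy": {"user": {"displayName": "Jane Admin",
                              "userPrincipalName": "jane@victim.example"}}},
    {"OperationName": "Reset user password",
     "InitiatedBy": {"user": {"displayName": "Microsoft Dynamics ERP",
                              "userPrincipalName": "ga-admin@victim.example"}}},
]

# The first-party service names from the KQL query above.
FIRST_PARTY_APP_NAMES = (
    "Office 365 Exchange Online",
    "Skype for Business Online",
    "Dataverse",
    "Office 365 SharePoint Online",
    "Microsoft Dynamics ERP",
)


def is_suspicious(record: dict) -> bool:
    """Mirror the KQL: user-initiated, non-group, non-feature-flag change whose
    initiator display name is a first-party service application."""
    op = record.get("OperationName", "")
    if "group" in op.lower():                      # not(OperationName has "group")
        return False
    if op == "Set directory feature on tenant":    # not(OperationName == ...)
        return False
    user = record.get("InitiatedBy", {}).get("user")
    if not user:                                   # InitiatedBy has "user"
        return False
    name = (user.get("displayName") or "").lower()
    return any(app.lower() in name for app in FIRST_PARTY_APP_NAMES)  # has_any(...)


def hunt(records: list) -> list:
    """Return (operation, impersonated UPN, initiator display name) for each hit."""
    hits = []
    for r in records:
        if is_suspicious(r):
            user = r["InitiatedBy"]["user"]
            hits.append((r["OperationName"],
                         user.get("userPrincipalName", ""),
                         user["displayName"]))
    return hits


if __name__ == "__main__":
    for op, upn, name in hunt(SAMPLE_AUDIT_LOGS):
        print(f"SUSPICIOUS: {op!r} recorded for {upn} with initiator display name {name!r}")
```

Two hits come out: the credential added to a service principal and the password reset, both attributed to a Global Admin's UPN but carrying a service application's display name. In a real tenant, feed the matches straight into an incident and check what the "admin" did next.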
What This Means for Your Team
Incidents like this remind us that cloud identity can't be set and forget. Unmonitored legacy APIs and loose cross-tenant trusts are a recipe for quiet compromises that end in data theft or ransomware. Even with the fix in place, variants may appear, so continuous monitoring and fast response remain essential.
Strengthening Your Defenses with Inception Protection
Here at Inception Security, our Inception Protection MDR service is built for exactly these kinds of threats in Microsoft setups. We tap into your existing licenses for Defender for Endpoint, Sentinel, Conditional Access, and Azure tools to create a solid security layer without extra bloat.
Our team keeps an eye out 24/7 for odd API activity, token tweaks, and those subtle log patterns that scream trouble. We handle threat hunting, incident response, and get you back on track fast.
Want to see where your environment stands? Grab our free Inception Foresight M365 Assessment. It's a straightforward scan that spots vulnerabilities, config slips, and risks like the ones in this Actor token mess. No strings attached – just real insights to tighten things up.
Sign up for your free assessment and let's chat about how we can help.
For more on threats like this, follow us on LinkedIn at Inception Security and on X @inceptionsec. Share this if it hits home – let's keep the community sharp.