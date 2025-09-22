Facepalm: Microsoft Entra ID, formerly known as Azure Active Directory, is a cloud-based identity and access management solution. The directory-based system provides authentication for nearly all Microsoft services and serves as a critical component of the company's cloud business. However, recent findings suggest it could also have posed a massive risk for millions of customers.

Microsoft recently patched a critical security vulnerability in its Entra ID system. The flaw, tracked as CVE-2025-55241, could have been exploited to take control of any Entra ID directory, also known as a tenant. Security researcher Dirk-jan Mollema, who discovered the issue, promptly reported it to Microsoft, and the company quickly moved to close the bug.

Mollema, an expert in Azure and Active Directory technologies, described the flaw as essentially a "god mode" for accessing Entra ID infrastructure.

From his own tenants, he was able to request authentication tokens for virtually any other Entra ID user. In the wrong hands, this exploit could have allowed attackers to seize control of sensitive accounts, create new admin users, and gain unrestricted access across entire tenants.

The root cause stemmed from legacy authentication technologies still supported within Entra ID. One vector involved Actor Tokens, provided through an outdated Azure authentication service called Access Control Service. A second vulnerability affected Graph, an Azure Active Directory API that enables access to data stored in Microsoft 365 servers.

Mollema discovered a way to manipulate how Graph validated Azure tenants, tricking the API into accepting an Actor Token from a different tenant. Under normal conditions, such an authentication attempt should have been rejected. According to Michael Bargury, CTO of security firm Zenity, Microsoft's existing security controls had no effect on this internal Actor Token bypass method.

"This is the most impactful vulnerability you can find in an identity provider, effectively allowing full compromise of any tenant of any customer," Bargury said.

Experts warn that the CVE-2025-55241 flaw could have been catastrophic for Microsoft's cloud business. Its potential impact has been compared to Storm-0558, a Chinese-sponsored threat group that compromised an Entra ID cryptographic key several years ago. That incident prompted Microsoft CEO Satya Nadella to launch the Secure Future Initiative, aimed at addressing systemic security weaknesses.

Mollema reported the vulnerability to the Microsoft Security Response Center in July. The company analyzed the flaw and deployed a global fix within three days, followed by additional protections rolled out in August. Microsoft has since announced that the legacy protocols underlying the issue are being rapidly decommissioned.