This Microsoft Entra ID Vulnerability Could Have Been Catastrophic

As businesses around the world have shifted their digital infrastructure over the last decade from self-hosted servers to the cloud, they’ve benefitted from the standardized, built-in security features of major cloud providers like Microsoft. But with so much riding on these systems, there can be potentially disastrous consequences at a massive scale if something goes wrong. Case in point: Security researcher Dirk-jan Mollema recently stumbled upon a pair of vulnerabilities in Microsoft Azure’s identity and access management platform that could have been exploited for a potentially cataclysmic takeover of all Azure customer accounts.

Known as Entra ID, the system stores each Azure cloud customer’s user identities, sign-in access controls, applications, and subscription management tools. Mollema has studied Entra ID security in depth and published multiple studies about weaknesses in the system, which was formerly known as Azure Active Directory. But while preparing to present at the Black Hat security conference in Las Vegas in July, Mollema discovered two vulnerabilities that he realized could be used to gain global administrator privileges—essentially god mode—and compromise every Entra ID directory, or what is known as a “tenant.” Mollema says that this would have exposed nearly every Entra ID tenant in the world other than, perhaps, government cloud infrastructure.

“I was just staring at my screen. I was like, ‘No, this shouldn’’t really happen,’” says Mollema, who runs the Dutch cybersecurity company Outsider Security and specializes in cloud security. “It was quite bad. As bad as it gets, I would say.”

“From my own tenants—my test tenant or even a trial tenant—you could request these tokens and you could impersonate basically anybody else in anybody else’s tenant,” Mollema adds. “That means you could modify other people’s configuration, create new and admin users in that tenant, and do anything you would like.”

Given the seriousness of the vulnerability, Mollema disclosed his findings to the Microsoft Security Response Center on July 14, the same day that he discovered the flaws. Microsoft started investigating the findings that day and issued a fix globally on July 17. The company confirmed to Mollema that the issue was fixed by July 23 and implemented extra measures in August. Microsoft issued a CVE for the vulnerability on September 4.

“We mitigated the newly identified issue quickly, and accelerated the remediation work underway to decommission this legacy protocol usage, as part of our Secure Future Initiative,” Tom Gallagher, Microsoft’s Security Response Center vice president of engineering, told WIRED in a statement. “We implemented a code change within the vulnerable validation logic, tested the fix, and applied it across our cloud ecosystem.”

Gallagher says that Microsoft found “no evidence of abuse” of the vulnerability during its investigation.

Both vulnerabilities relate to legacy systems still functioning within Entra ID. The first involves a type of Azure authentication token Mollema discovered known as Actor Tokens that are issued by an obscure Azure mechanism called the “Access Control Service.” Actor Tokens have some special system properties that Mollema realized could be useful to an attacker when combined with another vulnerability. The other bug was a major flaw in a historic Azure Active Directory application programming interface known as “Graph” that was used to facilitate access to data stored in Microsoft 365. Microsoft is in the process of retiring Azure Active Directory Graph and transitioning users to its successor, Microsoft Graph, which is designed for Entra ID. The flaw was related to a failure by Azure AD Graph to properly validate which Azure tenant was making an access request, which could be manipulated so the API would accept an Actor Token from a different tenant that should have been rejected.

“Microsoft built security controls around identity like conditional access and logs, but this internal impression token mechanism bypasses them all,” says Michael Bargury, the CTO at security firm Zenity. “This is the most impactful vulnerability you can find in an identity provider, effectively allowing full compromise of any tenant of any customer.”

If the vulnerability had been discovered by, or fallen into the hands of, malicious hackers, the fallout could have been devastating.

“We don’t need to guess what the impact may have been; we saw two years ago what happened when Storm-0558 compromised a signing key that allowed them to log in as any user on any tenant,” Bargury says.

While the specific technical details are different, Microsoft revealed in July 2023 that the Chinese cyber espionage group known as Storm-0558 had stolen a cryptographic key that allowed them to generate authentication tokens and access cloud-based Outlook email systems, including those belonging to US government departments.

Conducted over the course of several months, a Microsoft postmortem on the Storm-0558 attack revealed several errors that led to the Chinese group slipping past cloud defenses. The security incident was one of a string of Microsoft issues around that time. These motivated the company to launch its “Secure Future Initiative,” which expanded protections for cloud security systems and set more aggressive goals for responding to vulnerability disclosures and issuing patches.

Mollema says that Microsoft was extremely responsive about his findings and seemed to grasp their urgency. But he emphasizes that his findings could have allowed malicious hackers to go even farther than they did in the 2023 incident.

“With the vulnerability, you could just add yourself as the highest privileged admin in the tenant, so then you have full access,” Mollema says. Any Microsoft service “that you use EntraID to sign into, whether that be Azure, whether that be SharePoint, whether that be Exchange—that could have been compromised with this.”