Privilege Escalation Vulnerability Discovered in Microsoft Entra ID

A critical vulnerability in Microsoft Entra ID has been uncovered, allowing attackers to escalate privileges to the Global Administrator role by abusing built-in first-party applications and federated domain configurations. The flaw affects organizations running hybrid Active Directory environments with federated domains, opening a stealthy path to full tenant compromise.



Discovery and Impact

The vulnerability, discovered by Datadog security researchers and reported to the Microsoft Security Response Center (MSRC) in January 2025, enables privilege escalation through the misuse of the Office 365 Exchange Online service principal (Client ID: 00000002-0000-0ff1-ce00-000000000000).

Attackers with Cloud Application Administrator, Application Administrator, or Application.ReadWrite.All permissions can hijack the Exchange Online service principal’s Domain.ReadWrite.All permission. This allows them to:

  1. Add a new federated domain to the tenant.

  2. Forge SAML tokens as any hybrid user synchronized between on-prem AD and Entra ID — including Global Administrators.

The attack uses the OAuth2 client credentials grant to authenticate directly as the service principal rather than as a user, so no user sign-in is involved at that stage.

Federated Domain Backdoor Technique: Step-by-Step Exploit Chain

The privilege escalation follows a five-step process leveraging Microsoft Graph APIs:

1. Add a Malicious Federated Domain

POST /v1.0/domains

An attacker adds a custom domain they control.

2. Verify Domain Ownership

They verify the domain via standard DNS TXT records to prove control.

3. Configure Federation with Malicious Certificate

POST /v1.0/domains/{domain}/federationConfiguration

The attacker configures the domain with a malicious SAML token-signing certificate.


4. Forge SAML Tokens

With the malicious federation in place, attackers can generate SAML tokens for any hybrid Entra ID user. These tokens can include MFA claims, even though no MFA occurred.

5. Bypass MFA and Gain Global Admin Access

Attackers can impersonate a Global Administrator and bypass multi-factor authentication, all while producing sign-in logs that appear legitimate.
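The chain above leaves a distinctive trail in the Entra ID audit log: a credential added to a first-party service principal, followed by domain and federation changes initiated by that service principal rather than by an administrator. The following detection script is an added example and is not code from the original post, from Datadog or from Microsoft. It assumes records in the shape returned by the Microsoft Graph `auditLogs/directoryAudits` endpoint (`activityDisplayName`, `initiatedBy.app` / `initiatedBy.user`, `targetResources`); the sample records and the service principal object id are constructed, and the operation names are assumed to match the current Entra audit schema, so verify them against your own tenant's logs.

```python
"""Detect the federated-domain backdoor chain in Entra ID audit log records.

Added example, not part of the original post. Records follow the shape of
Microsoft Graph `auditLogs/directoryAudits` entries. The sample records are
constructed; the operation names are assumed to match the current Entra
audit schema and should be verified against real tenant logs.
"""
import json
from collections import defaultdict

# Audit operations that make up steps 1 to 3 of the chain (assumed names).
CHAIN_OPS = {
    "Add unverified domain": "add_domain",
    "Verify domain": "verify_domain",
    "Set federation settings on domain": "set_federation",
    "Set domain authentication": "set_federation",
}
# The precursor: a credential added to a service principal so that it can be
# used with the client credentials grant.
CRED_OPS = {"Add service principal credentials"}

# Object ids of first-party service principals to watch. The object id is a
# constructed placeholder; the appId in the label is the one given in the post.
FIRST_PARTY_SP_OBJECT_IDS = {
    "sp-exo-0001": "Office 365 Exchange Online (appId 00000002-0000-0ff1-ce00-000000000000)",
}

EXO_APP = {"displayName": "Office 365 Exchange Online", "servicePrincipalId": "sp-exo-0001"}

# Constructed sample records, trimmed to the relevant fields.
SAMPLE_AUDIT = [
    # Routine: an admin adds a legitimate subdomain interactively.
    {"activityDateTime": "2025-01-10T09:00:00Z", "activityDisplayName": "Add unverified domain",
     "initiatedBy": {"user": {"userPrincipalName": "it-admin@example.com"}},
     "targetResources": [{"type": "Domain", "displayName": "sub.example.com"}]},
    # Noise: an unrelated operation.
    {"activityDateTime": "2025-01-15T12:00:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "it-admin@example.com"}},
     "targetResources": [{"type": "User", "displayName": "jdoe@example.com"}]},
    # Precursor: a credential is added to the first-party Exchange Online SP.
    {"activityDateTime": "2025-01-15T13:00:00Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "appadmin@example.com"}},
     "targetResources": [{"type": "ServicePrincipal", "id": "sp-exo-0001",
                          "displayName": "Office 365 Exchange Online"}]},
    # Steps 1 to 3, now initiated by the service principal itself.
    {"activityDateTime": "2025-01-15T13:05:00Z", "activityDisplayName": "Add unverified domain",
     "initiatedBy": {"app": EXO_APP},
     "targetResources": [{"type": "Domain", "displayName": "rogue-fed.example"}]},
    {"activityDateTime": "2025-01-15T13:20:00Z", "activityDisplayName": "Verify domain",
     "initiatedBy": {"app": EXO_APP},
     "targetResources": [{"type": "Domain", "displayName": "rogue-fed.example"}]},
    {"activityDateTime": "2025-01-15T13:25:00Z", "activityDisplayName": "Set federation settings on domain",
     "initiatedBy": {"app": EXO_APP},
     "targetResources": [{"type": "Domain", "displayName": "rogue-fed.example"}]},
]


def initiator(rec):
    """Return (kind, name); kind is 'app' when a service principal made the change."""
    ib = rec.get("initiatedBy", {})
    if ib.get("app"):
        return "app", ib["app"].get("displayName")
    if ib.get("user"):
        return "user", ib["user"].get("userPrincipalName")
    return "unknown", None


def target_of_type(rec, rtype):
    """First targetResources entry of the given type, or None."""
    for t in rec.get("targetResources", []):
        if t.get("type") == rtype:
            return t
    return None


def analyze(records):
    """Return a list of findings; empty when nothing in the chain is seen."""
    findings = []
    steps_by_domain = defaultdict(dict)  # domain -> {step: (time, initiator)}
    for rec in sorted(records, key=lambda r: r["activityDateTime"]):
        op, when = rec["activityDisplayName"], rec["activityDateTime"]
        kind, who = initiator(rec)

        if op in CRED_OPS:
            sp = target_of_type(rec, "ServicePrincipal")
            if sp and sp.get("id") in FIRST_PARTY_SP_OBJECT_IDS:
                findings.append({"severity": "high", "reason": "credential_added_to_first_party_sp",
                                 "target": FIRST_PARTY_SP_OBJECT_IDS[sp["id"]],
                                 "initiator": who, "time": when})
            continue

        step = CHAIN_OPS.get(op)
        dom = target_of_type(rec, "Domain")
        if step is None or dom is None:
            continue
        domain = dom["displayName"]
        # Domain changes are normally made by an administrator; a service
        # principal making them is the signature of the client-credentials abuse.
        if kind == "app":
            findings.append({"severity": "high", "reason": "domain_change_by_service_principal",
                             "domain": domain, "operation": op, "initiator": who, "time": when})
        steps_by_domain[domain][step] = (when, who)
        seen = steps_by_domain[domain]
        if step == "set_federation" and {"add_domain", "verify_domain"} <= set(seen):
            findings.append({"severity": "critical", "reason": "federation_chain_completed",
                             "domain": domain, "timeline": dict(seen)})
    return findings


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_AUDIT), indent=2))
```

Run against the constructed sample, the legitimate subdomain added by an administrator produces nothing, while the Exchange Online service principal's activity yields one finding for the credential addition, one per domain operation it initiated, and a critical finding once add, verify and federation settings have all landed on the same domain. Federation changes are rare in most tenants, so even the administrator-initiated version of the completed chain is worth reconciling against change records.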

Microsoft's Response

After Datadog’s responsible disclosure on January 14, 2025, Microsoft took four months to review the issue. On May 14, 2025, MSRC responded that:

“This is not a security vulnerability but expected behavior of the Application Administrator role and its associated permissions.”

Microsoft explained that the Application Administrator role inherently includes the ability to manage application credentials and impersonate service principals. According to Microsoft, the scenario represents a misconfiguration, not a platform-level flaw.

Security Community Reaction

This response sparked concern in the security community. The ability to add federated domains, bypass MFA, and impersonate Global Admins via a non-privileged role is far from expected behavior in many enterprise environments.

Security professionals are urged to:

  • Audit all service principals with elevated application roles.

  • Monitor Graph API usage, especially POST /domains and federationConfiguration.

  • Limit use of Application Administrator roles in hybrid and federated identity environments.
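The first of these points, auditing service principals, can be done from a point-in-time snapshot of the tenant. The script below is an added example, not code from the original post or from Microsoft. It assumes objects in the shape of the Microsoft Graph `servicePrincipal` and `appRoleAssignment` resources (`appRoles`, `keyCredentials`, `passwordCredentials`, `appRoleId`, `resourceId`); all sample data is constructed, and the role ids are placeholders that are resolved by id exactly as the real GUIDs would be. It flags service principals holding the application permissions the post names, first-party Microsoft service principals that carry a tenant-added credential, and, as critical, any principal where both conditions meet.

```python
"""Point-in-time audit of Entra ID service principals for the exposure
described above: high-risk Microsoft Graph app roles, and tenant-added
credentials on first-party Microsoft service principals.

Added example, not part of the original post. Objects follow the shape of
the Microsoft Graph `servicePrincipal` and `appRoleAssignment` resources;
all sample data is constructed (role ids are placeholders).
"""
import json

# Application permissions the post identifies as the pivot points. Extend
# with other tenant-wide write permissions as your policy requires.
HIGH_RISK_APP_ROLES = {"Domain.ReadWrite.All", "Application.ReadWrite.All"}

# appId of the Office 365 Exchange Online first-party app (from the post).
# Add other first-party appIds you want to watch.
FIRST_PARTY_APP_IDS = {"00000002-0000-0ff1-ce00-000000000000"}

# Resource service principals that expose app roles, keyed by object id.
# Constructed: the ids stand in for the real role GUIDs.
RESOURCE_SPS = {
    "sp-graph": {"displayName": "Microsoft Graph", "appRoles": [
        {"id": "role-domain-rw", "value": "Domain.ReadWrite.All"},
        {"id": "role-app-rw", "value": "Application.ReadWrite.All"},
        {"id": "role-user-read", "value": "User.Read.All"},
    ]},
}

# Constructed tenant snapshot. 'appRoleAssignments' holds what
# GET /servicePrincipals/{id}/appRoleAssignments returns for each SP.
SERVICE_PRINCIPALS = [
    {"id": "sp-exo-0001", "appId": "00000002-0000-0ff1-ce00-000000000000",
     "displayName": "Office 365 Exchange Online",
     "keyCredentials": [{"keyId": "k-1", "endDateTime": "2027-01-01T00:00:00Z"}],
     "passwordCredentials": [],
     "appRoleAssignments": [{"resourceId": "sp-graph", "appRoleId": "role-domain-rw"}]},
    {"id": "sp-hr-sync", "appId": "11111111-1111-1111-1111-111111111111",
     "displayName": "HR Sync Connector",
     "keyCredentials": [],
     "passwordCredentials": [{"keyId": "p-1", "endDateTime": "2026-01-01T00:00:00Z"}],
     "appRoleAssignments": [{"resourceId": "sp-graph", "appRoleId": "role-user-read"}]},
    {"id": "sp-devops", "appId": "22222222-2222-2222-2222-222222222222",
     "displayName": "DevOps Automation",
     "keyCredentials": [],
     "passwordCredentials": [{"keyId": "p-2", "endDateTime": "2026-06-01T00:00:00Z"}],
     "appRoleAssignments": [{"resourceId": "sp-graph", "appRoleId": "role-app-rw"}]},
]


def resolve_role(resource_sps, assignment):
    """Map an appRoleAssignment to the permission string it grants, or None."""
    resource = resource_sps.get(assignment.get("resourceId"), {})
    for role in resource.get("appRoles", []):
        if role["id"] == assignment.get("appRoleId"):
            return role["value"]
    return None


def granted_roles(sp, resource_sps):
    """Set of permission strings held by one service principal."""
    resolved = (resolve_role(resource_sps, a) for a in sp.get("appRoleAssignments", []))
    return {r for r in resolved if r}


def credential_count(sp):
    """Number of certificate and secret credentials attached in the tenant."""
    return len(sp.get("keyCredentials") or []) + len(sp.get("passwordCredentials") or [])


def audit(service_principals, resource_sps):
    """Return findings; 'critical' when a first-party SP has both a credential and a risky role."""
    findings = []
    for sp in service_principals:
        risky = sorted(granted_roles(sp, resource_sps) & HIGH_RISK_APP_ROLES)
        first_party = sp.get("appId") in FIRST_PARTY_APP_IDS
        creds = credential_count(sp)
        base = {"id": sp["id"], "sp": sp["displayName"]}
        if risky:
            findings.append({**base, "severity": "high", "reason": "high_risk_app_role", "roles": risky})
        if first_party and creds:
            # First-party apps normally authenticate with Microsoft-held keys; a
            # credential added in the tenant lets someone in the tenant act as the app.
            findings.append({**base, "severity": "high", "reason": "credential_on_first_party_sp",
                             "credentials": creds})
        if first_party and creds and risky:
            findings.append({**base, "severity": "critical", "reason": "usable_first_party_pivot",
                             "roles": risky})
    return findings


if __name__ == "__main__":
    print(json.dumps(audit(SERVICE_PRINCIPALS, RESOURCE_SPS), indent=2))
```

On the constructed snapshot the HR connector, which holds only a read permission, produces nothing; the DevOps automation principal is reported for Application.ReadWrite.All; and the Exchange Online principal, which carries a tenant-added certificate and Domain.ReadWrite.All, is reported as a critical pivot. Feeding the script real Graph output only requires collecting each principal's app role assignments and the resource principals' `appRoles` lists.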

Recommendations

To mitigate the risk:

  • Avoid over-provisioning Application Administrator permissions.

  • Restrict the use of federated domains unless explicitly required.

  • Implement strict monitoring and detection rules for domain-related API changes.

  • Use Conditional Access Policies and Privileged Identity Management (PIM) to limit exposure.

Conclusion

This case highlights the dangerous intersection of identity misconfigurations, overly permissive roles, and trusted first-party applications in cloud environments. While Microsoft considers this “by design,” the practical security implications demand immediate attention from IT and security teams managing Microsoft Entra ID and hybrid AD infrastructures.
