Privilege Escalation Vulnerability Discovered in Microsoft Entra ID
A critical vulnerability in Microsoft Entra ID has been uncovered, allowing attackers to escalate privileges to the Global Administrator role by abusing built-in first-party applications and federated domain configurations. The flaw affects organizations running hybrid Active Directory environments with federated domains, opening a stealthy path to full tenant compromise.

Discovery and Impact

The vulnerability, discovered by Datadog security researchers and reported to the Microsoft Security Response Center (MSRC) in January 2025, enables privilege escalation through the misuse of the Office 365 Exchange Online service principal (Client ID: 00000002-0000-0ff1-ce00-000000000000). Attackers with Cloud Application Administrator, Application Administrator, or Application.ReadWrite.All permissions can hijack the Exchange Online service principal’s Domain.ReadWrite.All permission. This allows them to:

Add a new federated domain to the tenant.
Forge SAML tokens as any ...
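The two observable steps of the chain above (a credential being added to the Exchange Online first-party service principal, then a domain being added or switched to federated authentication) can be hunted for in Entra ID audit logs. The following is an added detection example, not code from the article or from Datadog; the audit records are constructed, their field layout is a simplified version of the Entra audit-log shape (initiatedBy reduced to a string), and the activity names are assumed to resemble real activityDisplayName values.

```python
import json

# Office 365 Exchange Online first-party service principal (client ID from the article).
EXO_APP_ID = "00000002-0000-0ff1-ce00-000000000000"
EXO_DISPLAY_NAME = "Office 365 Exchange Online"
# Assumed activity names, modelled on Entra audit-log activityDisplayName values.
SP_CREDENTIAL_ACTIVITIES = {"Add service principal credentials"}
DOMAIN_ACTIVITIES = {"Add unverified domain", "Set domain authentication"}

# Constructed sample audit records (JSON lines); not from any real tenant.
SAMPLE_AUDIT_LOG = """
{"activityDisplayName": "Add service principal credentials", "initiatedBy": "appadmin@example.test", "targetResources": [{"type": "ServicePrincipal", "appId": "00000002-0000-0ff1-ce00-000000000000", "displayName": "Office 365 Exchange Online"}]}
{"activityDisplayName": "Add unverified domain", "initiatedBy": "Office 365 Exchange Online", "targetResources": [{"type": "Domain", "displayName": "newfed.example.test"}]}
{"activityDisplayName": "Set domain authentication", "initiatedBy": "Office 365 Exchange Online", "targetResources": [{"type": "Domain", "displayName": "newfed.example.test", "modifiedProperties": [{"displayName": "AuthenticationType", "newValue": "Federated"}]}]}
{"activityDisplayName": "Add service principal credentials", "initiatedBy": "devops@example.test", "targetResources": [{"type": "ServicePrincipal", "appId": "11111111-2222-3333-4444-555555555555", "displayName": "internal-ci-app"}]}
"""


def parse_audit_log(text):
    """Parse a JSON-lines audit export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(record):
    """Return an indicator label for one record, or None if nothing matches."""
    activity = record.get("activityDisplayName")
    for target in record.get("targetResources", []):
        # Step 1 of the chain: a credential lands on the Exchange Online SP.
        if activity in SP_CREDENTIAL_ACTIVITIES and target.get("appId") == EXO_APP_ID:
            return "credential-added-to-exchange-online-sp"
        # Step 2: a domain is added or switched to federated authentication,
        # acted on by the first-party SP itself or with AuthenticationType=Federated.
        if activity in DOMAIN_ACTIVITIES and target.get("type") == "Domain":
            federated = any(
                p.get("displayName") == "AuthenticationType" and p.get("newValue") == "Federated"
                for p in target.get("modifiedProperties", [])
            )
            if federated or record.get("initiatedBy") == EXO_DISPLAY_NAME:
                return "federated-domain-change"
    return None


def find_escalation_indicators(records):
    """Collect (indicator, initiator, target) for every record that matches a step of the chain."""
    findings = []
    for record in records:
        label = classify(record)
        if label:
            target = record["targetResources"][0].get("displayName")
            findings.append((label, record.get("initiatedBy"), target))
    return findings
```

A first-party service principal should never be the initiator of a domain change, so even a single "federated-domain-change" hit attributed to it warrants review, and a credential added to that service principal shortly before it turns the pair into a strong signal.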