A security researcher claims to have found a flaw that could have handed him the keys to almost every Entra ID tenant worldwide.
Dirk-jan Mollema reported the finding to the Microsoft Security Research Center (MSRC) in July. The issue was fixed and confirmed as mitigated, and a CVE was raised on September 4.
It is, however, an alarming vulnerability involving flawed token validation that can result in cross-tenant access. “If you are an Entra ID admin,” wrote Mollema, “that means complete access to your tenant.”
There are two main elements in the vulnerability. The first, according to Mollema, is undocumented impersonation tokens called “Actor tokens” that Microsoft uses for service-to-service communication. There was a flaw in the legacy Azure Active Directory Graph API that did not properly validate the originating tenant, allowing the tokens to be used for cross-tenant access.
“Effectively,” wrote Mollema, “this means that with a token I requested in my lab tenant I could authenticate as any user, including Global Admins, in any other tenant.”
The tokens allowed full access to the Azure AD Graph API in any tenant. Any hope that a log might save the day was also dashed – “requesting Actor tokens does not generate logs.”
“Even if it did, they would be generated in my tenant instead of in the victim tenant, which means there is no record of the existence of these tokens.”
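To illustrate the class of defect described above, here is an added example (not Mollema's research code and not any Microsoft implementation): a toy HMAC-signed, JWT-shaped token format with two validators. The first checks signature, issuer, audience and expiry but never compares the token's tenant claim with the tenant that owns the resource, so a token minted in one tenant is accepted by another; the second binds the token to the resource tenant and rejects it. The token layout, claim names, issuer key and tenant identifiers are assumptions made for the demo and do not describe the real Actor token format.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical shared issuer key: in this toy model every tenant's tokens are
# signed with the same key, so a valid signature says nothing about which
# tenant a token was minted in (constructed for the demo).
ISSUER_KEY = b"constructed-demo-issuer-key"
ISSUER = "https://issuer.example"  # assumed issuer URL


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(tid: str, sub: str, aud: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Mint a JWT-shaped token whose 'tid' claim names the issuing tenant."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "tid": tid, "sub": sub, "aud": aud, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _verify_signature(token: str) -> dict:
    head, body, sig = token.split(".")
    expected = hmac.new(ISSUER_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature check failed")
    return json.loads(_b64url_decode(body))


def validate_without_tenant_check(token: str, expected_aud: str, now: Optional[int] = None) -> dict:
    """FLAWED validator: signature, issuer, audience and expiry only.

    A token minted in any tenant passes, because the 'tid' claim is never
    compared with the tenant that owns the resource being accessed.
    """
    now = int(time.time()) if now is None else now
    claims = _verify_signature(token)
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def validate_tenant_bound(token: str, expected_aud: str, resource_tid: str,
                          now: Optional[int] = None) -> dict:
    """Hardened validator: everything above, plus the token's tenant must equal
    the tenant that owns the resource, so cross-tenant tokens are rejected."""
    claims = validate_without_tenant_check(token, expected_aud, now)
    if claims.get("tid") != resource_tid:
        raise ValueError(
            f"token issued for tenant {claims.get('tid')!r}, resource belongs to {resource_tid!r}"
        )
    return claims


def accepts(validator, *args, **kwargs) -> bool:
    """True if the validator accepts the token, False if it raises ValueError."""
    try:
        validator(*args, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    AUD = "https://graph.example"  # assumed audience for the resource API
    T0 = 1_700_000_000             # fixed clock for a reproducible run
    # Constructed scenario: a token minted in a lab tenant is presented to an
    # API that belongs to a different tenant.
    lab_token = issue_token("lab-tenant", "user@lab.example", AUD, now=T0)
    print("flawed validator accepts cross-tenant token:",
          accepts(validate_without_tenant_check, lab_token, AUD, now=T0 + 60))
    print("tenant-bound validator accepts cross-tenant token:",
          accepts(validate_tenant_bound, lab_token, AUD, "victim-tenant", now=T0 + 60))
    print("tenant-bound validator accepts same-tenant token:",
          accepts(validate_tenant_bound, lab_token, AUD, "lab-tenant", now=T0 + 60))
```

The point of the two validators is that signature, issuer, audience and expiry are all necessary but not sufficient for a multi-tenant API: the resource side must also assert that the tenant named in the token is the tenant whose data is being served, and that check has to live on the resource side because nothing in the token itself can enforce it.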
The upshot of the flaw was a possible compromise for any service that uses Entra ID for authentication, such as SharePoint Online or Exchange Online. Mollema noted that access to resources hosted in Azure was also possible.
Microsoft’s swiftness in resolving the issue is to be commended, even if it’s unfortunate that it was present in the first place. Additionally, Mollema noted that Microsoft had not detected any abuse of the vulnerability in its internal telemetry.
That said, the researcher has provided some KQL for worried admins to use for tracking down evidence of possible abuse.
Mollema called this “the most impactful vulnerability I will probably ever find,” and it is difficult to dispute the claim. The CVE for the issue rates it as “Critical” with a “Low” Attack Complexity metric. The base score is 10.
To reiterate, according to Microsoft, the vulnerability has been fully mitigated, and users do not need to take any further action.
Still, before the vulnerability was found, there existed, in Mollema’s words, “one token to rule them all.” ®