Critical Azure Entra ID Flaw Highlights Microsoft IAM Issues
Summary
A critical elevation-of-privilege vulnerability (CVE-2025-55241) in Microsoft’s Azure AD Graph API could have allowed attackers to impersonate users — including global administrators — across tenants. Discovered by Dirk-jan Mollema, the flaw leverages an authentication failure in the legacy Azure AD Graph API together with undocumented, unsigned “Actor” tokens that bypass access controls, logging and conditional access policies. Microsoft patched the issue over the summer and later introduced mitigations that block requesting Actor tokens from customer tenants, but the discovery highlights deeper concerns about legacy protocols, telemetry gaps and internal transparency.
Key Points
- The flaw is tracked as CVE-2025-55241 and had its CVSS score raised from 9.0 to 10.0.
- Root cause: an authentication failure in the Azure AD Graph API (a legacy REST API due for deprecation).
- Undocumented “Actor” tokens are unsigned, cannot be revoked during their 24-hour lifetime, bypass conditional access and generate minimal or no logs in the affected tenant.
- Mollema demonstrated cross-tenant impersonation by requesting Actor tokens in his tenant, altering token fields and accessing other tenants if he knew a tenant ID and could guess a user netID.
- netIDs are predictable (assigned incrementally) and therefore susceptible to brute-force enumeration, enabling an attacker to target global admins.
- Microsoft responded quickly with patches and an additional mitigation that blocks customers from requesting Actor tokens via Azure AD Graph.
- The issue underlines risks from legacy authentication code and internal token flows that lack transparency and modern safeguards (signing, auditing).
- The finding has reignited criticism of Microsoft IAM practices following previous CSRB scrutiny (Storm-0558) and prompted calls for stronger, transparent fixes.
Context and Relevance
This vulnerability matters because it strikes at identity — the core of cloud security. Cross-tenant impersonation and unsigned tokens that bypass conditional access and logging create an attacker-friendly path to widespread compromise. Although Microsoft has implemented mitigations, the episode exposes the danger that older, lightly maintained authentication paths pose in large-scale cloud platforms. Organisations using Microsoft cloud services should review their exposure, ensure logging and monitoring are as complete as possible, and track Microsoft’s follow-up changes to Entra ID/Graph APIs.
Author style
Punchy: this is immediate, high-impact research that should be read in full if you care about identity security. The technical demo and the subsequent patching are important — don’t skim the headlines if you run Microsoft cloud services.
Why should I read this?
Short and to the point — read this because it’s a proper alarm bell. An attacker could’ve impersonated global admins across tenants thanks to unsigned tokens and a legacy API. If you manage Microsoft cloud identity, this is the kind of mess you want on your radar now rather than after someone else exploits it. We’ve done the heavy lifting: the article tells you what went wrong, how it could be abused, and what Microsoft did to stop it.
Source
Source: https://www.darkreading.com/cloud-security/critical-azure-entra-id-flaw-microsoft-iam-issues