Security researchers are warning about a max-severity vulnerability in Microsoft Entra ID (formerly Azure Active Directory) that could have allowed attackers to impersonate any user in any tenant, including Global Administrators, without triggering MFA or Conditional Access and without leaving a normal sign-in or audit trail in the victim tenant.
The flaw, first reported by red-teamer Dirk-jan Mollema, abused "Actor tokens", a hidden Microsoft mechanism normally used for internal delegation between Microsoft services, by presenting them to a legacy API that failed to validate which tenant the token originated from.
According to Mitiga's further breakdown of the exploit, an attacker operating from their own, otherwise unremarkable tenant could request an Actor token there, then use it to pose as a privileged user in a completely separate organization.
"The vulnerability arose because the legacy API failed to validate the tenant source of the Actor token," Mitiga researchers said in a blog post. "Once impersonating a Global Admin, they could create new accounts, grant themselves permissions, or exfiltrate sensitive data."
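To make the root cause concrete, the following is an added illustration of the bug class described above: a resource server that verifies a delegation token's signature and issuing application but never checks that the token was issued for the tenant it is being used against. This is example code written for this page, not Microsoft's implementation, and it does not reproduce the real Actor token format; the claim names (`tid`, `appid`, `act_as`), the HMAC signing, the shared key, the trusted-app list and the tenant names are all constructed assumptions.

```python
# Added illustration, not Microsoft's code or token format: why an API that
# honours impersonation tokens must bind each token to the target tenant.
import base64
import hashlib
import hmac
import json

# Hypothetical key shared by the token service and the API (assumption).
SIGNING_KEY = b"example-key-for-illustration-only"

# Hypothetical allow-list of applications permitted to impersonate users.
TRUSTED_APPS = {"app-internal-service"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_actor_token(issuing_tenant: str, app_id: str, impersonated_user: str) -> str:
    """Constructed stand-in for an impersonation token: JSON claims + HMAC tag.

    tid    = tenant that issued the token (attacker's own tenant in the attack)
    appid  = application the token was issued to
    act_as = user the bearer claims to act on behalf of
    """
    claims = {"tid": issuing_tenant, "appid": app_id, "act_as": impersonated_user}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_signature(token: str) -> dict:
    """Return the claims if the tag is valid; the signature says nothing about tenant."""
    body_b64, tag_b64 = token.split(".")
    body = _unb64(body_b64)
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag_b64)):
        raise PermissionError("bad signature")
    return json.loads(body)


def legacy_api_vulnerable(target_tenant: str, token: str) -> str:
    """Vulnerable pattern: signature and app are checked, issuing tenant is not."""
    claims = verify_signature(token)
    if claims["appid"] not in TRUSTED_APPS:
        raise PermissionError("untrusted application")
    # Missing check: claims["tid"] is never compared with target_tenant, so a
    # token minted in any tenant is honoured as an impersonation in this one.
    return f"acting as {claims['act_as']} in {target_tenant}"


def legacy_api_hardened(target_tenant: str, token: str) -> str:
    """Hardened pattern: the token must have been issued for the tenant it targets."""
    claims = verify_signature(token)
    if claims["appid"] not in TRUSTED_APPS:
        raise PermissionError("untrusted application")
    if claims["tid"] != target_tenant:
        raise PermissionError("token issued for another tenant")
    # Defence in depth (simplified: real directories would look the user up):
    # the impersonated identity must belong to the tenant being accessed.
    if not claims["act_as"].endswith("@" + target_tenant):
        raise PermissionError("impersonated user not in target tenant")
    return f"acting as {claims['act_as']} in {target_tenant}"


def is_rejected(handler, target_tenant: str, token: str) -> bool:
    """True if the handler refuses the token for that tenant."""
    try:
        handler(target_tenant, token)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    # Constructed scenario: a token minted in the attacker's tenant that names a
    # Global Admin of an unrelated victim tenant as the impersonated user.
    cross_tenant = mint_actor_token("attacker.example", "app-internal-service",
                                    "globaladmin@victim.example")
    print("vulnerable:", legacy_api_vulnerable("victim.example", cross_tenant))
    print("hardened rejects:", is_rejected(legacy_api_hardened, "victim.example", cross_tenant))
```

The point the example isolates is that a valid signature only proves who minted the token, not where it may be used; the authorization decision has to compare the token's issuing tenant with the tenant whose resources are being touched, and the vulnerable handler never does.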

