Perceptive Security
SOC/SIEM Consultancy

Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover
Published:
28 April 2026 at 06:37:00
Alert date:
28 April 2026 at 07:02:19
Source:
thehackernews.com
Cloud & Virtualization, Identity & Access, Enterprise Applications
Microsoft patched a vulnerability in Entra ID's Agent ID Administrator role that could enable privilege escalation and identity takeover attacks. The flaw was discovered by Silverfort and affects the privileged built-in role designed for AI agents within Microsoft's agent identity platform. The vulnerability could allow attackers to escalate privileges and take over service principals in Microsoft's cloud identity service. This represents a significant security risk for organizations using Microsoft Entra ID for identity management.
Technical details
The Agent ID Administrator role in Microsoft Entra ID had a scope overreach vulnerability that allowed users assigned this role to take over arbitrary service principals beyond agent-related identities. Attackers could become an owner of service principals and add their own credentials to authenticate as that principal, effectively gaining full service principal takeover capabilities. This could lead to privilege escalation when targeting high-privileged service principals with elevated permissions, particularly those with privileged directory roles and high-impact Graph app permissions.
Mitigation steps:
Monitor sensitive role usage, particularly roles related to service principal ownership or credential changes
Track service principal ownership changes
Secure privileged service principals
Audit credential creation on service principals
Validate how roles are scoped and permissions are applied, especially for shared identity components and new identity types built on existing primitives
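The monitoring steps above (track ownership changes, audit credential creation, watch sensitive role usage) can be combined into one correlation: an actor becomes owner of a service principal and shortly afterwards adds a credential to it, which is the takeover pattern the alert describes. The following Python is an added example written for this page, not code from Perceptive, Silverfort or Microsoft. It assumes audit records exported in the shape of the Microsoft Graph directoryAudit resource (activityDateTime, activityDisplayName, initiatedBy, targetResources); the role-assignment snapshot and the audit records themselves are constructed sample data, and the user names and service principal ids are placeholders.

```python
"""Correlate Entra ID audit events into service principal takeover findings.

Assumption: records follow the Microsoft Graph directoryAudit layout. Adapt the
small accessor functions below if your SIEM flattens the fields differently.
"""
from datetime import datetime, timedelta

# Activity names as they appear in Entra ID audit logs.
ADD_OWNER = "Add owner to service principal"
ADD_CREDENTIAL = "Add service principal credentials"

# Constructed role-assignment snapshot: actor UPN -> directory roles held.
ROLE_ASSIGNMENTS = {
    "agentadmin@example.test": {"Agent ID Administrator"},
    "appadmin@example.test": {"Application Administrator"},
}


def _event(ts, activity, actor, sp_id, sp_name):
    """Build one constructed audit record in directoryAudit shape."""
    return {
        "activityDateTime": ts,
        "activityDisplayName": activity,
        "initiatedBy": {"user": {"userPrincipalName": actor}},
        "targetResources": [{"id": sp_id, "displayName": sp_name, "type": "ServicePrincipal"}],
    }


# Constructed sample audit records (not real tenant data).
SAMPLE_AUDIT_LOGS = [
    # Owner added, then a credential three minutes later: takeover pattern.
    _event("2026-04-27T09:00:00Z", ADD_OWNER, "agentadmin@example.test", "sp-1111", "BackupAutomation"),
    _event("2026-04-27T09:03:00Z", ADD_CREDENTIAL, "agentadmin@example.test", "sp-1111", "BackupAutomation"),
    # Routine credential rotation with no preceding ownership change: benign.
    _event("2026-04-27T10:00:00Z", ADD_CREDENTIAL, "appadmin@example.test", "sp-2222", "HRConnector"),
    # Owner added a week before the credential: outside the default window.
    _event("2026-04-20T08:00:00Z", ADD_OWNER, "agentadmin@example.test", "sp-3333", "ReportingJob"),
    _event("2026-04-27T08:00:00Z", ADD_CREDENTIAL, "agentadmin@example.test", "sp-3333", "ReportingJob"),
]


def _ts(event):
    # Accept the trailing "Z" that Graph emits on all Python 3 versions.
    return datetime.fromisoformat(event["activityDateTime"].replace("Z", "+00:00"))


def _actor(event):
    return event.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")


def _target_sp(event):
    for target in event.get("targetResources", []):
        if target.get("type") == "ServicePrincipal":
            return target.get("id")
    return None


def find_takeover_chains(events, role_assignments, window_hours=24):
    """Return one finding per (actor, service principal) where an owner
    addition is followed by a credential addition within window_hours."""
    window = timedelta(hours=window_hours)
    owner_added = {}  # (actor, sp_id) -> time the actor became owner
    findings = []
    for ev in sorted(events, key=_ts):
        actor, sp_id = _actor(ev), _target_sp(ev)
        if sp_id is None:
            continue
        activity = ev.get("activityDisplayName")
        if activity == ADD_OWNER:
            owner_added[(actor, sp_id)] = _ts(ev)
        elif activity == ADD_CREDENTIAL and (actor, sp_id) in owner_added:
            elapsed = _ts(ev) - owner_added[(actor, sp_id)]
            if timedelta(0) <= elapsed <= window:
                findings.append({
                    "actor": actor,
                    "actor_roles": sorted(role_assignments.get(actor, ())),
                    "service_principal": sp_id,
                    "owner_added_at": owner_added[(actor, sp_id)].isoformat(),
                    "credential_added_at": _ts(ev).isoformat(),
                })
    return findings


def sensitive_role_activity(events, role_assignments, roles=("Agent ID Administrator",)):
    """Return ownership or credential events performed by actors holding any
    of the given roles, for review regardless of whether they chain."""
    watched = set(roles)
    return [
        ev for ev in events
        if ev.get("activityDisplayName") in (ADD_OWNER, ADD_CREDENTIAL)
        and role_assignments.get(_actor(ev), set()) & watched
    ]


if __name__ == "__main__":
    for finding in find_takeover_chains(SAMPLE_AUDIT_LOGS, ROLE_ASSIGNMENTS):
        print("TAKEOVER PATTERN:", finding)
    print(len(sensitive_role_activity(SAMPLE_AUDIT_LOGS, ROLE_ASSIGNMENTS)), "sensitive-role events to review")
```

With the 24-hour default only the BackupAutomation chain is reported; widening the window to 30 days also catches the ReportingJob chain, so the window is a tuning choice between noise from legitimate owner-then-credential workflows and missed slow-moving activity. The second function lists every ownership or credential change made by an Agent ID Administrator, which is the broader "monitor sensitive role usage" review the alert recommends.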
Affected products:
Microsoft Entra ID - Agent ID Administrator role
Microsoft agent identity platform
Related links:
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference
https://learn.microsoft.com/en-us/entra/agent-id/what-is-agent-id-platform
https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals
https://www.silverfort.com/blog/agent-id-administrator-scope-overreach-service-principal-takeover-in-entra-id/
Related CVEs:
Related threat actors:
IOCs:
Forbidden error message when attempting to assign ownership over non-agent service principals
This article was created with the assistance of AI technology by Perceptive.
