Security researchers are warning about a max-severity vulnerability in Microsoft Entra ID (formerly Azure Active Directory) that could allow attackers to impersonate any user in any tenant, including Global Administrators, without triggering MFA or Conditional Access, and without leaving any normal sign-in or audit trail.
The flaw, first reported by red-teamer Dirk-jan Mollema, exploited “Actor tokens,” a hidden Microsoft mechanism normally used for internal delegation, by manipulating a legacy API that failed to validate the originating tenant.
According to Mitiga’s further breakdown of the exploit, an attacker in a benign environment could request an Actor token, then use it to pose as a privileged user in a completely separate organization.
“The vulnerability arose because the legacy API failed to validate the tenant source of the Actor token,” Mitiga researchers said in a blog post. “Once impersonating a Global Admin, they could create new accounts, grant themselves permissions, or exfiltrate sensitive data.”