Microsoft Entra ID Flaw Let Agent Admins Take Over Service Principals
Microsoft fixed a privilege escalation flaw in Entra ID that let users holding the built-in Agent ID Administrator role take over arbitrary service principals, including identities unrelated to AI agents. Silverfort reported that a holder of the role could assign ownership of a target service principal, use that ownership to add a new credential, and then authenticate as the principal, amounting to full service principal takeover. The weakness stemmed from a scoping gap in Microsoft's Agent Identity Platform: a role intended to manage agent-related objects was also able to modify standard directory objects.
The exposure was most serious in tenants with highly privileged service principals, where an attacker could inherit sensitive API permissions, integrations, or directory roles and potentially reach Global Administrator-equivalent power. Silverfort said the abuse path was broadly relevant because most customer tenants it analyzed had at least one privileged service principal, and because ownership changes blend in with routine administrative activity and are easy to miss. Microsoft addressed the issue with a backend fix that restricts the Agent ID Administrator role to agent-related objects and said the remediation was fully rolled out by April 9, 2026.

How this story unfolded
Three events, listed from the most recent confirmed update back to the earliest known activity.
Media reports highlight Microsoft patch and severity of Entra ID flaw
Security news outlets reported that Microsoft had patched the Entra ID flaw and emphasized the risk that compromised accounts or insiders with the Agent ID Administrator role could gain highly privileged access. Coverage also noted the issue was difficult to detect because ownership changes could resemble normal administrative activity.
Silverfort publicly discloses Entra ID service principal takeover issue
Silverfort published research describing how users with only the Agent ID Administrator role could assign ownership of arbitrary service principals, add credentials, and authenticate as them. The disclosure warned this could enable compromise of privileged service principals and broader tenant-wide privilege escalation.
Microsoft rolls out backend fix for Entra ID privilege escalation flaw
Microsoft remediated a scoping flaw in the Entra ID Agent ID Administrator role that allowed takeover of arbitrary service principals, including non-agent identities. The company restricted the role so it can affect only agent-related objects, and the fix was fully rolled out by April 9, 2026.
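The abuse chain described in the summary and in the Silverfort disclosure above has a distinctive shape in the directory audit log: the same actor adds an owner to a service principal and then, shortly afterwards, adds a credential to that same service principal. The following hunting script is an added example (not Silverfort's or Microsoft's code) that correlates those two events over constructed sample records. The activity names are the standard Entra audit activityDisplayName values for these operations (an assumption to verify against your tenant), the record layout is simplified from the real schema, and the privileged-SP inventory is an assumed allow-list you would build from your own role and app-permission data.

```python
"""Hunt Entra ID directory audit events for the owner-add followed by
credential-add chain that the Agent ID Administrator scoping gap enabled.

Added example, not Silverfort's or Microsoft's code. The records below are
constructed sample data; activity names follow the Entra audit
activityDisplayName convention (assumption: verify against your tenant) and
the field layout is simplified from the real log schema.
"""
from datetime import datetime, timedelta

# Constructed sample records in a simplified audit-log shape.
SAMPLE_AUDIT = [
    # suspicious: owner added, then a secret added two and a half minutes later
    {"time": "2026-04-01T09:00:00Z", "activity": "Add owner to service principal",
     "actor": "agentadmin@contoso.example", "target": "sp-ci-deployer"},
    {"time": "2026-04-01T09:02:30Z", "activity": "Add service principal credentials",
     "actor": "agentadmin@contoso.example", "target": "sp-ci-deployer"},
    # benign: a secret rotated by an existing admin with no ownership change
    {"time": "2026-04-01T10:15:00Z", "activity": "Add service principal credentials",
     "actor": "ga@contoso.example", "target": "sp-billing-sync"},
    # ownership change with a credential add a day later, outside the window
    {"time": "2026-04-01T11:00:00Z", "activity": "Add owner to service principal",
     "actor": "agentadmin@contoso.example", "target": "sp-agent-helper"},
    {"time": "2026-04-02T11:00:00Z", "activity": "Add service principal credentials",
     "actor": "agentadmin@contoso.example", "target": "sp-agent-helper"},
]

# Constructed (assumed) inventory of service principals the tenant treats as
# privileged, e.g. those holding directory roles or high-impact Graph app roles.
PRIVILEGED_SPS = {"sp-ci-deployer", "sp-billing-sync"}

OWNER_ADD = "Add owner to service principal"
CRED_ADD = "Add service principal credentials"


def parse_time(stamp):
    """Parse the UTC timestamp format used in the sample records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_takeover_chains(records, window=timedelta(hours=1), privileged=PRIVILEGED_SPS):
    """Return one finding per (actor, service principal) where the actor added
    an owner and then added a credential within `window`.

    Each finding carries the actor, target, both timestamps, and whether the
    target is on the privileged inventory (the findings worth paging on).
    """
    pending_owner_adds = {}   # (actor, target) -> time of most recent owner add
    findings = []
    for rec in sorted(records, key=lambda r: parse_time(r["time"])):
        key = (rec["actor"], rec["target"])
        when = parse_time(rec["time"])
        if rec["activity"] == OWNER_ADD:
            pending_owner_adds[key] = when
        elif rec["activity"] == CRED_ADD:
            owner_time = pending_owner_adds.get(key)
            if owner_time is not None and when - owner_time <= window:
                findings.append({
                    "actor": rec["actor"],
                    "target": rec["target"],
                    "owner_added": owner_time.isoformat(),
                    "credential_added": when.isoformat(),
                    "privileged_target": rec["target"] in privileged,
                })
                del pending_owner_adds[key]   # one finding per chain
    return findings


if __name__ == "__main__":
    for f in find_takeover_chains(SAMPLE_AUDIT):
        level = "HIGH" if f["privileged_target"] else "MEDIUM"
        print(f"[{level}] {f['actor']} took ownership of {f['target']} at "
              f"{f['owner_added']} and added a credential at {f['credential_added']}")
```

Against a live tenant, the records would come from the Microsoft Graph `/auditLogs/directoryAudits` endpoint rather than the inline list, and the correlation key would use the actor's object ID rather than the UPN. The one-hour window is a tuning choice: Silverfort's chain can be executed in seconds, but a longer window also catches an attacker who spaces the steps out to look routine. Since the backend fix only narrows what the role can do going forward, it is also worth reviewing which non-agent service principals currently list Agent ID Administrator holders as owners.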
Sources
Microsoft patches Entra ID bug that let AI agents escalate privileges (SC Media, scworld.com)
Microsoft fixes Entra ID flaw enabling privilege escalation (securityaffairs.com)
Agent ID Administrator scope overreach: Service Principal takeover in Entra ID (Silverfort, silverfort.com)