Microsoft Entra Conditional Access Bypasses Exposed in Brokered and Resource-Exclusion Flows
Researchers disclosed two separate Microsoft Entra Conditional Access bypasses that could let attackers obtain Microsoft Graph access without the intended controls, including MFA in some cases. NetSPI reported that Nested App Authentication (NAA), also called BroCI, allowed certain brokered application flows to exchange an Azure Portal refresh token for Graph access tokens without Conditional Access enforcement. The issue affected specific clients, including ADIbizaUX and two Microsoft Intune portal extension clients, and was primarily useful as a persistence mechanism after an attacker had already stolen an Azure Portal refresh token through methods such as phishing or adversary-in-the-middle collection. Microsoft classified that issue as medium severity and deployed a fix; post-patch testing returned AADSTS53003 access-blocked errors for the previously successful exchanges.
A separate disclosure showed that Entra policies configured for all resources but with at least one excluded resource could also be bypassed to obtain Graph tokens without the expected Conditional Access checks. The researcher said the gap was broader than Microsoft had publicly documented and warned that some Microsoft first-party applications appeared able to reach Entra ID data through Graph beyond the scopes visible in issued tokens, enabling tenant enumeration and potentially modification where user privileges allowed it. Microsoft later acknowledged the problem and began rolling out baseline scope enforcement changes, with enforcement starting June 15 and an early opt-in option available through the Entra Admin Center; according to the researcher, enabling that enforcement closes the Graph token bypass and restores proper Conditional Access evaluation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
NetSPI publicly discloses Nested App Authentication bypass
NetSPI publicly disclosed its finding that Nested App Authentication could be abused in specific brokered application flows to bypass Conditional Access enforcement for Microsoft Graph tokens. The disclosure noted Microsoft had classified the issue as medium severity and rolled out a fix that blocked the previously successful exchanges.
Microsoft begins enforcement changes for resource exclusion bypass
Microsoft announced enforcement changes starting June 15 for a Conditional Access gap affecting policies that target all resources while excluding at least one resource. The change introduced baseline scope enforcement intended to close the bypass on Microsoft Graph token requests.
NetSPI reports Entra Conditional Access bypass to MSRC
NetSPI reported a Microsoft Entra ID Conditional Access bypass involving Nested App Authentication to the Microsoft Security Response Center. The issue allowed certain brokered flows to obtain Microsoft Graph access tokens without Conditional Access policy enforcement.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Microsoft Entra Conditional Access Policies Can Be Bypassed Via Nested App Authentication
cybersecuritynews.com
Open sourceBypassing Conditional Access policies that have a resource exclusion - dirkjanm.io
dirkjanm.io
Open sourceBypassing Microsoft Entra Conditional Access Policies via Nested App Authentication - NetSPI
netspi.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Entra ID Flaw Let Agent Admins Take Over Service Principals
Microsoft fixed a privilege escalation flaw in **Entra ID** that allowed users with the built-in **Agent ID Administrator** role to take over arbitrary service principals, including identities unrelated to AI agents. Silverfort reported that the role could assign ownership over a target service principal, add new credentials, and then authenticate as that principal, effectively enabling full service principal takeover. The weakness stemmed from a scoping gap in Microsoft’s Agent Identity Platform, where a role intended to manage agent-related objects could also affect standard directory components. The exposure was especially serious in tenants with highly privileged service principals, where attackers could inherit sensitive API access, integrations, or directory-level roles and potentially reach **Global Administrator-equivalent** power. Silverfort said the abuse path was broadly relevant because most customer tenants it analyzed had at least one privileged service principal, while ownership changes could blend in with normal administrative activity and evade detection. Microsoft addressed the issue with a backend fix that restricted the **Agent ID Administrator** role to agent-related objects and said the remediation was fully rolled out by April 9.
Apr 28, 2026
Microsoft Entra Agent ID Blueprint Model Expands Cross-Tenant Compromise Risk
New research warns that Microsoft Entra Agent ID can significantly widen the impact of a single credential compromise because authentication is anchored to an **agent blueprint** while privileges can be distributed across many child agent identities. Security researchers found that one blueprint principal can authenticate up to 250 agent identities per tenant, optionally span multiple tenants, and inherit a mix of service principal permissions, user-like capabilities, Entra role assignments, and delegated permissions. Datadog and Compass Security both reported that this design creates a larger blast radius than traditional Entra applications, especially when third-party or multitenant blueprints are used, because the publishing tenant controls the credential material trusted by consuming tenants. Researchers also demonstrated practical abuse paths. Compass Security showed that attackers who gain blueprint ownership or credential-management access could add credentials, create child agent identities through the `AgentIdentity.CreateAsManager` role claim, and potentially escalate privileges up to **Global Administrator**; it also described consent-phishing with a foreign multitenant blueprint to inherit permissions such as `Application.ReadUpdate.All`. Separately, Red Canary documented a suspicious non-interactive Microsoft Graph sign-in tied to an assistive agent, where the application `Agent001` authenticated with a federated identity credential, satisfied MFA via token claims rather than user interaction, and requested broad scopes including `Group.Read.All`, `Mail.ReadWrite`, `Mail.Send`, `MailboxSettings.ReadWrite`, and `User.Read`, underscoring how Agent ID workflows can blur the line between application and user access.
Jun 18, 2026
Critical Azure SRE Agent Token Flaw Exposed Cross-Tenant AI Sessions
Researchers at Enclave disclosed a critical improper authentication flaw in Microsoft's Azure SRE Agent that allowed an outsider with only a free Azure account to observe another organization's AI operations agent in real time. The cross-tenant exposure stemmed from a token issuance process that accepted accounts from any Microsoft cloud tenant and a communication channel that verified token validity but not tenant ownership, enabling unauthorized access to live agent sessions. Microsoft confirmed the issue, assigned `CVE-2026-32173`, rated it critical with a `CVSS` score of `8.6`, and remediated it server-side. According to the disclosure, exposed data could include user prompts, agent responses, step-by-step reasoning, executed commands, command output, and even plaintext credentials, while generating no logs visible to the victim organization, underscoring wider concerns that enterprise AI agent deployments are outpacing governance and security controls.
Apr 20, 2026