
Microsoft Entra ID flaw allowed hijacking any company's tenant


A critical combination of legacy components could have allowed complete access to the Microsoft Entra ID tenant of every company in the world.

The fatal mix included undocumented tokens called “actor tokens” and a vulnerability in the Azure AD Graph API (CVE-2025-55241) that allowed the tokens to work with any organization’s Entra ID environment.

A threat actor exploiting the issue would have had access to a slew of highly sensitive data without leaving any trace in the target tenant's logs beyond the actions they actually performed there.

Entra ID is Microsoft’s cloud-based identity and access management (IAM) service, formerly known as Azure Active Directory (Azure AD), which provides organizations with single sign-on, multi-factor authentication, and security controls across apps and resources.

A dedicated Entra ID instance (a tenant) represents a single organization and manages secure access to all the apps it uses, both on-premises and cloud-based.

This can include Microsoft 365 services, custom and third-party SaaS products like Salesforce, Dropbox, or cloud apps from Google, Amazon, or SAP.

Security researcher Dirk-jan Mollema, founder of the offensive security firm Outsider Security, discovered a token validation flaw that gave him Global Admin privileges in every Entra ID tenant.

This level of access allows full tenant compromise and opens the door to any service authenticated through Entra ID.
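To illustrate the class of token-validation bug described above, here is an added Python example (not Microsoft's code and not taken from Mollema's write-up): a toy HMAC-signed token carrying a constructed `tid` (tenant) claim, checked first by a validator that accepts any well-formed token regardless of tenant, and then by one that binds the token to the tenant being accessed. The key, claim layout and tenant names are all hypothetical.

```python
import base64, hashlib, hmac, json, time

# Hypothetical signing key for the constructed tokens; not a real Entra ID key.
SIGNING_KEY = b"constructed-demo-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict) -> str:
    """Build a compact JWS-style token (header.payload.signature) signed with HMAC-SHA256."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def parse_token(token: str) -> dict:
    """Check signature and expiry; return the claims or raise ValueError."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims

def authorize_weak(token: str, target_tenant: str) -> bool:
    """Flawed pattern: any validly signed, unexpired token is accepted for any tenant."""
    parse_token(token)
    return True

def authorize_tenant_bound(token: str, target_tenant: str) -> bool:
    """Hardened pattern: the tenant the token was issued for must match the tenant accessed."""
    return parse_token(token).get("tid") == target_tenant

def sample_token(tenant: str) -> str:
    """Constructed sample token issued for `tenant` (hypothetical claim layout)."""
    return mint_token({"tid": tenant, "sub": "service-principal", "exp": time.time() + 600})

def demo() -> tuple:
    """Token issued for tenant A presented against tenant B: weak check passes, bound check fails."""
    token = sample_token("tenant-A")
    return authorize_weak(token, "tenant-B"), authorize_tenant_bound(token, "tenant-B")
```

The tenant-bound check is the property a resource API must enforce for any cross-tenant-capable token: a valid signature proves who issued the token, not which tenant it may be used against.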

Impersonating any user in the tenant

In a technical blog post, Mollema explains that actor tokens are issued by a legacy service called Access Control Service, which “is used for authentication with SharePoint applications and also seems to be used by Microsoft internally.”
