Microsoft patched a critical token-validation vulnerability in Entra ID (formerly Azure Active Directory) — CVE-2025-55241 — that could have allowed attackers to impersonate any user, including Global Administrators, across virtually any tenant. The flaw, assigned a CVSS score of 10.0, was reported by researcher Dirk-jan Mollema on 14 July 2025 and addressed by Microsoft on 17 July 2025. Microsoft states there is no evidence the issue was exploited in the wild and that no customer action was required after the fix.
Technically, the weakness resulted from two interacting problems: the use of service-to-service (S2S) “actor” tokens issued by the legacy Access Control Service (ACS), and a fatal tenant-validation bug in the deprecated Azure AD Graph API (graph.windows.net). Because the Graph API did not properly verify the originating tenant of these actor tokens, an attacker could craft or obtain an actor token in their own environment and then use it to impersonate accounts in other tenants. Crucially, these actor tokens were not subject to Conditional Access policies, so the vulnerability effectively allowed cross-tenant privilege escalation that bypassed the access controls a tenant would normally expect to apply.
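As an added illustration (not Microsoft's code, not the researcher's, and not the real token format), the constructed Python below contrasts a token check that omits tenant-context validation, the class of defect described above, with one that enforces it. The claim names tid, iss, aud and exp follow common JWT conventions; the two-token layout, the tenant ids and the user names are assumptions made for the example.

```python
import base64
import json

GRAPH_AUDIENCE = "https://graph.windows.net"  # the legacy Azure AD Graph resource named above

def encode_claims(claims: dict) -> str:
    """Serialise a claim set as a base64url JSON segment (JWT payload shape)."""
    raw = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def decode_claims(segment: str) -> dict:
    """Decode a base64url JSON claim set; signature verification is assumed done upstream."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def validate_vulnerable(actor: dict, act_as: dict, now: int) -> bool:
    """The defect class from the text: audience and expiry are checked, but the
    tenant of the user being impersonated is never tied to the actor token's tenant."""
    return actor.get("aud") == GRAPH_AUDIENCE and actor.get("exp", 0) > now

def validate_hardened(actor: dict, act_as: dict, now: int) -> bool:
    """Same checks plus tenant-context enforcement."""
    if actor.get("aud") != GRAPH_AUDIENCE or actor.get("exp", 0) <= now:
        return False
    tid = actor.get("tid")
    # The issuer must be the STS of the tenant the token claims to belong to.
    if not tid or actor.get("iss") != f"https://sts.windows.net/{tid}/":
        return False
    # The impersonated user must live in that same tenant: this is the check
    # whose absence turns a single-tenant actor token into a cross-tenant one.
    return act_as.get("tid") == tid

def authorize_act_as(actor_segment: str, act_as_segment: str, now: int, hardened: bool = True) -> bool:
    """Decode both segments and run the chosen validator (hardened by default)."""
    actor, act_as = decode_claims(actor_segment), decode_claims(act_as_segment)
    check = validate_hardened if hardened else validate_vulnerable
    return check(actor, act_as, now)

# Constructed sample: a service in tenant A holds a valid actor token and tries to
# act as a user in tenant B (the cross-tenant case) and as a user in its own tenant.
NOW = 1_700_000_000
ACTOR_A = encode_claims({"iss": "https://sts.windows.net/tenant-a/", "tid": "tenant-a",
                         "aud": GRAPH_AUDIENCE, "exp": NOW + 3600})
USER_IN_B = encode_claims({"tid": "tenant-b", "upn": "admin@tenant-b.example"})
USER_IN_A = encode_claims({"tid": "tenant-a", "upn": "svc-owner@tenant-a.example"})

if __name__ == "__main__":
    print("vulnerable, cross-tenant:", authorize_act_as(ACTOR_A, USER_IN_B, NOW, hardened=False))  # True
    print("hardened, cross-tenant:  ", authorize_act_as(ACTOR_A, USER_IN_B, NOW))                  # False
    print("hardened, same tenant:   ", authorize_act_as(ACTOR_A, USER_IN_A, NOW))                  # True
```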
The practical impact of such an impersonation is severe. An attacker posing as a Global Administrator could create accounts, grant permissions, modify tenant settings, exfiltrate user and configuration data, and gain control of any service that relies on Entra ID for authentication (for example Exchange Online, SharePoint Online, and Azure subscriptions). Security firms warned that exploitation could also bypass multi-factor authentication, Conditional Access, and API-level logging, potentially leaving little or no forensic trail of the attack.
Microsoft has framed this class of failure as “high-privileged access” (HPA), where an application or service can obtain broad access to customer content and impersonate users without proof of user context. Observers also noted that the legacy Azure AD Graph API had long been deprecated (Microsoft retired it on 31 August 2025) and urged migration to Microsoft Graph — a move that would avoid relying on the outdated endpoint implicated in this issue.
Although Microsoft fixed the vulnerability rapidly and required no customer intervention, the incident underscores multiple security lessons: legacy APIs can introduce systemic risk, token validation must enforce tenant context, and comprehensive API logging is essential for detection and attribution. Organizations should verify they no longer depend on retired Graph endpoints, review service-to-service token usage and Conditional Access coverage, and ensure monitoring and logging are in place to detect any anomalous high-privilege activity.