{"id":12394,"date":"2026-04-25T10:05:04","date_gmt":"2026-04-25T10:05:04","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/04\/25\/hackers-can-abuse-entra-agent-id-administrator-role-to-hijack-service-principals\/"},"modified":"2026-04-25T10:05:04","modified_gmt":"2026-04-25T10:05:04","slug":"hackers-can-abuse-entra-agent-id-administrator-role-to-hijack-service-principals","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/04\/25\/hackers-can-abuse-entra-agent-id-administrator-role-to-hijack-service-principals\/","title":{"rendered":"Hackers Can Abuse Entra Agent ID Administrator Role to Hijack Service Principals"},"content":{"rendered":"

Hackers Can Abuse Entra Agent ID Administrator Role to Hijack Service Principals
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A critical scope overreach vulnerability was recently identified in the Microsoft Entra Agent Identity Platform. The newly introduced Agent ID Administrator role allowed accounts to hijack arbitrary service<\/a> principals and escalate privileges across the entire tenant.<\/p>\n

Microsoft has fully patched this behavior across all cloud environments as of April 2026.<\/p>\n

How the Permission Boundary Breaks<\/strong><\/h2>\n

The Microsoft Agent Identity Platform is a preview feature that provides artificial intelligence agents with identities using blueprints, agent identities, and agent users.<\/p>\n

To manage these non-human entities, Microsoft introduced the Agent ID Administrator role. According to Microsoft documentation<\/a>, this role was strictly scoped to manage only agent-related objects.<\/p>\n

\"A
A discrepancy in the Microsoft Entra \u201cprivileged\u201d indicator will be fixed(source : SilverFort)<\/figcaption><\/figure>\n

However, because agent identities are built on top of standard application and service principal primitives, a critical scoping gap emerged.<\/p>\n

Silverfort researchers found that actions like updating agent identity owners allowed administrators to modify the ownership of any service principal in the tenant.<\/p>\n

A user with the Agent ID Administrator<\/a> role could assign themselves as the owner of a completely unrelated, high-privileged service principal.<\/p>\n

Once ownership was established, the attacker could generate new credentials and authenticate as that targeted application.<\/p>\n

If the compromised service principal held elevated directory roles or high-impact Graph API permissions, this takeover primitive provided a direct path to full compromise of the environment.<\/p>\n

\"Attack
Attack Flow(Source: SilverFort)<\/em><\/figcaption><\/figure>\n

Attackers leveraging this vulnerability would naturally target the most powerful non-human identities in a network.<\/p>\n

According to Silverfort research<\/a>, organizations should proactively identify service principals with admin-level directory roles and secure them appropriately.<\/p>\n

Administrators can utilize the Azure CLI alongside jq to query the Microsoft Graph API<\/a> for these vulnerable configurations.<\/p>\n

The following script discovers service principals with privileged directory roles.<\/p>\n

BASE=\"https:\/\/graph.microsoft.com\"
roles=\"$(az rest -m GET --url \"${BASE}\/beta\/roleManagement\/directory\/roleDefinitions?$filter=isPrivileged eq true&$select=id,displayName\" -o json)\"
u=\"${BASE}\/beta\/roleManagement\/directory\/roleAssignments?$expand=principal($select=id,displayName)&$top=999\"
{
echo -e \"SP_NAMEtSP_IDtROLE\"
echo -e \"--------t------t----\"
while :; do
j=\"$(az rest -m GET --url \"$u\" -o json 2>\/dev\/null)\" || break
jq -r --argjson roles \"$roles\" '
($roles.value | map(select(.displayName|test(\"Reader\";\"i\")|not) | {key:.id, value:.displayName}) | from_entries) as $r
| .value[]
| select(.principal.\"@odata.type\"==\"#microsoft.graph.servicePrincipal\")
| select($r[.roleDefinitionId] != null)
| [.principal.displayName, (.principal.id \/\/ .principalId), $r[.roleDefinitionId]] | @tsv
' <<<\"$j\"
u=\"$(jq -r '.\"@odata.nextLink\"\/\/empty' <<<\"$j\")\"
[[ -z \"$u\" ]] && break
done | sort -t$'t' -k1,1
} | column -t -s $'t'<\/code><\/p>\n

Microsoft acknowledged the issue and deployed a fix that prevents the Agent ID Administrator role from managing the owners of non-agent service principals.<\/p>\n

\n
\n