{"id":5450,"date":"2025-07-18T10:00:29","date_gmt":"2025-07-18T10:00:29","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/07\/18\/microsoft-entra-id-vulnerability-let-attackers-escalate-privileges-to-global-admin-role\/"},"modified":"2025-07-18T10:00:29","modified_gmt":"2025-07-18T10:00:29","slug":"microsoft-entra-id-vulnerability-let-attackers-escalate-privileges-to-global-admin-role","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/07\/18\/microsoft-entra-id-vulnerability-let-attackers-escalate-privileges-to-global-admin-role\/","title":{"rendered":"Microsoft Entra ID Vulnerability Let Attackers Escalate Privileges to Global Admin Role"},"content":{"rendered":"<div>\n<p>A critical vulnerability in Microsoft Entra ID allows attackers to escalate privileges to the Global Administrator role through the exploitation of first-party applications.\u00a0<\/p>\n<p>The vulnerability, reported to the Microsoft Security Response Center (MSRC) in January 2025, affects organizations using hybrid Active Directory environments with federated domains.<\/p>\n<pre class=\"wp-block-preformatted\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\"><strong>Key Takeaways<\/strong><br><\/mark>1. Attackers with certain admin or app permissions can hijack the Office 365 Exchange Online service principal.<br>2. Attackers use the Domain.ReadWrite.All permission to add a malicious federated domain and forge SAML tokens.<br>3. 
Microsoft classified this risk as \"expected behavior\".<\/pre>\n<h2 class=\"wp-block-heading\"><strong>Microsoft Entra ID Vulnerability<\/strong><\/h2>\n<p>Security researchers at Datadog <a href=\"https:\/\/securitylabs.datadoghq.com\/articles\/i-spy-escalating-to-entra-id-global-admin\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">discovered<\/a> that service principals (SPs) assigned the Cloud Application Administrator role, Application Administrator role, or Application.ReadWrite.All permission can escalate their privileges by hijacking the built-in Office 365 Exchange Online service principal (Client ID: 00000002-0000-0ff1-ce00-000000000000).<\/p>\n<p>The vulnerability works by exploiting the Office 365 Exchange Online SP\u2019s Domain.ReadWrite.All permission to add a new federated domain to the tenant.\u00a0<\/p>\n<p>Attackers can then forge SAML tokens as any hybrid tenant user synchronized between on-premises <a href=\"https:\/\/cybersecuritynews.com\/tag\/active-directory\/\" target=\"_blank\" rel=\"noreferrer noopener\">Active Directory<\/a> (AD) and Entra ID, including users with Global Administrator privileges.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXc-W4eQT3GHCi_M6pjVrxX-vPrZD2OQoq3NRyuGzH2FTGp1T2fq8W3_c4c9GGpM3H7DMGIZ618RobAuJiKIv6yVmAE8w20aAIncBDnKyOFiq8I8TwJkUGK3h1J9-8GEufwdH9D5mQ?key=MLWHuz94ZD30kK7_LthPNQ\" alt=\"\"><figcaption class=\"wp-element-caption\">Backdooring SPs<\/figcaption><\/figure>\n<p>The attack leverages the client credentials grant flow for authentication:<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdljAJnzZLJJ6PTK9DwVQq8wXFqfyofafeM3QGtfOKG-HUhv_m6Mt1FnNN0xvCGKRLLy99yWoQx2nGLaCL7a0xy5k0s6Mn5h1x5lTRYt5PVKP6B27bLyzZ9uieuQCPRZuWM2VXU?key=MLWHuz94ZD30kK7_LthPNQ\" alt=\"\"><\/figure>\n<\/div>\n<h2 
class=\"wp-block-heading\"><strong>Federated Domain Backdoor Technique<\/strong><\/h2>\n<p>The privilege escalation follows a five-step process involving federated domain manipulation.\u00a0<\/p>\n<p>Attackers first add a malicious domain using the <a href=\"https:\/\/cybersecuritynews.com\/new-malware-exploiting-outlook-as-a-communication-channel\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Graph API<\/a> endpoint POST \/v1.0\/domains, then verify it through DNS records.\u00a0<\/p>\n<p>The critical step involves configuring federation settings via POST \/v1.0\/domains\/{domain}\/federationConfiguration with a malicious certificate:<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcCyEH5aigMUMkQ6IFIF6dLd6ShXT2YZjaF6afqqq8ZoDrFj5UcwwYtorfL3TVFBIieF5H34Hkc7wdm4ayh71KaKMW5aRpNj69Mym68Z6rg6DIe8t0CX1YCI2XDLVxK7UpyEQ00EQ?key=MLWHuz94ZD30kK7_LthPNQ\" alt=\"\"><\/figure>\n<\/div>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcafpmbe29ex4knAGJqeNaf766T4QItf89ttP6SBRKH6GXTHrPntoIVJFkIjZ1QsZcLQ9XWlskQblmaSJwrQdwB6ZHXbRxTSAOagVBlDgDkzNYBNMGxjt2Nb-O55LR_XAhlAFQjZA?key=MLWHuz94ZD30kK7_LthPNQ\" alt=\"\"><figcaption class=\"wp-element-caption\">Malicious domain appears as federated in Entra ID<\/figcaption><\/figure>\n<p>This configuration allows attackers to forge <a href=\"https:\/\/cybersecuritynews.com\/golden-saml-attack-let-attackers-gains-control\/\" target=\"_blank\" rel=\"noreferrer noopener\">SAML tokens<\/a> with MFA claims, bypassing multi-factor authentication requirements while maintaining the appearance of legitimate authentication in sign-in logs.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" 
src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXfSeRnJra-fON6e-QZvLZmC2QQjxJolDspvd0O-XMJDd2uw6894UlAF8-B-5MHX5rOe__eq46OX6y75PE2pQk6wRIXxDI2A34VGzaP07xtXwMqQdJvRlWsEDYVE3vTdpaWizGq_?key=MLWHuz94ZD30kK7_LthPNQ\" alt=\"\"><figcaption class=\"wp-element-caption\">Sign-in prompt as a Global Administrator with forged SAML token<\/figcaption><\/figure>\n<\/div>\n<h2 class=\"wp-block-heading\"><strong>Microsoft\u2019s Response\u00a0<\/strong><\/h2>\n<p>Datadog reported this vulnerability to the Microsoft Security Response Center (MSRC) on January 14, 2025, initiating a months-long disclosure process.\u00a0<\/p>\n<p>However, on May 14, 2025, MSRC concluded that this \u201cis not a security vulnerability but expected behavior of the Application Administrator role and its associated permissions\u201d.<\/p>\n<p>Microsoft\u2019s response emphasized that the scenario reflects misconfiguration rather than a security bypass, stating that Application Administrator roles inherently include the ability to manage application credentials and impersonate application identities.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/microsoft-entra-id-vulnerability-escalate-privileges\/\">Microsoft Entra ID Vulnerability Let Attackers Escalate Privileges to Global Admin Role<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<br \/>\n
<a href=\"https:\/\/cybersecuritynews.com\/microsoft-entra-id-vulnerability-escalate-privileges\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Entra ID Vulnerability Let Attackers Escalate Privileges to Global Admin Role A critical vulnerability in Microsoft Entra ID allows attackers to escalate privileges to the Global Administrator role through the exploitation of first-party applications.\u00a0 The vulnerability, reported to Microsoft Security Response Center (MSRC) in January 2025, affects organizations using hybrid Active Directory environments with [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-5450","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5450"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=5450"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5450\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=5450"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=5450"},{"taxonomy":"post_tag","embeddable":tru
e,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=5450"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}