Microsoft Entra Agent ID Flaw Enabled Tenant Takeover via Privilege Escalation
Microsoft Entra Agent ID flaw enabled privilege escalation and tenant takeover via Service Principal abuse.
Summary
Silverfort researchers discovered a critical vulnerability in Microsoft Entra Agent ID that allowed privilege escalation and tenant takeover through Service Principal abuse. The Agent ID Administrator role had overly broad permissions, enabling attackers to modify non-agent Service Principals, inject credentials, and gain full tenant control. Microsoft patched the vulnerability on April 9, 2026, restricting the role from managing owners of regular Service Principals.
Full text
by Deeba Ahmed, April 26, 2026

Cybersecurity researchers at the identity protection firm Silverfort found a vulnerability in a Microsoft platform built to manage AI agents. The issue involved Microsoft Entra Agent ID, an identity and authorisation framework that gives AI agents their own identities. These identities let agents sign in to systems and access resources just as human users do. To manage this environment, Microsoft created a dedicated directory role, the Agent ID Administrator.

The Attack Chain

Silverfort researchers Noa Ariel and Yoav S found that this directory role had a dangerous scope gap. It was meant to handle agent-related objects such as Blueprints and Agent Identities, but in practice it could modify nearly any Application Service Principal in the tenant.

A Service Principal is the directory identity of a piece of software, a digital ID card for an app. A Service Principal takeover is identity theft for apps: whoever becomes an owner of that identity can add their own secret and sign in as it. Because these identities often hold high-level permissions to move data or change settings, stealing one lets an attacker control the environment while blending in as a legitimate application.

During an attack, a user holding the Agent ID Administrator role first enumerates the tenant with the Microsoft Graph API or the Azure CLI, looking for Service Principals with high-impact Graph application permissions such as RoleManagement.ReadWrite.Directory. The attacker then uses the role to add themselves as an owner of a non-agent Service Principal. This worked because the role's permission to update owners was not restricted to agent-backed objects.
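The enumeration step above, as an added example that is not Silverfort's or Microsoft's code: given service principal objects and their app-role assignments in the shape Microsoft Graph returns them, it resolves each assignment on the Microsoft Graph resource to a permission name and reports the non-agent Application service principals holding any high-impact permission. All identifiers and objects below are constructed sample data; the app-role GUIDs are placeholders, and how agent identities are told apart (here, a caller-supplied set of object ids) is an assumption, since the article does not say.

```python
"""Find non-agent service principals that hold high-impact Microsoft Graph
application permissions, i.e. the targets an Agent ID Administrator would
have looked for before the April 2026 fix.

Added example, not Silverfort's or Microsoft's code. Runs offline on
constructed data shaped like Microsoft Graph responses to
GET /servicePrincipals and GET /servicePrincipals/{id}/appRoleAssignments;
in a real tenant you would page through those endpoints (az rest, the Graph
SDK, or PowerShell) and pass the results to find_privileged_targets().
"""

# Graph application permissions from which a holder can reach Global
# Administrator (assign directory roles, grant app roles, or re-credential
# other apps). RoleManagement.ReadWrite.Directory is the one the article
# names; the others are well-known equivalents.
HIGH_IMPACT_GRAPH_PERMISSIONS = {
    "RoleManagement.ReadWrite.Directory",
    "AppRoleAssignment.ReadWrite.All",
    "Application.ReadWrite.All",
    "Directory.ReadWrite.All",
}

# Constructed catalogue of appRoleId -> permission value. In a real tenant this
# is the `appRoles` collection of the Microsoft Graph resource service principal
# (appId 00000003-0000-0000-c000-000000000000); the GUIDs here are placeholders.
GRAPH_RESOURCE_SP_ID = "00000000-graph-resource-sp"   # placeholder object id
GRAPH_APP_ROLES = {
    "aaaaaaaa-0000-0000-0000-000000000001": "RoleManagement.ReadWrite.Directory",
    "aaaaaaaa-0000-0000-0000-000000000002": "User.Read.All",
    "aaaaaaaa-0000-0000-0000-000000000003": "Application.ReadWrite.All",
    "aaaaaaaa-0000-0000-0000-000000000004": "Mail.Read",
}


def _assignment(role_id):
    return {"resourceId": GRAPH_RESOURCE_SP_ID, "appRoleId": role_id}


# Constructed sample tenant.
SAMPLE_SERVICE_PRINCIPALS = [
    {   # privileged automation account: the kind of target the attack needs
        "id": "sp-backup-sync", "displayName": "backup-sync",
        "servicePrincipalType": "Application",
        "appRoleAssignments": [_assignment("aaaaaaaa-0000-0000-0000-000000000001"),
                               _assignment("aaaaaaaa-0000-0000-0000-000000000004")],
    },
    {   # read-only reporting app: owning it gains little
        "id": "sp-hr-reporting", "displayName": "hr-reporting",
        "servicePrincipalType": "Application",
        "appRoleAssignments": [_assignment("aaaaaaaa-0000-0000-0000-000000000002")],
    },
    {   # agent identity: legitimately in the role's scope, so not part of the gap
        "id": "sp-helpdesk-agent", "displayName": "helpdesk-agent",
        "servicePrincipalType": "Application",
        "appRoleAssignments": [_assignment("aaaaaaaa-0000-0000-0000-000000000003")],
    },
    {   # managed identity: not an Application SP, so outside the described scope gap
        "id": "sp-vm-identity", "displayName": "vm-identity",
        "servicePrincipalType": "ManagedIdentity",
        "appRoleAssignments": [_assignment("aaaaaaaa-0000-0000-0000-000000000003")],
    },
]


def graph_permissions(sp, roles_catalog=GRAPH_APP_ROLES, graph_sp_id=GRAPH_RESOURCE_SP_ID):
    """Resolve an SP's app-role assignments on Microsoft Graph to permission names."""
    return {
        roles_catalog.get(a["appRoleId"], a["appRoleId"])
        for a in sp.get("appRoleAssignments", [])
        if a.get("resourceId") == graph_sp_id
    }


def find_privileged_targets(sps, agent_sp_ids, high_impact=HIGH_IMPACT_GRAPH_PERMISSIONS,
                            roles_catalog=GRAPH_APP_ROLES, graph_sp_id=GRAPH_RESOURCE_SP_ID):
    """Return non-agent Application SPs that hold any high-impact Graph permission.

    agent_sp_ids: object ids of the tenant's agent identities (assumed to come
    from your Agent ID inventory; the article does not say how to tell them apart).
    """
    targets = []
    for sp in sps:
        if sp["id"] in agent_sp_ids or sp.get("servicePrincipalType") != "Application":
            continue
        hits = graph_permissions(sp, roles_catalog, graph_sp_id) & high_impact
        if hits:
            targets.append({"id": sp["id"], "displayName": sp["displayName"],
                            "permissions": sorted(hits)})
    return sorted(targets, key=lambda t: t["displayName"])


if __name__ == "__main__":
    for t in find_privileged_targets(SAMPLE_SERVICE_PRINCIPALS, {"sp-helpdesk-agent"}):
        print(f"{t['displayName']} ({t['id']}): {', '.join(t['permissions'])}")
```

Run defensively, the same list is the set of service principals whose owner lists and credentials deserve the tightest monitoring, because each of them is one owner addition away from a tenant-wide compromise.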
After becoming an owner, the attacker performs credential injection by adding a new password or certificate to that Service Principal, then authenticates as it. The researchers noted in the blog post shared with Hackread.com that “ownership is a takeover primitive”: becoming an owner is enough to assume the identity of the account entirely. The technique is a privilege escalation that ends in total control of the tenant. To prove the risk, the researchers recorded a demo in which an Agent ID Administrator hijacked a Global Administrator account; signing in with the stolen credentials gave them full control over the tenant.

Security Impact

The exposure was widespread. About 99% of business environments have at least one privileged Service Principal. While the Agent ID Administrator role is relatively new, over half of the companies studied already use agent identities, and some run more than 100 active agents, so the security boundary of the role simply did not match its actual power.

Silverfort discovered the flaw on 24 February 2026 and reported it to the Microsoft Security Response Center (MSRC) on 1 March. Microsoft confirmed the vulnerability on 26 March, and by 9 April a full fix had been rolled out to all cloud environments, blocking the Agent ID Administrator role from managing owners of regular, non-agent Service Principals. Organisations are urged to check their Entra audit logs (the AuditLogs table in Log Analytics) for changes to Service Principal ownership or the creation of new secrets or certificates on sensitive Service Principals.
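The audit-log check recommended above, as an added example that is not Silverfort's or Microsoft's code. It looks for the two-step sequence the attack chain leaves behind (an owner added to a service principal, then a credential added to the same service principal by the same actor within a time window) and, separately, lists every ownership or credential change on a named set of sensitive service principals. The log entries are constructed samples in the shape of Microsoft Graph directoryAudits results; the activity name strings are the ones Entra uses for these operations to the best of my knowledge and should be confirmed against your own tenant before being turned into an alert.

```python
"""Hunt the Service Principal takeover sequence in Entra ID audit logs:
an owner added to a service principal, followed by a credential added to
the same service principal by the same actor shortly afterwards.

Added example, not Silverfort's or Microsoft's code. The entries below are
constructed samples shaped like Microsoft Graph GET /auditLogs/directoryAudits
results with fields trimmed. The activity names are assumed; verify them in
your tenant.
"""
from datetime import datetime, timedelta

OWNER_ADDED = "Add owner to service principal"        # assumed activity name
CREDENTIAL_ADDED = "Add service principal credentials"  # assumed activity name


def _entry(ts, activity, upn, sp_id, sp_name, extra_targets=()):
    """Build one constructed audit record."""
    return {
        "activityDateTime": ts,
        "activityDisplayName": activity,
        "category": "ApplicationManagement",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": upn}},
        "targetResources": [{"id": sp_id, "displayName": sp_name, "type": "ServicePrincipal"},
                            *extra_targets],
    }


SAMPLE_AUDIT_LOGS = [
    # Attacker holding Agent ID Administrator takes ownership, then injects a secret.
    _entry("2026-03-02T09:14:05Z", OWNER_ADDED, "agentadmin@contoso.example",
           "sp-backup-sync", "backup-sync",
           [{"id": "user-agentadmin", "displayName": "agentadmin", "type": "User"}]),
    _entry("2026-03-02T09:17:41Z", CREDENTIAL_ADDED, "agentadmin@contoso.example",
           "sp-backup-sync", "backup-sync"),
    # Routine: a developer adds a colleague as owner; no credential follows.
    _entry("2026-03-02T10:02:00Z", OWNER_ADDED, "dev1@contoso.example",
           "sp-hr-reporting", "hr-reporting",
           [{"id": "user-dev2", "displayName": "dev2", "type": "User"}]),
    # Routine: scheduled secret rotation by an existing owner.
    _entry("2026-03-02T11:30:00Z", CREDENTIAL_ADDED, "rotation@contoso.example",
           "sp-ci-deploy", "ci-deploy"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def actor_of(entry):
    """Who performed the operation: a user UPN, else an app display name."""
    by = entry.get("initiatedBy", {})
    return ((by.get("user") or {}).get("userPrincipalName")
            or (by.get("app") or {}).get("displayName") or "unknown")


def sp_targets(entry):
    # Owner-add records list both the SP and the new owner (a User); keep the SP.
    return [t for t in entry.get("targetResources", []) if t.get("type") == "ServicePrincipal"]


def find_takeover_chains(entries, window=timedelta(hours=24)):
    """One record per (actor, SP) where an owner add was followed by a credential
    add by the same actor within `window`."""
    owner_added_at = {}
    chains = []
    for e in sorted(entries, key=lambda e: e["activityDateTime"]):
        if e.get("result") not in (None, "success"):
            continue                       # failed attempts are worth a separate alert
        name, when = e["activityDisplayName"], _ts(e["activityDateTime"])
        for sp in sp_targets(e):
            key = (actor_of(e), sp["id"])
            if name == OWNER_ADDED:
                owner_added_at[key] = when
            elif (name == CREDENTIAL_ADDED and key in owner_added_at
                  and when - owner_added_at[key] <= window):
                chains.append({"actor": key[0], "servicePrincipal": sp["displayName"],
                               "ownerAddedAt": owner_added_at[key].isoformat(),
                               "credentialAddedAt": when.isoformat()})
    return chains


def sensitive_changes(entries, sensitive_sp_ids):
    """Every owner or credential change touching a sensitive SP, whatever the order."""
    return [
        (e["activityDateTime"], e["activityDisplayName"], actor_of(e), sp["id"])
        for e in entries
        for sp in sp_targets(e)
        if e["activityDisplayName"] in (OWNER_ADDED, CREDENTIAL_ADDED)
        and sp["id"] in sensitive_sp_ids
    ]


if __name__ == "__main__":
    for c in find_takeover_chains(SAMPLE_AUDIT_LOGS):
        print("possible takeover:", c)
    for row in sensitive_changes(SAMPLE_AUDIT_LOGS, {"sp-backup-sync"}):
        print("sensitive change:", row)
```

In Log Analytics the same records sit in the AuditLogs table with the activity name in OperationName and the actor and targets in InitiatedBy and TargetResources, so the two functions translate directly into a KQL join on actor and target id. The sequence check catches the attack pattern; the sensitive-SP listing is the broader review the article recommends and will also surface a single owner addition that has not yet been followed by a credential.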