How Microsoft’s Entra ID Nearly Broke Itself

Hayden Kirk
October 15, 2025

Identity systems are the glue that holds cloud security together. We assume they just work. Recently, Microsoft’s Entra ID came dangerously close to proving that assumption wrong. A flaw was uncovered that could have let attackers take over almost any tenant in Microsoft’s cloud. That means Azure, Microsoft 365, Exchange, SharePoint – all up for grabs. It was that bad.

Here’s what happened, what was fixed, and what you need to check right now.

What went wrong

A researcher discovered two connected issues in Entra ID that, when combined, could allow an attacker to impersonate any user in any tenant, including global admins. The problem came down to:

  • Actor tokens: an internal Microsoft mechanism intended only for service-to-service use.
  • Legacy API checks: Microsoft’s older identity API (the legacy Azure AD Graph) didn’t properly validate which tenant a token had been issued in.

When linked together, this meant an attacker could create a token in a test or trial tenant and then use it to impersonate admins in another tenant. Once inside, they could change configurations, create new admin accounts, and access sensitive data. To make things worse, normal controls like MFA and logging could be bypassed or left blind.

How Microsoft fixed it

Microsoft was told about the issue mid-July and pushed a global fix within days. Additional protections were rolled out in August, particularly around retiring or restricting legacy APIs. According to Microsoft, there’s no evidence this flaw was ever exploited in the wild. But if it had been, the impact could have been catastrophic.

Why this was especially dangerous

This wasn’t just a coding bug. It was a combination of old design decisions, legacy systems that hadn’t been fully retired, and weak logging in some places. The result was an attack path that could have scaled from a low-privilege tenant to global compromise without being noticed.

What your MSP should be doing

Your MSP should have the following checklist:

  1. Audit old APIs
    Make sure nothing in your environment is still tied to the legacy Azure AD Graph API. Migrate to modern endpoints where possible. Lingering dependencies usually trace back to enterprise applications that were never cleaned up in Entra.
  2. Review roles and privileges
    Keep the number of global admins to the bare minimum. Apply least privilege and audit who has what. This is something MSPs should be doing out of the box.
  3. Check your logging and detection
    Look for unusual admin creation, odd configuration changes, or strange app behaviour. Use enhanced monitoring where you can. A SIEM and other tools like our Todyl platform help with this.
  4. Plan for identity compromise
    Have recovery processes in place. If identity is compromised, it’s often game over unless you’ve planned ahead.
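A starting point for checklist item 3, added here as an example and not part of the original post or of any Layer3 or Microsoft tooling: detection logic run over constructed Entra audit records (shaped after Microsoft Graph directoryAudit objects; the role list, the approved-assigner allowlist, the time window and all UPNs are assumptions) that flags privileged-role grants by unapproved initiators, grants to accounts created minutes earlier, and grants with no attributable initiator.

```python
import json
from datetime import datetime, timedelta

# Assumed policy: roles that always warrant review, the only identities expected to
# assign them (e.g. a PIM/automation account), and the create-then-promote window.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
APPROVED_ASSIGNERS = {"pim-automation@contoso.example"}
NEW_ACCOUNT_WINDOW = timedelta(hours=1)

# Builds a constructed audit record shaped after a Graph directoryAudit object.
def _record(when, activity, actor, target, role=None):
    props = [{"displayName": "Role.DisplayName", "newValue": json.dumps(role)}] if role else []
    return {"activityDateTime": when, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": actor} if actor else None},
            "targetResources": [{"type": "User", "userPrincipalName": target,
                                 "modifiedProperties": props}]}

# Constructed sample: a helpdesk user creates an account and promotes it minutes later,
# a grant arrives with no attributable initiator, and approved automation does its job.
SAMPLE_AUDIT = [
    _record("2025-08-01T09:00:00Z", "Add user", "helpdesk@contoso.example", "svc-backup@contoso.example"),
    _record("2025-08-01T09:04:00Z", "Add member to role", "helpdesk@contoso.example", "svc-backup@contoso.example", "Global Administrator"),
    _record("2025-08-01T09:30:00Z", "Add member to role", None, "bob@contoso.example", "Global Administrator"),
    _record("2025-08-01T10:00:00Z", "Add member to role", "pim-automation@contoso.example", "alice@contoso.example", "Global Administrator"),
]

def _when(rec):
    return datetime.strptime(rec["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def _granted_role(rec):
    props = [p for t in rec["targetResources"] for p in t["modifiedProperties"]
             if p["displayName"] == "Role.DisplayName"]
    return json.loads(props[0]["newValue"]) if props else None  # newValue is a JSON string

def find_suspicious_role_grants(records):
    """Return (severity, target UPN, reason) for privileged-role grants that need review."""
    created, findings = {}, []  # creation times, to spot brand-new accounts being promoted
    for rec in sorted(records, key=_when):
        target = rec["targetResources"][0]["userPrincipalName"]
        if rec["activityDisplayName"] == "Add user":
            created[target] = _when(rec)
            continue
        role = _granted_role(rec)
        if rec["activityDisplayName"] != "Add member to role" or role not in PRIVILEGED_ROLES:
            continue
        actor = (rec["initiatedBy"].get("user") or {}).get("userPrincipalName")
        if actor is None:  # no initiator recorded: the "logging left blind" case
            findings.append(("high", target, f"{role} granted with no attributable initiator"))
        elif _when(rec) - created.get(target, datetime.min) <= NEW_ACCOUNT_WINDOW:
            findings.append(("high", target, f"account created then given {role} by {actor}"))
        elif actor not in APPROVED_ASSIGNERS:
            findings.append(("medium", target, f"{role} granted by unapproved {actor}"))
    return findings
```

Feed it the records exported from the Entra audit log and route "high" findings straight to your SIEM.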

The bigger picture

The lesson here is simple: legacy creates risk. Old systems and hidden features are often the weakest links in cloud security. Zero trust means nothing if a forgotten internal mechanism can bypass it all. Logging and visibility are critical. And retiring outdated systems is just as important as rolling out new defences.

Final Thought

This was a near miss. Microsoft patched it, but it’s a reminder of how fragile identity systems can be. If you rely on Entra ID – and let’s face it, most of us do – now is the time to double-check your environment. Because the next time, we might not be so lucky.

Layer3 is an ISO 27001 certified MSP in Wellington with offices across New Zealand. Get strategy-first IT, security and managed support from Layer3.
© 2025 Copyright Layer3.