Actor auth tokens gave Global Admin access across Azure Entra ID tenants


Legacy authentication bypassed modern security controls and logging.

A Dutch security researcher has published an in-depth analysis of a critical vulnerability that could have allowed attackers to compromise every Microsoft Entra ID tenant worldwide through a fundamental flaw in legacy authentication token handling.


Dirk-jan Mollema said he discovered the serious flaw in July this year, describing it as "the most impactful Entra ID vulnerability that I will probably ever find."

Microsoft has patched the two-pronged vulnerability, which comprised undocumented impersonation tokens used by the company for backend service-to-service communications, and a flaw in the legacy Azure Active Directory Graph application programming interface (API).

The latter failed to properly validate originating tenants, Mollema said, which allowed the Actor tokens to be used for cross-tenant access.

"Effectively this means that with a token I requested in my lab tenant I could authenticate as any user, including Global Admins, in any other tenant," Mollema said.

Global Admins are the most privileged superuser accounts for Entra ID tenants.

Actor tokens are issued by the 2010-era Access Control Service, which was retired in 2018.

ACS was part of the early Windows Azure platform, acting as a federated identity broker for cloud developer use.

Mollema said ACS seems to be used internally by Microsoft, for authentication with SharePoint applications.

The impersonation Actor tokens were not covered by security policies such as Conditional Access, meaning there was no way to mitigate the vulnerability for hardened tenants, Mollema found.

"Since the Azure AD Graph API is an older API for managing the core Azure AD / Entra ID service, access to this API could have been used to make any modification in the tenant that Global Admins can do, including taking over or creating new identities and granting them any permission in the tenant," Mollema added.

Furthermore, the Azure AD Graph API is a legacy interface that lacks comprehensive audit logging that would typically alert administrators to suspicious activity.

"With these compromised identities the access could also be extended to Microsoft 365 and Azure," Mollema said.

"In my personal opinion, this whole Actor token design is something that never should have existed."

He said the tokens are unsigned and could be used to impersonate anyone against the requested target service for 24 hours, during which time they couldn't be revoked.

Mollema said he stumbled upon the powerful impersonation tokens while investigating hybrid Exchange setups for his research into Azure attacks.

This invisible access extended to user information, group memberships, tenant settings, application permissions, and device data including BitLocker keys.

Perhaps most concerning was the vulnerability's potential for exponential propagation across organisations.

Organisations routinely invite external users through Azure business-to-business guest accounts, creating trust relationships between tenants.

An attacker could exploit these relationships to hop between organisations by reading guest users' network identifiers and using them to impersonate victims in their home tenants.

"The information needed to compromise the majority of all tenants worldwide could have been gathered within minutes using a single Actor token," Mollema noted.

Mollema runs Outsider Security, a consultancy that specialises in Active Directory/Entra ID and cloud identity research, which he has presented at the DEF CON and Black Hat conferences.

Copyright © iTnews.com.au . All rights reserved.