A severe scoping vulnerability was recently found in Microsoft Entra ID's new Agent ID platform.
The security flaw allowed users assigned the Agent ID Administrator role to hijack arbitrary service principals across an organization's tenant, leading to potential privilege escalation.
Although the administrative role was designed strictly to manage AI agent identities, a boundary breakdown allowed it to manage non-agent service principals as well. Microsoft has fully patched the vulnerability across all cloud environments.
However, the incident highlights the ongoing risks of introducing new management planes built on existing directory primitives.
When an application is registered in Microsoft Entra ID, it creates a global application object and a local service principal.
The service principal acts as the localized identity that authenticates, receives role assignments, and accesses enterprise resources.
Microsoft Entra Agent ID is a preview feature that allows organizations to govern and secure AI agents by treating them as first-class identities. The platform introduces new directory objects, such as agent identities and blueprints.
Because these AI agent identities are technically implemented as specialized service principals, they share a common foundational infrastructure with standard enterprise applications.
To manage these new AI objects, Microsoft created the Agent ID Administrator role. The documentation stated that this role was limited to agent-related objects. However, because of the shared underlying architecture between agents and applications, a critical scoping gap emerged.
Hackers Exploit Agent ID Administrator Role
Cybersecurity researchers from Silverfort discovered that accounts holding only the Agent ID Administrator role could exploit this scoping gap to take over any service principal.
The attack flow executes through a simple but devastating takeover primitive:
- Assign Unauthorized Ownership: An attacker with the Agent ID Administrator role can force themselves as the owner of any service principal, bypassing the intended agent-only restrictions.
- Generate New Credentials: Once ownership is established, the attacker can seamlessly attach a new secret or certificate to the targeted service principal.
- Authenticate and Hijack: The attacker uses the newly created credentials to authenticate as the hijacked service principal, gaining all of its associated access rights.
This process grants the attacker full control over the compromised application identity. Interestingly, the vulnerability was strictly limited to the service principal surface, as the system successfully blocked attempts to maliciously change ownership on broader application objects.
The primary danger of this vulnerability lies in severe privilege escalation. Service principals frequently serve as the digital identities behind critical CI/CD pipelines, automated workflows, and high-level security tools.
If an attacker successfully hijacks a service principal that holds powerful Microsoft Graph permissions or administrative directory roles, they immediately inherit those elevated rights.
While the Agent ID Administrator role is relatively new, nearly all enterprise tenants use highly privileged service principals.
Furthermore, the Entra user interface failed to visually flag the Agent ID Administrator role as privileged, potentially misleading IT administrators into assigning it without adequate security scrutiny.
Following responsible disclosure in February 2026, Microsoft confirmed the flaw and successfully deployed a comprehensive fix by April 9, 2026.
The Agent ID Administrator role is now permanently blocked from modifying the owners of non-agent service principals.
To maintain robust security, organizations must actively monitor sensitive role usage and alert security teams to any unexpected changes in service principal ownership.
Privileged service principals must be treated as critical infrastructure and require continuous auditing of any newly created credentials.
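The monitoring recommended above can be expressed as a correlation rule: flag any credential added to a service principal by an identity that became its owner shortly before. The following is an added example, not code from Microsoft or Silverfort; the event field names are hypothetical, the sample events are constructed, and the two activity names are assumed to match your tenant's Entra audit log.

```python
from datetime import datetime, timedelta

# Assumed audit activity names; confirm against your tenant's Entra audit log.
OWNER_ADDED = "Add owner to service principal"
CRED_ADDED = "Add service principal credentials"

# Constructed sample events in a simplified, hypothetical shape (not a real export).
SAMPLE_EVENTS = [
    {"time": "2026-03-01T09:00:00", "activity": CRED_ADDED,
     "actor": "svc-admin@example.com", "target_sp": "sp-backup"},
    {"time": "2026-03-01T10:00:00", "activity": OWNER_ADDED,
     "actor": "agent-admin@example.com", "new_owner": "agent-admin@example.com",
     "target_sp": "sp-ci-pipeline"},
    {"time": "2026-03-01T10:05:00", "activity": CRED_ADDED,
     "actor": "agent-admin@example.com", "target_sp": "sp-ci-pipeline"},
    {"time": "2026-03-01T11:00:00", "activity": OWNER_ADDED,
     "actor": "helpdesk@example.com", "new_owner": "dev@example.com",
     "target_sp": "sp-reporting"},
    {"time": "2026-03-03T12:00:00", "activity": CRED_ADDED,
     "actor": "dev@example.com", "target_sp": "sp-reporting"},
]

def find_owner_then_credential(events, window=timedelta(hours=24)):
    """Flag credentials added to a service principal by an identity that
    became its owner no more than `window` earlier."""
    granted = {}   # (owner, service principal) -> (time granted, self-assigned?)
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        ts = datetime.fromisoformat(ev["time"])
        key = (ev.get("new_owner", ev["actor"]), ev["target_sp"])
        if ev["activity"] == OWNER_ADDED:
            granted[key] = (ts, ev["actor"] == ev["new_owner"])
        elif ev["activity"] == CRED_ADDED and key in granted:
            owner_ts, self_assigned = granted[key]
            if ts - owner_ts <= window:
                findings.append({
                    "actor": ev["actor"],
                    "target_sp": ev["target_sp"],
                    "self_assigned_owner": self_assigned,
                    "minutes_after_ownership": int((ts - owner_ts).total_seconds() // 60),
                })
    return findings

if __name__ == "__main__":
    for finding in find_owner_then_credential(SAMPLE_EVENTS):
        print(finding)
```

A self-assigned owner followed within minutes by a new credential is the highest-priority match; credentials added by long-standing owners produce no finding.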