A critical vulnerability in Microsoft Entra ID allows attackers to escalate privileges to the Global Administrator role through the exploitation of first-party applications.
The vulnerability, reported to Microsoft Security Response Center (MSRC) in January 2025, affects organizations using hybrid Active Directory environments with federated domains.
Key Takeaways
1. Attackers with certain admin or app permissions can hijack the Office 365 Exchange Online service principal.
2. Attackers use the Domain.ReadWrite.All to add a malicious federated domain and forge SAML tokens.
3. Microsoft classified this risk as “expected behavior”.
Microsoft Entra ID Vulnerability
Security researchers at Datadog discovered that service principals (SPs) assigned the Cloud Application Administrator role, Application Administrator role, or Application.ReadWrite.All permission can escalate their privileges by hijacking the built-in Office 365 Exchange Online service principal (Client ID: 00000002-0000-0ff1-ce00-000000000000).
The vulnerability works by exploiting the Office 365 Exchange Online SP’s Domain.ReadWrite.All permission to add a new federated domain to the tenant.
Attackers can then forge SAML tokens as any hybrid tenant user synchronized between on-premises Active Directory (AD) and Entra ID, including users with Global Administrator privileges.
Backdooring SPs
The attack leverages the client credentials grant flow for authentication:
Federated Domain Backdoor Technique
The privilege escalation follows a five-step process involving federated domain manipulation.
Attackers first add a malicious domain using the Microsoft Graph API endpoint POST /v1.0/domains, then verify it through DNS records.
The critical step involves configuring federation settings via POST /v1.0/domains/{domain}/federationConfiguration with a malicious certificate:
Malicious domain appears as federated in Entra ID
This configuration allows attackers to forge SAML tokens with MFA claims, bypassing multi-factor authentication requirements while maintaining the appearance of legitimate authentication in sign-in logs.
Sign-in prompt as a Global Administrator with forged SAML token
Microsoft’s Response
Datadog reported this vulnerability to the Microsoft Security Response Center (MSRC) on January 14, 2025, initiating a months-long disclosure process.
However, on May 14, 2025, MSRC concluded that this “is not a security vulnerability but expected behavior of the Application Administrator role and its associated permissions”.
Microsoft’s response emphasized that the scenario reflects misconfiguration rather than a security bypass, stating that Application Administrator roles inherently include the ability to manage application credentials and impersonate application identities.
Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams -> Try ANY.RUN Now
The post Microsoft Entra ID Vulnerability Let Attackers Escalate Privileges to Global Admin Role appeared first on Cyber Security News.
