
Microsoft fixes Entra ID global admin impersonation flaw

Posted on 8 October 2025

What happened? 

In September 2025, Microsoft published CVE-2025-55241, a critical elevation-of-privilege flaw in Entra ID (formerly Azure Active Directory) that it had already fixed on the service side, so no customer patch was needed. The vulnerability, rated the maximum CVSS score of 10.0, could have allowed an attacker to impersonate any user, including Global Administrators, in any tenant. 

The flaw lay in how "Actor tokens" were handled. These are internal tokens that let Microsoft services act on behalf of users or applications. A legacy API, the Azure AD Graph API, did not validate which tenant such a token had been issued for. An attacker could therefore obtain an Actor token in a tenant they controlled and present it to another organisation's tenant, where it was accepted as if it belonged to one of that tenant's administrators. 

The potential impact was complete tenant compromise: an attacker could read or change directory data, create new accounts and escalate their roles, and take control of applications and policies. Microsoft has stated that it found no evidence the flaw was exploited before it was fixed.

So what? 

The vulnerability highlights how a weakness in a cloud identity system can have global consequences. An attacker could impersonate Global Administrators, the highest-privileged accounts in a tenant, while controls such as multi-factor authentication and Conditional Access did not apply to these tokens at all. In addition, Actor-token issuance and Azure AD Graph requests generated little or no logging in the victim tenant, making detection and investigation extremely difficult.

The incident also underscores the risks of relying on retired services. The Azure AD Graph API, central to the flaw, was officially shut down in August 2025. Organisations still depending on it need to migrate to Microsoft Graph. 

Immediate actions for organisations 

No patching is required from customers, because Microsoft resolved the vulnerability in its own service. Organisations should nonetheless identify any remaining dependencies on Azure AD Graph and migrate them to Microsoft Graph. Privileged role assignments and service principals should be reviewed for unexpected or unauthorised changes, bearing in mind that the impersonation itself may have left no trace and that any persistence an attacker created (new accounts, new role assignments, new application credentials) is what the audit log would show. Organisations should also strengthen monitoring of service accounts and tokens to reduce risk. 
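The following PowerShell is an added example of the two review steps above, not code from the original article or from Microsoft. It uses the Microsoft Graph PowerShell SDK and assumes the caller has the Application.Read.All, AuditLog.Read.All and Directory.Read.All permissions; the Azure AD Graph resource app ID (00000002-0000-0000-c000-000000000000) and the audit activity names are the well-known Microsoft values, and the list of roles treated as high value is the author's choice.

```powershell
# Added example (not from the page): post-CVE-2025-55241 review checks.
# Requires: Install-Module Microsoft.Graph ; scopes listed in Connect-MgGraph.
# Assumption: 00000002-0000-0000-c000-000000000000 is the Azure AD Graph resource
# app ID (Microsoft Graph is 00000003-0000-0000-c000-000000000000).
$AzureAdGraphAppId = '00000002-0000-0000-c000-000000000000'

# Roles whose assignment is worth a manual look (author's selection, not exhaustive).
$HighValueRoles = @('Global Administrator', 'Privileged Role Administrator',
                    'Application Administrator', 'Cloud Application Administrator')

Connect-MgGraph -Scopes 'Application.Read.All', 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# Step 1: app registrations that still request Azure AD Graph permissions.
# Each hit is a dependency that must move to Microsoft Graph.
function Find-AzureAdGraphDependency {
    Get-MgApplication -All -Property Id, DisplayName, AppId, RequiredResourceAccess |
        ForEach-Object {
            $legacy = $_.RequiredResourceAccess | Where-Object { $_.ResourceAppId -eq $AzureAdGraphAppId }
            if ($legacy) {
                [pscustomobject]@{
                    DisplayName       = $_.DisplayName
                    AppId             = $_.AppId
                    # Permission IDs as registered; Type is 'Scope' (delegated) or 'Role' (application).
                    LegacyPermissions = ($legacy.ResourceAccess | ForEach-Object { "$($_.Id) ($($_.Type))" }) -join ', '
                }
            }
        }
}

# Step 2: privileged-role assignments in the directory audit log.
# Note: this finds persistence an attacker created, not the impersonation itself,
# which the article says left little or no logging.
function Get-PrivilegedRoleChange {
    param([int]$Days = 90)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since and category eq 'RoleManagement'" |
        Where-Object { $_.ActivityDisplayName -in @('Add member to role', 'Add eligible member to role') } |
        ForEach-Object {
            # Who made the change: an interactive user or an application/service principal.
            $initiator = if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName }
                         elseif ($_.InitiatedBy.App.DisplayName)     { "app:$($_.InitiatedBy.App.DisplayName)" }
                         else                                         { '<unknown>' }
            # The role name is carried in the target's modified properties as a quoted string.
            $roleProp = $_.TargetResources.ModifiedProperties | Where-Object { $_.DisplayName -eq 'Role.DisplayName' } | Select-Object -First 1
            $role     = if ($roleProp) { $roleProp.NewValue.Trim('"') } else { '<unknown role>' }
            $member   = $_.TargetResources | Select-Object -First 1
            [pscustomobject]@{
                When      = $_.ActivityDateTime
                Activity  = $_.ActivityDisplayName
                Initiator = $initiator
                Role      = $role
                Member    = if ($member.UserPrincipalName) { $member.UserPrincipalName } else { $member.DisplayName }
                # Flag high-value roles and any change made by an application rather than a person.
                Review    = ($role -in $HighValueRoles) -or $initiator.StartsWith('app:')
            }
        }
}

Find-AzureAdGraphDependency | Format-Table -AutoSize
Get-PrivilegedRoleChange -Days 90 | Where-Object Review | Sort-Object When | Format-Table -AutoSize
```

Run it from an account that can read the audit log; any row with Review set, or any initiator you do not recognise, should be traced back to a change ticket before it is accepted. Extend the window with -Days if the tenant's audit retention allows, since the flaw was fixed before it was publicly disclosed.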

Future threat landscape 

This case reinforces two lessons for cloud identity security. First, legacy APIs create unnecessary risk and should be retired promptly, both by the provider and by the customers still calling them. Second, strict token validation (including checking which tenant a token was issued for) and detailed logging are essential if abuse is to be spotted at all. 

As attackers increasingly focus on cloud identity rather than malware, flaws in token handling or misconfigurations can expose entire organisations. Moving away from outdated services and maintaining strict governance of privileged accounts will be critical to staying secure. 
