What happened?
In September 2025, Microsoft disclosed CVE-2025-55241, a critical flaw in Entra ID (formerly Azure Active Directory) that it had already fixed on its side. Rated at the maximum severity score of 10.0, the vulnerability could have allowed an attacker to impersonate any user, including Global Administrators, in any tenant.
The flaw came from the way “Actor tokens” were handled. These are service-to-service tokens that let Microsoft’s own backend services act on behalf of users or applications. A legacy system, the Azure AD Graph API, did not validate which tenant a token had originally been issued for. As a result, an attacker could obtain a token in a tenant they controlled and present it to another organisation’s tenant, where it was accepted and granted administrator rights.1
This created the potential for complete tenant compromise. An attacker could read or change directory data, create new accounts and escalate roles, and gain control over applications and policies. Microsoft has confirmed there is no evidence the flaw was exploited before the patch.2
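The class of bug described above is a token-validation gap: a token that is genuine, unexpired and correctly signed is still the wrong token if it was issued for a different tenant than the one being accessed. The following is an added example, not Microsoft's code and not the real Actor token format. It uses a simplified HMAC-signed JWT-style token with a `tid` (tenant) claim, and a single issuer key that every tenant trusts stands in for the fact that a token legitimately obtained in the attacker's own tenant is cryptographically valid everywhere. The tenant IDs and key are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values. The single shared key stands in for an issuer that
# every tenant trusts, so a token minted in the attacker's tenant verifies
# correctly when presented to the victim. None of this is Entra ID key material.
DEMO_ISSUER_KEY = b"demo-issuer-key-not-a-real-secret"
VICTIM_TENANT = "11111111-1111-4111-8111-111111111111"     # constructed tenant ID
ATTACKER_TENANT = "22222222-2222-4222-8222-222222222222"   # constructed tenant ID


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(tid: str, sub: str, role: str, ttl: int = 3600) -> str:
    """Mint an HS256-signed JWT-style token. `tid` is the tenant it was issued in."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "demo-issuer", "tid": tid, "sub": sub, "role": role,
              "exp": int(time.time()) + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_signature_and_expiry(token: str) -> dict:
    """Checks both validators share: structure, signature and expiry. The signature is
    always recomputed with the server's key, so a header claiming alg=none is not honoured."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    expected = hmac.new(DEMO_ISSUER_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims


def authorize_vulnerable(token: str, requested_tenant: str) -> dict:
    """Vulnerable pattern: the token is genuine and unexpired, so the API acts on its
    claims without asking whether they belong to the tenant whose data is requested."""
    claims = _verify_signature_and_expiry(token)
    return {"tenant": requested_tenant, "acting_as": claims["sub"], "role": claims["role"]}


def authorize_fixed(token: str, requested_tenant: str) -> dict:
    """Hardened pattern: bind the token to the tenant being accessed."""
    claims = _verify_signature_and_expiry(token)
    if claims.get("tid") != requested_tenant:
        raise PermissionError(
            f"token issued in tenant {claims.get('tid')} presented against {requested_tenant}")
    return {"tenant": requested_tenant, "acting_as": claims["sub"], "role": claims["role"]}


def outcome(validator, token: str, requested_tenant: str) -> str:
    """Summarise a validator's decision as 'accepted as <sub>/<role>' or 'rejected: <why>'."""
    try:
        result = validator(token, requested_tenant)
    except (PermissionError, ValueError) as exc:
        return f"rejected: {exc}"
    return f"accepted as {result['acting_as']}/{result['role']}"


if __name__ == "__main__":
    # The attacker legitimately obtains an administrator token in their own tenant...
    attacker_token = issue_token(ATTACKER_TENANT, "attacker", "GlobalAdministrator")
    # ...and presents it to the victim tenant's directory API.
    print("vulnerable:", outcome(authorize_vulnerable, attacker_token, VICTIM_TENANT))
    print("fixed:     ", outcome(authorize_fixed, attacker_token, VICTIM_TENANT))
    print("own tenant:", outcome(authorize_fixed, attacker_token, ATTACKER_TENANT))
```

The point of the comparison is that signature and expiry checks pass in both versions; only the second asks whether the token belongs to the tenant named in the request. Any resource API that serves several tenants needs that binding in addition to the usual issuer, audience and signature checks.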
So what?
The vulnerability highlights how weaknesses in cloud identity systems can have global consequences. Attackers could impersonate Global Administrators, the highest-privileged role in a tenant, and controls such as multi-factor authentication and Conditional Access did not apply to these tokens. In addition, some of the request paths generated little or no logging, so abuse could leave defenders nothing to find, making detection and investigation extremely difficult.3
The incident also underscores the risks of relying on retired services. The Azure AD Graph API, central to the flaw, was officially shut down in August 2025. Organisations still depending on it need to migrate to Microsoft Graph.
Immediate actions for organisations
No patch needs to be deployed by organisations: the vulnerability was resolved on Microsoft's side. Organisations should nonetheless identify any remaining dependencies on Azure AD Graph and migrate them to Microsoft Graph. Privileged role assignments and service principals should be reviewed for unexpected or unauthorised changes, and monitoring of service accounts and token use should be strengthened to reduce the risk from similar flaws.
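Two of these actions can be scripted over data that Microsoft Graph already exposes: app registrations carry a `requiredResourceAccess` list whose `resourceAppId` identifies the resource API each permission belongs to, and the directory audit log records role assignments and service-principal credential changes. The following is an added example, not part of the original page and not a Microsoft tool. It works over constructed records in the shape of `GET /v1.0/applications` and `GET /v1.0/auditLogs/directoryAudits` responses (every name, identifier and timestamp is made up), so it runs offline; the two well-known resource application IDs are the documented ones for Azure AD Graph and Microsoft Graph. The role list and activity names used as filters are this example's choices.

```python
import json
from datetime import datetime

# Documented first-party resource application IDs in Entra ID.
AZURE_AD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"   # Azure AD Graph (legacy)
MICROSOFT_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph

# Review thresholds chosen for this example.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Privileged Authentication Administrator", "Application Administrator",
                    "Cloud Application Administrator"}
CREDENTIAL_ACTIVITIES = {"Add service principal credentials",
                         "Add app role assignment to service principal", "Consent to application"}

# Constructed sample records (shape of Microsoft Graph responses; all values made up).
SAMPLE_APPLICATIONS = [
    {"displayName": "HR Sync (legacy)", "appId": "aaaaaaaa-0000-4000-8000-000000000001",
     "requiredResourceAccess": [{"resourceAppId": AZURE_AD_GRAPH_APP_ID,
                                 "resourceAccess": [{"id": "5778995a-e1bf-45b8-affa-663a9f3f4d04", "type": "Role"}]}]},
    {"displayName": "Helpdesk Portal", "appId": "aaaaaaaa-0000-4000-8000-000000000002",
     "requiredResourceAccess": [{"resourceAppId": MICROSOFT_GRAPH_APP_ID,
                                 "resourceAccess": [{"id": "df021288-bdef-4463-88db-98f22de89214", "type": "Role"}]}]},
]
SAMPLE_AUDITS = [
    {"id": "a1", "category": "RoleManagement", "activityDisplayName": "Add member to role",
     "activityDateTime": "2025-09-05T08:12:00Z", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "it-admin@contoso.example"}, "app": None},
     "targetResources": [{"type": "User", "userPrincipalName": "newhire@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Privileged Role Administrator\""}]}]},
    {"id": "a2", "category": "RoleManagement", "activityDisplayName": "Add member to role",
     "activityDateTime": "2025-09-05T02:47:00Z", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "svc-backup@contoso.example"}, "app": None},
     "targetResources": [{"type": "User", "userPrincipalName": "svc-backup@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
    {"id": "a3", "category": "ApplicationManagement", "activityDisplayName": "Add service principal credentials",
     "activityDateTime": "2025-09-05T02:49:00Z", "result": "success",
     "initiatedBy": {"user": None, "app": {"displayName": "Unrecognised client"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "Helpdesk Portal", "modifiedProperties": []}]},
    {"id": "a4", "category": "RoleManagement", "activityDisplayName": "Add member to role",
     "activityDateTime": "2025-08-20T09:00:00Z", "result": "success",   # before the review window
     "initiatedBy": {"user": {"userPrincipalName": "svc-backup@contoso.example"}, "app": None},
     "targetResources": [{"type": "User", "userPrincipalName": "old@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
]


def _parse_time(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def find_azure_ad_graph_dependencies(applications) -> list:
    """App registrations that still request Azure AD Graph permissions (migration backlog)."""
    return [app["displayName"] for app in applications
            if any(rra.get("resourceAppId") == AZURE_AD_GRAPH_APP_ID
                   for rra in app.get("requiredResourceAccess", []))]


def _initiator(entry) -> str:
    by = entry.get("initiatedBy") or {}
    if by.get("user"):
        return by["user"].get("userPrincipalName", "unknown-user")
    if by.get("app"):
        return "app:" + by["app"].get("displayName", "unknown-app")
    return "unknown"


def _target(entry) -> str:
    first = (entry.get("targetResources") or [{}])[0]
    return first.get("userPrincipalName") or first.get("displayName") or "unknown"


def _assigned_role(entry):
    for target in entry.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName" and prop.get("newValue"):
                return json.loads(prop["newValue"])   # newValue is a JSON-encoded string
    return None


def suspicious_privilege_changes(audits, approved_initiators, since: str) -> list:
    """Every successful privileged-role assignment or service-principal credential change
    since `since`, as (audit id, initiator, description, flags). Entries from approved
    initiators are still listed (with no flags) so a human confirms them: an impersonation
    flaw makes the attacker look like a legitimate administrator in the log."""
    cutoff = _parse_time(since)
    findings = []
    for entry in audits:
        if entry.get("result") != "success" or _parse_time(entry["activityDateTime"]) < cutoff:
            continue
        who, activity = _initiator(entry), entry.get("activityDisplayName")
        if activity == "Add member to role" and _assigned_role(entry) in PRIVILEGED_ROLES:
            what = f"assigned {_assigned_role(entry)} to {_target(entry)}"
        elif activity in CREDENTIAL_ACTIVITIES:
            what = f"{activity} on {_target(entry)}"
        else:
            continue
        flags = [] if who in approved_initiators else ["initiator not on approved list"]
        if who == _target(entry):
            flags.append("self-assignment")
        findings.append((entry["id"], who, what, flags))
    return findings


if __name__ == "__main__":
    print("Still using Azure AD Graph:", find_azure_ad_graph_dependencies(SAMPLE_APPLICATIONS))
    for finding in suspicious_privilege_changes(SAMPLE_AUDITS, {"it-admin@contoso.example"},
                                                "2025-09-01T00:00:00Z"):
        print("Review:", *finding)
```

Against a live tenant the same functions take the paged results of the two Graph calls named in the lead-in. The audit review deliberately does not drop entries made by known administrators: an attacker impersonating a Global Administrator is logged as that administrator, so the initiator field is a lead to confirm with the named person, not a trust signal. Because read-only activity through the vulnerable path may not have been logged at all, an empty result is not evidence that nothing happened.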
Future threat landscape
This case reinforces two lessons for cloud identity security. First, legacy APIs create unnecessary risk and should be retired promptly. Second, strong token validation and detailed logging are essential to spot abuse.
As attackers increasingly focus on cloud identity rather than malware, flaws in token handling or misconfigurations can expose entire organisations. Moving away from outdated services and maintaining strict governance of privileged accounts will be critical to staying secure.