
Microsoft Fixed Entra ID Vulnerability Allowing Global Admin Impersonation


Microsoft patched an Entra ID vulnerability that let attackers impersonate Global Admins across tenants, risking full Microsoft 365 and Azure takeover.

Microsoft has addressed a critical security vulnerability in Azure Entra ID, tracked as CVE-2025-55241, that was initially described as a low-impact privilege escalation bug. Security research later revealed the flaw was far more severe, allowing attackers to impersonate any user, including Global Administrators.

The vulnerability was originally identified by cybersecurity researcher Dirk-Jan Mollema while preparing for Black Hat and DEF CON presentations earlier this year. His findings showed that undocumented “Actor tokens,” combined with a validation failure in the legacy Azure AD Graph API, could be abused to impersonate any user in any Entra ID tenant, even a Global Administrator.

This meant a token generated in one lab tenant could grant administrative control over others, with no alerts or logs if only reading data, and limited traces if modifications ...


Copyright of this story solely belongs to hackread.com.