nOAuth Lives on in Cloud App Logins Using Entra ID
Hackers Can Use Unverified Email to Log onto SaaS Apps With Entra ID
bankinfosecurity, David Perera (@daveperera) • June 25, 2025

A flaw in a Microsoft single sign-on feature that allows cloud app account takeovers, discovered in 2023, never really went away, say researchers, notwithstanding the computing giant's claim that it fixed the vulnerability, known as nOAuth, almost immediately.
The flaw allows hackers to log into apps that accept Microsoft Entra ID for single sign-on. In the attack, hackers set up an Entra ID account and later reconfigure its email identifier to the email address of a victim. The attack isn't sophisticated, involving a few minutes' worth of modifying an attacker-controlled Entra ID account. It takes advantage of software-as-a-service apps that accept unverified emails as an Entra ID identifier.
It turns out a lot of SaaS services ...
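The weakness the article describes lives in the application's account-linking step: the app reads the `email` claim from an Entra ID token and treats it as the user's identity, even though that claim is attacker-editable and not verified by the identity provider. The following is an added example, not code from the article or from Microsoft, showing a vulnerable linking routine beside a hardened one that keys identity on the tenant and object identifiers (`tid`, `oid`) instead and only auto-links by email when the token carries Microsoft's `xms_edov` (email domain owner verified) claim. The token payloads are constructed dictionaries standing in for already signature-verified ID tokens; the user store, identifiers and email addresses are hypothetical.

```python
# Added illustration of nOAuth-style account linking (vulnerable vs hardened).
# Not from the article or Microsoft. All identifiers and emails are constructed.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class LocalUser:
    user_id: str
    email: str
    # Immutable link recorded at first sign-in: (tenant id, object id)
    entra_link: Optional[Tuple[str, str]] = None


@dataclass
class UserStore:
    users: List[LocalUser] = field(default_factory=list)

    def by_email(self, email: str) -> Optional[LocalUser]:
        return next((u for u in self.users if u.email.lower() == email.lower()), None)

    def by_link(self, tid: str, oid: str) -> Optional[LocalUser]:
        return next((u for u in self.users if u.entra_link == (tid, oid)), None)


class LoginRejected(Exception):
    pass


def vulnerable_login(store: UserStore, claims: dict) -> Optional[LocalUser]:
    """The nOAuth pattern: the unverified 'email' claim is treated as the identity.
    Whoever can put the victim's address in their own tenant's account wins."""
    return store.by_email(claims["email"])


def hardened_login(store: UserStore, claims: dict) -> LocalUser:
    """Key identity on the (tid, oid) pair, which the attacker cannot choose.
    Bare email is never enough to link to an existing local account."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        raise LoginRejected("token lacks tid/oid claims")
    user = store.by_link(tid, oid)
    if user is not None:
        return user
    # First sign-in for this Entra identity. Auto-link to a pre-existing local
    # account only if the IdP asserts the email domain is verified (xms_edov)
    # and that local account is not already bound to another Entra identity.
    email = claims.get("email")
    if email and claims.get("xms_edov") is True:
        existing = store.by_email(email)
        if existing is not None and existing.entra_link is None:
            existing.entra_link = (tid, oid)
            return existing
    raise LoginRejected("no linked account; require an explicit, verified linking flow")


def demo() -> dict:
    """Run both routines against a constructed victim account and two tokens."""
    victim = LocalUser("victim-1", "victim@example.com",
                       entra_link=("victim-tenant", "victim-oid"))
    store = UserStore([victim])

    # Constructed token from the victim's own tenant (legitimate sign-in).
    legit_token = {"tid": "victim-tenant", "oid": "victim-oid",
                   "email": "victim@example.com", "xms_edov": True}
    # Constructed token from an attacker-controlled tenant whose account's
    # email attribute was edited to the victim's address; no xms_edov claim.
    attacker_token = {"tid": "attacker-tenant", "oid": "attacker-oid",
                      "email": "victim@example.com"}

    outcome = {
        "vulnerable": vulnerable_login(store, attacker_token).user_id,
        "legit": hardened_login(store, legit_token).user_id,
    }
    try:
        hardened_login(store, attacker_token)
        outcome["hardened"] = "accepted"
    except LoginRejected:
        outcome["hardened"] = "rejected"
    return outcome


if __name__ == "__main__":
    print(demo())
```

The vulnerable routine hands the attacker's token the victim's session because the only thing it compares is the editable address; the hardened routine stays on `tid` plus `oid`, and an account already bound to one Entra identity is never re-bound on the strength of a matching email.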