Critical Vulnerability in Microsoft Entra ID Allows Service Principal Hijacking
Severity: High (Score: 72.0)
Sources: Cybersecuritynews, Gbhackers
Summary
A critical scoping vulnerability was identified in Microsoft Entra ID's Agent Identity Platform, enabling users with the Agent ID Administrator role to hijack arbitrary service principals within an organization's tenant. This flaw poses a significant risk of privilege escalation, potentially compromising sensitive data and administrative controls. Microsoft has confirmed that the vulnerability has been fully patched across all cloud environments as of April 2026.

The issue arises from a breakdown in the permission boundary intended to restrict the role's capabilities. Organizations utilizing Microsoft Entra ID should verify that they have applied the latest updates to mitigate this risk. The vulnerability affects all tenants using the Agent ID Administrator role. No specific CVEs were mentioned in the articles, but the severity of the flaw necessitates immediate attention from security teams.

Key Points:
- A critical vulnerability in Microsoft Entra ID allows hijacking of service principals.
- The flaw affects all organizations using the Agent ID Administrator role.
- Microsoft has issued a patch for the vulnerability across all cloud environments.
Key Entities
- CWE-269 - Improper Privilege Management (cwe)
- T1068 - Exploitation for Privilege Escalation (mitre_attack)
- Microsoft Entra (platform)
- Microsoft Entra ID (platform)