How a Microsoft Identity Flaw Could Have Led to a Major Security Disaster
Microsoft’s cloud security systems are a big part of how many businesses protect their data today. But recent findings show there might be a dark side. A security researcher found serious flaws in Microsoft’s Entra ID platform, which could have let hackers take over nearly all Azure customer accounts if exploited.
The Hidden Vulnerabilities in Entra ID
Entra ID, formerly known as Azure Active Directory, is the backbone of Microsoft’s cloud identity system. It holds user accounts, login controls, and access to apps and subscriptions. Security researcher Dirk-jan Mollema has studied Entra ID for years. While preparing for a security conference, he uncovered two bugs that could give someone full control over any Entra ID tenant—think of a tenant as a separate customer environment.
Mollema was stunned. He realized that with these bugs, an attacker could impersonate any user, create new admin accounts, and change configurations. Basically, they could gain “god mode” access to a tenant, which is as dangerous as it sounds. The scope was huge; almost all tenants worldwide, except perhaps some government clouds, could have been affected.
The Technical Flaws and Their Risks
The first flaw involved something called Actor Tokens. These are special authentication tokens issued by an old Azure system called the Access Control Service. Mollema discovered that these tokens could be manipulated to impersonate users across tenants. The second flaw was in the now-retiring Azure AD Graph API, used to access data in Microsoft 365. It failed to properly verify which tenant was making a request, allowing an attacker to use tokens from one tenant to access another.
Both issues stemmed from legacy systems still running inside Entra ID. While Microsoft has moved quickly to fix the problems—disabling the vulnerabilities within days—experts say the potential damage could have been catastrophic if bad actors had exploited them.
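The Graph API flaw described above comes down to a missing check: a token that is valid for one tenant was accepted for requests against another. The following is an added, simplified model written for this article, not Microsoft's code; the claim names, issuer and audience values are constructed placeholders modelled on standard token claims, and it contrasts the unbound check with the tenant-bound check a directory API needs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenClaims:
    """Subset of claims from a constructed access token (not a real token format)."""
    issuer: str      # identity provider that signed the token
    audience: str    # API the token is intended for
    tenant_id: str   # tenant the token was issued in (modelled on the `tid` claim)
    subject: str     # principal the caller is acting as


TRUSTED_ISSUER = "https://issuer.example"   # placeholder, not a real endpoint
GRAPH_AUDIENCE = "https://graph.example"    # placeholder audience for the directory API


def validate_unbound(claims: TokenClaims, serving_tenant: str) -> bool:
    """Vulnerable pattern: issuer and audience are checked, but the tenant the
    token belongs to is never compared with the tenant whose data is served.
    A valid token from tenant A is therefore accepted for tenant B."""
    return claims.issuer == TRUSTED_ISSUER and claims.audience == GRAPH_AUDIENCE


def validate_tenant_bound(claims: TokenClaims, serving_tenant: str) -> bool:
    """Hardened pattern: the same checks plus an explicit tenant binding.
    The request is served only if the token was issued for the tenant
    whose directory is being accessed."""
    return (claims.issuer == TRUSTED_ISSUER
            and claims.audience == GRAPH_AUDIENCE
            and claims.tenant_id == serving_tenant)


def serve_directory_request(claims: TokenClaims, serving_tenant: str, validator) -> str:
    """Return 'allow' or 'deny' for a directory read against `serving_tenant`."""
    return "allow" if validator(claims, serving_tenant) else "deny"


# Constructed sample: a token minted in tenant A, presented to tenant B's directory.
TOKEN_FROM_TENANT_A = TokenClaims(TRUSTED_ISSUER, GRAPH_AUDIENCE, "tenant-a", "admin@a")

if __name__ == "__main__":
    print("unbound:", serve_directory_request(TOKEN_FROM_TENANT_A, "tenant-b", validate_unbound))
    print("bound:  ", serve_directory_request(TOKEN_FROM_TENANT_A, "tenant-b", validate_tenant_bound))
```

The same binding belongs in any multi-tenant service that accepts tokens from a shared issuer: validating signature, issuer and audience alone says nothing about which customer the token may act on.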
Microsoft’s Response and the Bigger Picture
Microsoft responded promptly once the flaws were disclosed in July. They patched the vulnerabilities and added extra security measures. The company confirmed that no evidence of abuse was found during their investigation. They also issued a CVE, a public record of the security flaw, to alert other organizations.
However, the risks highlighted by these bugs are significant. In 2023, a different attack known as Storm-0558 used stolen cryptographic keys to access Outlook accounts, including some belonging to U.S. government agencies. That incident exposed how dangerous cloud identity vulnerabilities can be and prompted Microsoft to launch its “Secure Future Initiative.” This program aims to strengthen protections and respond faster to new security issues.
Mollema emphasizes that these recent bugs could have been even more damaging. If exploited, an attacker could have added themselves as the top admin in any tenant, gaining full control over cloud services like Azure, SharePoint, or Exchange. This highlights the importance of ongoing security vigilance in cloud systems that millions rely on daily.
In the end, these discoveries remind us how complex cloud security is. Even the biggest providers like Microsoft have flaws, but quick fixes and responsible disclosures can help prevent bigger disasters. As cloud use continues to grow, staying alert to vulnerabilities remains crucial for everyone.