πŸ”‘ IAM

Microsoft Entra Agent ID Role Misconfiguration Enabled Full Tenant Takeover via Service Principal Hijack

A flaw in Microsoft Entra's Agent ID role assignment model allowed an attacker with low-level Entra access to hijack privileged service principals and achieve full tenant administrator rights. Microsoft silently patched the issue on April 9; organisations with agentic AI workloads or automation service accounts should audit role bindings immediately.

4 min read
#entra-id#service-principal#privilege-escalation#tenant-takeover#azure#agentic-ai

A privilege escalation path in Microsoft Entra ID β€” exposed specifically by the growing use of agentic AI workloads and automation service principals β€” allowed an adversary with limited directory access to inherit the permissions of any service principal in a tenant, including those holding Global Administrator equivalency. Microsoft patched the issue on April 9, 2026 as part of its backend service updates, without a public CVE advisory, meaning many enterprise security teams remain unaware the vulnerability existed or that their environments were exposed.

The Flaw: Agent ID Role Resolution

The Entra Agent ID model, introduced to support Microsoft Copilot Studio and Azure AI Foundry automation agents, uses a role assignment chain that links agent application identities to their backing service principals. Security researcher findings published this week revealed that the role resolution logic failed to enforce tenant boundary checks when an Agent ID application was granted the built-in Automation Contributor role in a subscription.

An attacker who could create or modify an Agent ID application within a tenant β€” a permission available to any user with the Application Developer role β€” could craft a malicious agent identity that resolved upward into a pre-existing privileged service principal. By triggering an agent invocation, the attacker obtained an access token scoped to the victim service principal, effectively taking over its identity.

In tested environments, this path reached service principals holding Microsoft Graph Directory.ReadWrite.All, Azure subscription Owner, and Exchange ApplicationImpersonation permissions β€” sufficient for complete tenant control.

Affected Configurations

The issue affected all Entra tenants that had:

  • Agent ID features enabled (enabled by default in tenants with Copilot Studio or Azure AI Foundry licensing)
  • At least one service principal holding elevated directory or Azure RBAC permissions
  • Any user holding the Application Developer, Application Administrator, or Cloud Application Administrator built-in roles

Tenants that had explicitly disabled Agent ID application creation or had restricted service principal creation to Global Administrators were not affected by this path.

Silent Patch β€” No CVE Issued

Microsoft’s April 9 backend service patch corrected the role resolution logic server-side without requiring any tenant-side action. No CVE was issued and no MSRC advisory was published at the time of patching. The first public documentation appeared in third-party security research published on April 26, prompting Microsoft to confirm the fix retroactively.

The absence of a CVE complicates organisational risk assessment. Security teams relying on CVE feeds or MSRC advisories as their primary patching signal would have received no notification that a significant privilege escalation existed in their identity infrastructure.

  • Audit Agent ID application registrations β€” in Entra admin centre, navigate to App registrations β†’ All applications and filter by createdDateTime in the past 90 days; review any applications with Agent-type identifiers for unexpected permission grants.
  • Review Application Developer role membership β€” enumerate users holding Application Developer, Application Administrator, and Cloud Application Administrator; remove where not operationally required.
  • Inspect service principal permission scopes β€” use Microsoft Graph (GET /servicePrincipals) to export all service principals and flag those with Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory, or subscription-level Owner assignments.
  • Enable Entra audit logs for service principal modifications β€” ensure ServicePrincipal - Update, AppRoleAssignment - Add, and Consent - Grant events are forwarded to your SIEM with appropriate alerting.
  • Review Conditional Access coverage for service principals β€” confirm that workload identity Conditional Access policies apply to all high-privilege service principals, limiting token issuance to expected locations and clients.

Wider Context

This vulnerability is representative of a broader class of risk emerging from agentic AI infrastructure: service principal proliferation, opaque role inheritance, and the assumption that automation identities deserve elevated trust. As Copilot Studio and Azure AI Foundry deployments scale, the attack surface on service principal hierarchies will grow β€” and silent patching without CVE issuance leaves security teams blind to what was exposed.

Share this article