CVE-2025-55241 (Actor Token / Entra ID) — What You Need to Know

Introduction

A critical flaw in Microsoft Entra ID (formerly Azure Active Directory) — CVE-2025-55241 — reminds us how fragile cloud identity can be when legacy token flows linger. While Microsoft has already patched the issue, the lessons go far beyond a single CVE.

At Terait, we help organizations secure Entra ID and Azure identity services. This post breaks down what happened, why it matters, and practical steps you can take — including ready-to-use KQL queries for hunting suspicious activity.

What Happened

Security researcher Dirk-jan Mollema discovered that a little-known Actor Token type, when used against the legacy Azure AD Graph API, could bypass proper tenant validation.

That meant an attacker could present an Actor Token from one tenant and be accepted in another — effectively impersonating any user, including Global Admins.

Microsoft patched the flaw in July/August 2025 after responsible disclosure. No active exploitation has been observed, but the risk was severe:

  • Risk level: 🔴 Critical (CVSS ~9.0)
  • Impact: Tenant-wide takeover
  • Bypasses: Conditional Access, MFA, and in some cases logging
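To make the missing check concrete, here is a small model of a tenant-bound token validator. It is an illustration added to this post, not Microsoft's code and not the real Entra ID token format: the toy token layout, the shared HMAC key, the issuer URL and the rule that the token's tid must equal the tenant being accessed are all assumptions. It contrasts an acceptor that verifies only signature, audience and expiry with one that also binds the token to the resource tenant, which is the property a cross-tenant bypass violates.

```python
"""Model of tenant binding in token validation (added illustration, not Entra ID code)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed shared key standing in for the issuer's signing key.
SIGNING_KEY = b"constructed-demo-signing-key"
ISSUER_BASE = "https://issuer.example"   # assumed issuer URL for the demo


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(tenant_id: str, subject: str, audience: str, lifetime: int = 3600) -> str:
    """Issue a toy 'body.signature' token carrying issuer, tenant, subject, audience and expiry."""
    claims = {
        "iss": f"{ISSUER_BASE}/{tenant_id}",
        "tid": tenant_id,
        "sub": subject,
        "aud": audience,
        "exp": int(time.time()) + lifetime,
    }
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def _verify_and_decode(token: str) -> dict:
    """Check the signature first; a tampered token never reaches the claim checks."""
    body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        raise ValueError("bad signature")
    return json.loads(_unb64(body))


def accept_weak(token: str, resource_tenant: str, audience: str) -> bool:
    """Vulnerable pattern: signature, audience and expiry are verified, the tenant is not.

    A validly signed token issued for tenant A is accepted when presented to tenant B.
    """
    claims = _verify_and_decode(token)
    if claims["aud"] != audience or claims["exp"] < time.time():
        return False
    return True   # resource_tenant is never consulted


def accept_hardened(token: str, resource_tenant: str, audience: str) -> bool:
    """Tenant-bound validation: the token's tid and issuer must match the tenant being accessed."""
    claims = _verify_and_decode(token)
    if claims["aud"] != audience or claims["exp"] < time.time():
        return False
    if claims["tid"] != resource_tenant:
        return False
    if claims["iss"] != f"{ISSUER_BASE}/{resource_tenant}":
        return False
    return True


if __name__ == "__main__":
    foreign = issue_token("tenant-a", "admin@tenant-a", "legacy-graph")
    print("weak validator accepts tenant-a token in tenant-b:", accept_weak(foreign, "tenant-b", "legacy-graph"))
    print("hardened validator accepts it:", accept_hardened(foreign, "tenant-b", "legacy-graph"))
```

The point of the comparison is that signature verification alone says nothing about which directory a token may act in; the resource side has to check the tenant claim against its own tenant, and reject everything else.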

Why It Matters

This wasn’t just a “bug fix.” It highlights three bigger truths:

  • Legacy APIs are dangerous. Even if Microsoft Graph has replaced Azure AD Graph, old endpoints remain attackable if still in use.
  • Service-to-service identities are high risk. They often bypass human safeguards and aren’t monitored as closely.
  • Visibility is everything. Without extended token telemetry, attackers could move invisibly across tenants.

In other words: Identity really is the new perimeter.

What You Should Do Now

If you’re responsible for Entra ID or Azure tenants, here’s what to do immediately:

  • Confirm patch status — check Microsoft tenant health notifications.
  • Rotate credentials — especially service principals and application secrets tied to automation, CI/CD, sync, and monitoring.
  • Retire legacy flows — migrate from Azure AD Graph to Microsoft Graph.
  • Enable full logging — ensure sign-in and audit logs are ingested into Sentinel or your SIEM.
  • Hunt for anomalies — look for unusual Actor Token usage and suspicious cross-tenant activity.

KQL Detection Queries

Below are KQL queries you can paste directly into Microsoft Sentinel / Log Analytics. Adjust time windows and fields for your environment.

1) Actor Token Sign-ins

Detect sign-ins where the token details mention “actor.” The substring match is a coarse heuristic, so review hits by hand.

SigninLogs
| where TimeGenerated > ago(14d)
// AuthenticationDetails and AuthenticationProcessingDetails are the dynamic columns that carry token metadata
| where tostring(AuthenticationDetails) contains "actor" or tostring(AuthenticationProcessingDetails) contains "actor"
| project TimeGenerated, TenantId, UserPrincipalName, AppDisplayName, ResourceDisplayName, ClientAppUsed, IPAddress, AuthenticationProcessingDetails
| sort by TimeGenerated desc

2) Cross-Tenant Actor Token Use

Look for mismatched tenant claims. The audit log’s AdditionalDetails field does not expose the token’s tenant claims, but the sign-in logs record both the home tenant of the identity and the tenant owning the resource, so compare those and filter out the partner tenants you expect.

union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(30d)
// HomeTenantId is the tenant that issued the identity, ResourceTenantId the tenant owning the resource
| where isnotempty(HomeTenantId) and HomeTenantId != ResourceTenantId
| project TimeGenerated, UserPrincipalName, HomeTenantId, ResourceTenantId, CrossTenantAccessType, AppDisplayName, ResourceDisplayName, IPAddress
| sort by TimeGenerated desc

3) Suspicious Service Principal Escalations

Find service principals adding roles, members, owners, or credentials. In AuditLogs the initiator is recorded in the dynamic InitiatedBy column; its app object is populated when an application rather than a user made the change.

AuditLogs
| where TimeGenerated > ago(30d)
// InitiatedBy.app is set only for changes made by a service principal
| where isnotempty(tostring(InitiatedBy.app))
| extend ActorApp = tostring(InitiatedBy.app.displayName), ActorSpId = tostring(InitiatedBy.app.servicePrincipalId)
| where OperationName has_any ("Add member to role", "Add owner to application", "Add owner to service principal", "Add app role assignment to service principal", "Add service principal credentials", "Add member to group")
| project TimeGenerated, ActorApp, ActorSpId, OperationName, Result, TargetResources
| sort by TimeGenerated desc

4) Correlate SP Sign-ins With Admin Actions

Connect service principal logins to admin activity. Service principal sign-ins live in the AADServicePrincipalSignInLogs table (enable the ServicePrincipalSignInLogs diagnostic category if it is empty), and the join key is the service principal ID recorded on the audit event.

let sp_signins = AADServicePrincipalSignInLogs
| where TimeGenerated > ago(30d)
| project SP_Id = ServicePrincipalId, SP_Name = ServicePrincipalName, SP_Time = TimeGenerated, SP_IP = IPAddress;

let sp_ops = AuditLogs
| where TimeGenerated > ago(30d)
| where isnotempty(tostring(InitiatedBy.app))
| project Op_Time = TimeGenerated, Op_SpId = tostring(InitiatedBy.app.servicePrincipalId), OperationName, TargetResources;

sp_signins
| join kind=inner sp_ops on $left.SP_Id == $right.Op_SpId
// keep only sign-ins within an hour either side of the audited change
| where abs(datetime_diff('minute', SP_Time, Op_Time)) < 60
| project SP_Time, SP_Name, SP_IP, Op_Time, OperationName, TargetResources
| sort by Op_Time desc

5) Service Principal IP Diversity

Detect service principals authenticating from many IPs in a short time. Tune the threshold: automation that runs from several regions or behind rotating egress will trip it legitimately.

AADServicePrincipalSignInLogs
| where TimeGenerated > ago(14d)
| summarize distinctIpCount = dcount(IPAddress), IPs = make_set(IPAddress, 10) by ServicePrincipalName, ServicePrincipalId, bin(TimeGenerated, 1d)
| where distinctIpCount >= 3
| project TimeGenerated, ServicePrincipalName, ServicePrincipalId, distinctIpCount, IPs
| sort by TimeGenerated desc

6) Inventory Legacy Azure AD Graph Usage

Audit integrations that still call legacy endpoints. The logs do not record the graph.windows.net hostname; Azure AD Graph appears as the resource with app ID 00000002-0000-0000-c000-000000000000 (display name “Windows Azure Active Directory”), so filter sign-ins on that resource across user, non-interactive, and service principal sign-in tables.

// Azure AD Graph is identified by its resource app ID rather than by hostname
let aadGraphAppId = "00000002-0000-0000-c000-000000000000";
union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs, AADServicePrincipalSignInLogs
| where TimeGenerated > ago(30d)
| where ResourceIdentity == aadGraphAppId
| extend Caller = coalesce(AppDisplayName, ServicePrincipalName)
| summarize Calls = count(), LastSeen = max(TimeGenerated) by Caller, AppId
| sort by Calls desc
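Before trusting a hunting query in production it helps to run its logic over a handful of hand-made records and confirm it flags what you expect. The following Python is an added example, not part of the original post and not Microsoft's code: it models queries 3 to 6 (app-initiated privileged changes, sign-in-to-change correlation, daily IP diversity, and legacy Azure AD Graph callers) over constructed records. The records are only loosely shaped like AADServicePrincipalSignInLogs and AuditLogs rows, so treat the field names as assumptions to map onto your own workspace schema.

```python
"""Offline model of the service-principal hunting logic above (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

AAD_GRAPH_RESOURCE_ID = "00000002-0000-0000-c000-000000000000"   # legacy Azure AD Graph
MS_GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"    # Microsoft Graph
PRIVILEGED_OPS = {
    "Add member to role",
    "Add owner to service principal",
    "Add service principal credentials",
    "Add app role assignment to service principal",
}


def _t(stamp: str) -> datetime:
    """Constructed timestamps, naive UTC."""
    return datetime.fromisoformat(stamp)


def _signin(when, sp_id, sp_name, ip, resource):
    return {"TimeGenerated": _t(when), "ServicePrincipalId": sp_id,
            "ServicePrincipalName": sp_name, "IPAddress": ip, "ResourceIdentity": resource}


# Constructed service principal sign-ins: DirSync authenticates from three IPs in 40 minutes.
SP_SIGNINS = [
    _signin("2025-08-01T09:00:00", "sp-sync", "DirSync", "203.0.113.10", AAD_GRAPH_RESOURCE_ID),
    _signin("2025-08-01T09:20:00", "sp-sync", "DirSync", "198.51.100.7", MS_GRAPH_RESOURCE_ID),
    _signin("2025-08-01T09:40:00", "sp-sync", "DirSync", "192.0.2.55", MS_GRAPH_RESOURCE_ID),
    _signin("2025-08-01T10:00:00", "sp-backup", "Backup", "203.0.113.10", MS_GRAPH_RESOURCE_ID),
    _signin("2025-08-02T03:00:00", "sp-backup", "Backup", "203.0.113.10", AAD_GRAPH_RESOURCE_ID),
]

# Constructed audit rows; InitiatedBy carries either an "app" or a "user" object.
AUDIT_LOGS = [
    {"TimeGenerated": _t("2025-08-01T09:45:00"), "OperationName": "Add member to role",
     "InitiatedBy": {"app": {"servicePrincipalId": "sp-sync", "displayName": "DirSync"}}, "Result": "success"},
    {"TimeGenerated": _t("2025-08-01T14:00:00"), "OperationName": "Update application",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}}, "Result": "success"},
    {"TimeGenerated": _t("2025-08-02T12:00:00"), "OperationName": "Add service principal credentials",
     "InitiatedBy": {"app": {"servicePrincipalId": "sp-backup", "displayName": "Backup"}}, "Result": "success"},
]


def privileged_ops_by_apps(audit):
    """Query 3: privileged directory changes initiated by an application, not a user."""
    return [r for r in audit if "app" in r["InitiatedBy"] and r["OperationName"] in PRIVILEGED_OPS]


def correlate_signins_with_ops(signins, audit, window_minutes=60):
    """Query 4: pair each app-initiated privileged change with that SP's sign-ins inside the window."""
    window = timedelta(minutes=window_minutes)
    pairs = []
    for op in privileged_ops_by_apps(audit):
        sp_id = op["InitiatedBy"]["app"]["servicePrincipalId"]
        for s in signins:
            if s["ServicePrincipalId"] == sp_id and abs(s["TimeGenerated"] - op["TimeGenerated"]) < window:
                pairs.append((s["ServicePrincipalName"], s["IPAddress"], op["OperationName"]))
    return pairs


def sp_ip_diversity(signins, threshold=3):
    """Query 5: service principals seen from at least `threshold` distinct IPs on one day."""
    ips = defaultdict(set)
    for s in signins:
        ips[(s["ServicePrincipalName"], s["TimeGenerated"].date().isoformat())].add(s["IPAddress"])
    return {key: len(seen) for key, seen in ips.items() if len(seen) >= threshold}


def legacy_graph_callers(signins):
    """Query 6: callers that still authenticate to the Azure AD Graph resource, with call counts."""
    calls = defaultdict(int)
    for s in signins:
        if s["ResourceIdentity"] == AAD_GRAPH_RESOURCE_ID:
            calls[s["ServicePrincipalName"]] += 1
    return dict(calls)


if __name__ == "__main__":
    print("privileged ops by apps:", [r["OperationName"] for r in privileged_ops_by_apps(AUDIT_LOGS)])
    print("sign-in/change pairs:", correlate_signins_with_ops(SP_SIGNINS, AUDIT_LOGS))
    print("IP diversity:", sp_ip_diversity(SP_SIGNINS))
    print("legacy Graph callers:", legacy_graph_callers(SP_SIGNINS))
```

Running it shows the behaviour you should expect from the KQL: DirSync is flagged for three IPs on 1 August and its three sign-ins all fall within an hour of the role change it made, while Backup’s credential addition at noon is nine hours from its last sign-in and produces no pair. Narrowing the window to 30 minutes drops the 09:00 sign-in, which is the kind of tuning you will do against real data.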

The Bigger Picture

CVE-2025-55241 may already be fixed, but it should push security leaders to:

  • Inventory and migrate legacy identity APIs.
  • Harden service principals with JIT access, managed identities, and secret rotation.
  • Improve visibility with extended logging of token claims.
  • Adopt CIEM / PAM to control non-human identity sprawl.

Conclusion

This vulnerability is a reminder that the cloud’s weakest link may not be a human user — but a forgotten API, an overlooked token type, or a service identity left unmanaged.

At Terait, we work with enterprises to strengthen Entra ID, adopt passwordless strategies, and secure both human and non-human identities.

References

DarkReading coverage

Dirk-jan Mollema — One Token to rule them all

Mitiga Labs — Actor Token vulnerability analysis

Wired — Microsoft’s response

NVD CVE record

Junaid Ahmed

Junaid Ahmed is an enthusiastic Cybersecurity Manager and Azure Architect with a strong focus on cloud security, identity management, and passwordless adoption. He is passionate about helping organizations simplify their security approach, strengthen trust in the cloud, and embrace innovative technologies that drive both resilience and growth.
