<h1>Hackers Can Abuse Entra Agent ID Administrator Role to Hijack Service Principals</h1>
<p>Published 2026-04-25 at https://www.newsbeep.com/us/606318/</p>
<p>A critical scope-overreach vulnerability was recently identified in the Microsoft Entra Agent Identity Platform. The newly introduced Agent ID Administrator role allowed its holders to hijack arbitrary service principals and escalate privileges across the entire tenant.</p>
<p>Microsoft has fully patched this behavior across all cloud environments as of April 2026.</p>
<h2>How the Permission Boundary Breaks</h2>
<p>The Microsoft Agent Identity Platform is a preview feature that gives AI agents identities of their own, built from blueprints, agent identities, and agent users.</p>
<p>To manage these non-human entities, Microsoft introduced the Agent ID Administrator role. <a href="https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference" target="_blank" rel="noreferrer noopener nofollow">According to Microsoft documentation</a>, the role was scoped to manage only agent-related objects.</p>
<p><img decoding="async" src="https://www.newsbeep.com/us/wp-content/uploads/2026/04/Screenshot 2026-04-24 184341 (1).webp.jpeg" alt="A discrepancy in the Microsoft Entra privileged indicator will be fixed (Source: Silverfort)"/>A discrepancy in the Microsoft Entra "privileged" indicator will be fixed (Source: Silverfort)</p>
<p>However, because agent identities are built on top of the standard application and service principal primitives, the intended scope did not hold in practice.</p>
<p>Silverfort researchers found that the role's permission to update agent identity owners was not confined to agent identities: a holder could modify the owners of any service principal in the tenant.</p>
<p>A user with the Agent ID Administrator role could therefore add themselves as an owner of a completely unrelated, high-privileged service principal.</p>
<p>Once ownership was established, the attacker could add a new credential to that service principal and authenticate as the targeted application, because owners are allowed to manage a service principal's secrets and certificates.</p>
<p>If the compromised service principal held elevated directory roles or high-impact Microsoft Graph API permissions, this takeover primitive provided a direct path to full compromise of the tenant.</p>
<p><img decoding="async" src="https://www.newsbeep.com/us/wp-content/uploads/2026/04/Screenshot 2026-04-24 184356 (1).webp.jpeg" alt="Attack Flow (Source: Silverfort)"/>Attack Flow (Source: Silverfort)</p>
<p>Attackers leveraging this vulnerability would naturally target the most powerful non-human identities in the tenant.</p>
<p><a href="https://www.silverfort.com/blog/agent-id-administrator-scope-overreach-service-principal-takeover-in-entra-id/" target="_blank" rel="noreferrer noopener nofollow">According to Silverfort research</a>, organizations should proactively identify service principals with admin-level directory roles and secure them appropriately.</p>
<p>Administrators can use the Azure CLI together with jq to query the Microsoft Graph API for these configurations. The following script lists service principals that hold privileged directory roles: it fetches every role definition flagged <code>isPrivileged</code>, drops the read-only roles whose name contains "Reader", then pages through all role assignments via <code>@odata.nextLink</code> and keeps those whose assigned principal is a service principal. It needs an <code>az login</code> session with permission to read role management data, plus <code>jq</code> and <code>column</code>. It covers directory role assignments only; a service principal whose power comes from application permissions (Graph app roles) will not appear and needs a separate review.</p>
<pre><code class="language-bash">#!/usr/bin/env bash
# List service principals that hold privileged Entra directory roles.
set -euo pipefail
BASE="https://graph.microsoft.com"

# Role definitions flagged isPrivileged; the "Reader" filter below drops read-only roles.
roles="$(az rest -m GET --url "${BASE}/beta/roleManagement/directory/roleDefinitions?\$filter=isPrivileged%20eq%20true&amp;\$select=id,displayName" -o json)"

# Role assignments with the assigned principal expanded, 999 per page.
u="${BASE}/beta/roleManagement/directory/roleAssignments?\$expand=principal(\$select=id,displayName)&amp;\$top=999"
{
  echo -e "SP_NAME\tSP_ID\tROLE"
  echo -e "-------\t-----\t----"
  while :; do
    j="$(az rest -m GET --url "$u" -o json 2&gt;/dev/null)" || break
    jq -r --argjson roles "$roles" '
      # id -&gt; displayName map of privileged roles, minus anything named *Reader*
      ($roles.value
        | map(select(.displayName | test("Reader"; "i") | not) | {key: .id, value: .displayName})
        | from_entries) as $r
      | .value[]
      | select(.principal."@odata.type" == "#microsoft.graph.servicePrincipal")
      | select($r[.roleDefinitionId] != null)
      | [.principal.displayName, (.principal.id // .principalId), $r[.roleDefinitionId]]
      | @tsv
    ' &lt;&lt;&lt;"$j"
    # Follow the server-side paging link until there is none.
    u="$(jq -r '."@odata.nextLink" // empty' &lt;&lt;&lt;"$j")"
    [[ -z "$u" ]] &amp;&amp; break
  done | sort -t$'\t' -k1,1
} | column -t -s $'\t'
</code></pre>
<p>Microsoft acknowledged the issue and deployed a fix that prevents the Agent ID Administrator role from managing the owners of non-agent service principals.</p>
<p>While the immediate threat is resolved, the underlying risk of service principal ownership abuse remains a high-value attack path: any principal that can add an owner or a credential to a service principal can impersonate it.</p>
<p>Security teams must actively monitor their audit logs for successful events that add owners or credentials to service principals, with particular attention to the privileged ones the script above lists.</p>
<p>Because many tenants contain at least one privileged service principal, treating these identities as critical infrastructure is essential to preventing future privilege escalation attacks.</p>
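The audit-log monitoring the article recommends, as an added example that is not Silverfort's or Microsoft's code. It runs over Entra directory audit records in the shape Microsoft Graph returns from <code>/auditLogs/directoryAudits</code> (<code>activityDisplayName</code>, <code>result</code>, <code>activityDateTime</code>, <code>initiatedBy</code>, <code>targetResources</code>) together with a set of privileged service principal object IDs, such as the <code>SP_ID</code> column from the discovery script, and flags successful owner and credential additions on those principals. It goes one step beyond the article's text by correlating the two: the same actor adding itself as owner and then adding a credential to the same service principal is the takeover sequence described above, so that pair is raised as a high-severity alert. The records are constructed sample data, not real tenant logs; the activity names are the ones Entra logs for these operations, and the exact field layout is assumed from the Graph directoryAudit resource.

```python
"""Flag service principal takeover activity in Entra directory audit records.

Added example, not Silverfort's or Microsoft's code. Input is a list of audit
records shaped like Microsoft Graph /auditLogs/directoryAudits (field layout
assumed) and a set of privileged service principal object IDs. Sample records
below are constructed, not real tenant data.
"""
import json

# Audit activities that hand control of a service principal to another party.
TAKEOVER_ACTIVITIES = {
    "Add owner to service principal": "owner-added",
    "Add service principal credentials": "credential-added",
}

# Constructed sample: one actor adds itself as owner of a privileged SP and then
# adds a credential (a1, a2); a denied attempt (a3), a change to a non-privileged
# SP (a4) and an unrelated update (a5) are negatives.
SAMPLE_AUDIT_JSON = """[
 {"id": "a1", "activityDisplayName": "Add owner to service principal", "result": "success",
  "activityDateTime": "2026-04-20T10:01:00Z",
  "initiatedBy": {"user": {"userPrincipalName": "agentadmin@contoso.example"}},
  "targetResources": [{"id": "u1", "type": "User", "displayName": "agentadmin"},
                      {"id": "sp-priv-1", "type": "ServicePrincipal", "displayName": "GraphAutomation"}]},
 {"id": "a2", "activityDisplayName": "Add service principal credentials", "result": "success",
  "activityDateTime": "2026-04-20T10:02:30Z",
  "initiatedBy": {"user": {"userPrincipalName": "agentadmin@contoso.example"}},
  "targetResources": [{"id": "sp-priv-1", "type": "ServicePrincipal", "displayName": "GraphAutomation"}]},
 {"id": "a3", "activityDisplayName": "Add owner to service principal", "result": "failure",
  "activityDateTime": "2026-04-20T10:05:00Z",
  "initiatedBy": {"user": {"userPrincipalName": "agentadmin@contoso.example"}},
  "targetResources": [{"id": "sp-priv-2", "type": "ServicePrincipal", "displayName": "BackupSync"}]},
 {"id": "a4", "activityDisplayName": "Add owner to service principal", "result": "success",
  "activityDateTime": "2026-04-20T11:00:00Z",
  "initiatedBy": {"user": {"userPrincipalName": "devops@contoso.example"}},
  "targetResources": [{"id": "sp-low-9", "type": "ServicePrincipal", "displayName": "DemoApp"}]},
 {"id": "a5", "activityDisplayName": "Update service principal", "result": "success",
  "activityDateTime": "2026-04-20T11:30:00Z",
  "initiatedBy": {"user": {"userPrincipalName": "devops@contoso.example"}},
  "targetResources": [{"id": "sp-priv-1", "type": "ServicePrincipal", "displayName": "GraphAutomation"}]}
]"""


def load_sample():
    """Parse the constructed sample records."""
    return json.loads(SAMPLE_AUDIT_JSON)


def _parse_time(value):
    # Graph emits RFC 3339 timestamps with a trailing Z; make them tz-aware.
    from datetime import datetime
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _actor(record):
    # Operations are initiated by a user or by an app; report whichever is present.
    initiated_by = record.get("initiatedBy") or {}
    user = initiated_by.get("user") or {}
    app = initiated_by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def find_takeover_events(records, privileged_sp_ids):
    """Successful owner/credential additions that target a privileged SP, oldest first."""
    events = []
    for record in records:
        kind = TAKEOVER_ACTIVITIES.get(record.get("activityDisplayName"))
        if kind is None or record.get("result") != "success":
            continue  # unrelated activity, or an attempt that was denied
        for target in record.get("targetResources", []):
            if target.get("type") == "ServicePrincipal" and target.get("id") in privileged_sp_ids:
                events.append({"audit_id": record.get("id"), "time": _parse_time(record["activityDateTime"]),
                               "actor": _actor(record), "sp_id": target["id"],
                               "sp_name": target.get("displayName"), "kind": kind})
    return sorted(events, key=lambda e: e["time"])


def chain_alerts(events, window_seconds=24 * 3600):
    """High-severity alert when one actor becomes owner of an SP and then adds a
    credential to it within window_seconds: the takeover sequence from the article."""
    owner_added_at = {}  # (actor, sp_id) -> time the actor became an owner
    alerts = []
    for event in events:
        key = (event["actor"], event["sp_id"])
        if event["kind"] == "owner-added":
            owner_added_at[key] = event["time"]
        elif event["kind"] == "credential-added" and key in owner_added_at:
            if (event["time"] - owner_added_at[key]).total_seconds() <= window_seconds:
                alerts.append({"severity": "high", "actor": event["actor"], "sp_id": event["sp_id"],
                               "sp_name": event["sp_name"], "owner_added": owner_added_at[key],
                               "credential_added": event["time"]})
    return alerts


if __name__ == "__main__":
    privileged = {"sp-priv-1", "sp-priv-2"}  # e.g. the SP_ID column from the discovery script
    found = find_takeover_events(load_sample(), privileged)
    for e in found:
        print(f"{e['time'].isoformat()} {e['kind']:16} {e['actor']} -> {e['sp_name']} ({e['sp_id']})")
    for a in chain_alerts(found):
        print(f"ALERT {a['severity']}: {a['actor']} took over {a['sp_name']} "
              f"(owner {a['owner_added'].isoformat()}, credential {a['credential_added'].isoformat()})")
```

The single-event hits are worth reviewing on their own, since an owner added by a role that should never touch that service principal is the overreach the article describes even if no credential follows. The audit record does not say which directory role authorized the change, so confirming that the actor held only the Agent ID Administrator role needs a separate lookup of that actor's role assignments.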