Microsoft Entra Agent ID Flaw Enabled Tenant Takeover via Privilege Escalation


HackRead, Apr 26, 2026

Why It Matters

The bug enabled privilege escalation that could give threat actors full control of a tenant, jeopardizing data integrity and business continuity across cloud‑first organizations. Prompt remediation is essential to safeguard critical workloads and maintain compliance.

Key Takeaways

  • Agent ID Administrator role could modify any Service Principal
  • Attackers can add themselves as owners and inject credentials
  • Flaw allowed takeover of Global Administrator accounts in demo
  • Over 99% of enterprises have privileged Service Principals
  • Microsoft patched the issue by April 9, 2026

Pulse Analysis

Microsoft Entra Agent ID was designed to give AI agents distinct identities, simplifying automation while preserving security boundaries. The Agent ID Administrator role, however, was granted overly broad permissions that extended beyond agent‑specific objects to any application service principal. Researchers demonstrated that an attacker holding this role could enumerate service principals via Microsoft Graph or the Azure CLI, add themselves as owners, and inject new secrets, effectively hijacking the service principal and gaining the same rights as its original owner. This attack chain illustrates how a seemingly narrow administrative role can become a powerful foothold for privilege escalation.

The vulnerability’s impact is amplified by the ubiquity of privileged service principals in modern cloud environments. Industry surveys show that more than 99% of organizations maintain at least one high‑privilege service principal, and many have adopted dozens or even hundreds of agent identities for AI‑driven workloads. When an attacker commandeers a service principal, they inherit its permissions, which often include read‑write access to directory data, configuration changes, and the ability to create or delete resources. In the Silverfort proof‑of‑concept, the compromised service principal was used to seize a Global Administrator account, granting unrestricted control over the entire tenant and exposing the organization to data exfiltration, ransomware, or persistent backdoors.

Microsoft responded swiftly, confirming the issue on March 26 and deploying a fix by April 9 that restricts the Agent ID Administrator role from modifying owners of non‑agent service principals. Customers should audit recent ownership changes and secret creations in Azure AD AuditLogs, revoke any unnecessary Agent ID Administrator assignments, and enforce least‑privilege principles for service principals. Ongoing monitoring and conditional access policies will be critical as AI agents proliferate, ensuring that the convenience of autonomous identities does not outpace the security controls needed to protect enterprise cloud assets.
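The audit step recommended above, as an added example that is not part of the HackRead article or Silverfort's research: it correlates exported Entra ID AuditLogs records in which one actor adds an owner to a service principal and then adds credentials to the same service principal within a short window, which is the chain the article describes. The log records are constructed; the field names follow the AuditLogs export schema and the two operation names are the ones Entra emits for these actions, but the sample values (actors, object ids, timestamps) are invented.

```python
from datetime import datetime, timedelta
import json

OWNER_OP = "Add owner to service principal"
CRED_OP = "Add service principal credentials"

# Constructed sample export: records 1 and 2 form the suspicious chain, record 3 does not.
SAMPLE_AUDIT_LOGS = json.dumps([
    {"operationName": OWNER_OP, "activityDateTime": "2026-04-01T10:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "agentadmin@contoso.example"}},
     "targetResources": [{"id": "sp-1111", "type": "ServicePrincipal"}]},
    {"operationName": CRED_OP, "activityDateTime": "2026-04-01T10:04:30Z",
     "initiatedBy": {"user": {"userPrincipalName": "agentadmin@contoso.example"}},
     "targetResources": [{"id": "sp-1111", "type": "ServicePrincipal"}]},
    {"operationName": CRED_OP, "activityDateTime": "2026-04-01T12:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "devops@contoso.example"}},
     "targetResources": [{"id": "sp-2222", "type": "ServicePrincipal"}]},
])

def _parse(record):
    """Extract (actor, [service principal ids], timestamp) from one audit record."""
    init = record.get("initiatedBy", {})
    actor = (init.get("user") or {}).get("userPrincipalName") \
        or (init.get("app") or {}).get("displayName", "unknown")
    targets = [t["id"] for t in record.get("targetResources", [])
               if t.get("type") == "ServicePrincipal"]
    when = datetime.fromisoformat(record["activityDateTime"].replace("Z", "+00:00"))
    return actor, targets, when

def find_owner_then_credential_chains(raw_json, window_minutes=60):
    """Return (actor, sp_id, owner_time, cred_time) for every service principal where
    the same actor added an owner and then added credentials within the window."""
    owner_events = {}   # (actor, sp_id) -> time of the most recent owner addition
    hits = []
    for rec in sorted(json.loads(raw_json), key=lambda r: r["activityDateTime"]):
        actor, targets, when = _parse(rec)
        for sp in targets:
            key = (actor, sp)
            if rec["operationName"] == OWNER_OP:
                owner_events[key] = when
            elif rec["operationName"] == CRED_OP and key in owner_events:
                if when - owner_events[key] <= timedelta(minutes=window_minutes):
                    hits.append((actor, sp, owner_events[key], when))
    return hits

if __name__ == "__main__":
    for actor, sp, t0, t1 in find_owner_then_credential_chains(SAMPLE_AUDIT_LOGS):
        print(f"ALERT: {actor} added an owner to {sp} at {t0:%H:%M} and credentials at {t1:%H:%M}")
```

Point it at a real AuditLogs export (Log Analytics or the Graph audit log endpoint) and review each hit against change records; a legitimate onboarding and a hijack look identical in the log, so the actor's role assignments decide.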

