Critical Azure Vulnerability Could Grant Global Admin Access
2025-09-19
Security researcher Dirk-jan Mollema discovered two critical vulnerabilities in Microsoft Azure Entra ID (formerly Azure Active Directory) that could have granted global administrator privileges to all Azure customer accounts. These vulnerabilities involved legacy systems within Entra ID, including Azure authentication tokens called "Actor Tokens" and an outdated API called "Graph". Mollema reported the flaws to Microsoft on July 14th, and Microsoft issued a global fix on July 17th. Microsoft stated they found no evidence of abuse. This highlights significant security challenges even for major cloud providers and underscores the importance of timely updates and migration to modern security protocols.