PROBABLYPWNED
Vulnerabilities | April 28, 2026 | 4 min read

Microsoft Entra ID Flaw Let Attackers Hijack Any Service Principal

Silverfort researchers discover Microsoft's AI agent management role could be abused to take over arbitrary service principals in Entra ID tenants. Microsoft patched the privilege escalation flaw on April 9.

Marcus Chen

A privileged role Microsoft created for managing AI agent identities could be exploited to hijack arbitrary service principals across an entire Entra ID tenant. Silverfort researchers disclosed the vulnerability after Microsoft quietly patched it on April 9, 2026.

The Agent ID Administrator role—introduced as part of Microsoft's push to support AI agents in enterprise environments—was supposed to be scoped narrowly to agent-related identities. Instead, it granted far broader permissions that enabled complete service principal takeover.

How the Attack Worked

Silverfort researcher Noa Ariel discovered that users assigned the Agent ID Administrator role could add themselves as owners of any service principal in the tenant, not just AI agent identities. Once established as an owner, the attacker could inject new credentials and authenticate as that service principal.

"That's full service principal takeover," Ariel explained. "In tenants where high-privileged service principals exist, it becomes a privilege escalation path."

The attack chain followed a predictable pattern:

  1. Attacker with Agent ID Administrator role enumerates service principals using Microsoft Graph API or Azure CLI
  2. Attacker identifies service principals with elevated permissions—particularly RoleManagement.ReadWrite.Directory or other high-impact Graph permissions
  3. Attacker uses the role to add themselves as owner of the target service principal
  4. Attacker injects new credentials (password or certificate) for the compromised identity
  5. Attacker authenticates as the service principal and inherits all its permissions

The vulnerability existed because Microsoft's permission model for the Agent ID Administrator role "was not strictly limited to agent-backed objects." The role could modify ownership for service principals it was never designed to manage.

Scope of Impact

Silverfort's research indicates about 99% of business Entra ID tenants have at least one privileged service principal. Many organizations use service principals for automation, CI/CD pipelines, and application integrations—often granting them broad permissions for convenience.

A compromised service principal with Global Administrator permissions would give an attacker complete control over the tenant. Even less privileged service principals could enable lateral movement, data exfiltration, or persistence mechanisms.

The vulnerability particularly threatens organizations that have adopted AI agent capabilities. These organizations are more likely to have provisioned the Agent ID Administrator role, creating the necessary precondition for exploitation.

This flaw adds to a pattern of identity management vulnerabilities we've tracked this year, where authentication and authorization systems fail to properly scope permissions.

Microsoft's Response

Microsoft rolled out fixes across all cloud environments on April 9, 2026—approximately six weeks after Silverfort's responsible disclosure on March 1. The patch prevents users with the Agent ID Administrator role from modifying ownership of non-agent service principals, returning a "Forbidden" error for such attempts.

Microsoft has not assigned a CVE to this vulnerability, treating it as a configuration issue rather than a software flaw. This is consistent with how cloud providers often handle identity and access management bugs—they can be patched server-side without customer action.

Detection and Mitigation

Organizations should audit their Entra ID environments for signs of exploitation during the vulnerable window:

  1. Review Agent ID Administrator role assignments - Identify all users who held this role since its introduction
  2. Audit service principal ownership changes - Look for unexpected owner additions between role introduction and April 9 patch
  3. Check for credential additions - Review password and certificate additions to privileged service principals
  4. Monitor for suspicious authentication - Look for service principal authentications from unexpected locations or applications
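A triage script for steps 2 and 3 above, added here as an example (it is not Silverfort's or Microsoft's tooling): it walks Entra audit-log records and pairs an owner addition performed by an Agent ID Administrator inside the vulnerable window with a later credential addition to the same service principal. The record layout follows the Graph directoryAudit shape and the two activity names are assumed to match what Entra logs for these operations; the records, the admin list and the window start date are constructed.

```python
from datetime import datetime, timezone

# Vulnerable window: role introduction (start date assumed) until Microsoft's fix on 2026-04-09.
WINDOW_START = datetime(2026, 1, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 9, tzinfo=timezone.utc)

# Audit activity names assumed to match what Entra records for these operations.
OWNER_ADD = "Add owner to service principal"
CRED_ADD = "Add service principal credentials"

# Constructed records shaped like Graph directoryAudit entries; not real tenant data.
AUDIT_LOG = [
    {"activityDateTime": "2026-03-12T09:00:00Z", "activityDisplayName": OWNER_ADD,
     "initiatedBy": {"user": {"userPrincipalName": "agentadmin@contoso.example"}},
     "targetResources": [{"displayName": "billing-automation-sp"}]},
    {"activityDateTime": "2026-03-12T09:05:00Z", "activityDisplayName": CRED_ADD,
     "initiatedBy": {"user": {"userPrincipalName": "agentadmin@contoso.example"}},
     "targetResources": [{"displayName": "billing-automation-sp"}]},
    {"activityDateTime": "2026-03-18T14:00:00Z", "activityDisplayName": CRED_ADD,
     "initiatedBy": {"user": {"userPrincipalName": "appowner@contoso.example"}},
     "targetResources": [{"displayName": "billing-automation-sp"}]},
    {"activityDateTime": "2026-04-20T10:00:00Z", "activityDisplayName": OWNER_ADD,
     "initiatedBy": {"user": {"userPrincipalName": "agentadmin@contoso.example"}},
     "targetResources": [{"displayName": "hr-sync-sp"}]},
]

def _when(rec):
    return datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))

def _actor(rec):
    return rec["initiatedBy"].get("user", {}).get("userPrincipalName", "")

def _target(rec):
    return rec["targetResources"][0]["displayName"]

def find_takeover_chains(records, agent_id_admins, start=WINDOW_START, end=WINDOW_END):
    """Return owner-add -> credential-add chains by Agent ID Administrators.
    The owner add must fall inside the vulnerable window; the credential add is
    matched at any later time, on the assumption that an ownership relation
    established before the fix is not undone by it."""
    owner_adds, chains = {}, []
    for rec in sorted(records, key=_when):
        t, actor, sp, act = _when(rec), _actor(rec), _target(rec), rec["activityDisplayName"]
        if actor not in agent_id_admins:
            continue  # only role holders could have used the flaw
        if act == OWNER_ADD and start <= t < end:
            owner_adds.setdefault((actor, sp), t)
        elif act == CRED_ADD and (actor, sp) in owner_adds:
            chains.append({"actor": actor, "servicePrincipal": sp,
                           "ownerAdded": owner_adds[(actor, sp)].isoformat(),
                           "credentialAdded": t.isoformat()})
    return chains
```

Feed it the exported audit log and the list of users who held the role; an owner add after April 9 (like the last constructed record) is ignored because the patch blocks that step.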

For organizations that detected suspicious activity, the compromised service principals should be rotated immediately. Simply removing attacker-added credentials is insufficient if the attacker established persistence through other means.

Why This Matters

Microsoft's AI agent infrastructure represents a new attack surface that security teams are still learning to monitor. The Agent ID Administrator role is just one component of Microsoft's broader Copilot and AI agent ecosystem, which introduces new privileged roles, API permissions, and identity types.

The vulnerability also highlights the recurring challenge of permission scope creep in cloud identity systems. Roles designed for narrow purposes often inherit broader permissions than intended, either through design oversight or implementation bugs.

This incident should prompt organizations to review all privileged role assignments in their Entra ID tenants—not just the Agent ID Administrator role. Microsoft's identity platform has grown increasingly complex, and misconfigured permissions remain one of the most common paths to cloud compromise.

Security teams managing Microsoft 365 or Azure environments should treat identity management as a critical control plane. When attackers compromise identity infrastructure, they gain persistent access that survives traditional incident response measures like endpoint reimaging.
