Critical Microsoft Entra Agent ID Vulnerability Allows Complete Tenant Takeover Through Privilege Escalation
Key Findings
Silverfort researchers discovered a critical privilege escalation vulnerability in Microsoft Entra Agent ID that allowed tenant takeover through Service Principal hijacking
The Agent ID Administrator role had overly broad permissions, enabling attackers to modify any Application Service Principal instead of just agent-related objects
Attackers could inject credentials into high-privilege Service Principals and authenticate as them, gaining full tenant control
Because approximately 99% of business networks contain at least one privileged Service Principal, nearly every tenant with the role in use was exposed
Microsoft patched the flaw on April 9, 2026, restricting Agent ID Administrator permissions to agent-backed objects only
Background
Microsoft Entra Agent ID is an identity and authorization framework that gives AI agents their own digital identities, allowing them to log into systems and access resources similar to human users. To manage this environment, Microsoft created a directory role called Agent ID Administrator. However, the role was designed without proper scope limitations, creating a significant security gap that went undetected until researchers at Silverfort identified it in February 2026.
The Vulnerability
The Agent ID Administrator role was intended to manage agent-related objects such as Blueprints and Agent Identities. In practice it could modify nearly any Application Service Principal in the tenant. A Service Principal is the identity an application uses inside the tenant; whoever can add an owner or a credential to it can authenticate as that application, which amounts to identity theft for the application. Because these application identities frequently hold high-level permissions to move data or change tenant settings, compromising one lets an attacker control infrastructure while remaining hidden.
Attack Methodology
An attacker holding the Agent ID Administrator role first uses the Microsoft Graph API or the Azure CLI to enumerate Service Principals with elevated permissions, targeting those granted high-impact Graph application permissions such as RoleManagement.ReadWrite.Directory, which allows assigning directory roles including Global Administrator. Next, the attacker adds their own account as an owner of a chosen non-agent Service Principal; the role permitted this because its permissions were not restricted to agent-backed objects. As an owner, the attacker injects a credential (a new client secret or certificate) into the Service Principal, authenticates with that credential, and inherits every permission the Service Principal holds, up to full tenant control. Silverfort's researchers demonstrated the chain by taking over a Global Administrator account starting from nothing more than the Agent ID Administrator role.
Security Impact and Scope
The vulnerability posed widespread risk because approximately 99% of business networks contain at least one privileged Service Principal. While the Agent ID Administrator role is relatively new, over half of companies studied already deploy agent identities, with some running more than 100 active agents simultaneously. This created a dangerous mismatch between the role's intended scope and its actual capabilities, putting massive numbers of organizations at potential risk.
Response Timeline and Remediation
Silverfort discovered the flaw on February 24, 2026, and reported it to the Microsoft Security Response Center on March 1. Microsoft confirmed the vulnerability on March 26 and deployed a complete fix across all cloud environments by April 9. The patch prevents the Agent ID Administrator role from managing owners of regular, non-agent Service Principals. Organizations are advised to review their Entra audit logs (the AuditLogs table) for owner additions or new secrets and certificates on sensitive Service Principals, with particular attention to changes initiated by holders of the Agent ID Administrator role.
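The enumeration step described under Attack Methodology and the audit review recommended above operate on the same data: the tenant's Service Principals, the Graph application permissions assigned to them, their directory role memberships, and the directory audit log. The following Python is an added example, not code from the article or from Silverfort. It builds the privileged inventory and then flags owner or credential additions against those principals, entirely offline against constructed sample data laid out in the shape of the Graph servicePrincipal, appRoleAssignment, directoryRole and directoryAudit resources. The object ids, display names and audit entries are made up; the permission and role sets beyond RoleManagement.ReadWrite.Directory, and the two audit activity names, are this example's assumptions about what to watch for.

```python
"""Inventory privileged Service Principals and flag owner/credential changes
against them. Sample data is constructed (Graph-shaped, placeholder ids);
replace the constants with real API responses to run it against a tenant."""

# Graph application permissions that allow changing directory roles or role
# assignments. RoleManagement.ReadWrite.Directory is the one the article names;
# the other two are this example's additions.
HIGH_IMPACT_APP_ROLES = {
    "RoleManagement.ReadWrite.Directory",
    "Directory.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
}
# Directory roles whose members can take over the tenant outright (assumed set).
HIGH_IMPACT_DIRECTORY_ROLES = {"Global Administrator", "Privileged Role Administrator"}
# activityDisplayName values written when an owner or a credential is added to
# a Service Principal (assumed names to match against).
SENSITIVE_ACTIVITIES = {"Add owner to service principal", "Add service principal credentials"}

# --- constructed sample data; ids are placeholders, not real tenant objects ---
GRAPH_SP = {  # the Microsoft Graph resource Service Principal; appRoles map id -> permission
    "id": "graph-sp",
    "appId": "00000003-0000-0000-c000-000000000000",  # well-known Microsoft Graph appId
    "appRoles": [
        {"id": "role-rolemgmt", "value": "RoleManagement.ReadWrite.Directory"},
        {"id": "role-userread", "value": "User.Read.All"},
    ],
}
# appRoleAssignments granted TO each Service Principal (principalId is the grantee)
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-sync", "resourceId": "graph-sp", "appRoleId": "role-rolemgmt"},
    {"principalId": "sp-report", "resourceId": "graph-sp", "appRoleId": "role-userread"},
]
# directoryRole members reduced to object ids
DIRECTORY_ROLE_MEMBERS = [{"displayName": "Global Administrator", "members": ["sp-breakglass"]}]
# directoryAudit entries (constructed): two suspicious changes on sp-sync by the
# Agent ID Administrator, one app-initiated secret on the GA principal, and noise.
AUDIT_EVENTS = [
    {"activityDateTime": "2026-03-02T10:14:00Z", "activityDisplayName": "Add owner to service principal",
     "initiatedBy": {"user": {"userPrincipalName": "agentadmin@contoso.example"}},
     "targetResources": [{"id": "sp-sync", "type": "ServicePrincipal", "displayName": "Tenant Sync App"}]},
    {"activityDateTime": "2026-03-02T10:16:30Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "agentadmin@contoso.example"}},
     "targetResources": [{"id": "sp-sync", "type": "ServicePrincipal", "displayName": "Tenant Sync App"}]},
    {"activityDateTime": "2026-03-02T09:00:00Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "ops@contoso.example"}},
     "targetResources": [{"id": "sp-report", "type": "ServicePrincipal", "displayName": "Reporting App"}]},
    {"activityDateTime": "2026-03-02T11:00:00Z", "activityDisplayName": "Add owner to service principal",
     "initiatedBy": {"user": {"userPrincipalName": "agentadmin@contoso.example"}},
     "targetResources": [{"id": "sp-agent", "type": "ServicePrincipal", "displayName": "Helpdesk Agent"}]},
    {"activityDateTime": "2026-03-02T12:00:00Z", "activityDisplayName": "Update service principal",
     "initiatedBy": {"user": {"userPrincipalName": "agentadmin@contoso.example"}},
     "targetResources": [{"id": "sp-sync", "type": "ServicePrincipal", "displayName": "Tenant Sync App"}]},
    {"activityDateTime": "2026-03-01T08:30:00Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"app": {"displayName": "Deploy Pipeline"}},
     "targetResources": [{"id": "sp-breakglass", "type": "ServicePrincipal", "displayName": "Automation (GA)"}]},
]


def privileged_service_principals(graph_sp, assignments, role_members):
    """Return {sp id: sorted reasons} for every SP holding a high-impact Graph
    app role or a high-impact directory role (the attacker's target list)."""
    role_names = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    reasons = {}
    for a in assignments:
        if a["resourceId"] != graph_sp["id"]:
            continue  # only Graph permissions are classified here
        perm = role_names.get(a["appRoleId"])
        if perm in HIGH_IMPACT_APP_ROLES:
            reasons.setdefault(a["principalId"], set()).add(f"app role {perm}")
    for role in role_members:
        if role["displayName"] in HIGH_IMPACT_DIRECTORY_ROLES:
            for member in role["members"]:
                reasons.setdefault(member, set()).add(f"directory role {role['displayName']}")
    return {sp: sorted(r) for sp, r in reasons.items()}


def _actor(event):
    """initiatedBy carries either a user or an app; report whichever is present."""
    who = event.get("initiatedBy") or {}
    if who.get("user"):
        return who["user"].get("userPrincipalName", "<unknown user>")
    if who.get("app"):
        return who["app"].get("displayName", "<unknown app>")
    return "<unknown>"


def flag_sensitive_changes(audit_events, privileged):
    """Return owner/credential additions whose target is a privileged SP, oldest first."""
    findings = []
    for ev in audit_events:
        if ev.get("activityDisplayName") not in SENSITIVE_ACTIVITIES:
            continue
        for target in ev.get("targetResources", []):
            if target.get("type") == "ServicePrincipal" and target.get("id") in privileged:
                findings.append({"when": ev["activityDateTime"], "actor": _actor(ev),
                                 "activity": ev["activityDisplayName"], "target": target["id"],
                                 "target_name": target.get("displayName"), "why": privileged[target["id"]]})
    return sorted(findings, key=lambda f: f["when"])  # ISO-8601 UTC strings sort chronologically


if __name__ == "__main__":
    priv = privileged_service_principals(GRAPH_SP, APP_ROLE_ASSIGNMENTS, DIRECTORY_ROLE_MEMBERS)
    for f in flag_sensitive_changes(AUDIT_EVENTS, priv):
        print(f"{f['when']} {f['actor']}: {f['activity']} on {f['target_name']} ({'; '.join(f['why'])})")
```

The classification is deliberately conservative: owner additions on the agent-backed Helpdesk Agent principal, and credential additions on principals with only read permissions, are left out so that the review focuses on the changes that would actually complete the escalation chain. Widening HIGH_IMPACT_APP_ROLES (for example to Application.ReadWrite.All) is the usual next step once the obvious hits are triaged.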
Sources
https://hackread.com/microsoft-entra-agent-id-flaw-tenant-takeover/
https://x.com/HackRead/status/2048484885405323610
https://news.backbox.org/2026/04/26/microsoft-entra-agent-id-flaw-enabled-tenant-takeover-via-privilege-escalation/