Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover
Summary
Microsoft patched a vulnerability in the Entra ID "Agent ID Administrator" role that allowed unauthorized service principal takeover. Users assigned this role could make themselves owners of arbitrary service principals in the tenant, add their own credentials to those principals, and authenticate as them, a privilege escalation path within the tenant.
Key Points
- The "Agent ID Administrator" is a built-in role designed to manage the identity lifecycle of AI agents, including authentication, resource access, and discovery.
- The vulnerability allowed users with this role to take ownership of arbitrary service principals and add their own credentials to authenticate as those principals.
- Microsoft deployed a remediation patch across all cloud environments on April 9, 2026.
- Following the patch, any attempt to use the Agent ID Administrator role to claim ownership of non-agent service principals results in a "Forbidden" error.
- Taking over a service principal that holds high-impact Microsoft Graph application permissions or a privileged directory role gave the attacker that principal's privileges, turning the flaw into a tenant-wide privilege escalation path.
Technical Details
The vulnerability originated from a lack of strict scoping within the "Agent ID Administrator" role. While the role was intended to manage the identity lifecycle for AI agents, it lacked the boundaries needed to keep it from acting on the broader service principal ecosystem: a user assigned this role could modify the owners of any service principal in the tenant, not only those backing AI agents. Ownership of a service principal permits adding credentials to it, so once ownership was established the attacker could add a new client secret or certificate to the target principal and authenticate as it, effectively hijacking the identity.
This mechanism allowed for full service principal takeover. If the targeted service principal possessed elevated permissions, such as high-impact Graph app permissions or privileged directory roles, the attacker could extend their control across the entire tenant. The remediation implemented by Microsoft ensures that the role's permissions are strictly limited to agent-related identities, blocking any unauthorized ownership changes to other service principals.
Impact / Why It Matters
This vulnerability highlights the privilege escalation risk that arises when a new identity type is built on top of an existing identity primitive without strict scoping: a role meant for one subset of service principals inherited the ability to act on all of them. Organizations should monitor the Entra audit log for service principal ownership changes ("Add owner to service principal") and credential additions ("Add service principal credentials"), in particular when one actor performs both on the same principal within a short window. Narrowing the role's scope does not by itself remove owners or credentials that were added while the flaw was open, so owners and credentials on privileged service principals should also be reviewed for additions made before the patch.
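The takeover chain described in Technical Details (owner added, then credentials added to the same service principal) is exactly what the monitoring recommendation above should look for. The following detection script is an added example, not code from Microsoft or from the original article. It correlates Entra audit-log records in the shape of Microsoft Graph directoryAudit objects (auditLogs/directoryAudits) and flags a credential addition that follows an ownership change on the same principal, noting whether a single actor did both and whether the actor added themselves as owner. The sample records are constructed for the example; it assumes the owner-add record lists the service principal as a target of type "ServicePrincipal" and the added owner as a target of type "User", and the 24-hour correlation window is an arbitrary choice.

```python
"""Detect the owner-add then credential-add takeover chain in Entra audit-log
records shaped like Graph directoryAudit objects. Sample data is constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Activity names as they appear in the Entra audit log for the two steps.
OWNER_ADDED = "Add owner to service principal"
CREDS_ADDED = "Add service principal credentials"
# Assumption: an owner-add followed by a credential-add within this window is one chain.
WINDOW = timedelta(hours=24)

# Constructed sample records, not real tenant data.
SAMPLE_AUDIT_JSON = """[
 {"activityDateTime": "2026-04-08T10:00:00Z", "result": "success",
  "activityDisplayName": "Add owner to service principal",
  "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
  "targetResources": [
   {"id": "sp-1111", "displayName": "Graph Automation", "type": "ServicePrincipal"},
   {"id": "u-alice", "userPrincipalName": "alice@contoso.example", "type": "User"}]},
 {"activityDateTime": "2026-04-08T10:07:00Z", "result": "success",
  "activityDisplayName": "Add service principal credentials",
  "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
  "targetResources": [
   {"id": "sp-1111", "displayName": "Graph Automation", "type": "ServicePrincipal"}]},
 {"activityDateTime": "2026-04-08T11:00:00Z", "result": "success",
  "activityDisplayName": "Add owner to service principal",
  "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
  "targetResources": [
   {"id": "sp-2222", "displayName": "Build Agent", "type": "ServicePrincipal"},
   {"id": "u-dave", "userPrincipalName": "dave@contoso.example", "type": "User"}]},
 {"activityDateTime": "2026-04-08T12:00:00Z", "result": "success",
  "activityDisplayName": "Add service principal credentials",
  "initiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}},
  "targetResources": [
   {"id": "sp-3333", "displayName": "Backup Job", "type": "ServicePrincipal"}]}
]"""


def parse_records(raw):
    """Parse a JSON array of directoryAudit records and sort them by time."""
    records = json.loads(raw)
    for rec in records:
        rec["_ts"] = datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))
    return sorted(records, key=lambda r: r["_ts"])


def actor_of(rec):
    """UPN of the initiating user, or the app name for app-initiated actions."""
    by = rec.get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def target_sp(rec):
    """(id, displayName) of the ServicePrincipal target, or (None, None)."""
    for t in rec.get("targetResources") or []:
        if t.get("type") == "ServicePrincipal":
            return t.get("id"), t.get("displayName")
    return None, None


def find_takeover_chains(records, window=WINDOW):
    """One finding per (owner-add, credential-add) pair on the same principal
    inside the window; flags same-actor and self-grant (actor added themselves)."""
    owner_adds = defaultdict(list)  # sp_id -> [(ts, actor, added_owner_upn)]
    findings = []
    for rec in records:
        if rec.get("result") != "success":
            continue
        sp_id, sp_name = target_sp(rec)
        if sp_id is None:
            continue
        actor, activity = actor_of(rec), rec.get("activityDisplayName")
        if activity == OWNER_ADDED:
            added = [t.get("userPrincipalName") for t in rec["targetResources"]
                     if t.get("type") == "User"]
            owner_adds[sp_id].append((rec["_ts"], actor, added[0] if added else None))
        elif activity == CREDS_ADDED:
            for owner_ts, owner_actor, added_owner in owner_adds[sp_id]:
                gap = rec["_ts"] - owner_ts
                if timedelta(0) <= gap <= window:
                    findings.append({
                        "sp_id": sp_id, "sp_name": sp_name,
                        "owner_actor": owner_actor, "cred_actor": actor,
                        "same_actor": owner_actor == actor,
                        "self_granted": added_owner == owner_actor,
                        "minutes_between": gap.total_seconds() / 60,
                    })
    return findings


if __name__ == "__main__":
    for f in find_takeover_chains(parse_records(SAMPLE_AUDIT_JSON)):
        print(f"ALERT {f['sp_name']} ({f['sp_id']}): owner added by {f['owner_actor']}, "
              f"credentials added by {f['cred_actor']} {f['minutes_between']:.0f} min later "
              f"(same actor: {f['same_actor']}, self-grant: {f['self_granted']})")
```

Run against the constructed records, only "Graph Automation" is flagged: alice added herself as owner and added credentials seven minutes later, while bob's owner change (no credential follow-up) and carol's credential rotation (no prior owner change) stay quiet. To use it on real data, export the two activity types from the audit log for the period before the April 9, 2026 patch and feed the JSON array to parse_records; a same-actor, self-grant finding on a principal with high-impact Graph permissions or a privileged directory role is the case to treat as a probable takeover.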