Vulnerability  ·  2026-04-26

Microsoft Entra Agent ID Administrator Role Allows Service Principal Hijacking

Vulnerability · High impact · Global
A scope overreach vulnerability in Microsoft's Entra Agent Identity Platform allowed accounts with the Agent ID Administrator role to hijack arbitrary service principals and escalate privileges across an entire tenant. The vulnerability arose because agent identities, built on standard application and service principal primitives, lacked proper scoping boundaries. An attacker with the Agent ID Administrator role could assign themselves as owner of any high-privileged service principal, generate new credentials, and authenticate as that application. If the compromised service principal held elevated directory roles or Graph API permissions, this provided a direct path to full tenant compromise.
An attacker with the Agent ID Administrator role uses owner-update actions to modify ownership of any service principal in the tenant, including those unrelated to agent identities. Once ownership is established, the attacker generates new credentials for the targeted service principal and authenticates as that application, inheriting all its permissions and directory roles.
This affects Microsoft Entra ID tenants using the Agent Identity Platform preview feature. Organizations with service principals holding elevated directory roles (Global Administrator, Cloud Application Administrator, Privileged Role Administrator) or high-impact Graph API permissions are at greatest risk.
Microsoft deployed a fix in April 2026 that prevents the Agent ID Administrator role from managing owners of non-agent service principals. Organizations should audit logs for suspicious events involving the addition of owners or credentials to service principals. Use the Azure CLI script provided by Silverfort to identify service principals with privileged directory roles and ensure appropriate monitoring is in place. Review and minimize the assignment of the Agent ID Administrator role.
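One way to run the audit described above, as an added example that is not Silverfort's script or Microsoft's code: it correlates an owner addition on a service principal with a credential addition on the same principal shortly afterwards. The records are constructed, shaped like Microsoft Graph directoryAudit entries; the two activity names are assumed to match those in your exported audit log, and the 24-hour window is an arbitrary choice.

```python
from datetime import datetime, timedelta

# Assumed activityDisplayName values in the exported Entra audit log.
OWNER_ADD = "Add owner to service principal"
CRED_ADD = "Add service principal credentials"

def ev(ts, activity, actor, sp_id, new_owner=None):
    """Build a constructed record in the shape of a Graph directoryAudit entry."""
    targets = [{"type": "ServicePrincipal", "id": sp_id}]
    if new_owner:
        targets.insert(0, {"type": "User", "userPrincipalName": new_owner})
    return {"activityDateTime": ts, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": targets}

# Constructed sample data, not real tenant logs; names and ids are placeholders.
SAMPLE_EVENTS = [
    ev("2026-04-02T09:14:00Z", OWNER_ADD, "agentadmin@contoso.example", "sp-1111", "agentadmin@contoso.example"),
    ev("2026-04-02T09:20:00Z", CRED_ADD, "agentadmin@contoso.example", "sp-1111"),
    ev("2026-04-03T11:00:00Z", OWNER_ADD, "helpdesk@contoso.example", "sp-2222", "alice@contoso.example"),
    ev("2026-04-05T08:00:00Z", CRED_ADD, "alice@contoso.example", "sp-3333"),
]

def _when(e):
    return datetime.fromisoformat(e["activityDateTime"].replace("Z", "+00:00"))

def _target(e, kind):
    # Pick the target by type; do not rely on the order of targetResources.
    return next((t for t in e.get("targetResources", []) if t.get("type") == kind), {})

def _actor(e):
    return (e.get("initiatedBy", {}).get("user") or {}).get("userPrincipalName")

def owner_then_credential(events, window=timedelta(hours=24)):
    """Flag service principals that gain an owner and then, within `window`,
    a credential added by that new owner or by whoever added the owner."""
    findings, ordered = [], sorted(events, key=_when)
    for i, own in enumerate(ordered):
        if own["activityDisplayName"] != OWNER_ADD:
            continue
        sp = _target(own, "ServicePrincipal").get("id")
        new_owner = _target(own, "User").get("userPrincipalName")
        for cred in ordered[i + 1:]:
            if _when(cred) - _when(own) > window:
                break
            if (cred["activityDisplayName"] == CRED_ADD and _actor(cred)
                    and _target(cred, "ServicePrincipal").get("id") == sp
                    and _actor(cred) in (new_owner, _actor(own))):
                findings.append({"service_principal": sp, "actor": _actor(cred),
                                 "self_assigned": new_owner == _actor(own),
                                 "owner_added": own["activityDateTime"],
                                 "credential_added": cred["activityDateTime"]})
    return findings
```

A finding with `self_assigned` set matches the pattern this advisory describes, where the initiator makes themselves the owner; triage those first, prioritizing service principals that hold privileged directory roles.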
Sources
Silverfort Security Research · CyberSecurityNews