Technical description
An administrative role in Microsoft Entra ID intended for managing AI agent identities was mis-scoped to allow privilege escalation and potential tenant takeover. The 'Agent ID Administrator' role, scoped to agent-related objects like blueprints and agent identities, could take ownership of unrelated service principals across the tenant. Users assigned to this role could effectively gain capabilities similar to the Application Administrator role, but without being scoped specifically to agent use cases. Microsoft has patched the vulnerability following disclosure by Silverfort researchers.
Attack vector
An attacker holding the Agent ID Administrator role could take ownership of service principals beyond agent-related identities. By taking ownership of high-privilege service principals, the attacker could escalate to tenant-wide Application Administrator capabilities, enabling lateral movement, persistence, and potential tenant compromise. The flaw stemmed from the growing deployment of agentic AI identities within enterprise identity systems, where the boundary between agent-scoped and tenant-scoped permissions was insufficiently enforced.
Affected systems
Microsoft Entra ID (formerly Azure AD) tenants using the Agent ID Administrator role for managing agentic AI identities and blueprints. Organizations deploying AI agents with Entra ID integration are affected.
Mitigation
Microsoft has patched the vulnerability. Organizations should verify that the Agent ID Administrator role is now correctly scoped to agent-related objects only. Review audit logs for any users assigned to this role and inspect service principal ownership changes during the exposure window. As agentic identities proliferate, implement least-privilege scoping for all agent-related administrative roles and regularly audit cross-tenant permission boundaries. Consider this a signal to review broader identity governance for non-human and agentic identities—many IAM platforms were not designed for high-velocity autonomous actors.
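The audit-log review described above, as an added example (not Silverfort's or Microsoft's code): it filters exported Entra directory-audit records for service-principal owner additions performed by role holders inside the exposure window. The record shape, the activity name 'Add owner to service principal', and the role-holder list are assumptions; the sample records are constructed.

```python
"""Hunt Entra ID directory-audit records for service-principal owner additions
made by Agent ID Administrator holders during the exposure window. Added
example, not Silverfort's or Microsoft's code; the activity name
'Add owner to service principal' and the field layout are assumptions."""
import json
from datetime import datetime

# Constructed: accounts that held the role during the exposure window.
AGENT_ID_ADMINS = {"agent-ops@contoso.example"}
# Constructed sample in the shape of Graph directoryAudits output (abridged).
AUDIT_LOG = json.loads("""[
 {"activityDateTime": "2024-06-01T10:00:00Z",
  "activityDisplayName": "Add owner to service principal",
  "initiatedBy": {"user": {"userPrincipalName": "agent-ops@contoso.example"}},
  "targetResources": [{"displayName": "billing-sync-sp", "type": "ServicePrincipal"}]},
 {"activityDateTime": "2024-06-01T11:00:00Z",
  "activityDisplayName": "Add owner to service principal",
  "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
  "targetResources": [{"displayName": "hr-agent-identity", "type": "ServicePrincipal"}]},
 {"activityDateTime": "2024-06-02T09:30:00Z",
  "activityDisplayName": "Update application",
  "initiatedBy": {"user": {"userPrincipalName": "agent-ops@contoso.example"}},
  "targetResources": [{"displayName": "agent-blueprint-1", "type": "Application"}]}
]""")

def _ts(iso):
    """Parse Graph's UTC timestamps ('...Z') into aware datetimes."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def suspicious_owner_grants(records, role_holders, window_start, window_end):
    """Return (time, actor, target) for every owner addition on a service
    principal made by a role holder between window_start and window_end."""
    holders = {h.lower() for h in role_holders}
    start, end = _ts(window_start), _ts(window_end)
    hits = []
    for rec in records:
        if rec.get("activityDisplayName") != "Add owner to service principal":
            continue
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "")
        if actor.lower() not in holders or not start <= _ts(rec["activityDateTime"]) <= end:
            continue
        for target in rec.get("targetResources", []):
            if target.get("type") == "ServicePrincipal":
                hits.append((rec["activityDateTime"], actor, target["displayName"]))
    return hits

if __name__ == "__main__":
    print(suspicious_owner_grants(AUDIT_LOG, AGENT_ID_ADMINS, "2024-05-01T00:00:00Z", "2024-07-01T00:00:00Z"))
```

Each hit on a non-agent service principal (here the constructed billing-sync-sp) is a candidate for manual review of whether the grant was legitimate and whether the owner still holds it.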