Technical description
Microsoft's Agent ID Administrator role, introduced as part of the Entra ID agent identity platform, suffered from a scope overreach vulnerability: users holding that role could take over arbitrary service principals, not only agent-related identities. An attacker could become owner of a high-privileged service principal, add credentials to it, and authenticate as that principal, effectively gaining tenant-wide control wherever the principal held privileged directory roles or high-impact Microsoft Graph permissions.
Attack vector
An attacker holding the Agent ID Administrator role grants themselves ownership of a target service principal (including non-agent principals), then adds their own credentials and authenticates as that principal. If the service principal holds elevated permissions, such as privileged directory roles or high-impact Microsoft Graph application permissions, the attacker inherits that broader tenant control. The flaw stemmed from improper scoping when a new identity type (AI agents) was built on top of the existing service principal primitives.
Affected systems
Microsoft Entra ID tenants using the Agent ID Administrator role introduced with the agent identity platform. Tenants with high-privileged service principals are at greatest risk for privilege escalation.
Mitigation
Microsoft patched the vulnerability across all cloud environments on April 9, 2026, following responsible disclosure by Silverfort on March 1, 2026. Post-patch, attempts to assign ownership of non-agent service principals using the Agent ID Administrator role are blocked with a 'Forbidden' error. Organizations should monitor use of roles that can change service principal ownership or credentials, track ownership changes on service principals, harden privileged service principals, and audit credential creation on service principals.
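To make the monitoring advice concrete, here is an added detection example (not Microsoft's or Silverfort's code) that scans constructed Entra audit records for service principal ownership and credential changes, rates them by whether the target is a non-agent or privileged principal, and flags the owner-then-credential sequence described above. The activity names, the simplified directoryAudits field layout, and the agent/privileged inventories are assumptions to be checked against your own tenant's export.

```python
import json

# Activity names are assumed to match Entra audit activityDisplayName values;
# confirm against your tenant's directoryAudits export before relying on them.
WATCHED = {
    "Add owner to service principal": "ownership_change",
    "Add service principal credentials": "credential_added",
}

# Constructed sample records in a simplified Graph directoryAudits shape.
SAMPLE_LOG = json.dumps([
    {"id": "1", "activityDisplayName": "Add owner to service principal",
     "initiatedBy": {"user": {"userPrincipalName": "agentadmin@contoso.example"}},
     "targetResources": [{"id": "sp-0001", "type": "ServicePrincipal"}]},
    {"id": "2", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "agentadmin@contoso.example"}},
     "targetResources": [{"id": "sp-0001", "type": "ServicePrincipal"}]},
    {"id": "3", "activityDisplayName": "Add owner to service principal",
     "initiatedBy": {"user": {"userPrincipalName": "agentadmin@contoso.example"}},
     "targetResources": [{"id": "agent-7", "type": "ServicePrincipal"}]},
    {"id": "4", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"id": "u-9", "type": "User"}]},
])


def triage(log_json, agent_sps, privileged_sps):
    """Return findings for SP ownership/credential events. Severity rises for
    non-agent targets and again for privileged ones; an actor who both adds
    ownership and credentials to one SP also raises a 'takeover_pattern'."""
    findings, seen = [], {}
    for ev in json.loads(log_json):
        kind = WATCHED.get(ev.get("activityDisplayName"))
        if kind is None:
            continue
        actor = ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
        for tgt in ev.get("targetResources", []):
            if tgt.get("type") != "ServicePrincipal":
                continue
            sp = tgt.get("id", "?")
            if sp in agent_sps:
                severity = "low"       # expected use of the agent platform
            elif sp in privileged_sps:
                severity = "high"      # non-agent SP holding elevated rights
            else:
                severity = "medium"    # non-agent SP, still outside role scope
            findings.append({"event": ev["id"], "actor": actor, "sp": sp,
                             "kind": kind, "severity": severity})
            kinds = seen.setdefault((actor, sp), set())
            kinds.add(kind)
            if kinds == set(WATCHED.values()):
                findings.append({"event": ev["id"], "actor": actor, "sp": sp,
                                 "kind": "takeover_pattern", "severity": "critical"})
    return findings
```

Feed it a real export by replacing SAMPLE_LOG with the JSON array returned from the directoryAudits endpoint and the two sets with your agent and privileged service principal inventories.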