Microsoft patches critical Entra ID flaw CVE-2025-55241 (CVSS 10.0) that enabled cross-tenant impersonation

A critical vulnerability in Microsoft Entra ID (formerly Azure Active Directory) could enable attackers to impersonate any user across tenants, including Global Administrators, according to researchers. The flaw is tracked as CVE-2025-55241 and carries the maximum CVSS score of 10.0. Microsoft said the issue has been patched and requires no customer action.

Security researcher Dirk-jan Mollema reported the vulnerability to Microsoft on July 14, 2025, noting that it could have been used to compromise every Entra ID tenant worldwide, with the possible exception of national cloud deployments.

The root cause, according to researchers, is a combination of two things: service-to-service (S2S) "actor tokens", which the Access Control Service issues to Microsoft's own first-party services so they can act on behalf of users when calling other services, and a flaw in the legacy Azure AD Graph API (graph.windows.net), which accepted such a token without checking that the tenant it named matched the tenant the actor token had been issued for. An actor token obtained in one tenant could therefore be used to impersonate any user, including Global Administrators, in any other tenant.

Because actor tokens are not subject to the target tenant's Conditional Access policies (the token is never requested from that tenant, so its Entra ID sign-in logs record nothing), a misused Azure AD Graph token could read directory data, alter user accounts, grant additional permissions, or reach into any service that relies on Entra ID for authorization, including SharePoint Online and Exchange Online. Azure AD Graph also lacked API-level logging, so much of the abuse would leave no trace for defenders to review.

Microsoft patched the flaw on July 17, 2025, and said no customer action was required. The finding has renewed pressure to move off Azure AD Graph, with Microsoft urging developers to migrate to Microsoft Graph, its replacement.

Security firm Mitiga warned that exploitation of CVE-2025-55241 could bypass MFA, Conditional Access and logging, leaving little trace of an incident, and attributed the flaw to the legacy API's failure to validate which tenant a token originated from.
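To make the missing check concrete, here is an added toy model of the validation flaw described above (the actor-token mechanism, the Conditional Access bypass and Mitiga's tenant-source point). It is not Microsoft's code and not the real token format: the claim names (`actortoken`, `tid`, `netid`), the HMAC "signature", the signing key and the tenant IDs are all constructed for the illustration. What it does reproduce is the shape of the bug: the inner actor token is properly signed and verified, but the outer impersonation token that names the tenant and user is unsigned and, in the vulnerable path, trusted without being compared against the tenant the actor token was issued for.

```python
"""Toy model of the CVE-2025-55241 token-validation flaw (constructed example)."""
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the Access Control Service (ACS) signing key.
ACS_SIGNING_KEY = b"constructed-acs-signing-key-not-real"
ATTACKER_TENANT = "11111111-1111-1111-1111-111111111111"  # constructed tenant IDs
VICTIM_TENANT = "22222222-2222-2222-2222-222222222222"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_actor_token(service_app_id: str, tenant_id: str) -> str:
    """ACS issues a signed actor token to a first-party service, bound to ONE tenant.

    Claim names are assumptions for the model, not the real token schema.
    """
    payload = json.dumps(
        {"app": service_app_id, "tid": tenant_id, "aud": "https://graph.windows.net"},
        sort_keys=True,
    ).encode()
    sig = hmac.new(ACS_SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_actor_token(token: str) -> dict:
    """Check the ACS signature and return the actor token's claims."""
    payload_b64, sig_b64 = token.split(".")
    payload = _unb64(payload_b64)
    expected = hmac.new(ACS_SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise ValueError("actor token signature invalid")
    return json.loads(payload)


def build_impersonation_token(actor_token: str, tenant_id: str, net_id: str) -> str:
    """The caller wraps the actor token in an UNSIGNED token naming who to impersonate.

    Nothing stops the caller from writing any tenant ID or user identifier here;
    the resource API has to decide how much of it to trust.
    """
    wrapper = {"actortoken": actor_token, "tid": tenant_id, "netid": net_id}
    return _b64(json.dumps(wrapper, sort_keys=True).encode())


def validate_vulnerable(impersonation_token: str) -> dict:
    """Legacy behaviour as described in the writeups: once the inner actor token
    verifies, the unsigned tid/netid are trusted as-is."""
    wrapper = json.loads(_unb64(impersonation_token))
    actor = verify_actor_token(wrapper["actortoken"])
    # BUG: wrapper["tid"] is never compared with actor["tid"].
    return {"tenant": wrapper["tid"], "netid": wrapper["netid"], "via_app": actor["app"]}


def validate_hardened(impersonation_token: str) -> dict:
    """Same flow with the missing check: the impersonated tenant must be the one the
    actor token was issued for. Impersonating users inside that tenant is still
    allowed; that is what actor tokens exist for."""
    wrapper = json.loads(_unb64(impersonation_token))
    actor = verify_actor_token(wrapper["actortoken"])
    if wrapper["tid"] != actor["tid"]:
        raise PermissionError("impersonation tenant does not match actor token tenant")
    return {"tenant": wrapper["tid"], "netid": wrapper["netid"], "via_app": actor["app"]}


def hardened_accepts(impersonation_token: str) -> bool:
    """True if the hardened validator accepts the token, False if it rejects it."""
    try:
        validate_hardened(impersonation_token)
        return True
    except PermissionError:
        return False


def forged_cross_tenant_token() -> str:
    """An attacker holding an actor token for ATTACKER_TENANT forges a token that
    claims to be a Global Administrator (constructed netid) in VICTIM_TENANT."""
    actor = issue_actor_token("first-party-service", ATTACKER_TENANT)
    return build_impersonation_token(actor, VICTIM_TENANT, "victim-global-admin-netid")


if __name__ == "__main__":
    forged = forged_cross_tenant_token()
    print("vulnerable validator sees:", validate_vulnerable(forged))
    print("hardened validator accepts forged token:", hardened_accepts(forged))
```

The vulnerable path returns an identity in the victim tenant even though the only cryptographically verified fact is that some first-party service holds a token for the attacker's tenant; the hardened path rejects the same token with one comparison. Note what the fix does not do: a genuine first-party service can still impersonate users in the tenant its actor token was issued for, which is the intended design and why the research drew attention to actor tokens bypassing Conditional Access and logging in the first place.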

The Azure AD Graph API has since been retired, effective August 31, 2025, and Microsoft is urging developers to migrate to Microsoft Graph. Applications that still depend on Azure AD Graph are expected to lose access from early September 2025.
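The first step of that migration is finding out which applications in a tenant still obtain tokens for Azure AD Graph. The following added example (not from the article or from Microsoft) does that over an exported Entra sign-in log: every Entra tenant exposes Azure AD Graph as the "Windows Azure Active Directory" resource with the well-known ID 00000002-0000-0000-c000-000000000000 (Microsoft Graph is 00000003-0000-0000-c000-000000000000), so grouping sign-ins by that resourceId gives an inventory of the callers that need attention. The log records below are constructed; the field names (appId, appDisplayName, resourceId, resourceDisplayName, createdDateTime) follow the sign-in log export.

```python
"""Inventory apps still acquiring Azure AD Graph tokens from an Entra sign-in log export."""
import json

# Well-known resource (service principal) IDs present in every Entra tenant.
AZURE_AD_GRAPH_RESOURCE_ID = "00000002-0000-0000-c000-000000000000"  # Windows Azure Active Directory
MICROSOFT_GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph

# Constructed sample shaped like an Entra sign-in log export; only the fields used
# below are included. App IDs and names are made up for the example.
SAMPLE_SIGNIN_LOGS = json.dumps([
    {"createdDateTime": "2025-08-20T08:01:11Z", "appId": "aaaaaaaa-0000-0000-0000-000000000001",
     "appDisplayName": "HR Directory Sync", "resourceId": AZURE_AD_GRAPH_RESOURCE_ID,
     "resourceDisplayName": "Windows Azure Active Directory"},
    {"createdDateTime": "2025-08-21T08:01:09Z", "appId": "aaaaaaaa-0000-0000-0000-000000000001",
     "appDisplayName": "HR Directory Sync", "resourceId": AZURE_AD_GRAPH_RESOURCE_ID,
     "resourceDisplayName": "Windows Azure Active Directory"},
    # Same app, partially migrated: this call already goes to Microsoft Graph.
    {"createdDateTime": "2025-08-21T08:02:00Z", "appId": "aaaaaaaa-0000-0000-0000-000000000001",
     "appDisplayName": "HR Directory Sync", "resourceId": MICROSOFT_GRAPH_RESOURCE_ID,
     "resourceDisplayName": "Microsoft Graph"},
    {"createdDateTime": "2025-08-21T09:30:45Z", "appId": "bbbbbbbb-0000-0000-0000-000000000002",
     "appDisplayName": "Expense Portal", "resourceId": MICROSOFT_GRAPH_RESOURCE_ID,
     "resourceDisplayName": "Microsoft Graph"},
    {"createdDateTime": "2025-08-19T17:45:30Z", "appId": "cccccccc-0000-0000-0000-000000000003",
     "appDisplayName": "Legacy Provisioning Script", "resourceId": AZURE_AD_GRAPH_RESOURCE_ID,
     "resourceDisplayName": "Windows Azure Active Directory"},
])


def find_azure_ad_graph_callers(records: list) -> dict:
    """Group sign-ins that obtained a token for Azure AD Graph by calling application.

    Returns {appId: {"displayName": str, "calls": int, "lastSeen": str}}. The
    timestamps are ISO-8601 UTC strings, so string comparison orders them correctly.
    """
    callers = {}
    for rec in records:
        if rec.get("resourceId") != AZURE_AD_GRAPH_RESOURCE_ID:
            continue
        entry = callers.setdefault(
            rec["appId"],
            {"displayName": rec.get("appDisplayName", ""), "calls": 0, "lastSeen": ""},
        )
        entry["calls"] += 1
        entry["lastSeen"] = max(entry["lastSeen"], rec.get("createdDateTime", ""))
    return callers


def report(json_text: str) -> list:
    """One line per app still acquiring Azure AD Graph tokens, busiest first."""
    callers = find_azure_ad_graph_callers(json.loads(json_text))
    lines = []
    for app_id, info in sorted(callers.items(), key=lambda kv: (-kv[1]["calls"], kv[0])):
        lines.append(
            f'{info["displayName"]} ({app_id}): {info["calls"]} Azure AD Graph token(s), '
            f'last seen {info["lastSeen"]}'
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SIGNIN_LOGS):
        print(line)
```

On a real tenant the same filter can be applied in the portal's sign-in logs (filter on the resource "Windows Azure Active Directory"), including the service-principal sign-in category so that daemon and script identities are not missed. Two caveats: sign-in logs record that a token for Azure AD Graph was issued, not what the token was then used for, which is the same logging gap the article points out for the API itself; and an app that appears under both resource IDs, like the constructed "HR Directory Sync" above, is only partially migrated and still needs work.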

Beyond Entra ID, cloud-security researchers have highlighted related cross-tenant weaknesses in cloud connectors and API management. Cloud-security firm Binary Security, for example, warned that an API Management (APIM) instance used behind SaaS connectors could be invoked directly through Azure Resource Manager to obtain cross-tenant access, potentially exposing keys and other resources.

The broader report also notes misconfigurations and weaknesses in OAuth flows, OneDrive Known Folder Move, and SSRF chains that could expose cloud credentials and permissions across providers.