Microsoft fixes Entra ID role flaw that could let users take over service principals

A flaw in Microsoft Entra ID let users with only the Agent ID Administrator role take over non-agent service principals and add credentials for them, according to a technical analysis from Silverfort. The company said Microsoft fixed the issue across all clouds after disclosure to its security response team.

KEY FACTS

  • Role scope: The Agent ID Administrator role was meant to manage agent-related objects.
  • Impact: The flaw could allow takeover of arbitrary service principals in a tenant.
  • Fix: Microsoft blocked the role from changing owners of non-agent service principals.
  • Risk: Takeover of a privileged service principal could create privilege escalation.

The report said the role could add itself or other principals as owners of service principals beyond agent identities, then add secrets or certificates and authenticate as those applications. It said the same behavior was not seen for applications, which suggests the issue was limited to the service principal surface.

Microsoft’s Entra Agent ID platform is designed to give AI agents their own identities, with new object types including blueprints, agent identities and agent users. The report said the Agent ID Administrator role was documented as agent-focused, but in practice it could manage ownership on broader service principal objects before the fix.

The company said the bug could matter most in tenants where service principals hold elevated rights, including directory roles or high-impact Microsoft Graph permissions. It said about 99% of tenants it examined had at least one privileged service principal, while more than half used agent identities.
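The two-step pattern the report describes (an owner is added to a non-agent service principal, then a credential is added to it) leaves a trail in Entra audit logs, and the tenants the report singles out are the ones where that target holds elevated rights. The following added example, which is not from Silverfort or Microsoft, is a detection sketch in Python over constructed audit records: it correlates an owner-add followed by a credential-add on the same service principal by the same actor, skips agent identities the role is meant to manage, and raises severity when the target is in a privileged-service-principal inventory. The activity names and record shape are assumptions that loosely follow the Entra audit log export; the sample records, identifiers and inventories are constructed, and the role-assignment data needed to narrow findings to Agent ID Administrator holders is not included.

```python
"""Detection sketch: owner-add followed by credential-add on a non-agent service principal."""
from datetime import datetime, timedelta

# Audit activity names as assumed here; confirm the spelling against your own tenant export.
ADD_OWNER = "Add owner to service principal"
ADD_CREDENTIAL = "Add service principal credentials"

# Constructed sample audit records (not real tenant data). The shape loosely follows
# the Entra audit log schema: activityDateTime, activityDisplayName,
# initiatedBy.user.userPrincipalName, targetResources[].id / .type.
SAMPLE_AUDIT_LOG = [
    # Suspicious: owner added to an ordinary automation SP, then a secret added minutes later
    {"activityDateTime": "2026-03-01T10:00:00Z", "activityDisplayName": ADD_OWNER,
     "initiatedBy": {"user": {"userPrincipalName": "agentadmin@example.test"}},
     "targetResources": [{"id": "sp-automation-0001", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2026-03-01T10:04:00Z", "activityDisplayName": ADD_CREDENTIAL,
     "initiatedBy": {"user": {"userPrincipalName": "agentadmin@example.test"}},
     "targetResources": [{"id": "sp-automation-0001", "type": "ServicePrincipal"}]},
    # Expected: same pattern against an agent identity the role exists to manage
    {"activityDateTime": "2026-03-01T11:00:00Z", "activityDisplayName": ADD_OWNER,
     "initiatedBy": {"user": {"userPrincipalName": "agentadmin@example.test"}},
     "targetResources": [{"id": "agent-sp-7777", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2026-03-01T11:01:00Z", "activityDisplayName": ADD_CREDENTIAL,
     "initiatedBy": {"user": {"userPrincipalName": "agentadmin@example.test"}},
     "targetResources": [{"id": "agent-sp-7777", "type": "ServicePrincipal"}]},
    # Out of scope for this rule: credential added without a preceding ownership change
    {"activityDateTime": "2026-03-01T12:00:00Z", "activityDisplayName": ADD_CREDENTIAL,
     "initiatedBy": {"user": {"userPrincipalName": "appowner@example.test"}},
     "targetResources": [{"id": "sp-billing-0002", "type": "ServicePrincipal"}]},
]

# Constructed inventories. In practice these come from the tenant's own review:
# which SPs are agent identities, and which hold directory roles or high-impact
# Microsoft Graph permissions.
AGENT_IDENTITY_IDS = {"agent-sp-7777"}
PRIVILEGED_SP_IDS = {"sp-automation-0001"}


def _ts(rec):
    return datetime.strptime(rec["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(rec):
    return rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")


def _target_sp_ids(rec):
    return [t["id"] for t in rec.get("targetResources", []) if t.get("type") == "ServicePrincipal"]


def find_owner_then_credential(records, agent_ids, privileged_ids, window=timedelta(hours=24)):
    """Return findings where one actor adds an owner to a non-agent service principal
    and then adds a credential to the same service principal within `window`."""
    first_owner_add = {}  # (actor, target) -> time of earliest owner-add
    findings = []
    for rec in sorted(records, key=_ts):
        actor = _actor(rec)
        for target in _target_sp_ids(rec):
            key = (actor, target)
            if rec["activityDisplayName"] == ADD_OWNER:
                first_owner_add.setdefault(key, _ts(rec))
            elif rec["activityDisplayName"] == ADD_CREDENTIAL and key in first_owner_add:
                if target in agent_ids:
                    continue  # agent identities are the role's intended scope
                if _ts(rec) - first_owner_add[key] <= window:
                    findings.append({
                        "actor": actor,
                        "target": target,
                        "owner_added": first_owner_add[key].isoformat(),
                        "credential_added": _ts(rec).isoformat(),
                        "severity": "high" if target in privileged_ids else "medium",
                    })
    return findings


if __name__ == "__main__":
    for f in find_owner_then_credential(SAMPLE_AUDIT_LOG, AGENT_IDENTITY_IDS, PRIVILEGED_SP_IDS):
        print(f)
```

On the sample data only the automation service principal is flagged, at high severity because it is in the privileged inventory; the agent identity is skipped and the lone credential-add is ignored. To use this against real exports, feed the rule the tenant's agent-identity and privileged-service-principal lists and, if role assignments are available, filter actors down to those whose only relevant role is Agent ID Administrator.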

Silverfort said it disclosed the issue to Microsoft Security Response Center on March 1 and that Microsoft confirmed the behavior later that month. The report said the problem was no longer reproducible after a fix reached pre-release stage in early April and that the fix had fully rolled out by April 9.

WHY IT MATTERS

The case shows how a role built for new AI agent controls could reach older identity objects if scoping is not strict enough. In environments that rely on privileged service principals for automation or administration, ownership changes can become a route to broader access.