A serious vulnerability was found in the Microsoft Entra Agent Identity Platform. This issue arose from the new Agent ID Administrator role, which allowed users to take control of service principals and gain unauthorized access across the entire system.
Microsoft addressed this vulnerability with a patch released in April 2026, fixing the issue across all cloud environments.
The Microsoft Entra Agent Identity Platform is a platform for giving AI agents their own identities in Entra. The Agent ID Administrator role was meant to grant control over those agent identities only. However, the role's permissions were broader than intended: it could manage directory objects beyond the agent-related ones.
Researchers from Silverfort discovered that an administrator could change the owner of any service principal, not just the agent identities. This means a user with this role could claim ownership of a powerful service principal, creating the potential for major security breaches.
Once in charge of the service principal, an attacker could create new credentials to access sensitive data or operations. If the targeted service principal had high-level permissions, it could lead to complete takeover of the system.
As noted by Silverfort, organizations should seek out service principals with admin-level roles and ensure they are properly secured. A useful way to do this is through the Azure CLI, which provides tools to check for vulnerable configurations.
Here's a script, run with the Azure CLI and jq, that lists service principals holding privileged directory roles:

```bash
#!/usr/bin/env bash
BASE="https://graph.microsoft.com"
# Pull every role definition Entra flags as privileged (id and display name)
roles="$(az rest -m GET --url "${BASE}/beta/roleManagement/directory/roleDefinitions?\$filter=isPrivileged eq true&\$select=id,displayName" -o json)"
# First page of role assignments, expanded with the assigned principal
u="${BASE}/beta/roleManagement/directory/roleAssignments?\$expand=principal(\$select=id,displayName)&\$top=999"
{
echo -e "SP_NAME\tSP_ID\tROLE"
echo -e "-------\t-----\t----"
while :; do
  j="$(az rest -m GET --url "$u" -o json 2>/dev/null)" || break
  # Keep only service-principal assignments to privileged, non-Reader roles
  jq -r --argjson roles "$roles" '($roles.value | map(select(.displayName|test("Reader";"i")|not) | {key:.id, value:.displayName}) | from_entries) as $r | .value[] | select(.principal."@odata.type"=="#microsoft.graph.servicePrincipal") | select($r[.roleDefinitionId] != null) | [.principal.displayName, (.principal.id // .principalId), $r[.roleDefinitionId]] | @tsv' <<<"$j"
  # Follow @odata.nextLink until the last page has been read
  u="$(jq -r '."@odata.nextLink"//empty' <<<"$j")"
  [[ -z "$u" ]] && break
done | sort -t$'\t' -k1,1
} | column -t -s $'\t'
```
Microsoft has recognized this issue and implemented a fix, ensuring the Agent ID Administrator role cannot manage the ownership of non-agent service principals anymore.
Even with this fix, organizations must continue monitoring for suspicious activity. Security teams should regularly check audit logs for changes in service principal ownership or credential updates. Many organizations have at least one privileged service principal, making it crucial to treat these entities as vital components of their infrastructure.
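The audit-log review described above can be scripted. The following Python example is added here and is not code from the article or from Silverfort: it takes directory audit records in the shape returned by Microsoft Graph's `GET /auditLogs/directoryAudits`, flags ownership and credential changes against a set of privileged service principal IDs (in practice, the IDs produced by the role-assignment query above), and then pairs an ownership change with a later credential change on the same service principal, which is the sequence an owner hijack would leave behind. The sample records, IDs, names and timestamps are constructed for the example, and the `activityDisplayName` strings are assumptions about how Entra labels these events; adjust them to what your tenant's logs actually show.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of directoryAudit records (layout follows the Graph
# directoryAudit resource; IDs, names and times are invented, and the activity
# names are assumptions about Entra's labels).
SAMPLE_AUDIT_JSON = json.dumps({"value": [
    {"activityDateTime": "2026-04-02T08:15:00Z",
     "activityDisplayName": "Add owner to service principal", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "agent-admin@example.test"}},
     "targetResources": [{"id": "sp-privileged-0001", "displayName": "Tenant Automation SP",
                          "type": "ServicePrincipal"}]},
    {"activityDateTime": "2026-04-02T08:20:00Z",
     "activityDisplayName": "Add service principal credentials", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "agent-admin@example.test"}},
     "targetResources": [{"id": "sp-privileged-0001", "displayName": "Tenant Automation SP",
                          "type": "ServicePrincipal"}]},
    {"activityDateTime": "2026-04-02T09:00:00Z",
     "activityDisplayName": "Add service principal credentials", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "devops@example.test"}},
     "targetResources": [{"id": "sp-ordinary-0042", "displayName": "CI Build SP",
                          "type": "ServicePrincipal"}]},
    {"activityDateTime": "2026-04-02T10:30:00Z",
     "activityDisplayName": "Update user", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}},
     "targetResources": [{"id": "user-0007", "displayName": "Some User", "type": "User"}]},
]})

# Service principals holding privileged directory roles (constructed; in practice
# the SP_ID column from the role-assignment listing).
PRIVILEGED_SP_IDS = {"sp-privileged-0001"}

# Activities worth alerting on when they touch a privileged service principal
# (assumed display names).
WATCHED_ACTIVITIES = {
    "Add owner to service principal": "ownership-change",
    "Remove owner from service principal": "ownership-change",
    "Add service principal credentials": "credential-change",
    "Remove service principal credentials": "credential-change",
}


def parse_time(value):
    """Parse the ISO-8601 timestamp Graph returns (trailing 'Z' means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def actor_of(rec):
    """Name the user or app that initiated the record, whichever is present."""
    by = rec.get("initiatedBy") or {}
    user = by.get("user") or {}
    app = by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def find_privileged_sp_events(audit_json, privileged_sp_ids):
    """Return watched ownership/credential events against privileged SPs, oldest first."""
    hits = []
    for rec in json.loads(audit_json)["value"]:
        category = WATCHED_ACTIVITIES.get(rec.get("activityDisplayName"))
        if category is None:
            continue
        for target in rec.get("targetResources", []):
            if target.get("type") == "ServicePrincipal" and target.get("id") in privileged_sp_ids:
                hits.append({
                    "time": parse_time(rec["activityDateTime"]),
                    "category": category,
                    "activity": rec["activityDisplayName"],
                    "result": rec.get("result"),
                    "actor": actor_of(rec),
                    "sp_id": target["id"],
                    "sp_name": target.get("displayName"),
                })
    return sorted(hits, key=lambda h: h["time"])


def find_takeover_chains(events, window=timedelta(hours=24)):
    """Pair each ownership change with any credential change on the same SP
    that follows it within the window."""
    chains = []
    for own in (e for e in events if e["category"] == "ownership-change"):
        for cred in events:
            if (cred["category"] == "credential-change"
                    and cred["sp_id"] == own["sp_id"]
                    and own["time"] <= cred["time"] <= own["time"] + window):
                chains.append((own, cred))
    return chains


if __name__ == "__main__":
    events = find_privileged_sp_events(SAMPLE_AUDIT_JSON, PRIVILEGED_SP_IDS)
    for e in events:
        print(f"{e['time']:%Y-%m-%d %H:%M}  {e['category']:<17} {e['sp_name']}  by {e['actor']}")
    for own, cred in find_takeover_chains(events):
        print(f"ALERT: {own['actor']} took ownership of {own['sp_name']} and changed "
              f"its credentials {cred['time'] - own['time']} later")
```

On the constructed sample, the credential change on the ordinary CI service principal and the user update are ignored, the two events on the privileged service principal are reported, and the five-minute gap between ownership change and credential change is raised as a chain. Failed attempts are kept in the output on purpose: a denied ownership change against a privileged service principal is worth a look even when it did not succeed.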
In today’s digital landscape, where cyber threats are escalating, understanding and securing these vulnerabilities is more important than ever. For ongoing coverage and updates on cybersecurity topics, check trusted sources like Cybersecurity News.