Last updated: May 14, 2026 at 10:49 AM UTC

Microsoft patches Entra ID role flaw that let a low-privileged service account impersonate any service principal in your tenant

Microsoft quietly patched a privilege escalation flaw in Entra ID (formerly Azure AD) that let an attacker holding a low-privileged service account take over any service principal in the same tenant - including high-value ones that carry admin consent grants. The bug was in how Entra ID validated role assignments on certain API calls: the validator checked that the caller held some role on the target service principal, but not that the role actually authorized the requested operation. Any role was therefore as good as the highest one. Microsoft fixed the flaw on the back end, so customers don't need to apply a patch - but because the result was full service-principal takeover, anyone who exploited it before the fix could have left persistent backdoors behind, for example through OAuth grants or credentials added to a high-privilege service principal.

Check
Audit your Entra ID tenant this week for unfamiliar service principals, unexpected admin consent grants, and OAuth tokens issued to apps you don't recognize.
Affected
Microsoft Entra ID tenants with multiple service principals where any low-privileged account had role assignments on those service principals. The fix is server-side, so you don't need to apply a patch - but you do need to assume any attacker with foothold access before the fix could have abused this to escalate.
Fix
Run a Microsoft Graph audit on your tenant: list all service principals, OAuth2 permission grants, and app role assignments, and pull out everything created since January 2026. App role assignments carry a createdDateTime; OAuth2 permission grant objects do not, so date those from the directory audit log's consent events instead. Investigate any unfamiliar app, any grant or assignment made by a service account, and any service principal whose roles changed unexpectedly; diffing against a snapshot taken before the fix window is the most reliable way to spot the last case. Revoke and re-issue admin consent for high-privilege apps, and list the credentials (client secrets and certificates) on those service principals and rotate any you cannot account for. Make sure Entra audit and sign-in logs are exported to a SIEM or Log Analytics workspace so that retention outlasts the default window, since the activity you are looking for may be months old.
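The audit described above, as an added example that is not part of the original article and not Microsoft's code. It works offline on constructed records that mirror the shape of Microsoft Graph's appRoleAssignment, oauth2PermissionGrant and servicePrincipal.appRoles objects (every GUID below is made up); in practice you would export the real objects with Get-MgServicePrincipal, Get-MgServicePrincipalAppRoleAssignedTo and Get-MgOauth2PermissionGrant and feed that JSON in. The permission names in HIGH_PRIVILEGE_ROLES are real Microsoft Graph application permissions; their appRoleIds are resolved from the resource service principal's appRoles rather than hard-coded.

```python
"""Offline audit of Entra ID app role assignments and OAuth2 grants.

Added example; the records are constructed, not exported from a real tenant.
"""
from datetime import datetime, timezone

# Real Microsoft Graph application permissions that let a holder escalate
# or persist. Their appRoleIds differ per tenant, so resolve them by value.
HIGH_PRIVILEGE_ROLES = {
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
}

# Constructed: the Graph resource SP's appRoles, appRoleId -> value.
RESOURCE_APP_ROLES = {
    "res-graph": {
        "role-dir-rw": "Directory.ReadWrite.All",
        "role-rolemgmt": "RoleManagement.ReadWrite.Directory",
        "role-user-read": "User.Read.All",
    }
}

# Constructed baseline snapshot taken before the fix window.
BASELINE_ASSIGNMENTS = [
    {"id": "a1", "principalId": "sp-backup", "principalDisplayName": "backup-agent",
     "principalType": "ServicePrincipal", "resourceId": "res-graph",
     "appRoleId": "role-user-read", "createdDateTime": "2025-08-02T09:00:00Z"},
]

# Constructed current snapshot: a1 unchanged, a2 new and high-privilege on an
# unreviewed SP, a3 new but low-privilege on a reviewed SP.
CURRENT_ASSIGNMENTS = BASELINE_ASSIGNMENTS + [
    {"id": "a2", "principalId": "sp-unknown", "principalDisplayName": "sync-helper",
     "principalType": "ServicePrincipal", "resourceId": "res-graph",
     "appRoleId": "role-dir-rw", "createdDateTime": "2026-02-11T03:14:00Z"},
    {"id": "a3", "principalId": "sp-report", "principalDisplayName": "reporting",
     "principalType": "ServicePrincipal", "resourceId": "res-graph",
     "appRoleId": "role-user-read", "createdDateTime": "2026-03-01T12:00:00Z"},
]

# Constructed delegated grants. consentType "AllPrincipals" means tenant-wide
# admin consent; "Principal" is a single user's own consent.
OAUTH2_GRANTS = [
    {"id": "g1", "clientId": "sp-backup", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "res-graph", "scope": "User.Read"},
    {"id": "g2", "clientId": "sp-unknown", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "res-graph",
     "scope": "Directory.ReadWrite.All offline_access"},
]

KNOWN_APPS = {"sp-backup", "sp-report"}  # constructed allowlist of reviewed SPs


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def role_value(resource_id, app_role_id):
    """Map an appRoleId to its permission value via the resource SP's appRoles."""
    return RESOURCE_APP_ROLES.get(resource_id, {}).get(app_role_id, "unknown:" + app_role_id)


def assignments_since(assignments, since):
    return [a for a in assignments if parse_ts(a["createdDateTime"]) >= since]


def diff_assignments(baseline, current):
    """Assignments added to or removed from the tenant since the baseline."""
    before = {a["id"]: a for a in baseline}
    after = {a["id"]: a for a in current}
    added = [after[i] for i in after.keys() - before.keys()]
    removed = [before[i] for i in before.keys() - after.keys()]
    return added, removed


def audit(baseline, current, grants, known_apps, since):
    """Return (severity, message) findings for a reviewer to work through."""
    findings = []
    added, removed = diff_assignments(baseline, current)
    for a in added:
        role = role_value(a["resourceId"], a["appRoleId"])
        sev = "HIGH" if role in HIGH_PRIVILEGE_ROLES else "INFO"
        findings.append((sev, f"new app role {role} on {a['principalDisplayName']} ({a['principalId']})"))
    for a in removed:
        findings.append(("INFO", f"app role assignment {a['id']} removed since baseline"))
    for a in assignments_since(current, since):
        if a["principalId"] not in known_apps:
            findings.append(("MEDIUM", f"assignment {a['id']} created after {since.date()} for unreviewed SP {a['principalId']}"))
    for g in grants:
        if g["consentType"] == "AllPrincipals" and g["clientId"] not in known_apps:
            findings.append(("HIGH", f"tenant-wide admin consent {g['id']} for unreviewed SP {g['clientId']}: {g['scope']}"))
        if any(s in HIGH_PRIVILEGE_ROLES for s in g["scope"].split()):
            findings.append(("HIGH", f"grant {g['id']} carries a high-privilege scope: {g['scope']}"))
    return findings


if __name__ == "__main__":
    since = parse_ts("2026-01-01T00:00:00Z")
    for sev, msg in audit(BASELINE_ASSIGNMENTS, CURRENT_ASSIGNMENTS, OAUTH2_GRANTS, KNOWN_APPS, since):
        print(sev, msg)
```

On the constructed data this flags the new Directory.ReadWrite.All assignment and the tenant-wide consent for the unreviewed sync-helper principal as HIGH, while the reviewed reporting app's low-privilege assignment only shows up as informational. The baseline diff is what catches "roles changed unexpectedly"; the since-date filter alone would miss a high-privilege assignment that was backdated or that predates the window.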