Full Report
An administrative role meant for artificial intelligence (AI) agents within Microsoft Entra ID could enable privilege escalation and identity takeover attacks, according to new findings from Silverfort. Agent ID Administrator is a privileged built-in role introduced by Microsoft as part of its agent identity platform to handle all aspects of an AI agent's identity lifecycle operations in a
Analysis Summary
# Vulnerability: Microsoft Entra ID Agent ID Administrator Privilege Escalation
## CVE Details
- **CVE ID**: Not explicitly listed in the report (Internal Microsoft logic flaw)
- **CVSS Score**: Not provided (Likely High/Critical due to full tenant impact)
- **CWE**: CWE-285 (Improper Authorization); the report characterises the flaw as a role scope overreach
## Affected Systems
- **Products**: Microsoft Entra ID (formerly Azure AD)
- **Versions**: All cloud environments prior to April 9, 2026.
- **Configurations**: Tenants where the "Agent ID Administrator" role is assigned to users and where high-privileged Service Principals (e.g., those with Directory.ReadWrite.All or Global Administrator permissions) exist.
## Vulnerability Description
The flaw stems from a scope overreach in the then-newly introduced **Agent ID Administrator** role. While intended only to manage the lifecycle of AI agent identities, the role was erroneously granted permissions to assign ownership over *any* service principal within the tenant.
An attacker or malicious insider with this role could assign themselves as an "Owner" of a high-privileged Service Principal. Once ownership was established, the attacker could add their own credentials (certificates or secrets) to that Service Principal, effectively taking over its identity and inheriting all of its associated permissions and API access.
## Exploitation
- **Status**: Discovered by researchers (Silverfort); patched by vendor. No reports of exploitation in the wild.
- **Complexity**: Low (Requires only standard role-based actions within the Entra ID portal/API).
- **Attack Vector**: Network (Cloud-based Identity Provider).
## Impact
- **Confidentiality**: High (Can lead to full data access via Graph API).
- **Integrity**: High (Allows modification of tenant configurations and directory objects).
- **Availability**: High (Potential to delete resources or lock out users via hijacked permissions).
## Remediation
### Patches
- **Vendor Fix**: Microsoft implemented a server-side patch across all cloud environments on **April 9, 2026**. The role's permissions are now strictly scoped to exclude non-agent service principals. Attempts to exploit this now result in a "Forbidden" error.
### Workarounds
- **Role Audit**: Although patched, organizations should review who was assigned the "Agent ID Administrator" role during the vulnerable period (March – April 2026).
- **Principle of Least Privilege**: Limit the assignment of the Agent ID Administrator role to essential personnel only.
## Detection
- **Indicators of Compromise**:
  - Unexpected ownership changes on sensitive Service Principals.
  - New credentials (secrets or certificates) added to Service Principals by users holding the Agent ID Administrator role.
- **Detection Methods**:
  - Monitor Entra ID Audit Logs for `Add owner to service principal` and `Add service principal credential` activities.
  - Specifically filter logs for actions performed by users assigned the "Agent ID Administrator" role.
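The detection steps above, and the role audit recommended under Workarounds, can be run over an exported audit log with a short script. The following is an added example written for this summary, not code from Silverfort, Microsoft or the news report. It assumes audit records shaped like Microsoft Graph `directoryAudit` objects (`activityDisplayName`, `initiatedBy.user.userPrincipalName`, `targetResources`, `result`), a role-assignment export reduced to a `{userPrincipalName: [role names]}` map, and constructed sample data; the `example.com` accounts and service principal names are invented. It flags the two activities named in the report when performed by an Agent ID Administrator role holder, optionally restricts to the vulnerable window, and separately lists service principals where one actor both added an owner and then added a credential, which is the full takeover sequence described above.

```python
"""Triage Entra ID directory-audit records for the Agent ID Administrator
scope-overreach pattern: ownership grants or credential additions on
service principals performed by accounts holding that role."""
import json
from datetime import datetime, timezone

# Activity names from the report. Prefix matching also tolerates the plural
# "Add service principal credentials" spelling seen in some exports.
SUSPECT_ACTIVITY_PREFIXES = (
    "add owner to service principal",
    "add service principal credential",
)

# Constructed role-assignment export (sample values, not real tenant data).
ROLE_ASSIGNMENTS = {
    "agent.ops@example.com": ["Agent ID Administrator"],
    "alice@example.com": ["Global Administrator"],
    "bob@example.com": ["Agent ID Administrator", "Application Developer"],
}

# Constructed audit records in the directoryAudit shape (assumption).
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDateTime": "2026-03-20T10:00:00Z", "result": "success",
     "activityDisplayName": "Add owner to service principal",
     "initiatedBy": {"user": {"userPrincipalName": "agent.ops@example.com"}},
     "targetResources": [{"displayName": "agent.ops@example.com", "type": "User"},
                         {"displayName": "Graph-Automation-SP", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2026-03-20T10:05:00Z", "result": "success",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "agent.ops@example.com"}},
     "targetResources": [{"displayName": "Graph-Automation-SP", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2026-03-21T09:00:00Z", "result": "success",
     "activityDisplayName": "Add owner to service principal",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"displayName": "Billing-App", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2026-03-22T12:00:00Z", "result": "success",
     "activityDisplayName": "Add service principal credential",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.com"}},
     "targetResources": [{"displayName": "Agent-Helper-SP", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2026-04-10T08:00:00Z", "result": "failure",
     "activityDisplayName": "Add owner to service principal",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.com"}},
     "targetResources": [{"displayName": "Billing-App", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2026-03-23T11:00:00Z", "result": "success",
     "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "agent.ops@example.com"}},
     "targetResources": [{"displayName": "carol@example.com", "type": "User"}]},
    {"activityDateTime": "2026-03-24T11:00:00Z", "result": "success",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"app": {"displayName": "Provisioning-Job"}},
     "targetResources": [{"displayName": "Sync-SP", "type": "ServicePrincipal"}]},
])


def role_holders(assignments, role="Agent ID Administrator"):
    """Return the lower-cased UPNs holding the given directory role."""
    return {upn.lower() for upn, roles in assignments.items() if role in roles}


def is_suspect_activity(activity_name):
    name = (activity_name or "").strip().lower()
    return name.startswith(SUSPECT_ACTIVITY_PREFIXES)


def parse_time(stamp):
    # Accept the trailing "Z" form used in Graph exports on older Pythons.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def load_records(raw_json):
    return json.loads(raw_json)


def find_takeover_indicators(records, holders, start=None, end=None):
    """Flag suspect activities by role holders; optional [start, end] window."""
    findings = []
    for rec in records:
        if not is_suspect_activity(rec.get("activityDisplayName")):
            continue
        user = (rec.get("initiatedBy") or {}).get("user") or {}
        actor = (user.get("userPrincipalName") or "").lower()
        if actor not in holders:          # app-initiated or non-holder: skip
            continue
        when = parse_time(rec["activityDateTime"])
        if (start and when < start) or (end and when > end):
            continue
        for target in rec.get("targetResources", []):
            if target.get("type") != "ServicePrincipal":
                continue                  # the owner being added is also listed as a target
            findings.append({"when": when.isoformat(), "actor": actor,
                             "activity": rec["activityDisplayName"],
                             "target": target.get("displayName"),
                             "result": rec.get("result")})
    return findings


def high_confidence_targets(findings):
    """Service principals where one actor successfully added an owner AND a credential."""
    seen = {}
    for f in findings:
        if f["result"] != "success":
            continue
        kind = "owner" if f["activity"].lower().startswith("add owner") else "credential"
        seen.setdefault((f["actor"], f["target"]), set()).add(kind)
    return {target for (_, target), kinds in seen.items() if kinds == {"owner", "credential"}}


if __name__ == "__main__":
    holders = role_holders(ROLE_ASSIGNMENTS)
    window = (datetime(2026, 3, 1, tzinfo=timezone.utc), datetime(2026, 4, 9, 23, 59, 59, tzinfo=timezone.utc))
    hits = find_takeover_indicators(load_records(SAMPLE_AUDIT_LOG), holders, *window)
    for h in hits:
        print(f"{h['when']}  {h['actor']:24} {h['activity']:34} -> {h['target']} ({h['result']})")
    print("full owner+credential sequence on:", sorted(high_confidence_targets(hits)))
```

Failed attempts by role holders are kept in the findings on purpose: after the April 9, 2026 fix these surface as "Forbidden" results, and a role holder repeatedly attempting them is still worth a look. The window filter is what the Role Audit workaround calls for, covering the March to April 2026 exposure period.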
## References
- **Lead Researcher**: Noa Ariel (Silverfort)
- **Vendor Advisory**: hxxps[://]learn[.]microsoft[.]com/en-us/entra/identity/role-based-access-control/permissions-reference
- **Research Source**: hxxps[://]www[.]silverfort[.]com/blog/agent-id-administrator-scope-overreach-service-principal-takeover-in-entra-id/
- **News Report**: hxxps[://]thehackernews[.]com/2026/04/microsoft-patches-entra-id-role-flaw.html