“UnOAuthorized” Microsoft Entra ID (Azure AD) Vulnerability Lets Attackers Gain Global Admin Access

According to the research team at Semperis, the vulnerability lies in Entra ID's handling of OAuth 2.0 scopes (permissions), and it allowed attackers to perform actions beyond the expected authorization controls. The most concerning finding was the ability to add and remove users from privileged roles, including the Global Administrator role.


The research team found that select Microsoft application service principals were able to perform certain actions that did not appear in their list of authorized permissions.


This enabled attackers to perform privileged actions, such as adding a user to the Global Administrator role, even though the granted permissions gave no indication that they could do so.
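Because the granted scopes did not reveal this capability, the place to catch such abuse is the directory audit log rather than the permission list. As an added defensive example (not from the article or from Semperis), the following Python snippet flags "Add member to role" audit events in which an application service principal, rather than a signed-in user, added a member to the Global Administrator role. The audit records are constructed, and the field names follow the Microsoft Graph directoryAudit schema as assumed here.

```python
import json

# Constructed Entra ID audit records (not real data). Field names follow the
# Microsoft Graph directoryAudit schema as assumed here: activityDisplayName,
# initiatedBy.{user|app}, targetResources[].modifiedProperties[].
SAMPLE_AUDIT_RECORDS = [
    {   # app service principal adds alice to Global Administrator -> should be flagged
        "activityDisplayName": "Add member to role",
        "initiatedBy": {"app": {"displayName": "Example Background App", "servicePrincipalId": "sp-0001"}},
        "targetResources": [{"userPrincipalName": "alice@contoso.example",
                             "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                     "newValue": "\"Global Administrator\""}]}],
    },
    {   # an interactive admin user does the same -> not flagged by this rule
        "activityDisplayName": "Add member to role",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{"userPrincipalName": "bob@contoso.example",
                             "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                     "newValue": "\"Global Administrator\""}]}],
    },
    {   # app adds carol to a non-privileged role -> not flagged
        "activityDisplayName": "Add member to role",
        "initiatedBy": {"app": {"displayName": "Example Background App", "servicePrincipalId": "sp-0001"}},
        "targetResources": [{"userPrincipalName": "carol@contoso.example",
                             "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                     "newValue": "\"Reports Reader\""}]}],
    },
]

# Roles whose membership changes by an app identity deserve immediate review.
PRIVILEGED_ROLES = {"Global Administrator"}

def role_name(record):
    """Return the role named in a role-membership audit record, or None."""
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                raw = prop.get("newValue", "")
                try:                      # newValue is normally a JSON-encoded string
                    return json.loads(raw)
                except ValueError:        # tolerate a bare, unquoted value
                    return raw
    return None

def find_app_initiated_privileged_role_adds(records):
    """Return the role additions performed by an app (service principal) into a privileged role."""
    hits = []
    for rec in records:
        if rec.get("activityDisplayName") != "Add member to role":
            continue
        app = rec.get("initiatedBy", {}).get("app")
        role = role_name(rec)
        if app and role in PRIVILEGED_ROLES:
            targets = [t.get("userPrincipalName") for t in rec.get("targetResources", [])]
            hits.append({"app": app.get("displayName"), "sp_id": app.get("servicePrincipalId"),
                         "role": role, "targets": targets})
    return hits
```

Against the constructed records, only the first event is returned; in practice the same rule would be run over the tenant's exported audit log and any hit compared with the service principal's granted permissions.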
