Critical Flaw Exposed All Corporate Cloud Accounts to Takeover

A security researcher discovered a critical vulnerability that could have allowed complete administrative access to any Microsoft Entra ID tenant. The issue stemmed from a combination of undocumented, high-privilege "actor tokens" and a validation flaw in the legacy Azure AD Graph API, which did not check that a token presented to it had been issued for the tenant whose data was being requested. Together, these let an attacker take a token obtained in their own tenant and use it to impersonate any user, including Global Administrators, in a target organization's tenant. Exploitation would have been hard to detect: requesting the tokens generated no logs in the victim's environment, and the tokens were not subject to the victim tenant's configured security policies, such as Conditional Access. Microsoft has since patched the vulnerability, which could otherwise have led to the full compromise of sensitive data and services that authenticate through the widely used identity platform.
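The tenant-validation failure described above, reduced to a toy model as an added example (an editor's illustration, not Microsoft's code or the researcher's tooling; the token layout, the `tid`/`sub`/`aud` claim names, the HMAC signing and the directory contents are all assumptions made for the demonstration). The vulnerable resource check accepts any genuinely signed token that names a principal in the target tenant; the hardened check additionally refuses tokens issued by a different tenant, which is the missing comparison that made cross-tenant impersonation possible.

```python
import hashlib
import hmac
import json

# Constructed demo signing key standing in for the identity platform's key
SIGNING_KEY = b"demo-identity-platform-key"

# Constructed directory for a hypothetical victim tenant: principal -> role
VICTIM_TENANT = "victim-tenant-id"
VICTIM_DIRECTORY = {
    "admin@victim.example": "GlobalAdministrator",
    "alice@victim.example": "User",
}


def mint_token(issuing_tenant: str, subject: str, audience: str) -> str:
    """Issue a signed token. Claim names (tid, sub, aud) are assumed for this model."""
    claims = {"tid": issuing_tenant, "sub": subject, "aud": audience}
    body = json.dumps(claims, sort_keys=True)
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_signature(token: str) -> dict:
    """Check the signature and return the claims; both resource checks start here.
    The signature is hex, so the last '.' is always the separator even though
    claim values may contain dots."""
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("invalid token signature")
    return json.loads(body)


def authorize_vulnerable(token: str, target_tenant: str, directory: dict) -> str:
    """Flawed resource-side check: trusts the subject as long as the token is
    genuine and names a principal that exists in the target tenant. The issuing
    tenant (tid) is never compared with target_tenant, so target_tenant is unused."""
    claims = verify_signature(token)
    if claims["aud"] != "graph":
        raise PermissionError("token not intended for this API")
    subject = claims["sub"]
    if subject not in directory:
        raise PermissionError("unknown principal")
    return directory[subject]


def authorize_hardened(token: str, target_tenant: str, directory: dict) -> str:
    """Corrected check: a token is only honoured for the tenant that issued it."""
    claims = verify_signature(token)
    if claims["aud"] != "graph":
        raise PermissionError("token not intended for this API")
    if claims["tid"] != target_tenant:
        raise PermissionError("token was issued for a different tenant")
    subject = claims["sub"]
    if subject not in directory:
        raise PermissionError("unknown principal")
    return directory[subject]


def cross_tenant_attempt(check) -> str:
    """Attacker mints a token in their own tenant naming the victim's admin,
    then presents it against the victim tenant. Returns the role granted, or
    the denial reason."""
    forged = mint_token("attacker-tenant-id", "admin@victim.example", "graph")
    try:
        return check(forged, VICTIM_TENANT, VICTIM_DIRECTORY)
    except PermissionError as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    print("vulnerable:", cross_tenant_attempt(authorize_vulnerable))
    print("hardened:  ", cross_tenant_attempt(authorize_hardened))
```

The point of the model is that signature verification alone proves only that some trusted issuer produced the token; the resource must also bind the token to the tenant it is about to act on, otherwise any tenant the attacker controls becomes a valid source of tokens for every other tenant.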

Latest mentioned: 09-21
Earliest mentioned: 09-19