In the push to govern the next generation of AI agents, Microsoft recently introduced the Agent Identity Platform in Entra ID (formerly Azure AD). Central to this platform was the Agent ID Administrator role—a role intended to be strictly scoped to managing AI-driven identities.
However, a critical vulnerability discovered by researchers at Silverfort revealed that this “scoped” role was anything but restricted. Due to a fundamental scoping gap in how Microsoft Entra handles object inheritance, users with this role could leapfrog their intended boundaries to hijack any service principal in a tenant.+1
With a CVSS-equivalent impact of high-severity privilege escalation, this flaw allowed a low-tier admin to become the “owner” of the most powerful non-human identities in the network. Microsoft has since deployed a global fix as of April 9, 2026.
Technical Deep Dive: The Scoping Gap Explained
The vulnerability stems from the way AI agents are implemented in the Microsoft identity ecosystem. To maintain consistency, Microsoft built Agent Identities on top of the existing Application and Service Principal primitives.
The Permission Leak
The Agent ID Administrator role was granted the microsoft.directory/agentIdentities/owners/update permission. On paper, this should only apply to “Agent” objects. However, because an Agent Identity is essentially a specialized Service Principal, the Entra backend failed to distinguish between an “AI Agent” Service Principal and a “Global Admin” Service Principal.
[Image: Diagram showing Agent ID Admin role reaching across the boundary into General Service Principals]
The Attack Chain: 3 Steps to Tenant Takeover
- Assign Ownership: An attacker with the Agent ID Administrator role adds themselves as an “owner” of a high-privilege service principal (e.g., a CI/CD pipeline or a security tool).
- Generate Credentials: As an owner, the attacker can bypass MFA and generate a new Client Secret or upload a Certificate to that service principal.
- Impersonation: The attacker authenticates as the service principal, inheriting every permission it holds—including Microsoft Graph
Directory.ReadWrite.Allor administrative directory roles.
Risk Analysis: Targeted Identities
Attackers using this method don’t target random accounts; they look for the “God-mode” identities that power enterprise automation.
| Target Identity Type | Potential Impact |
|---|---|
| CI/CD Service Principals | Injection of malicious code into software production. |
| Backup/Storage Principals | Exfiltration of entire databases or sensitive cloud backups. |
| Security/EDR Principals | Disabling security monitoring or “blinding” the SOC. |
Export to Sheets
Expert Insight: Silverfort noted that the Entra UI failed to flag the Agent ID Administrator role as a “Privileged” role. This meant IT managers might have assigned it to junior staff or developers under the false impression that it was a low-risk, AI-specific permission.
Defense & Auditing: Identifying Vulnerable Principals
Microsoft’s April 2026 patch prevents the Agent ID Administrator from managing non-agent owners moving forward. However, organizations must still audit their environments for “stale” or unauthorized ownership assignments that may have occurred during the vulnerability window (February – April 2026).+1
Audit Script: Discovering Privileged Service Principals
Administrators can use the Azure CLI and jq to identify service principals that hold privileged directory roles. Run this script to find high-value targets in your tenant:
Bash
BASE="https://graph.microsoft.com"
# Fetch privileged role definitions
roles="$(az rest -m GET --url "${BASE}/beta/roleManagement/directory/roleDefinitions?\$filter=isPrivileged eq true&\$select=id,displayName" -o json)"
# Fetch role assignments and expand the principal details
u="${BASE}/beta/roleManagement/directory/roleAssignments?\$expand=principal(\$select=id,displayName)&\$top=999"
{
echo -e "SP_NAME\tSP_ID\tROLE"
echo -e "--------\t------\t----"
while :; do
j="$(az rest -m GET --url "$u" -o json 2>/dev/null)" || break
jq -r --argjson roles "$roles" '
($roles.value | map(select(.displayName|test("Reader";"i")|not) | {key:.id, value:.displayName}) | from_entries) as $r
| .value[]
| select(.principal."@odata.type"=="#microsoft.graph.servicePrincipal")
| select($r[.roleDefinitionId] != null)
| [.principal.displayName, (.principal.id // .principalId), $r[.roleDefinitionId]] | @tsv
' <<<"$j"
u="$(jq -r '."@odata.nextLink"//empty' <<<"$j")"
[[ -z "$u" ]] && break
done | sort -t$'\t' -k1,1
} | column -t -s $'\t'
Mandatory Security Best Practices
To prevent future service principal hijacking, security teams should implement a Zero Trust model for non-human identities:
- Monitor Audit Logs: Specifically watch for
Add owner to service principalandAdd service principal credentialevents. - Treat Service Principals as Tier-0: Any identity with administrative Graph permissions or directory roles should be treated with the same security rigor as a Global Admin account.
- Use Workload Identity Premium: Leverage Microsoft Entra’s “Conditional Access for Workload Identities” to restrict service principal logins to specific trusted IP ranges.
- Regular Ownership Reviews: Automate a monthly review of “Owners” for all service principals. No individual user should permanently own a privileged service principal.
FAQs
Q: Is the Agent ID Administrator role safe to use now? A: Yes. Microsoft’s patch has corrected the scoping gap. The role is now strictly limited to Agent-specific objects.
Q: Did this vulnerability affect the Global Application Object? A: No. Researchers found that while Service Principals could be hijacked, attempts to modify the top-level Application Objects were successfully blocked.
Q: How do I know if I was targeted? A: Audit your Entra ID sign-in logs for service principals and cross-reference them with any recent credential or ownership changes initiated by the Agent ID Administrator role.
Conclusion: The Danger of “Non-Human” Shadow IT
The Entra Agent ID flaw underscores a broader industry challenge: as we introduce complex new identity types like AI agents, we create “shadow” permission paths. Service principals are the silent backbone of modern cloud infrastructure, and as this incident proves, they are often the path of least resistance for an attacker.+1
Are you monitoring your workload identities? Secure your tenant today by auditing your privileged service principals and enforcing strict ownership governance.
