Hackers exploit Azure Agent role

- Microsoft patched a Microsoft Entra Agent ID Administrator flaw after Silverfort found the role could seize ownership of unrelated service principals across tenants.
- The abuse path let an attacker add themselves as owner, create a new secret or certificate, and authenticate as privileged applications.
- The bug hit a preview AI-agent feature, extending old service-principal takeover risks into new identity tooling. (silverfort.com)

Microsoft patched a Microsoft Entra Agent ID Administrator flaw after Silverfort found the role could take over non-agent service principals across a tenant. (silverfort.com) (csoonline.com)

Service principals are app identities in Entra ID, the directory behind Azure and Microsoft 365. They let software sign in, get tokens, and act on cloud resources without a human password. (learn.microsoft.com 1) (learn.microsoft.com 2)

Microsoft created Agent ID Administrator for Entra Agent ID, a preview system for assigning identities to artificial intelligence agents. Microsoft’s role reference says the role manages agent blueprints, agent service principals, agent identities, and agentic users. (learn.microsoft.com 1) (learn.microsoft.com 2)

Silverfort said the boundary failed because agent identities are built on the same service-principal plumbing as ordinary enterprise applications. In testing, a user with Agent ID Administrator could add themselves as owner of arbitrary non-agent service principals in the tenant. (silverfort.com) (learn.microsoft.com)

Ownership matters because an owner can usually add a new client secret or certificate to that application identity. Silverfort said that let an attacker mint fresh credentials, sign in as the hijacked service principal, and inherit whatever permissions that app already had. (silverfort.com) (semperis.com) If the targeted service principal already held powerful directory or Azure roles, the path became privilege escalation. Silverfort said many tenants have at least one privileged service principal, even if the Agent ID Administrator role is not yet widely assigned. (silverfort.com)

Microsoft has now fixed the issue across all cloud environments, according to Silverfort. The company said Agent ID Administrator can no longer manage owners of non-agent service principals. (silverfort.com) (vpncentral.com) The episode lands as Microsoft pushes Entra Agent ID as part of Microsoft Agent 365 and keeps the feature in preview.

Microsoft’s current admin guide still says Agent ID Administrator or Cloud Application Administrator can manage agent identities in a tenant. (learn.microsoft.com 1) (learn.microsoft.com 2)

The underlying attack pattern is older than Agent ID. Researchers have spent years showing that control over service principals can become a shortcut to broader Entra and Azure access when application identities accumulate high privileges. (specterops.io) (wiz.io) This time, the twist was a new “agent-only” admin role that was broader than its name suggested. Microsoft closed that gap, but the fix leaves the same old lesson: app identities with standing privileges are still prime control-plane targets. (csoonline.com) (silverfort.com)
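The two-step takeover described above (owner added to a service principal, then a new credential minted on it) is also what a defender can hunt for in Entra audit logs. The following detection sketch is an added example, not code from Silverfort or Microsoft; it assumes audit events exposed with the activity names "Add owner to service principal" and "Add service principal credentials" and uses constructed sample records rather than real tenant data.

```python
"""Flag an owner-add on a service principal that is followed, within a short
window, by a credential-add on the same service principal by the same actor."""
from datetime import datetime, timedelta

# Assumed Entra audit-log activityDisplayName values for the two steps.
OWNER_ADDED = "Add owner to service principal"
CRED_ADDED = "Add service principal credentials"

# Constructed sample records (made-up actors, targets and times) shaped like
# a flattened audit-log entry: timestamp, activity, initiating actor, target SP.
SAMPLE_EVENTS = [
    {"time": "2025-01-10T09:00:00Z", "activity": OWNER_ADDED,
     "actor": "agentadmin@contoso.example", "target": "sp-billing-automation"},
    {"time": "2025-01-10T09:04:00Z", "activity": CRED_ADDED,
     "actor": "agentadmin@contoso.example", "target": "sp-billing-automation"},
    # Routine secret rotation by a pipeline with no preceding owner change.
    {"time": "2025-01-10T11:00:00Z", "activity": CRED_ADDED,
     "actor": "devops-pipeline@contoso.example", "target": "sp-ci-deploy"},
    # Owner change with no credential minted afterwards: not flagged.
    {"time": "2025-01-11T08:00:00Z", "activity": OWNER_ADDED,
     "actor": "appadmin@contoso.example", "target": "sp-hr-sync"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_owner_then_credential(events, window=timedelta(hours=1)):
    """Return one finding per credential-add that follows an owner-add by the
    same actor on the same service principal within `window`."""
    findings = []
    owner_adds = {}  # (actor, target) -> time of the most recent owner-add
    for ev in sorted(events, key=lambda e: _parse(e["time"])):
        key = (ev["actor"], ev["target"])
        when = _parse(ev["time"])
        if ev["activity"] == OWNER_ADDED:
            owner_adds[key] = when
        elif ev["activity"] == CRED_ADDED and key in owner_adds:
            gap = when - owner_adds[key]
            if gap <= window:
                findings.append({"actor": ev["actor"], "target": ev["target"],
                                 "gap_minutes": int(gap.total_seconds() // 60)})
    return findings


if __name__ == "__main__":
    for f in find_owner_then_credential(SAMPLE_EVENTS):
        print(f"REVIEW: {f['actor']} became owner of {f['target']} and added "
              f"a credential {f['gap_minutes']} min later")
```

In a real tenant the target set should be narrowed to non-agent service principals that hold directory or Azure roles, since those are the ones where this sequence becomes privilege escalation.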
