SilverFort — Microsoft Entra Agent ID Administrator Scope Overreach
AI relevance: Microsoft's Agent Identity Platform grants identities to AI agents using standard Azure AD primitives — and a newly patched scope-overreach flaw in the Agent ID Administrator role let any holder hijack arbitrary service principals across the entire tenant.
What happened
- SilverFort researchers discovered that the Agent ID Administrator role — introduced by Microsoft to manage agent identities (blueprints, agent identities, agent users) — could be abused to take ownership of any service principal in the tenant, not just agent-related objects.
- Agent identities are built on top of standard application and service principal primitives in Microsoft Entra ID, creating a critical scoping gap in the role's permission boundary.
- By using actions like update agent identity owner, an attacker with the role could assign themselves as owner of a high-privileged, non-agent service principal.
- Once ownership was established, the attacker could generate new credentials and authenticate as that service principal, inheriting any directory roles or Graph API permissions it held.
- The attack path provided a direct route to full tenant compromise if the targeted service principal had elevated privileges.
- Microsoft has patched the flaw across all cloud environments as of April 2026, preventing the Agent ID Administrator role from managing owners of non-agent service principals.
Why it matters
- This is a concrete example of non-human identity (NHI) risk in agentic AI deployments. As enterprises grant AI agents service-principal-backed identities, mis-scoped roles become tenant-level threats.
- Many tenants contain at least one privileged service principal — treating these as critical infrastructure is now mandatory.
- The pattern repeats: new identity roles for AI agents inherit legacy primitives (service principals, app registrations) and carry forward their attack surface.
What to do
- Audit your tenant for service principals holding privileged directory roles or high-impact Graph API permissions.
- Monitor Microsoft Entra audit logs for successful owner-addition and credential-creation events on service principals.
- Verify the Agent ID Administrator role scope is now restricted post-patch; test with a non-agent service principal.
- Consider implementing just-in-time (JIT) access and conditional access policies for any role that manages service principal ownership.
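The monitoring step above, as an added example that is not part of the SilverFort write-up or Microsoft's tooling: it correlates the two audit events the attack path relies on (owner addition followed by credential creation on the same service principal by the same actor) and raises severity when the target is on the watchlist produced by the audit step. The audit records, account names, service principal IDs and watchlist are constructed; the activityDisplayName strings are assumed to match the ones Entra ID emits.

```python
from datetime import datetime, timedelta

# Activity names assumed to match Entra ID audit records' activityDisplayName.
OWNER_ADDED = "Add owner to service principal"
CRED_ADDED = "Add service principal credentials"
WINDOW = timedelta(hours=24)   # owner-add -> credential-add correlation window
ADMIN = "agentadmin@contoso.example"   # constructed Agent ID Administrator account

# Constructed watchlist: SPs holding privileged roles or high-impact Graph permissions.
PRIVILEGED_SPS = {"sp-aaaa-1111"}

def _rec(ts, activity, result, upn, sp_id, sp_name):
    """Build a record shaped like a Graph directoryAudit object (constructed)."""
    return {"activityDateTime": ts, "activityDisplayName": activity, "result": result,
            "initiatedBy": {"user": {"userPrincipalName": upn}},
            "targetResources": [{"id": sp_id, "type": "ServicePrincipal", "displayName": sp_name}]}

SAMPLE_LOGS = [
    _rec("2026-04-02T09:10:00Z", OWNER_ADDED, "success", ADMIN, "sp-aaaa-1111", "Provisioning-Automation"),
    _rec("2026-04-02T09:14:00Z", CRED_ADDED, "success", ADMIN, "sp-aaaa-1111", "Provisioning-Automation"),
    _rec("2026-04-02T11:00:00Z", OWNER_ADDED, "failure", ADMIN, "sp-bbbb-2222", "Agent-Blueprint-01"),
    _rec("2026-04-03T08:00:00Z", CRED_ADDED, "success", "devops@contoso.example", "sp-cccc-3333", "CI-Pipeline"),
]

def _actor(rec):
    who = rec.get("initiatedBy", {})
    user, app = who.get("user") or {}, who.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"

def _ts(rec):
    return datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))

def find_sp_takeover(records):
    """Alert when one actor successfully adds an owner to a service principal and then
    creates credentials on it within WINDOW. Failed events are ignored; watch-listed SPs are 'critical'."""
    owner_seen, alerts = {}, []   # owner_seen: (sp_id, actor) -> first successful owner-add time
    for rec in sorted(records, key=_ts):
        if rec.get("result") != "success":
            continue
        for tgt in rec.get("targetResources", []):
            if tgt.get("type") != "ServicePrincipal":
                continue
            key, when = (tgt["id"], _actor(rec)), _ts(rec)
            if rec["activityDisplayName"] == OWNER_ADDED:
                owner_seen.setdefault(key, when)
            elif rec["activityDisplayName"] == CRED_ADDED and key in owner_seen:
                if when - owner_seen[key] <= WINDOW:
                    alerts.append({"actor": key[1], "sp_id": key[0], "sp_name": tgt.get("displayName"),
                                   "severity": "critical" if key[0] in PRIVILEGED_SPS else "high"})
    return alerts
```

Routine credential rotation without a preceding owner change (the CI-Pipeline record) produces no alert, so the rule stays quiet on normal secret hygiene.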