
"If you are an Entra ID admin," wrote Mollema, "that means complete access to your tenant."
"Effectively," wrote Mollema, "this means that with a token I requested in my lab tenant I could authenticate as any user, including Global Admins, in any other tenant."
"requesting Actor tokens does not generate logs."
"Even if it did, they would be generated in my tenant instead of in the victim tenant, which means there is no record of the existence of these tokens."
A token-validation vulnerability in the legacy Azure Active Directory Graph API allowed undocumented service-to-service "Actor tokens" to be used across tenants. An Actor token requested from one tenant could authenticate as any user, including Global Admins, in another tenant, granting full access to that Entra ID tenant and to associated services such as SharePoint Online, Exchange Online, and Azure-hosted resources. Requests for Actor tokens did not generate logs in the victim tenant; any records appeared in the originating tenant instead. Microsoft mitigated the flaw, confirmed the fix as effective, and assigned a CVE on September 4.
Read at Theregister