Recent findings by Silverfort have uncovered a critical flaw in Microsoft Entra ID's Agent ID Administrator role, which could potentially enable privilege escalation and identity takeover attacks. This role, designed to manage AI agents' identity lifecycle within a tenant, inadvertently allowed users to assume control over arbitrary service principals beyond agent-related identities. By becoming an owner and adding their own credentials, a user could authenticate as that service principal, effectively taking over its permissions.
Security researcher Noa Ariel pointed out that this vulnerability could be exploited in environments where high-privileged service principals exist, creating a path for privilege escalation. If these principals possess elevated permissions, attackers could gain significant control over the tenant, posing a serious security threat.
After Silverfort disclosed the issue to Microsoft on March 1, 2026, the company acted promptly by releasing a patch on April 9. This update blocks any attempts to assign ownership over non-agent service principals using the Agent ID Administrator role, returning a "Forbidden" error instead.
The incident underscores the importance of carefully scoping roles and permissions, especially when dealing with shared identity components and new identity types. Organizations are urged to monitor and secure sensitive roles, particularly those involving service principal ownership, to mitigate the risk of such vulnerabilities being exploited in the future. Silverfort emphasized the growing significance of non-human identities in the age of AI, highlighting the need for precise role permissions to avoid unintended access.


