Research has shown that Microsoft Entra ID (formerly Azure AD), a cloud identity and access management service, can be manipulated to bypass security controls. Malicious actors can tamper with the credential validation process, turning the pass-through authentication (PTA) agent into a tool that lets them log in as any AD user. As a result, they could potentially gain access to a global admin user.

Security leaders weigh in

Sarah Jones, Cyber Threat Intelligence Research Analyst at Critical Start:

“A critical vulnerability exists within the PTA agent, a critical component of the Azure AD environment. This vulnerability allows malicious actors with local administrative privileges on the PTA agent server to bypass authentication controls, gaining unauthorized access to any synchronized Active Directory user. Such compromised access facilitates lateral movement within the network and potentially elevates privileges to the level of a Global Administrator, if such an account exists. While this vulnerability does not inherently grant global administrative rights, it provides a pathway for attackers to exploit existing privileged accounts. To mitigate this risk, organizations must implement stringent security measures including restricted access to PTA agent servers, robust password policies and mandatory multi-factor authentication.”

Rom Carmel, Co-Founder and CEO at Apono:

“What we are seeing more than ever over the last few years are what vulnerability research calls logical bugs. Unlike stack overflows or other ‘technical’ bugs, logical bugs are typically harder to find with fuzzers or automated tools. Therefore, these bugs are often discovered by attackers or researchers (hopefully the latter). Logical bugs are faults in how ‘decisions’ (code paths) are directed, and therefore can be validation faults or inconsistencies (i.e., a function that fails to validate correctly in certain scenarios).

“In terms of the specific reference in the research that ‘this could potentially grant access to a global admin user if such privileges were assigned, regardless of their original synced AD domain,’ I believe this means an attacker could elevate their own privileges to those of a global admin user by using the same credentials. It sounds like this could be caused by an out-of-sync error in which the on-prem Active Directory (AD) and the Azure AD (Entra) perceive the same identity (credentials) in different ways. This is just my interpretation, however, since I have not researched this bug.”

Tal Mandel Bar, Product Manager at DoControl: 

“The recent vulnerabilities in Microsoft Entra ID are concerning, but not entirely surprising. As cloud identity services become more central to enterprise operations, they’re naturally becoming prime targets for attackers. It’s like finding the master key to an entire building — once you’ve got it, you can access everything. In this case, the Cymulate researchers have essentially found a way to turn a trusted component — the PTA agent — into a backdoor. It’s a classic case of abusing legitimate functionality for malicious purposes.

“What’s particularly worrying is how this vulnerability could enable lateral movement across different on-premises domains. In a complex enterprise environment with multiple subsidiaries or departments, an attacker could hop from one domain to another, potentially compromising the entire organization. This discovery, along with the other recent Entra ID issues, highlights the critical importance of robust SaaS security measures. 

“The takeaway here is clear: while cloud identity services offer tremendous benefits in terms of streamlining access and management, they also create new security challenges. Organizations need to be proactive in monitoring and securing these critical systems, because they’ve become the keys to the kingdom in our cloud-first world.”