Browsing the Azure Portal as a target Global Administrator after sign-in with a forged SAML token | Image: Datadog
In a comprehensive and technically detailed exposé, Datadog Security Labs has unveiled a privilege escalation method that allows attackers to impersonate any hybrid Entra ID user—including those with Global Administrator rights—by hijacking the Office 365 Exchange Online service principal. The technique, which Microsoft has deemed “expected behavior,” highlights how identity misconfigurations can be just as dangerous as software vulnerabilities.
The research reveals that service principals (SPs) holding the Cloud Application Administrator or Application Administrator role, or the Application.ReadWrite.All permission, can escalate privileges dramatically by manipulating Microsoft’s own Office 365 Exchange Online application.
“An attacker can use this credential to authenticate as the application, granting them Domain.ReadWrite.All permissions to add a new federated domain,” the researchers explain. “The attacker can then use the federated domain’s certificate to forge a SAML token and authenticate as any hybrid user synchronized between the Entra ID tenant and an on-premises Active Directory (AD) domain.”
This effectively turns Entra ID’s trusted application model against itself. A single compromised SP with the right permissions can slip past traditional access controls and impersonate even the most privileged users.
The technique exploits a trusted Microsoft service principal—Office 365 Exchange Online (Client ID: 00000002-0000-0ff1-ce00-000000000000)—which was found to still accept local credentials despite Microsoft’s previous efforts to lock down first-party applications.
Using the assigned Domain.ReadWrite.All permission, the attacker can register a malicious domain, verify it, and configure federation settings that allow it to mint SAML tokens for any hybrid user.
“This is conceptually the same as a golden SAML attack: When an attacker has the certificate of a trusted authentication provider, they can create tokens as that provider,” the report explains.
Through federation abuse and forged tokens, the attacker gains seamless access to the Microsoft 365 and Azure portals—as if they were the legitimate user—complete with MFA claims, without ever knowing the user’s password or device.
The researchers reproduce the full attack path:
- Add a Malicious Domain: Use the Graph API to register a new domain in the tenant.
- Verify the Domain: Add a DNS TXT record to pass Microsoft’s verification.
- Configure Federation: Upload a certificate and federation metadata to allow SAML token signing.
- Forge the Token: Use AADInternals to create a valid token for any hybrid user.
- Access Everything: Log in as the Global Admin and pivot to other systems.
Datadog’s researchers even provided screenshots of successfully accessing the Microsoft 365 and Azure Portals using a forged token, emphasizing the severity of this method.
Datadog disclosed their findings to Microsoft on January 14, 2025. In May, Microsoft replied that the issue stemmed from “expected behavior”:
“This is an example of privilege use within the boundaries of an already highly privileged context, not an escalation beyond the user’s assigned role,” the Microsoft Security Response Center (MSRC) stated. “The scenario described reflects misconfiguration, not a security bypass.”
In other words, the power to add credentials to trusted apps like Exchange Online is inherent in the Application Administrator role. It’s not a flaw in Microsoft’s eyes—it’s a risk accepted by design.
“Organizations should be cautious when assigning the Application Administrator role and ensure that apps with high impact permissions are tightly governed, as these inherently carry high trust requirements,” Microsoft advised.
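The attack path above leaves two distinct footprints in the tenant's directory audit log: a credential being added to the first-party Exchange Online service principal, and a federation change (domain added, verified, then its authentication set to federated) performed shortly afterwards by that same first-party application. The following Python script, written for this article and not part of Datadog's or Microsoft's tooling, runs a small correlation over constructed audit records shaped loosely like Microsoft Graph directoryAudit objects. The Exchange Online client ID is the one the report names; the activity names (`Add service principal credentials`, `Add unverified domain`, `Verify domain`, `Set domain authentication`), the 24-hour correlation window, and all sample actors and domains are assumptions to be checked against your own tenant's logs. It illustrates the governance Microsoft recommends in practice: alert on any credential landing on a high-impact first-party SP, and treat a federation change that follows it as one chain.

```python
import json
from datetime import datetime, timedelta

# Client ID of the Office 365 Exchange Online first-party app (value from the report).
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"
EXCHANGE_ONLINE_DISPLAY_NAME = "Office 365 Exchange Online"

# Assumed Entra audit-log activityDisplayName values; confirm against your tenant's logs.
CREDENTIAL_ACTIVITIES = {"Add service principal credentials"}
FEDERATION_ACTIVITIES = {"Add unverified domain", "Verify domain", "Set domain authentication"}

# A federation change this soon after a credential add on the SP is treated as one chain (assumed window).
CHAIN_WINDOW = timedelta(hours=24)

# Constructed sample records, shaped loosely like Graph directoryAudit objects (not real tenant data).
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDateTime": "2025-01-09T08:00:00Z", "activityDisplayName": "Set domain authentication",
     "initiatedBy": {"user": {"userPrincipalName": "globaladmin@contoso.example"}},
     "targetResources": [{"type": "Domain", "displayName": "corp.contoso.example"}]},
    {"activityDateTime": "2025-01-10T09:00:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"type": "User", "displayName": "Alice Example"}]},
    {"activityDateTime": "2025-01-10T10:15:00Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"app": {"displayName": "LegacyAutomationApp", "appId": "aaaaaaaa-0000-0000-0000-000000000001"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": EXCHANGE_ONLINE_DISPLAY_NAME}]},
    {"activityDateTime": "2025-01-10T10:40:00Z", "activityDisplayName": "Add unverified domain",
     "initiatedBy": {"app": {"displayName": EXCHANGE_ONLINE_DISPLAY_NAME, "appId": EXCHANGE_ONLINE_APP_ID}},
     "targetResources": [{"type": "Domain", "displayName": "attacker-controlled.example"}]},
    {"activityDateTime": "2025-01-10T10:55:00Z", "activityDisplayName": "Set domain authentication",
     "initiatedBy": {"app": {"displayName": EXCHANGE_ONLINE_DISPLAY_NAME, "appId": EXCHANGE_ONLINE_APP_ID}},
     "targetResources": [{"type": "Domain", "displayName": "attacker-controlled.example"}]},
])


def _parse_time(value):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_audit_log(raw_json):
    """Load a JSON array of audit records and return them in chronological order."""
    events = json.loads(raw_json)
    return sorted(events, key=lambda e: _parse_time(e["activityDateTime"]))


def _actor(event):
    """Return (kind, display name, appId-or-None) for whoever initiated the event."""
    init = event.get("initiatedBy", {})
    app = init.get("app")
    if app:
        return "app", app.get("displayName", "?"), app.get("appId")
    user = init.get("user") or {}
    return "user", user.get("userPrincipalName", "?"), None


def _targets_exchange_online(event):
    """True if any target resource is the Exchange Online service principal."""
    return any(t.get("type") == "ServicePrincipal" and t.get("displayName") == EXCHANGE_ONLINE_DISPLAY_NAME
               for t in event.get("targetResources", []))


def find_alerts(raw_json):
    """Correlate credential adds on the Exchange Online SP with later federation changes."""
    alerts = []
    credential_add_times = []
    for ev in parse_audit_log(raw_json):
        activity = ev.get("activityDisplayName", "")
        _kind, actor_name, actor_app_id = _actor(ev)
        when = _parse_time(ev["activityDateTime"])

        if activity in CREDENTIAL_ACTIVITIES and _targets_exchange_online(ev):
            # Any new credential on a first-party, high-impact SP is worth a high-severity alert.
            credential_add_times.append(when)
            alerts.append({"rule": "credential_added_to_first_party_sp", "severity": "high",
                           "time": ev["activityDateTime"], "actor": actor_name,
                           "detail": f"{activity} on {EXCHANGE_ONLINE_DISPLAY_NAME}"})
        elif activity in FEDERATION_ACTIVITIES:
            domains = [t.get("displayName", "?") for t in ev.get("targetResources", []) if t.get("type") == "Domain"]
            # Federation changes made *by* the Exchange Online app itself are the report's signature.
            severity = "high" if actor_app_id == EXCHANGE_ONLINE_APP_ID else "medium"
            alerts.append({"rule": "federation_change", "severity": severity,
                           "time": ev["activityDateTime"], "actor": actor_name,
                           "detail": f"{activity} for {', '.join(domains)}"})
            # Escalate when a credential add on the SP preceded this change within the window.
            if any(timedelta(0) <= when - t <= CHAIN_WINDOW for t in credential_add_times):
                alerts.append({"rule": "federation_change_after_sp_credential_add", "severity": "critical",
                               "time": ev["activityDateTime"], "actor": actor_name,
                               "detail": f"{activity} for {', '.join(domains)} within "
                                         f"{CHAIN_WINDOW} of a credential add on the SP"})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_AUDIT_LOG):
        print(f"[{alert['severity']:8}] {alert['time']} {alert['rule']}: {alert['actor']} - {alert['detail']}")
```

In the constructed sample, the earlier federation change by a human Global Administrator produces only a medium-severity alert, while the two changes made by the Exchange Online application itself, minutes after a credential was added to that SP, each produce a high-severity alert plus a critical chain alert. In production the target service principal would be matched on its object ID or resolved to its appId through Graph rather than on display name, which is used here only to keep the sample self-contained.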