Identity And Access Management
CIO Bulletin
20 September, 2025
Microsoft patches Entra ID flaw, improves security for identity and access. Microsoft is strengthening identity and access management to prevent cross-tenant exploitation and improving cloud security standards.
A serious vulnerability in Microsoft Entra ID (formerly Azure AD) has exposed the weaknesses in identity and access management (IAM) for many cloud tenants worldwide. Tracked as CVE-2025-55241, the flaw could have enabled threat actors to generate impersonation tokens and gain unauthorized cross-tenant access.
The problem, as reported by researcher Dirk-Jan Mollema, was related to the use of the Azure AD Graph API and undocumented ("actor") tokens that circumvent normal access controls and logging. The vulnerability sparked controversy in the information security community due to weaknesses in Microsoft's identity and access management protocols.
Microsoft patched the vulnerability last summer with code updates across the cloud platforms as part of its Secure Future Initiative (SFI). The company said there is no proof of exploitation in the wild and that it is still improving IAM standards. The initiative includes the adoption of SDKs for all IAM applications.
Despite the fix, experts caution that risk remains because of legacy protocols and a lack of transparency in how tokens are handled. Mollema said the lapse also shows the need for stronger identity and access controls to prevent similar incidents in the future.
This disclosure comes at a time when Microsoft's security posture has already come under heavy scrutiny because of previous breaches, highlighting the pivotal role of identity and access management in cloud security.