Exploiting Actor Tokens: High-Level Overview
This analysis builds on the original discovery and disclosure by Dirk-jan Mollema, who reported the issue to the Microsoft Security Response Center (MSRC). Microsoft patched the flaw and rolled out mitigations to prevent its exploitation (tracked as CVE-2025-55241).
The critical attack primitive in Microsoft Entra ID allowed legacy undocumented tokens to be abused, enabling impersonation of users across any tenant (including Global Admins). These undocumented impersonation tokens are referred to as “Actor tokens”: a special delegation mechanism that allows a service to act on behalf of a user.
Due to weak validation in the deprecated Azure AD Graph API, tenant and issuer bindings were not strictly enforced, enabling these tokens to be accepted in the wrong tenant context and abused to impersonate users across tenants.
The result: attackers could craft a request that appeared to come from a legitimate Global Admin, thereby bypassing Conditional Access, while leaving almost no trace in tenant logs.
In this article, I’ll walk through the attack in five phases:
- Obtaining Actor Tokens
- Mapping Victim Tenants
- Abusing Actor Tokens
- Victim-Tenant Takeover
- Persistence & Cleanup Resistance
Phase 1: Obtaining Actor Tokens
The attack begins with acquiring an Actor Token, which can effectively grant full access to the Azure AD Graph API in any tenant while leaving almost no trace.
Actor Token creation leaves the victim tenant blind: the event is recorded in the attacker’s tenant, not the target’s. If an attacker abuses such a token to impersonate a Global Admin, they can change anything in Entra ID — user data, groups, policies, apps, and permissions — and therefore reach any dependent service (SharePoint, Exchange, Azure).
An attacker doesn’t need access to the victim tenant yet. They simply request an actor token in their own tenant, using a service that still supports this legacy flow.
Phase 2: Mapping Victim Tenants
An attacker with a valid Actor Token first finds the target tenant and a user in that tenant. Tenant IDs are public, and user identifiers (puid / netId) can be discovered from guest invites, shared links, or simply brute-forced — netId is incremental, not random.
Phase 3: Abusing Actor Tokens
The bug allows an Actor Token issued in the attacker’s tenant to be presented to the victim tenant. Actor Tokens have the following properties:
- They are unsigned JWTs.
- Their issuance is not logged in the victim tenant.
- They cannot be revoked during their validity period.
- They bypass Conditional Access policies.
The Azure AD Graph API accepted those tokens without checking that the token’s issuer and tenant match the request.
As such, an attacker can first find a valid netId for a regular user in the target tenant. Then, using the attacker-tenant Actor Token, the victim tenant ID, and that netId, the attacker can craft an impersonation token and present it to the victim tenant’s Azure AD Graph API endpoint.
Phase 4: Victim Tenant Takeover
Once an attacker can present a forged Actor Token for a victim netId, they can enumerate the tenant’s Global Admins and their netIds, forge an impersonation token for a chosen admin, and perform any read or write action via the Azure AD Graph API.
Phase 5: Persistence & Cleanup Resistance
After a takeover, an attacker can install durable backdoors: add long-lived secrets to service principals, create shadow apps with broad permissions, or give permanent admin roles to hidden accounts. Those changes look like normal admin work, so they’re easy to miss unless you hunt for them.
Defensive Guidance
- Verify CVE-2025-55241 patches have been applied.
- Migrate off Azure AD Graph — use Microsoft Graph exclusively.
- Enforce JIT admin — no permanent Global Admins.
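The Phase 5 persistence pattern above (long-lived secrets on service principals) and the service principal credential inventory in the guidance can be checked with a short hunt. The following is an added example, not code from the original post or from Fabrix Security; it runs over a constructed sample shaped like Microsoft Graph `servicePrincipal` objects (real `passwordCredentials` / `keyCredentials` fields) and flags any credential whose validity window is longer than a chosen threshold. The 180-day threshold is an assumed policy value.

```python
from datetime import datetime, timedelta

# Assumed policy: flag service principal credentials valid for longer than this.
MAX_CREDENTIAL_LIFETIME_DAYS = 180

# Constructed sample data shaped like Microsoft Graph `servicePrincipal` objects
# (only the fields used here). In practice, feed in real API results.
SAMPLE_SERVICE_PRINCIPALS = [
    {
        "displayName": "Payroll Sync",
        "passwordCredentials": [
            {"keyId": "11111111-0000-0000-0000-000000000001",
             "startDateTime": "2024-01-01T00:00:00Z",
             "endDateTime": "2024-06-01T00:00:00Z"},   # ~5 months: normal rotation
        ],
        "keyCredentials": [],
    },
    {
        "displayName": "Helpdesk Automation",
        "passwordCredentials": [
            {"keyId": "22222222-0000-0000-0000-000000000002",
             "startDateTime": "2025-03-10T00:00:00Z",
             "endDateTime": "2125-03-10T00:00:00Z"},   # 100-year secret: backdoor-like
        ],
        "keyCredentials": [
            {"keyId": "33333333-0000-0000-0000-000000000003",
             "startDateTime": "2025-03-10T00:00:00Z",
             "endDateTime": "2025-08-10T00:00:00Z"},   # ~5 months: normal rotation
        ],
    },
]


def _parse(ts: str) -> datetime:
    # Graph returns ISO 8601 timestamps with a trailing "Z"; normalise for fromisoformat.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def long_lived_credentials(service_principals, max_days=MAX_CREDENTIAL_LIFETIME_DAYS):
    """Return (displayName, credentialType, keyId, lifetimeDays) for every
    password or certificate credential whose validity window exceeds max_days."""
    findings = []
    for sp in service_principals:
        for cred_type in ("passwordCredentials", "keyCredentials"):
            for cred in sp.get(cred_type, []):
                lifetime = _parse(cred["endDateTime"]) - _parse(cred["startDateTime"])
                if lifetime > timedelta(days=max_days):
                    findings.append((sp["displayName"], cred_type, cred["keyId"], lifetime.days))
    return findings


if __name__ == "__main__":
    for name, cred_type, key_id, days in long_lived_credentials(SAMPLE_SERVICE_PRINCIPALS):
        print(f"{name}: {cred_type} {key_id} valid for {days} days")
```

Every hit is worth reviewing against a change ticket, since a legitimately long-lived secret and one added during a takeover look identical in the directory itself.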
Call to Action
Fabrix Security is contributing back to the community. Book your free Entra ID risk assessment:
- Service principal credential inventory.
- JIT transition to zero standing privileged access.
- Prioritized remediation plan.
Reach out to ensure your tenant is fully protected against Actor Token-style risks. Fabrix Security will help you uncover exposures, harden your defenses, and stay ahead of attackers.