Cybersecurity researchers at the identity protection firm Silverfort found a vulnerability in a Microsoft platform built to manage AI. The issue involved Microsoft Entra Agent ID, an identity and authorisation framework that gives AI agents their own identities.
These identities allow them to log into systems and access resources just like human users. To manage this environment, Microsoft created a specific directory role known as the Agent ID Administrator
The Attack Chain
Silverfort researchers Noa Ariel and Yoav S found that this directory role had a dangerous scope gap. It was meant to handle agent-related objects like Blueprints and Agent Identities, but it could actually modify nearly any Application Service Principal within a tenant.
Think of a Service Principal as a digital ID card for software. A Service Principal takeover is basically identity theft for apps; if a hacker becomes the owner of that ID, they can create their own secret key to log in. Since these digital accounts usually have high-level permissions to move data or change settings, stealing one allows a hacker to control the system while staying hidden.
During an attack, a user with the Agent ID Administrator role performs enumeration using the Microsoft Graph API or Azure CLI. This is done to find accounts with elevated permissions, specifically targeting Service Principals with high-impact Graph permissions like RoleManagement.ReadWrite.Directory.
The attacker then uses the role to add themselves as an owner of a non-agent Service Principal. This worked because the role permissions for updating owners were not strictly limited to agent-backed objects. After becoming the owner, they perform ‘credential injection’ by adding a new password or certificate to that account. They then authenticate as that Service Principal.
Researchers noted in the blog post shared with Hackread.com that “ownership is a takeover primitive,” which means that becoming an owner allows a user to steal the identity of the account entirely. This technique is a form of Privilege Escalation that gives an attacker total control over the tenant.
To prove the risk, researchers recorded a demo where an Agent ID Administrator successfully hijacked a Global Administrator account. By signing in with these stolen credentials, they gained full control over the entire network.
Security Impact
The danger was widespread. About 99% of business networks have at least one privileged Service Principal. While the Agent ID Administrator role is relatively new, over half of the companies studied already use agent identities. Some even run more than 100 active agents, thus creating a situation where the security rules for the role simply didn’t match its actual power.
Silverfort discovered the flaw on 24 February 2026 and reported it to Microsoft Security Response Center (MSRC) on 1 March. The company confirmed the vulnerability on 26 March, and by 9 April, a full fix was rolled out to all cloud environments, which blocked the Agent ID Administrator role from managing owners of regular, non-agent Service Principals. Companies are urged to check AuditLogs for any changes to account ownership or the creation of new secrets on sensitive accounts.
