Microsoft patches Entra ID bug that allowed principal takeover

Microsoft fixed an Entra ID Agent ID Administrator role flaw that let assigned users claim ownership of service principals and add credentials to authenticate as them.

Microsoft patched a flaw in its Entra ID Agent ID Administrator role that allowed assigned users to take ownership of service principals and add credentials to authenticate as those identities. Identity security firm Silverfort discovered the issue and disclosed it to Microsoft on March 1, 2026. Microsoft deployed a patch across its cloud environments on April 9, 2026; after the update, attempts by the Agent ID Administrator role to assign ownership of non-agent service principals return a “Forbidden” error.

Agent ID Administrator is a built-in privileged role Microsoft created for an agent identity platform that manages AI agents’ identities, including authentication, resource access and agent discovery. Silverfort found that users granted this role could make themselves owners of service principals beyond agent-related identities, then upload credentials and sign in as those principals.

Ownership of a service principal gives the owner the ability to manage that identity and use any permissions the principal already holds. Silverfort warned that if a targeted service principal has elevated permissions, such as privileged directory roles or high-impact Microsoft Graph app permissions, an attacker who gains ownership can use those permissions to move across a tenant or escalate privileges.

Silverfort traced the problem to how the platform layered new agent identity types on top of existing identity primitives without tightly scoping role permissions. The firm recommended that organizations monitor use of sensitive roles, track changes in service principal ownership, secure privileged service principals and audit credential creation on service principals.
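Silverfort's recommendations (track ownership changes, audit credential creation) can be turned into a simple detection over Entra ID audit log exports. The following is an added example written for this article, not code from Silverfort or Microsoft; the records are constructed, and the flattened field names (`activityDisplayName`, `initiatedBy`, `target`) are an assumption that simplifies the nested Microsoft Graph directoryAudit schema.

```python
"""Flag the owner-add -> credential-add sequence on Entra ID service principals."""
from datetime import datetime, timedelta

# Constructed sample audit records (assumption: flattened directoryAudit fields;
# the activity names match the ones Entra ID emits for these operations).
SAMPLE_AUDIT = [
    {"activityDateTime": "2026-04-01T10:00:00Z", "activityDisplayName": "Add owner to service principal",
     "initiatedBy": "alice@contoso.example", "target": "sp-billing-automation"},
    {"activityDateTime": "2026-04-01T10:07:00Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": "alice@contoso.example", "target": "sp-billing-automation"},
    {"activityDateTime": "2026-04-01T11:00:00Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": "svc-deploy@contoso.example", "target": "sp-ci-runner"},
    {"activityDateTime": "2026-04-02T09:00:00Z", "activityDisplayName": "Add owner to service principal",
     "initiatedBy": "bob@contoso.example", "target": "sp-reporting"},
]

OWNER_ADD = "Add owner to service principal"
CRED_ADD = "Add service principal credentials"


def parse_ts(value):
    """Parse the UTC timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_takeover_sequences(records, window=timedelta(hours=24)):
    """Return (actor, service principal) pairs where one actor added an owner to a
    service principal and then added credentials to the same principal within `window`.
    That ordering is the takeover pattern described in the article."""
    first_owner_add = {}   # (actor, target) -> time of the first owner change
    hits = []
    for rec in sorted(records, key=lambda r: r["activityDateTime"]):
        key = (rec["initiatedBy"], rec["target"])
        when = parse_ts(rec["activityDateTime"])
        if rec["activityDisplayName"] == OWNER_ADD:
            first_owner_add.setdefault(key, when)
        elif rec["activityDisplayName"] == CRED_ADD and key in first_owner_add:
            if when - first_owner_add[key] <= window:
                hits.append(key)
    return hits


def flag_privileged_owner_changes(records, privileged_sps):
    """Return (actor, service principal) pairs for any ownership change on a
    service principal in the caller's watchlist of privileged principals."""
    return [(r["initiatedBy"], r["target"]) for r in records
            if r["activityDisplayName"] == OWNER_ADD and r["target"] in privileged_sps]


if __name__ == "__main__":
    print("takeover sequences:", find_takeover_sequences(SAMPLE_AUDIT))
    print("privileged owner changes:", flag_privileged_owner_changes(SAMPLE_AUDIT, {"sp-reporting"}))
```

In a real tenant the watchlist would be populated from the service principals holding privileged directory roles or high-impact Graph app permissions, since those are the ones whose ownership the article identifies as the risk.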

Security researcher Noa Ariel summed up the finding: “That’s full service principal takeover.” Ariel added that where high-privileged service principals exist, the issue can serve as a path for privilege escalation. Silverfort noted that tenant posture around privileged service principals affects the level of risk, because ownership abuse is a known attack path.
