ahahaha

Sep. 19th, 2025 08:42 am
lev: (Default)
[personal profile] lev
What Mollema discovered is that an API, the Azure AD Graph API, did not check the tenant of an Actor token, meaning one could craft a token in their own test or low-privilege tenant and use it to impersonate an admin user in another, unrelated tenant. Azure AD Graph is a legacy REST API that Microsoft introduced years ago for interacting programmatically with Azure Active Directory (now Entra ID).

According to Mitiga, an Actor Token could be crafted using Tenant ID and netID values of target users, which can be accessed through guest accounts, leaked logs, or even brute force. The crafted (requested) Actor token, which Azure AD Graph does not scrutinize for source, could now be used to impersonate a Global administrator.
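The missing tenant check, as an added illustration (not the blog's, Mitiga's or Microsoft's code): a simplified resource-API authorizer that verifies only the token signature next to one that also requires the token's tenant claim to match the tenant being accessed. The token format, claim names ("typ", "tid") and signing key are constructed for the demo and are not the real Azure AD Graph or Actor token format.

```python
"""Constructed model of a resource API that forgets to compare the tenant a
token was issued for with the tenant whose users it is asked to act on."""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Placeholder key of the single token issuer; constructed, not real material.
ISSUER_KEY = b"demo-issuer-key-not-real"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Issuer side: sign a JSON claim set as a compact 'payload.sig' token."""
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64url(sig)}"


def verify_signature(token: str) -> Optional[dict]:
    """Return the claims when the signature checks out, otherwise None."""
    payload, _, sig = token.partition(".")
    expected = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


def authorize_vulnerable(token: str, target_tid: str) -> bool:
    """Signature and token type only: the token's own tenant is never read."""
    claims = verify_signature(token)
    return claims is not None and claims.get("typ") == "actor"


def authorize_fixed(token: str, target_tid: str) -> bool:
    """Additionally require the token's tenant (tid) to equal the target tenant."""
    claims = verify_signature(token)
    if claims is None or claims.get("typ") != "actor":
        return False
    return hmac.compare_digest(str(claims.get("tid", "")), target_tid)


def demo() -> Tuple[bool, bool]:
    """A valid actor token for tenant A presented against tenant B."""
    token = mint_token({"typ": "actor", "tid": "tenant-A-placeholder"})
    return (authorize_vulnerable(token, "tenant-B-placeholder"),
            authorize_fixed(token, "tenant-B-placeholder"))
```

`demo()` returns `(True, False)`: the signature-only check accepts the cross-tenant request, the tenant-aware check refuses it.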
