An administrative role meant for artificial intelligence (AI) agents within Microsoft Entra ID could enable privilege escalation and identity takeover attacks, according to new findings from Silverfort.
Agent ID Administrator is a privileged built-in role introduced by Microsoft as part of its agent identity platform to handle all aspects of an AI agent’s identity lifecycle operations in a tenant. The platform enables AI agents to authenticate securely and access necessary resources, as well as discover other agents.
However, the shortcoming discovered by the identity security platform meant that users assigned the Agent ID Administrator role could take over arbitrary service principals, including those beyond agent-related identities, by becoming an owner and then add their own credentials to authenticate as that principal.
This ownership of a service principal effectively opens the door to an attacker to operate within the scope of its existing permissions. If the targeted service principal holds elevated permissions – particularly privileged directory roles and high-impact Graph app permissions – it can give an attacker broader control over the tenant.
Following responsible disclosure on March 1, 2026, Microsoft rolled out a patch across all cloud environments to remediate the scope overreach on April 9. Following the fix, any attempt to assign ownership over non-agent service principals using the Agent ID Administrator role is now blocked, and leads to a “Forbidden” error message being displayed.
Silverfort noted that the architectural issue highlights the need for validating how roles are scoped and permissions are applied, especially when it comes to shared identity components and new identity types are built on top of the foundations of existing primitives.
Leave a Reply