Microsoft Patches Critical Entra ID Flaw Allowing Privilege Escalation and Network Takeover
April 28, 2026
Microsoft patched a vulnerability in Entra ID tied to the Agent ID Administrator role that could let an attacker escalate privileges and take control of arbitrary service principals beyond agent identities.
In a demo, researchers showed an Agent ID Administrator hijacking a Global Administrator account to gain full network control.
The Agent ID Administrator role, which governs AI agent identities, was shown to allow ownership takeover of arbitrary service principals, injection of credentials into them, and authentication as those principals, enabling full compromise.
The vulnerability was identified on February 24, 2026, and a case was opened a week later; a pre-release fix was confirmed on April 4, 2026, and the fix was fully rolled out by April 9, 2026.
The incident underscores broader risks in new identity models built on existing components, highlighting the need to validate role permissions, audit ownership changes, and monitor privileged assets.
The incident raises tenant-posture concerns around privileged service principals and establishes service principal ownership abuse as a known attack vector.
The impact of such a takeover could extend to API access, integrations, and directory-level permissions, especially in environments with privileged service principals.
The flaw was disclosed responsibly on March 1, 2026, prompting a focus on strict scoping and validation of roles and permissions for shared identity components and new identity types.
Security impact estimates show about 99% of business networks have at least one privileged Service Principal, with many organizations running 100+ agent identities, intensifying risk.
Experts note that agent identities reflect a broader shift toward non-human identities, and that loosely scoped role permissions can extend access well beyond the intended boundary when privileged service principals are involved.
Guidance includes monitoring sensitive role usage, auditing service principal ownership changes and credential rotations, securing privileged service principals, and reviewing AuditLogs for ownership or secret creation changes.
Organizations should closely track service principal ownership changes and credential events, treating privileged service principals as critical assets to mitigate risk.
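The guidance above amounts to a detection rule: watch AuditLogs for successful ownership and credential changes on service principals, weight them by whether the target is privileged, and correlate an owner addition followed shortly by a credential addition on the same principal. The following is an added example, not code from the original article or from Microsoft, run over a handful of constructed audit records shaped like Entra ID AuditLogs entries; the operation names are the ones Entra uses for these events, while the actor names, service principal identifiers and the privileged-principal inventory are invented for the example.

```python
"""Flag service principal ownership and credential changes in Entra ID audit records."""
from __future__ import annotations

from datetime import datetime, timedelta

# Entra ID AuditLogs operation names for the events the guidance says to watch.
OWNER_ADD_OPS = {"Add owner to service principal"}
CRED_ADD_OPS = {"Add service principal credentials"}
WATCHED_OPS = OWNER_ADD_OPS | CRED_ADD_OPS | {"Remove owner from service principal"}

# Hypothetical inventory of privileged service principals (constructed object IDs).
PRIVILEGED_SPS = {"sp-0001-global-automation", "sp-0002-graph-directory-rw"}

# Constructed sample records in the shape of exported AuditLogs entries.
SAMPLE_RECORDS = [
    {"activityDateTime": "2026-04-01T10:00:00Z", "operationName": "Add owner to service principal",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "agentadmin@contoso.example"}},
     "targetResources": [{"id": "sp-0002-graph-directory-rw", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2026-04-01T10:12:00Z", "operationName": "Add service principal credentials",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "agentadmin@contoso.example"}},
     "targetResources": [{"id": "sp-0002-graph-directory-rw", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2026-04-01T11:00:00Z", "operationName": "Add owner to service principal",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "devops@contoso.example"}},
     "targetResources": [{"id": "sp-9999-test-app", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2026-04-01T12:00:00Z", "operationName": "Update user",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "hr@contoso.example"}},
     "targetResources": [{"id": "user-1234", "type": "User"}]},
    {"activityDateTime": "2026-04-01T13:00:00Z", "operationName": "Add service principal credentials",
     "result": "failure", "initiatedBy": {"user": {"userPrincipalName": "devops@contoso.example"}},
     "targetResources": [{"id": "sp-9999-test-app", "type": "ServicePrincipal"}]},
]


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _actor(record: dict) -> str:
    # The audit record names the actor but not the directory role that was used;
    # role membership must be joined from a separate source.
    initiated_by = record.get("initiatedBy", {})
    if "user" in initiated_by:
        return initiated_by["user"].get("userPrincipalName", "unknown-user")
    if "app" in initiated_by:
        return initiated_by["app"].get("displayName", "unknown-app")
    return "unknown"


def _target_sp(record: dict) -> str | None:
    for target in record.get("targetResources", []):
        if target.get("type") == "ServicePrincipal":
            return target.get("id")
    return None


def find_watched_events(records: list[dict], privileged_sps: set[str] = PRIVILEGED_SPS) -> list[dict]:
    """Return every successful watched operation, rated high when the target is privileged."""
    findings = []
    for record in records:
        op = record.get("operationName")
        if op not in WATCHED_OPS or record.get("result") != "success":
            continue
        sp = _target_sp(record)
        findings.append({
            "time": record["activityDateTime"], "op": op, "actor": _actor(record), "sp": sp,
            "severity": "high" if sp in privileged_sps else "medium",
        })
    return findings


def find_takeover_chains(records: list[dict], window: timedelta = timedelta(hours=1)) -> list[dict]:
    """Correlate an owner addition followed by a credential addition on the same
    service principal, by the same actor, within the window."""
    by_sp: dict[str, list[dict]] = {}
    for record in sorted(records, key=lambda r: _parse_ts(r["activityDateTime"])):
        sp = _target_sp(record)
        if sp is None or record.get("result") != "success":
            continue
        by_sp.setdefault(sp, []).append(record)
    chains = []
    for sp, events in by_sp.items():
        owner_adds = [e for e in events if e["operationName"] in OWNER_ADD_OPS]
        cred_adds = [e for e in events if e["operationName"] in CRED_ADD_OPS]
        for owner in owner_adds:
            for cred in cred_adds:
                gap = _parse_ts(cred["activityDateTime"]) - _parse_ts(owner["activityDateTime"])
                if timedelta(0) <= gap <= window and _actor(owner) == _actor(cred):
                    chains.append({"sp": sp, "actor": _actor(owner),
                                   "owner_added": owner["activityDateTime"],
                                   "credential_added": cred["activityDateTime"]})
    return chains


if __name__ == "__main__":
    for finding in find_watched_events(SAMPLE_RECORDS):
        print(finding)
    for chain in find_takeover_chains(SAMPLE_RECORDS):
        print("possible takeover chain:", chain)
```

Against the sample data the rule reports three watched events (two rated high because they touch a privileged principal) and one takeover chain, while the failed credential addition is ignored. In production the same logic would be expressed as a KQL query over the AuditLogs table, with the privileged-principal inventory and the actor's role membership joined in from the tenant's own records.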
Summary based on 3 sources
Sources

The Hacker News • Apr 28, 2026
Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover
Security Affairs • Apr 28, 2026
Microsoft fixes Entra ID flaw enabling privilege escalation
Hackread - Cybersecurity News, Data Breaches, AI and More • Apr 26, 2026
Microsoft Entra Agent ID Flaw Enabled Tenant Takeover via Privilege Escalation