I SPy: Escalating to Entra ID’s Global Admin with a first-party app

Research revealed that Microsoft first-party application service principals (SPs), specifically Office 365 Exchange Online’s SP, can be exploited for privilege escalation and persistence in hybrid Entra ID environments by abusing Domain.ReadWrite.All permissions. Attackers with Cloud Application Administrator or Application Administrator roles can add credentials to these SPs, add federated domains, and forge SAML tokens to impersonate any hybrid user, including Global Administrators. #Office365ExchangeOnline #ServicePrincipalHijacking

Key points

  • Service principals (SPs) holding the Cloud Application Administrator or Application Administrator role, or the Application.ReadWrite.All permission, can escalate privileges by hijacking hybrid users via the Office 365 Exchange Online SP.
  • Attackers can add new federated domains using Domain.ReadWrite.All permission and forge SAML tokens to impersonate any hybrid user synchronized in Entra ID with on-premises AD.
  • Datadog reported the issue to Microsoft Security Response Center (MSRC) in January 2025; MSRC classified this behavior as expected due to misconfiguration, not as a security vulnerability.
  • Only SP identities assigned application management permissions can perform this attack, not user identities.
  • Microsoft has implemented protective controls on most first-party app SPs, but Office 365 Exchange Online SP remains vulnerable to credential addition and privilege escalation attacks.
  • Monitoring additions of credentials to app registrations and SPs, as well as changes to Entra ID tenant domains, is critical to detect potential abuse.
  • Defensive recommendations include using cloud-only administrator accounts, enabling app instance property lock on app registrations, and implementing Conditional Access policies to restrict untrusted access.
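The monitoring recommendation above is concrete enough to turn into detection logic. The following is an added example, not code from the article or from Datadog: it triages records shaped like Microsoft Graph `auditLogs/directoryAudits` events and flags the two signals named on the page, credentials added to app registrations or SPs (with the Office 365 Exchange Online SP treated as high severity) and tenant domain additions or federation changes, escalating any such change initiated by a service principal. The `activityDisplayName` strings are assumed from Entra audit-log naming and should be confirmed against your tenant's logs; the sample events are constructed.

```python
"""Triage Entra ID directory-audit events for credential additions to apps/SPs
and for tenant domain or federation changes (added example, assumptions noted)."""

# Office 365 Exchange Online first-party app id, taken from the page's IoC list.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"

# Audit events reference the SP's object id and display name rather than the appId,
# so add your tenant's SP object id to WATCHED_SP_IDS; display names are matched too.
WATCHED_SP_NAMES = {"Office 365 Exchange Online"}
WATCHED_SP_IDS = {EXCHANGE_ONLINE_APP_ID}

# activityDisplayName values: assumed from Entra audit-log naming, verify in your tenant.
CREDENTIAL_OPS = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}
DOMAIN_OPS = {"Add unverified domain", "Verify domain"}
FEDERATION_OPS = {"Set domain authentication", "Set federation settings on domain"}


def initiator(event):
    """Return ('servicePrincipal', sp_id) or ('user', upn) for who made the change."""
    by = event.get("initiatedBy") or {}
    if by.get("app"):
        return "servicePrincipal", by["app"].get("servicePrincipalId")
    return "user", (by.get("user") or {}).get("userPrincipalName")


def triage_event(event):
    """Return a finding dict for a suspicious event, or None if it is not of interest."""
    activity = event.get("activityDisplayName", "")
    kind, who = initiator(event)
    targets = event.get("targetResources") or []
    finding = None
    if activity in CREDENTIAL_OPS:
        watched = any(
            t.get("displayName") in WATCHED_SP_NAMES or t.get("id") in WATCHED_SP_IDS
            for t in targets
        )
        finding = {
            "severity": "high" if watched else "medium",
            "reason": "credential added to watched first-party SP"
            if watched else "credential added to app registration or SP",
        }
    elif activity in FEDERATION_OPS:
        finding = {"severity": "high", "reason": "domain federation settings changed"}
    elif activity in DOMAIN_OPS:
        finding = {"severity": "medium", "reason": "tenant domain added or verified"}
    if finding is None:
        return None
    # The page notes that only SP identities with app-management rights can chain this,
    # so an SP initiating any of these operations is escalated to high.
    if kind == "servicePrincipal":
        finding["severity"] = "high"
    finding.update(
        activity=activity,
        initiator_type=kind,
        initiator=who,
        targets=[t.get("displayName") or t.get("id") for t in targets],
        time=event.get("activityDateTime"),
    )
    return finding


def triage(events):
    """Run triage_event over a batch and keep only the findings."""
    return [f for f in (triage_event(e) for e in events) if f]


# Constructed sample events in the shape of directoryAudits records (not real logs).
SAMPLE_EVENTS = [
    {"activityDateTime": "2025-01-10T09:00:00Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"app": {"servicePrincipalId": "11111111-aaaa-4bbb-8ccc-000000000001"}},
     "targetResources": [{"id": "22222222-bbbb-4ccc-8ddd-000000000002",
                          "displayName": "Office 365 Exchange Online"}]},
    {"activityDateTime": "2025-01-10T09:05:00Z",
     "activityDisplayName": "Add unverified domain",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"id": "newdomain.example", "displayName": "newdomain.example"}]},
    {"activityDateTime": "2025-01-10T09:07:00Z",
     "activityDisplayName": "Set domain authentication",
     "initiatedBy": {"app": {"servicePrincipalId": "11111111-aaaa-4bbb-8ccc-000000000001"}},
     "targetResources": [{"id": "newdomain.example", "displayName": "newdomain.example"}]},
    {"activityDateTime": "2025-01-10T09:10:00Z",
     "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"id": "33333333-cccc-4ddd-8eee-000000000003", "displayName": "J. Doe"}]},
    {"activityDateTime": "2025-01-10T09:12:00Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"id": "44444444-dddd-4eee-8fff-000000000004", "displayName": "Contoso HR app"}]},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["time"], f["activity"], f["initiator_type"], f["initiator"], f["targets"], "-", f["reason"])
```

In production, feed the function with pages from the `directoryAudits` endpoint or a SIEM export, and keep the watchlist of first-party SP object ids tenant-specific, since the object id differs per tenant even though the appId does not.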

MITRE Techniques

  • [T1134] Access Token Manipulation – Attackers forge SAML tokens for any hybrid user by exploiting federated domain certificates. (“…the certificate that is associated with this federated domain can then be used to forge tokens as any user synced with an on-premises Active Directory (AD) user…”)
  • [T1078] Valid Accounts – Leveraging service principals with privileged roles enables attackers to authenticate as applications and gain high-level permissions. (“…an SP with the Application Administrator role adds a credential to the Office 365 Exchange Online SP and authenticates as the application…”)
  • [T1190] Exploit Public-Facing Application – Adding credentials to first-party SPs allowed lateral movement and privilege escalation. (“…this attack uses an SP backdooring or SP hijacking technique to escalate privileges within Microsoft Entra ID…”)
  • [T1087] Account Discovery – Enumeration of Entra ID users and retrieval of onPremisesImmutableId enables token forging. (“…the script gathered a target user’s onPremisesImmutableId by using the GET /v1.0/users/{id}?select=onPremisesImmutableId endpoint…”)
  • [T1550] Use Alternate Authentication Material – Abuse of credentials added to SPs and use of federated domain certificates to authenticate. (“…credentials added to SPs allow authentication as that application in that tenant; federated certificates allow token forging…”)

Indicators of Compromise

  • [Service Principal ID] Office 365 Exchange Online SP – Client ID: 00000002-0000-0ff1-ce00-000000000000 (used for privilege escalation via credential addition)
  • [Domain] Malicious federated domain – example: “maliciousdomain.com” added and verified in Entra ID (used to forge SAML tokens)
  • [Certificate] Malicious signing certificate – used in federationConfiguration API to enable token signing and SAML token forgery
  • [User Property] onPremisesImmutableId – base64 GUID used to target specific hybrid user accounts for token forging (retrieved via Microsoft Graph)
  • [API Endpoints] Microsoft Graph API endpoints for domain and SP management – POST /v1.0/domains, GET /v1.0/domains/{domain}/verificationDnsRecords, POST /v1.0/domains/{domain}/federationConfiguration

Read more: https://securitylabs.datadoghq.com/articles/i-spy-escalating-to-entra-id-global-admin/