Microsoft on Sept. 18 patched a maximum-severity flaw in Entra ID — formerly known as Azure Active Directory — that security researchers said could have posed an enormous risk to millions of Microsoft users.The 10.0 flaw — CVE-2025-55241 — reportedly could have been exploited to take control of any Entra ID directory or tenant. Security researcher Dirk-jan Mollema discovered the issue in July and promptly reported it to Microsoft, which followed-up and fixed the bug.Lawrence Pingree, technical evangelist at Dispersive Holdings, said the Entra ID bug is scary given that it gives permission to be any user in a Microsoft trust domain.“Patch immediately, this one is very urgent,” said Pingree. “Bring your own trust to the cloud, with concepts like the "trusted cloud edge," which is all about converting the middle mile connectivity to modernize with preemptive defense of the connectivity. Anytime a credential is used in a strange way, this should prompt all SOC processes to validate trustability of the asset and the user.”Robert Coles, senior cybersecurity engineer at Black Duck, added that because it’s a maximum severity bug, Microsoft customers should ask the following:
- Impact verification: Can Microsoft confirm whether my tenant(s) showed any signs of attempted or successful exploitation of this vulnerability? Were any actor tokens issued for my tenant(s) that were used in unusual ways?
- Detection: What evidence is available to verify no misuse occurred in my environment(s)? Can Microsoft provide retroactive detection queries or logs?
- Remediation: Have all vulnerable paths to actor token misuse been blocked in my tenant(s)? Are there any tenant-side actions recommended, such as role review, token monitoring, Graph API deprecation)?
- Future prevention: What changes can Microsoft make to ensure internal tokens can't bypass conditional access policies? Will more granular logging be added for service-to-service token usage?





