
Microsoft Entra ID Vulnerability Exposes Internal Apps and Sensitive Data
Vaisha Bernard, ethical hacker and co-founder of Eye Security, reveals a vulnerability class affecting Microsoft applications that authenticate with Entra ID. By following aka.ms short links, he found that he could sign in to internal Microsoft applications with his personal Microsoft account.

The root cause is a misconfiguration of multi-tenant application registrations. An app registered to accept sign-ins from any organization (or from personal Microsoft accounts) receives a correctly signed token for every user who authenticates, whichever tenant issued it. If the application validates only the signature, audience and expiry and never checks the issuer (iss) or tenant ID (tid) claims, any Entra ID user or personal account holder is accepted as if they belonged to the application's home tenant.

Of 102,672 Microsoft subdomains analyzed, 1,400 used Entra ID for authentication, and 172 of those were multi-tenant applications. Bernard identified 22 vulnerable applications exposing internal data, including the Microsoft Engineering Hub (a search for the word "password" returned 13,252 results), the emergency broadcast system, the ACE command center used for Fortune 500 clients, and a risk registry containing information on unpatched zero-days. Microsoft resolved most cases within two months.

Bernard recommends that multi-tenant applications explicitly verify the issuer or tenant ID in application logic, since a valid signature alone does not prove that a token came from the expected tenant.
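The tenant check Bernard recommends, written out as an added example (Python; not code from the talk, from Eye Security or from Microsoft). The tenant GUIDs marked as placeholders, the audience value and the usernames are constructed for the example, and the sample tokens are unsigned stand-ins for real Entra ID tokens whose signatures would already have been verified by the JWT library before this check runs:

```python
import base64
import json

# Added example, not code from the talk or from Microsoft. It shows the tenant
# check a multi-tenant Entra ID application must perform itself, after the
# token's signature, audience and expiry have been verified by the JWT library.

# Tenants allowed to use this application: normally your own tenant GUID(s).
# The GUID below is a constructed placeholder.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
ALLOWED_TENANTS = {HOME_TENANT}

# Issuer formats Entra ID uses: v2.0 tokens carry login.microsoftonline.com/{tid}/v2.0,
# v1.0 tokens carry sts.windows.net/{tid}/. The issuer must name the same tenant as tid.
ISSUER_TEMPLATES = (
    "https://login.microsoftonline.com/{tid}/v2.0",
    "https://sts.windows.net/{tid}/",
)


class TenantRejected(Exception):
    """Raised when a token comes from a tenant the application does not serve."""


def decode_claims(token: str) -> dict:
    """Read the payload of a compact JWT. No signature check happens here: this
    runs after signature, audience and expiry validation and only extracts the
    claims the tenant check needs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_tenant(claims: dict, allowed_tenants=ALLOWED_TENANTS) -> str:
    """The missing authorization step: require a tid on the allow list and an
    issuer that names that same tenant. Returns the accepted tenant ID."""
    tid = claims.get("tid")
    iss = claims.get("iss")
    if not tid or not iss:
        raise TenantRejected("token lacks tid or iss claim")
    if tid not in allowed_tenants:
        raise TenantRejected(f"tenant {tid} is not allowed")
    if iss not in {t.format(tid=tid) for t in ISSUER_TEMPLATES}:
        raise TenantRejected(f"issuer {iss} does not match tenant {tid}")
    return tid


def is_token_accepted(token: str) -> bool:
    """True if the tenant check passes, False for any rejected or malformed token."""
    try:
        check_tenant(decode_claims(token))
        return True
    except (TenantRejected, ValueError):
        return False


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the demonstration only. A real token
    is signed by Entra ID and must be verified before it reaches check_tenant."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed sample tokens. FOREIGN_TENANT is a placeholder GUID; MSA_TENANT is
# the well-known consumer (personal Microsoft account) tenant ID.
FOREIGN_TENANT = "22222222-2222-2222-2222-222222222222"
MSA_TENANT = "9188040d-6c67-4c5b-b112-36a304b66dad"


def sample_token(tid: str, iss_tid: str = "", user: str = "user@example.com") -> str:
    iss_tid = iss_tid or tid
    return make_unsigned_token({
        "aud": "api://example-internal-app",   # placeholder audience
        "iss": f"https://login.microsoftonline.com/{iss_tid}/v2.0",
        "tid": tid,
        "preferred_username": user,
    })


HOME_TOKEN = sample_token(HOME_TENANT, user="alice@contoso.example")
FOREIGN_TOKEN = sample_token(FOREIGN_TENANT, user="mallory@other.example")
MSA_TOKEN = sample_token(MSA_TENANT, user="someone@outlook.com")
# Allowed tid but issuer of another tenant: rejected by the issuer/tid agreement check.
MISMATCH_TOKEN = sample_token(HOME_TENANT, iss_tid=FOREIGN_TENANT)

if __name__ == "__main__":
    for name, tok in [("home", HOME_TOKEN), ("foreign", FOREIGN_TOKEN),
                      ("msa", MSA_TOKEN), ("mismatch", MISMATCH_TOKEN)]:
        print(f"{name:9s} accepted={is_token_accepted(tok)}")
```

The point the example makes is that signature verification against Entra ID's keys passes for a token from any tenant once the app is registered as multi-tenant, so the tid allow list and the issuer/tid agreement check are what stop a foreign-tenant or personal-account token. Where your JWT library lets you pin an expected issuer, pin the tenant-specific issuer rather than the common one; the function above is the same check done in application logic.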