Vulnerability in Microsoft Entra Subscription Management Access Control

A vulnerability in the access control of Microsoft Entra subscription management allows guest users to create and transfer subscriptions within the tenant to which they are invited, while retaining full ownership of these subscriptions. Guest users only need permissions to create subscriptions. This vulnerability exposes Entra environments to an unexpected risk.