Microsoft fully patched a privilege escalation flaw in Entra ID’s Agent ID Administrator role on April 9, 2026, after Silverfort researchers demonstrated it could take over arbitrary service principals across an entire tenant. The fix blocks the role from modifying non-agent service principals. No user action is required.

The Scope Overreach

The Agent ID Administrator is a built-in privileged role Microsoft introduced as part of its Agent Identity Platform, designed to manage the lifecycle of AI agent identities within Entra ID tenants. The role was supposed to operate only on agent-related objects like blueprints and agent identities.

Silverfort researcher Noa Ariel found that users assigned the role could instead add themselves as owners of any service principal in the tenant, not just agent-related ones. Once an attacker owned a service principal, they could attach new credentials (client secrets or certificates) and authenticate as that application.

“That’s full service principal takeover,” Ariel told The Hacker News. “In tenants where high-privileged service principals exist, it becomes a privilege escalation path.”

Why Agent Identities Caused the Problem

The architectural root is that agent identities in Entra ID are built on top of the same primitives as regular applications: service principals. Microsoft introduced new agent-specific objects but did not properly enforce the boundary between “agent” and “non-agent” service principals at the role level, according to CSO Online.

The ownership action was blocked for application objects but not for service principals, suggesting the flaw was specific to the service principal layer rather than the broader identity model. The result: the Agent ID Administrator could effectively mimic capabilities of the much more powerful Application Administrator role.

Silverfort discovered the flaw on February 24, 2026, and reported it to Microsoft Security Response Center (MSRC) on March 1. MSRC confirmed the internal fix was fully rolled out by April 9, according to CSO Online.

Scale of Exposure

The Agent ID Administrator role is relatively new and not yet widely assigned. But the underlying attack path, service principal ownership escalation, is well-established. Silverfort reported that approximately 99% of tenants have at least one privileged service principal, and more than half of those use agent identities averaging around 100 per tenant, according to Hackread.

The Pattern for Agent Builders

The flaw illustrates a recurring problem as platforms add agent identity layers on top of existing infrastructure: new roles scoped to agent-specific objects can inherit unintended permissions from the primitives they share with broader systems. Any team building agent identity management on top of service principals, workload identities, or similar shared foundations should audit whether their role-based access controls actually enforce the boundaries they assume.

Silverfort recommends monitoring sensitive role usage related to service principal ownership or credential changes, tracking ownership changes on service principals, and auditing credential creation events.
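A defender-side check that follows the monitoring advice above, as an added example that is not code from the article or from Silverfort: it scans constructed, simplified Entra audit log records and flags owner-add or credential-add activity by Agent ID Administrator holders against service principals that are not agent identities, rating the finding higher when the target is a privileged service principal. The activity names, record shape, role-holder list and the agent/privileged service principal sets are assumptions; in a real deployment they would come from the tenant's audit log and role assignment data.

```python
"""Flag Entra ID audit events where an Agent ID Administrator holder acts on
a non-agent service principal (constructed, simplified records)."""
from dataclasses import dataclass

# Assumed audit-log activity names; verify them against your tenant's log.
WATCHED_ACTIVITIES = {"Add owner to service principal",
                      "Add service principal credentials"}


@dataclass
class Finding:
    actor: str
    activity: str
    target_id: str
    severity: str


def find_scope_overreach(events, role_holders, agent_sp_ids, privileged_sp_ids):
    """Return findings for watched activities initiated by Agent ID
    Administrator holders whose target service principal is not an agent
    identity; targets in the privileged set are rated 'high'."""
    findings = []
    for ev in events:
        activity = ev["activityDisplayName"]
        if activity not in WATCHED_ACTIVITIES:
            continue
        actor = ev["initiatedBy"].get("user", {}).get("userPrincipalName")
        if actor not in role_holders:
            continue  # not the role under scrutiny
        target = ev["targetResources"][0]["id"]
        if target in agent_sp_ids:
            continue  # in-scope agent identity: expected use of the role
        severity = "high" if target in privileged_sp_ids else "medium"
        findings.append(Finding(actor, activity, target, severity))
    return findings


# Constructed sample events (not real tenant data); shape is simplified.
def _ev(activity, upn, sp_id):
    return {"activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": upn}},
            "targetResources": [{"id": sp_id}]}


SAMPLE_EVENTS = [
    _ev("Add owner to service principal", "agentadmin@example.com", "sp-agent-001"),
    _ev("Add owner to service principal", "agentadmin@example.com", "sp-billing-sync"),
    _ev("Add service principal credentials", "agentadmin@example.com", "sp-billing-sync"),
    _ev("Add service principal credentials", "appadmin@example.com", "sp-billing-sync"),
]
ROLE_HOLDERS = {"agentadmin@example.com"}      # assumed Agent ID Administrator holders
AGENT_SP_IDS = {"sp-agent-001"}                # assumed agent identity service principals
PRIVILEGED_SP_IDS = {"sp-billing-sync"}        # assumed privileged service principals

if __name__ == "__main__":
    for f in find_scope_overreach(SAMPLE_EVENTS, ROLE_HOLDERS,
                                  AGENT_SP_IDS, PRIVILEGED_SP_IDS):
        print(f)
```

The owner-add on the agent identity is accepted as normal role use, while the two actions by the same role holder on the privileged non-agent service principal are surfaced as high-severity findings.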