MICROSOFT fixed a vulnerability in Entra ID where the Agent ID Administrator, a privileged built-in role for AI agents, could enable takeover of service principals and compromise a tenant. According to Silverfort, users assigned the Agent ID Administrator role could become an owner of arbitrary service principals and add credentials to authenticate as that principal, effectively allowing full service principal takeover in some tenants.
“That's full service principal takeover,” security researcher Noa Ariel said, highlighting how highly privileged service principals could become a path for privilege escalation. Microsoft rolled out the patch across all cloud environments on 9 April 2026, following responsible disclosure on 1 March 2026; ownership attempts over non-agent service principals by holders of the Agent ID Administrator role are now blocked.
The advisory also urges organisations to monitor sensitive role usage, track service principal ownership changes, secure privileged service principals, and audit credential creation on service principals to mitigate the risk.
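As an added example, not code from Silverfort or Microsoft, the following Python applies two of those recommendations at once: it scans a constructed, simplified set of Entra-style audit records and flags any holder of the Agent ID Administrator role who became owner of a non-agent service principal and then added credentials to it. The record field names, the role-membership map and the agent/non-agent tagging are assumptions for this example.

```python
"""Flag the owner-then-credential takeover pattern in audit records.

Sample records, the actor-to-role map and the agent/non-agent tags below
are constructed for this example; a real deployment would pull them from
the tenant's directory audit logs and role assignments.
"""
import json
from collections import defaultdict

# Constructed sample audit records (simplified schema, not real tenant data).
SAMPLE_LOG = """\
{"time":"2026-04-01T10:00:00Z","activity":"Add owner to service principal","actor":"ops@contoso.example","target":"sp-billing-automation"}
{"time":"2026-04-01T10:02:00Z","activity":"Add service principal credentials","actor":"ops@contoso.example","target":"sp-billing-automation"}
{"time":"2026-04-01T11:00:00Z","activity":"Add owner to service principal","actor":"agentadmin@contoso.example","target":"sp-support-agent"}
{"time":"2026-04-01T11:05:00Z","activity":"Add owner to service principal","actor":"agentadmin@contoso.example","target":"sp-finance-sync"}
{"time":"2026-04-01T11:06:00Z","activity":"Add service principal credentials","actor":"agentadmin@contoso.example","target":"sp-finance-sync"}
"""

# Assumed inputs: who holds the sensitive role, and which service principals
# are agent identities (ownership of those is what the role is meant for).
ROLE_HOLDERS = {"agentadmin@contoso.example": {"Agent ID Administrator"}}
AGENT_SERVICE_PRINCIPALS = {"sp-support-agent"}

OWNER_ADD = "Add owner to service principal"
CRED_ADD = "Add service principal credentials"


def find_takeover_sequences(log_text, role_holders, agent_sps):
    """Return (actor, target) pairs where an Agent ID Administrator took
    ownership of a non-agent service principal and later added credentials."""
    owned = defaultdict(set)   # actor -> non-agent SPs they became owner of
    findings = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        actor, target, activity = rec["actor"], rec["target"], rec["activity"]
        if "Agent ID Administrator" not in role_holders.get(actor, set()):
            continue  # only actors holding the affected role are in scope
        if target in agent_sps:
            continue  # agent SPs are the role's legitimate scope
        if activity == OWNER_ADD:
            owned[actor].add(target)
        elif activity == CRED_ADD and target in owned[actor]:
            findings.append((actor, target))
    return findings


if __name__ == "__main__":
    for actor, target in find_takeover_sequences(
            SAMPLE_LOG, ROLE_HOLDERS, AGENT_SERVICE_PRINCIPALS):
        print(f"ALERT: {actor} took ownership of {target} and added credentials")
```

The same sequence performed by an actor without the role (the `ops@` records above) is left to ordinary ownership-change review rather than flagged here.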