Dirk-Jan Mollema discusses the historical context of pivoting from on-premises Active Directory to Microsoft Entra ID. After Microsoft locked down traditional Entra Connect Sync escalation paths in August 2024, Mollema hunted for new hybrid bridges, landing on Exchange hybrid setups. These configurations store exportable certificates on-premises that allow authentication as a highly privileged, Microsoft-managed Exchange Online service principal.
Extracting these certificates allowed Mollema to authenticate as that service principal using the client credentials flow. While investigating the Test-OAuthConnectivity cmdlet, Mollema uncovered an undocumented legacy authentication flow relying on the Access Control Service (ACS). This service issues actor tokens meant for backend service-to-service communication. By taking a signed actor token from ACS and embedding it inside a locally generated, unsigned JSON Web Token that uses the "none" signature algorithm, Mollema could impersonate any user. This authentication method entirely bypassed conditional access policies, multi-factor authentication, and standard security logs.
Initially, this impersonation was limited to Exchange and SharePoint Online. However, Mollema discovered that requesting an actor token for the legacy Azure AD Graph API (graph.windows.net) expanded the impact dramatically. This legacy API relied on an attribute called the Net ID to identify users. By inserting a target Global Admin's Net ID into the locally forged unsigned token and pointing the request at a different tenant, Mollema found that the backend failed to validate the tenant boundary against the inner signed token.
This oversight allowed complete cross-tenant compromise. Because Net IDs are sequential and explicitly exposed in the AlternativeSecurityIds attribute of B2B guest accounts, an attacker could harvest them from invited guests and rapidly pivot across interconnected enterprise networks. This viral spread potential prompted an immediate response from Microsoft, which patched the vulnerability within three days of Mollema's disclosure by disabling shared service principals for Exchange and restricting the use of legacy ACS actor tokens.
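The missing check described above, as an added toy illustration that is not code from the talk or from Microsoft: a backend accepts a request carried by an unsigned outer token only because the actor token nested inside it is validly signed, and the hardened variant additionally binds the outer token's tenant to the signed inner token's tenant. The HMAC key, the claim names (tid, netid, actortoken, appid) and the token layout are constructed assumptions for this example, not the real ACS format.

```python
import base64, hashlib, hmac, json

# Constructed demo key standing in for the issuer's signing key (assumption:
# real ACS actor tokens are not HMAC-signed with a shared secret).
ACS_KEY = b"demo-acs-signing-key"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_jwt(payload, key=None):
    """Build a sample token: HS256-signed when a key is given, else alg=none."""
    header = {"alg": "HS256" if key else "none", "typ": "JWT"}
    h = _b64url_encode(json.dumps(header).encode())
    p = _b64url_encode(json.dumps(payload).encode())
    if key is None:
        return f"{h}.{p}."          # unsigned: empty signature segment
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"

def verify_actor_token(token, key):
    """Return the inner actor token's claims only if its HS256 signature is valid."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, sig = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return None              # alg=none or anything else is refused here
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_encode(expected), sig):
        return None
    return json.loads(_b64url_decode(p))

def accept_request(outer_jwt, enforce_tenant_boundary):
    """
    Toy backend check. The outer token is unsigned by design in this legacy
    pattern, so its claims are only trustworthy insofar as they are tied to
    the signed actor token. With enforce_tenant_boundary=False the backend
    mirrors the described oversight and takes the outer tenant and Net ID at
    face value; with True the outer tenant must match the actor token's tenant.
    """
    _, p, _ = outer_jwt.split(".")
    outer = json.loads(_b64url_decode(p))
    actor = verify_actor_token(outer.get("actortoken", ""), ACS_KEY)
    if actor is None:
        return None              # no validly signed actor token: reject
    if enforce_tenant_boundary and outer.get("tid") != actor.get("tid"):
        return None              # cross-tenant identity assertion: reject
    return {"tenant": outer["tid"], "netid": outer["netid"], "actor": actor["appid"]}
```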