An administrative role created for artificial intelligence (AI) agents within Microsoft Entra ID could enable privilege escalation and identity theft attacks, according to new findings from Silverfort.
Agent ID Manager is a built-in role privilege introduced by Microsoft as part of its identity platform to manage all aspects of AI identity lifecycle operations for the employer. The platform enables AI agents to securely authenticate and access needed resources, as well as to locate other agents.
However, a flaw discovered by the identity security platform meant that users granted the Agent ID Administrator role could arbitrarily assume service principals, including those outside of the identity associated with the agent, by having the owners then add their own credentials to authenticate as that principal.
“That’s the perfect principal’s take,” said security researcher Noah Ariel. “In jobs where there are principals with high rights, it becomes a way to increase the right.”
This service principal identity effectively opens the door for an attacker to operate within the scope of their existing permissions. If the principal of the targeted service holds elevated permissions – especially privileged directory roles and high-impact Graph application permissions – it can give an attacker extensive control over the host.
After the responsible disclosure on March 1, 2026, Microsoft released a patch to all cloud environments to fix the scope violation on April 9. After the fix, any attempt to grant ownership over non-agent service heads using the Agent ID Administrator role is now blocked, and leads to the “Not Allowed” error message being displayed.
Silverfort noted that the architecture issue highlights the need to ensure how roles are cut and permissions are used, especially when it comes to shared identity components and new identity types built on the foundations of existing artifacts.
In order to reduce the threat caused by this risk, organizations are advised to monitor the use of sensitive roles, especially those related to service principal ownership or authentication changes, track service principal ownership changes, protect service principals rights, and audit the creation of credentials for service administrators.
“Agent ownership is part of a wider shift towards non-human ownership, built on years of AI agents,” Ariel notes. “When role permissions are used on a shared basis without a strict scope, access can go beyond what was originally intended. In this case, that gap led to broader access, especially when privileged service principals were involved.”
“Furthermore, the overall risk is influenced by the position of the employer, especially privileged service principals, where abuse of ownership remains a known and effective form of attack.”
