I SPy: Rethinking Entra ID research for new paths to Global Admin

Katie Knowles

fwd:cloudsec North America 2025 · Day 2 · Track 2 - Crestone

Katie Knowles, a cloud security researcher at Datadog, delivered a lightning talk dissecting the long and often frustrating history of **service principal hijacking** in Microsoft Entra ID (formerly Azure Active Directory). The presentation traced the attack technique from its initial disclosure in 2019 through to Knowles's own 2024-2025 research, where she demonstrated a path from Application Administrator to Global Admin by chaining service principal credential injection, domain federation abuse, and SAML token forgery -- all using one of Microsoft's own first-party applications. The talk matters because it highlights that despite years of incremental fixes, the fundamental trust model around Entra ID's application objects still harbors exploitable gaps, particularly when roles are assigned to service principals rather than users.
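The talk's closing point is that the risk concentrates where directory roles are held by service principals and where domains are federated. A defensive inventory check for exactly those two conditions, added here as an example (it is not code from the talk, from Datadog, or from Microsoft); the input records are constructed inline with this example's own field names rather than Microsoft Graph's:

```python
"""Defensive inventory check, added as an example (not the talk's or Microsoft's code).
Records are constructed with this example's own field names, not Microsoft Graph's."""
import json

# Roles whose holders can add credentials, change domains, or grant other roles.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Application Administrator",
    "Cloud Application Administrator",
}

# Constructed sample: role assignments with the principal type pre-joined.
SAMPLE_ROLE_ASSIGNMENTS = json.loads("""[
  {"roleName": "Global Administrator",
   "principalType": "user", "principalName": "alice"},
  {"roleName": "Application Administrator",
   "principalType": "servicePrincipal", "principalName": "ci-deploy-sp"},
  {"roleName": "Directory Readers",
   "principalType": "servicePrincipal", "principalName": "readonly-sp"}
]""")

# Constructed sample: verified domains and their authentication type.
SAMPLE_DOMAINS = json.loads("""[
  {"id": "contoso.example", "authenticationType": "Managed"},
  {"id": "partner.example", "authenticationType": "Federated"}
]""")


def privileged_service_principals(role_assignments):
    """(roleName, principalName) for each privileged role held by a service
    principal rather than a user; these are the assignments the talk warns about."""
    return [
        (ra["roleName"], ra["principalName"])
        for ra in role_assignments
        if ra.get("principalType") == "servicePrincipal"
        and ra.get("roleName") in PRIVILEGED_ROLES
    ]


def federated_domains(domains):
    """Domain ids whose authentication is federated: tokens for these users are
    issued under an external signing key, so custody of that key needs review."""
    return [d["id"] for d in domains if d.get("authenticationType") == "Federated"]

if __name__ == "__main__":
    for role, name in privileged_service_principals(SAMPLE_ROLE_ASSIGNMENTS):
        print(f"REVIEW: service principal '{name}' holds '{role}'")
    for dom in federated_domains(SAMPLE_DOMAINS):
        print(f"REVIEW: federated domain '{dom}'")
```

Read-only roles such as Directory Readers are deliberately not flagged; the point is to surface the service principals whose role would let a credential holder move toward Global Admin.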

AI review

A well-executed walkthrough of chaining Entra ID service principal credential injection through domain federation abuse to SAML token forgery, achieving Global Admin from Application Administrator. The attack chain is real, the demo is live, and the MSRC dismissal adds a satisfying twist of institutional irony.
