high

Entra ID Allows Users to Update Principal Names

Published Fri, Jan 24th, 2025

Platforms

azure

Summary

A configuration change in Entra ID allowed unprivileged users to update their own User Principal Names (UPNs) through interfaces like the Entra admin center and PowerShell. This could lead to impersonation risks. Microsoft quickly fixed the issue after it was reported. The vulnerability affected synchronized hybrid environments as well.

Affected Services

Entra ID

Remediation

Administrators should review UPN changes made during the vulnerability period and revert any unauthorized changes. Consider implementing access controls for the Entra admin center and Microsoft Graph PowerShell SDK.

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/korniko98

Entry Status

Stub (AI-Generated)

Disclosure Date

Fri, Jan 24th, 2025

Exploitability Period

Until 2025/01/24

Known ITW Exploitation

-

Detection Methods

Monitor audit logs for "Update User" events, particularly changes to the UPN field. Use tools such as the Search-UnifiedAuditLog cmdlet, the Purview Audit solution, or the AuditLogsQuery Graph API to review changes.
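The review described above can be run offline over exported audit records. The following Python is an added example, not part of the original entry: it assumes records shaped like Microsoft Graph directoryAudit objects (the field layout is an assumption), uses constructed sample data, and the function names are hypothetical. It lists every UPN change in "Update user" events and flags those where the initiating user is also the target.

```python
import json

# Constructed sample records shaped like Microsoft Graph directoryAudit objects
# (field layout is an assumption; every ID and name below is made up).
def make_event(activity, actor_id, target_id, prop, old, new):
    return {
        "activityDisplayName": activity,
        "activityDateTime": "2025-01-20T09:00:00Z",
        "initiatedBy": {"user": {"id": actor_id}},
        "targetResources": [{"id": target_id, "modifiedProperties": [
            {"displayName": prop, "oldValue": old, "newValue": new}]}],
    }

SAMPLE_EVENTS = [
    make_event("Update user", "u-1001", "u-1001", "UserPrincipalName",
               '["alice@contoso.example"]', '["ceo@contoso.example"]'),
    make_event("Update user", "u-9000", "u-1002", "UserPrincipalName",
               '["bob@contoso.example"]', '["robert@contoso.example"]'),
    make_event("Update user", "u-1003", "u-1003", "MobilePhone", '[""]', '["555-0100"]'),
    make_event("Add user", "u-9000", "u-1004", "UserPrincipalName",
               '[]', '["carol@contoso.example"]'),
]

def first_value(value):
    """Audit values are often JSON-encoded lists such as '["a@b.example"]'."""
    try:
        parsed = json.loads(value)
    except (TypeError, ValueError):
        return value  # plain string or missing value: use as-is
    return (parsed[0] if parsed else None) if isinstance(parsed, list) else parsed

def upn_changes(events):
    """Return UPN changes from 'Update user' events, flagging self-service ones."""
    findings = []
    for ev in events:
        if (ev.get("activityDisplayName") or "").lower() != "update user":
            continue
        actor = ((ev.get("initiatedBy") or {}).get("user") or {}).get("id")
        for target in ev.get("targetResources") or []:
            for prop in target.get("modifiedProperties") or []:
                if (prop.get("displayName") or "").lower() != "userprincipalname":
                    continue
                old, new = first_value(prop.get("oldValue")), first_value(prop.get("newValue"))
                if old != new:
                    findings.append({"when": ev.get("activityDateTime"), "old": old,
                                     "new": new, "self_initiated":
                                     actor is not None and actor == target.get("id")})
    return findings
```

Entries with `self_initiated` set to true are the ones to check against the list of accounts that hold no user-administration role.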

Piercing Index Rating

-

Discovered by

Tony Redmond, Office 365 for IT Pros