Hardened Identity Management · Deep dive 01

No standing admin, nothing to steal

A 2025 Entra token flaw let attackers impersonate global admins across tenants. Time-bound elevation with PIM shrinks what a stolen session can ever reach.

Draft outline · Security lens
The anchor

In 2025 researchers disclosed an Entra ID flaw (CVE-2025-55241) in which undocumented service-to-service actor tokens could be abused to impersonate Global Administrators across tenants. Standing privileged accounts define the blast radius: if elevation is time-bound and approved, there is far less standing privilege for a stolen token or session to steal or abuse.

Sources we build on
Primary
Researcher disclosure of CVE-2025-55241 (actor-token abuse)

Original technical write-up of the cross-tenant global-admin impersonation and its mechanics.

Journalism
BleepingComputer / The Register coverage

Independent reporting confirming impact and Microsoft's response, for a reader who saw the headline.

Article outline
  1. Standing privilege is the target. Why permanent admin roles are the prize.
  2. How the token abuse worked. Actor tokens, cross-tenant, global-admin impersonation.
  3. PIM in practice. Eligible-not-active roles, approval, time limits, justification.
  4. Not breaking operations. Making just-in-time elevation fast enough that people use it.
  5. The residual risk. What PIM does not solve.
How it aligns to what we do

A security piece, but one that demonstrates the practitioner-led promise: we deploy PIM, change the operating model, and are honest about the residual risk. It ties identity hardening to a named 2025 event a reader will recognise.

Points to hit
Control it ratifies
ISM / E8: Restrict administrative privileges (Essential Eight); ISM privileged-access-management controls. Time-bound elevation reduces the standing privilege available to a stolen token or session.