Identity research published in July surfaces two sobering truths for Windows shops: attackers can now bypass dMSA authentication in Windows Server 2025 to mass‑generate service account passwords for lateral movement, and misgoverned first‑party apps in Microsoft Entra ID can be abused to impersonate Global Administrators—sometimes while MFA appears satisfied. Together, these findings pressure‑test assumptions about “modernized” identity security across on‑prem Active Directory and the cloud. (cybersecuritynews.com, semperis.com, securitylabs.datadoghq.com)
Source: CyberSecurityNews New Active Directory Lateral Movement Techniques that Bypasses Authentication and Exfiltrate Data
Source: CyberSecurityNews Microsoft Entra ID Vulnerability Let Attackers Escalate Privileges to Global Admin Role
Background
Active Directory remains the backbone of enterprise authentication, while Microsoft Entra ID (formerly Azure AD) fronts Microsoft 365, Azure, and countless SaaS integrations. In incident response, Global Administrators aren’t the only crown jewels—roles like Application Administrator and Domain Name Administrator often create real paths to tenant takeover if misused or targeted. Microsoft’s own IR guidance warns that these “non‑GA” roles routinely precipitate compromises that escalate to Global Admin. (microsoft.com)
Golden dMSA: Authentication Bypass in Windows Server 2025
Security researchers disclosed “Golden dMSA,” a design‑level flaw affecting delegated Managed Service Accounts (dMSAs) introduced in Windows Server 2025. By abusing a predictable, time‑based structure used to compute dMSA passwords (only 1,024 combinations), an attacker who has obtained the KDS root key can brute‑force valid passwords for every dMSA and gMSA in the forest—sidestepping machine‑bound authentication and enabling cross‑domain persistence. Semperis rates the risk “moderate” due to the prerequisite of KDS root key access, but the impact is “high” once that bar is cleared. (semperis.com)
Golden dMSA’s implications are broad: service accounts often underpin critical apps, backups, and automation. With valid dMSA/gMSA credentials in hand, a threat actor can laterally access resources, seed new credentials, and quietly exfiltrate data using approved channels. Independent write‑ups and trade‑press coverage corroborate the brute‑forceable 1,024‑value design quirk and the forest‑wide blast radius. (borncity.com, thehackernews.com)
Microsoft’s position and the detection gap
Microsoft acknowledged the report but noted that if an attacker already has the secrets used to derive keys, they can authenticate “as that user,” adding that these features weren’t designed to withstand domain controller compromise. Compounding the problem, reads of KDS root keys aren’t logged by default, forcing admins to add SACLs to see access attempts—hardly ideal for Tier‑0 monitoring. (cybersecuritynews.com)
Related dMSA abuse: “BadSuccessor”
Separate research (“BadSuccessor”) shows that weak OU ACLs combined with dMSA attributes (like msDS‑ManagedAccountPrecededByLink) can let low‑privilege users create or repoint dMSAs to inherit high‑privilege contexts, including Domain Admin, without touching group membership. Multiple teams have demonstrated the technique and described detections focused on attribute changes and dMSA object creation. (akamai.com, blogs.manageengine.com)
Entra ID: From App Admin to Global Administrator
On July 18, reporting highlighted a Datadog Security Labs technique that chains first‑party Microsoft apps and high‑impact Graph scopes to escalate in Entra ID. An attacker with Application Administrator (or equivalent app permissions) can hijack the Office 365 Exchange Online service principal (notably granted Domain.ReadWrite.All), add a malicious federated domain, and forge SAML tokens that include MFA claims—effectively logging in as any synced hybrid user, up to Global Administrator. (cybersecuritynews.com, securitylabs.datadoghq.com)
Microsoft’s response to Datadog was blunt: this is “expected behavior” of Application Administrator in the presence of highly privileged app permissions. In other words, it’s not a memory‑corruption bug—it’s the predictable outcome of assigning a powerful role and granting a service principal sweeping Graph privileges. That framing places the onus on governance: which apps have app‑only scopes, who can add credentials to them, and how federation is controlled. (securitylabs.datadoghq.com)
Earlier “UnOAuthorized” exposures in Microsoft apps
Semperis previously documented “UnOAuthorized,” where certain Microsoft application service principals could perform privileged actions that weren’t clearly reflected in advertised scopes—including adding users to Global Administrator. Microsoft subsequently tightened controls to reduce credential abuse on service principals, but the episode underscores how first‑party apps and app‑only Graph permissions can become hidden elevation paths if left unchecked. (semperis.com)
Why this matters to Windows administrators
- Hybrid identity makes on‑prem and cloud inseparable. A foothold in AD (e.g., dMSA abuse) can pivot to Entra‑connected services; conversely, tenant abuse (e.g., federated domain backdoors) can project power on‑prem via synced identities. (cybersecuritynews.com, semperis.com)
- “Privilege by design” is the new battleground. Roles like Application Administrator and high‑impact app‑only scopes (Domain.ReadWrite.All, RoleManagement.ReadWrite.Directory) behave like standing keys to the castle if not tightly governed. (microsoft.com)
- Detection still lags. Many Tier‑0 reads (KDS root key) aren’t logged by default; federation changes can blend with legitimate collaboration; and SAML token forging can appear to satisfy MFA in sign‑in logs. (cybersecuritynews.com, securitylabs.datadoghq.com)
Practical hardening for Active Directory and Windows Server 2025
Protect Tier‑0 cryptographic material
- Treat KDS root keys like KRBTGT: restrict access to Domain Admins/Enterprise Admins, store in hardened DCs only, and add SACLs to audit read access. (cybersecuritynews.com)
- Back up KDS objects securely and monitor backup/restore activity closely; test restoration to validate incident‑response playbooks. (semperis.com)
Clamp down on dMSA/gMSA creation and changes
- Review and remove unnecessary Write/Control permissions on OUs that allow creating or modifying dMSAs; favor Tier‑0 change windows for any service account lifecycle work. (akamai.com)
- Monitor AD Event IDs associated with dMSA operations (e.g., 5137 for object create, 5136 for attribute changes) and authentication anomalies for service accounts. (cybersecuritynews.com, blogs.manageengine.com)
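The detection logic below is an added example, not code from the article or from any of the research teams it cites. It runs over constructed Windows Security event records in the standard event XML schema and implements the three checks the hardening steps above call for: a 5137 creating a dMSA/gMSA outside the Tier‑0 OU, a 5136 changing msDS‑ManagedAccountPrecededByLink (or the related msDS‑DelegatedMSAState attribute, which the article does not name) on a managed service account, and a 4662 object‑access event on a KDS root key once a read SACL has been applied to the “Master Root Keys” container. The OU name, the DC allow‑list and every sample event are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption (constructed name): all dMSAs/gMSAs are created under this Tier-0 OU.
TIER0_SERVICE_OU = "OU=Tier0-ServiceAccounts,DC=corp,DC=example"
# Container holding KDS root keys in the forest's Configuration partition.
KDS_ROOT_KEY_CONTAINER = "CN=Master Root Keys,CN=Group Key Distribution Service"
# Assumption: only these DC computer accounts legitimately read root keys.
EXPECTED_KDS_READERS = {"DC01$", "DC02$"}
MSA_CLASSES = {"msDS-DelegatedManagedServiceAccount", "msDS-GroupManagedServiceAccount"}
# msDS-ManagedAccountPrecededByLink is the attribute the article names;
# msDS-DelegatedMSAState (migration state) is added here as a second indicator.
SENSITIVE_MSA_ATTRS = {"msDS-ManagedAccountPrecededByLink", "msDS-DelegatedMSAState"}

# Constructed sample records in the Windows event XML schema (not real logs).
SAMPLE_EVENTS_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>5137</EventID><Computer>DC01.corp.example</Computer></System>
 <EventData><Data Name="SubjectDomainName">CORP</Data><Data Name="SubjectUserName">helpdesk01</Data>
 <Data Name="ObjectDN">CN=svc-backup,OU=Workstations,DC=corp,DC=example</Data>
 <Data Name="ObjectClass">msDS-DelegatedManagedServiceAccount</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>5136</EventID><Computer>DC01.corp.example</Computer></System>
 <EventData><Data Name="SubjectDomainName">CORP</Data><Data Name="SubjectUserName">helpdesk01</Data>
 <Data Name="ObjectDN">CN=svc-backup,OU=Workstations,DC=corp,DC=example</Data>
 <Data Name="ObjectClass">msDS-DelegatedManagedServiceAccount</Data>
 <Data Name="AttributeLDAPDisplayName">msDS-ManagedAccountPrecededByLink</Data>
 <Data Name="AttributeValue">CN=Administrator,CN=Users,DC=corp,DC=example</Data>
 <Data Name="OperationType">%%14674</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>5136</EventID><Computer>DC01.corp.example</Computer></System>
 <EventData><Data Name="SubjectDomainName">CORP</Data><Data Name="SubjectUserName">helpdesk01</Data>
 <Data Name="ObjectDN">CN=jdoe,OU=Users,DC=corp,DC=example</Data><Data Name="ObjectClass">user</Data>
 <Data Name="AttributeLDAPDisplayName">description</Data><Data Name="AttributeValue">Finance</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4662</EventID><Computer>DC01.corp.example</Computer></System>
 <EventData><Data Name="SubjectDomainName">CORP</Data><Data Name="SubjectUserName">DC01$</Data>
 <Data Name="ObjectName">CN={a1b2c3d4-0000-4000-8000-000000000001},CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=corp,DC=example</Data>
 <Data Name="AccessMask">0x10</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4662</EventID><Computer>DC01.corp.example</Computer></System>
 <EventData><Data Name="SubjectDomainName">CORP</Data><Data Name="SubjectUserName">backupop</Data>
 <Data Name="ObjectName">CN={a1b2c3d4-0000-4000-8000-000000000001},CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=corp,DC=example</Data>
 <Data Name="AccessMask">0x10</Data></EventData>
</Event>
</Events>"""


def parse_events(xml_text):
    """Return one dict per <Event>: event id, computer and the EventData name->value map."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({"id": int(ev.findtext("e:System/e:EventID", namespaces=NS)),
                       "computer": ev.findtext("e:System/e:Computer", namespaces=NS),
                       "data": data})
    return events


def is_under(dn, container):
    """True when the distinguished name sits beneath `container` (case-insensitive)."""
    return ("," + container.lower()) in dn.lower()


def analyze(events):
    """Apply the three detections and return alerts in event order."""
    alerts = []
    for ev in events:
        d, eid = ev["data"], ev["id"]
        actor = d.get("SubjectDomainName", "") + "\\" + d.get("SubjectUserName", "")
        msa = d.get("ObjectClass") in MSA_CLASSES
        if eid == 5137 and msa and not is_under(d.get("ObjectDN", ""), TIER0_SERVICE_OU):
            alerts.append({"severity": "high", "rule": "msa-created-outside-tier0-ou",
                           "actor": actor, "object": d["ObjectDN"], "dc": ev["computer"]})
        elif eid == 5136 and msa and d.get("AttributeLDAPDisplayName") in SENSITIVE_MSA_ATTRS:
            alerts.append({"severity": "critical", "rule": "msa-predecessor-link-changed",
                           "actor": actor, "object": d["ObjectDN"], "dc": ev["computer"],
                           "attribute": d["AttributeLDAPDisplayName"],
                           "value": d.get("AttributeValue", "")})
        elif (eid == 4662 and is_under(d.get("ObjectName", ""), KDS_ROOT_KEY_CONTAINER)
              and d.get("SubjectUserName") not in EXPECTED_KDS_READERS):
            # 0x10 in AccessMask is ReadProperty: someone read root key material.
            alerts.append({"severity": "critical", "rule": "kds-root-key-accessed",
                           "actor": actor, "object": d["ObjectName"], "dc": ev["computer"],
                           "access_mask": d.get("AccessMask", "")})
    return alerts


def run_sample():
    """Parse the constructed sample and return its alerts."""
    return analyze(parse_events(SAMPLE_EVENTS_XML))


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['severity']}] {a['rule']}: {a['actor']} -> {a['object']} ({a['dc']})")
```

The 4662 check only fires once the read SACL exists and “Audit Directory Service Access” is enabled on the DCs; DC computer accounts reading root keys while computing managed‑account passwords are expected, which is why they are allow‑listed rather than suppressed by event ID.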
Assume persistence after a DC‑level breach
- If you suspect DC compromise, plan for KDS regeneration and a staged service account password roll aligned with application owners; don’t rely on Credential Guard to mitigate Golden dMSA fallout. (semperis.com)
Practical hardening for Microsoft Entra ID
Re‑baseline privileged roles and app‑only permissions
- Treat Application Administrator and Cloud Application Administrator as Tier‑0; require PIM, Just‑In‑Time elevation, and phishing‑resistant MFA. Review who can add credentials to service principals. (microsoft.com)
- Inventory service principals with high‑impact Graph scopes (e.g., Domain.ReadWrite.All, RoleManagement.ReadWrite.Directory). Remove unused scopes; decouple high‑risk permissions from broadly‑managed apps. (securitylabs.datadoghq.com)
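The inventory below is an added example, not code from the article or from Datadog or Microsoft. It classifies service principals using the JSON shapes that Microsoft Graph returns for a service principal and for its appRoleAssignments, resolving each appRoleId against the Graph service principal’s appRoles list so the report shows scope names rather than GUIDs. The Graph application id and the first‑party organization id are the well‑known values; the role ids, tenant objects and credentials are constructed, and the watch list extends the two scopes the article names with further broadly privileged application permissions.

```python
# Well-known Microsoft Graph application id, and the organization id that
# Microsoft first-party service principals report in appOwnerOrganizationId.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
MICROSOFT_FIRST_PARTY_ORG = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"

# App-only Graph permissions to treat as Tier-0. The first two are the ones the
# article names; the rest are other broadly privileged application permissions.
HIGH_IMPACT_SCOPES = {
    "Domain.ReadWrite.All": "add domains and change federation settings",
    "RoleManagement.ReadWrite.Directory": "assign directory roles, including Global Administrator",
    "Application.ReadWrite.All": "add credentials to any application or service principal",
    "AppRoleAssignment.ReadWrite.All": "grant app-only permissions to any service principal",
    "Directory.ReadWrite.All": "broad directory write access",
}
LEVEL_ORDER = {"critical": 0, "high": 1, "medium": 2, "ok": 3}

# Constructed sample: the Graph service principal with a subset of its appRoles.
# Role ids are placeholders; the real object lists every application permission.
GRAPH_SP = {"id": "sp-graph", "appId": GRAPH_APP_ID, "appRoles": [
    {"id": "role-domain-rw", "value": "Domain.ReadWrite.All"},
    {"id": "role-rolemgmt-rw", "value": "RoleManagement.ReadWrite.Directory"},
    {"id": "role-user-read", "value": "User.Read.All"},
]}

# Constructed sample tenant, shaped like GET /servicePrincipals and
# GET /servicePrincipals/{id}/appRoleAssignments responses.
TENANT_SPS = [
    {"id": "sp-exo", "displayName": "Office 365 Exchange Online",
     "appOwnerOrganizationId": MICROSOFT_FIRST_PARTY_ORG,
     "passwordCredentials": [{"keyId": "cred-1", "displayName": "added 2025-07"}],
     "keyCredentials": []},
    {"id": "sp-auto", "displayName": "RoleAutomation",
     "appOwnerOrganizationId": "tenant-corp", "passwordCredentials": [], "keyCredentials": []},
    {"id": "sp-hr", "displayName": "HR-Sync",
     "appOwnerOrganizationId": "tenant-corp",
     "passwordCredentials": [{"keyId": "cred-2"}], "keyCredentials": []},
]
APP_ROLE_ASSIGNMENTS = {
    "sp-exo": [{"resourceId": "sp-graph", "appRoleId": "role-domain-rw"}],
    "sp-auto": [{"resourceId": "sp-graph", "appRoleId": "role-rolemgmt-rw"},
                {"resourceId": "sp-graph", "appRoleId": "role-user-read"}],
    "sp-hr": [{"resourceId": "sp-graph", "appRoleId": "role-user-read"}],
}


def granted_graph_scopes(sp, assignments, graph_sp):
    """Resolve a principal's app-only Graph permissions from appRoleId to scope name."""
    names = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    return sorted(names[a["appRoleId"]] for a in assignments.get(sp["id"], [])
                  if a["resourceId"] == graph_sp["id"] and a["appRoleId"] in names)


def assess(sp, assignments, graph_sp):
    """Rate one service principal by scopes held, credentials present and ownership."""
    scopes = granted_graph_scopes(sp, assignments, graph_sp)
    risky = [s for s in scopes if s in HIGH_IMPACT_SCOPES]
    creds = len(sp.get("passwordCredentials", [])) + len(sp.get("keyCredentials", []))
    first_party = sp.get("appOwnerOrganizationId") == MICROSOFT_FIRST_PARTY_ORG
    if risky and creds:
        level = "critical"   # a usable secret already exists for a Tier-0-capable identity
    elif risky:
        level = "high"       # no secret yet; whoever can add one inherits these scopes
    elif first_party and creds:
        level = "medium"     # tenant-added credential on a Microsoft first-party principal
    else:
        level = "ok"
    return {"displayName": sp["displayName"], "level": level, "highImpactScopes": risky,
            "allGraphScopes": scopes, "credentials": creds, "firstParty": first_party,
            "why": [HIGH_IMPACT_SCOPES[s] for s in risky]}


def inventory(tenant_sps=TENANT_SPS, assignments=APP_ROLE_ASSIGNMENTS, graph_sp=GRAPH_SP):
    """Assess every principal and return findings, most severe first."""
    findings = [assess(sp, assignments, graph_sp) for sp in tenant_sps]
    return sorted(findings, key=lambda f: LEVEL_ORDER[f["level"]])


if __name__ == "__main__":
    for f in inventory():
        print(f"[{f['level']}] {f['displayName']}: scopes={f['highImpactScopes']} "
              f"credentials={f['credentials']} firstParty={f['firstParty']}")
```

A first‑party principal such as Exchange Online holding Domain.ReadWrite.All is rated “high” on its own and “critical” as soon as a tenant‑added credential appears on it, which is the state the escalation chain above depends on; a custom app with the same scope but no credential is the governance case where the question is who is allowed to add one.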
Watch for federation and service principal abuse
- Alert on new federated domains, changes to federation configuration, and certificate updates on domains—these can underpin SAML token forging “golden tokens” and MFA‑claim injection. (securitylabs.datadoghq.com)
- Monitor Core Directory logs for “Add service principal credentials” and “Certificates and secrets management” updates; investigate any anomalous app‑only token usage. (cyberpress.org)
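The audit‑log detection below is an added example, not code from the article or from the sources it cites. It runs over constructed entries in the shape returned by the Graph directoryAudits endpoint (the same records a Log Analytics or SIEM export carries) and raises alerts for the two patterns described above: federation or domain‑authentication changes, with a flag when an app‑only token rather than a user made the change, and credential additions on service principals, rated by whether the target is a watched first‑party principal and whether the actor is on the change‑control list. The approved‑actor set and watched principal names are assumptions; “Add service principal credentials” and the “Certificates and secrets management” activity are the names the article gives, and the federation activity names are added from the Entra audit log, so check them against what your tenant emits.

```python
# Audit activities that change how sign-ins for a domain are validated.
FEDERATION_ACTIVITIES = {
    "Set federation settings on domain",
    "Set domain authentication",
    "Add unverified domain",
    "Verify domain",
}
# Assumptions (constructed): accounts allowed to add app credentials under change
# control, and first-party principals that should never gain tenant-added credentials.
APPROVED_CREDENTIAL_ACTORS = {"user:changemgr@corp.example"}
WATCHED_SERVICE_PRINCIPALS = {"Office 365 Exchange Online"}

# Constructed sample entries shaped like GET /auditLogs/directoryAudits (not real logs).
SAMPLE_AUDIT = [
    {"id": "evt-1", "activityDateTime": "2025-07-18T09:12:03Z",
     "activityDisplayName": "Add service principal credentials",
     "category": "ApplicationManagement", "loggedByService": "Core Directory",
     "initiatedBy": {"user": {"userPrincipalName": "appadmin@corp.example"}, "app": None},
     "targetResources": [{"displayName": "Office 365 Exchange Online", "type": "ServicePrincipal"}]},
    {"id": "evt-2", "activityDateTime": "2025-07-18T09:14:40Z",
     "activityDisplayName": "Set domain authentication",
     "category": "DirectoryManagement", "loggedByService": "Core Directory",
     "initiatedBy": {"user": None, "app": {"displayName": "Office 365 Exchange Online"}},
     "targetResources": [{"displayName": "sso.partner-corp.example", "type": "Domain"}]},
    {"id": "evt-3", "activityDateTime": "2025-07-18T11:02:15Z",
     "activityDisplayName": "Add service principal credentials",
     "category": "ApplicationManagement", "loggedByService": "Core Directory",
     "initiatedBy": {"user": {"userPrincipalName": "changemgr@corp.example"}, "app": None},
     "targetResources": [{"displayName": "HR-Sync", "type": "ServicePrincipal"}]},
    {"id": "evt-4", "activityDateTime": "2025-07-18T11:30:00Z",
     "activityDisplayName": "Update user",
     "category": "UserManagement", "loggedByService": "Core Directory",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@corp.example"}, "app": None},
     "targetResources": [{"displayName": "jdoe@corp.example", "type": "User"}]},
]


def actor_of(entry):
    """Render initiatedBy as 'user:<upn>' or 'app:<name>' so app-only actions stand out."""
    who = entry.get("initiatedBy") or {}
    if who.get("user"):
        return "user:" + who["user"].get("userPrincipalName", "unknown")
    if who.get("app"):
        return "app:" + who["app"].get("displayName", "unknown")
    return "unknown"


def is_credential_change(activity):
    """Both activity names the article calls out for service principal credentials."""
    return (activity == "Add service principal credentials"
            or "Certificates and secrets management" in activity)


def detect(entries=SAMPLE_AUDIT, approved=APPROVED_CREDENTIAL_ACTORS,
           watched=WATCHED_SERVICE_PRINCIPALS):
    """Return alerts for federation changes and service principal credential adds."""
    alerts = []
    for e in entries:
        activity = e.get("activityDisplayName", "")
        actor = actor_of(e)
        targets = [t.get("displayName", "") for t in e.get("targetResources", [])]
        if activity in FEDERATION_ACTIVITIES:
            # Federation changes are rare and must match a change ticket; one made
            # by an app-only token is the sequence the article describes.
            alerts.append({"id": e["id"], "severity": "critical", "rule": "federation-change",
                           "actor": actor, "targets": targets,
                           "appInitiated": actor.startswith("app:")})
        elif is_credential_change(activity):
            if any(t in watched for t in targets):
                sev, rule = "critical", "credential-added-to-watched-sp"
            elif actor not in approved:
                sev, rule = "high", "credential-added-outside-change-control"
            else:
                sev, rule = "info", "credential-added-under-change-control"
            alerts.append({"id": e["id"], "severity": sev, "rule": rule,
                           "actor": actor, "targets": targets,
                           "appInitiated": actor.startswith("app:")})
    return alerts


if __name__ == "__main__":
    for a in detect():
        print(f"[{a['severity']}] {a['id']} {a['rule']}: {a['actor']} -> {a['targets']}")
```

Correlating the two alert types by actor and time is the useful next step: a credential added to a first‑party principal followed minutes later by a federation change initiated by that same principal is the sequence to treat as an incident rather than two tickets.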
Reduce lateral movement paths across tenants
- If using cross‑tenant features, enforce least privilege on sync apps, verify outbound/inbound policies, and continuously validate that only intended tenants can synchronize users. Misconfiguration can quietly expand an attacker’s blast radius. (bleepingcomputer.com)
What’s signal, what’s noise?
- The Golden dMSA flaw is real and high‑impact but gated by Tier‑0 compromise (KDS root key). That barrier isn’t comfort if an attacker is already on a DC; it simply means response must assume forest‑wide service account exposure. (semperis.com)
- The Entra ID escalation via first‑party apps is less a “bug” than an identity governance failure. Microsoft’s “expected behavior” stance shifts responsibility to admins to lock down app‑only scopes, federation, and who can mint app credentials. (securitylabs.datadoghq.com)
- Prior research shows first‑party app edge‑cases can grant surprising power; Microsoft has closed some gaps, but similar patterns will recur wherever app‑only Graph permissions intersect with broad admin roles. (semperis.com)
A 10‑step checklist to start this week
- Classify Application Administrator, Cloud Application Administrator, and Domain Name Administrator as Tier‑0; enforce PIM and conditional access. (microsoft.com)
- Inventory service principals with app‑only scopes; remove or constrain Domain.ReadWrite.All and similar high‑impact permissions. (securitylabs.datadoghq.com)
- Require approvals and change control for adding credentials to any service principal; alert on new app credentials. (cyberpress.org)
- Audit and prune OU ACLs that allow dMSA creation/modification outside Tier‑0. (akamai.com)
- Add SACLs to KDS root key objects; continuously monitor read and replicate accesses. (cybersecuritynews.com)
- Baseline and alert on new federated domains, certificate changes, and federation configuration updates. (securitylabs.datadoghq.com)
- Centralize logging for Event IDs 5136/5137 (dMSA changes) and watch TGT/TGS anomalies for dMSA/gMSA accounts. (cybersecuritynews.com, blogs.manageengine.com)
- Restrict who can grant app‑only Graph scopes; require least‑privilege app registrations and consent workflows. (microsoft.com)
- Validate cross‑tenant sync policies and outbound/inbound settings; disable unnecessary connections. (bleepingcomputer.com)
- Rehearse DC‑level compromise response, including KDS regeneration and service account secret rotation at scale. (semperis.com)
Bottom line
Windows Server 2025’s dMSA innovations and Entra ID’s app ecosystem were designed to improve security and manageability. But design trade‑offs and governance mistakes can open new side doors: Golden dMSA turns a Tier‑0 secret into forest‑wide persistence, and first‑party app misuse can mint “legitimate” Global Admin sessions that sail past MFA. The fix isn’t a single patch—it’s rigorous Tier‑0 hygiene, least‑privilege for apps and roles, and proactive detection for the quiet signals these attacks inevitably leave behind. (semperis.com, securitylabs.datadoghq.com)