Microsoft’s cloud ecosystem continues to underpin enterprise digital transformation—yet the discovery and persistence of the nOAuth vulnerability within Entra-integrated applications shines a harsh light on lingering risks at the intersection of identity management, software-as-a-service, and secure authentication standards. The latest research from Semperis, a leader in identity security, exposes both the technical nuances and wider implications of this vulnerability, highlighting the urgent need for remedial action across the SaaS landscape.

The nOAuth Vulnerability: Origins and Mechanics

nOAuth first came to public attention in 2023, courtesy of researcher Omer Cohen at Descope. The vulnerability stems from improper implementation of the OpenID Connect (OIDC) protocol by some SaaS applications—specifically, the use of unverified email claims as unique user identifiers when integrating with Microsoft Entra ID (formerly Azure Active Directory).
OpenID Connect is widely used to enable single sign-on (SSO) experiences, allowing users in one domain (tenant) to access applications in another. Its design prescribes strict validation of claims (pieces of information about the user), but a surprising number of SaaS developers forgo proper verification in exchange for convenience or simplicity. This introduces a dangerous anti-pattern: trusting email addresses presented by an external identity provider without verification.

How nOAuth is Exploited

The attack vector is strikingly simple. An attacker with a Microsoft Entra tenant and knowledge of the target’s email address can impersonate the victim in any SaaS application that relies on unverified email claims from Entra ID. In these cases, the SaaS app considers whoever presents the correct (but unverified) email claim as the legitimate user—facilitating account takeover.
This flaw is particularly dangerous in cross-tenant scenarios. Entra’s application integration model enables organizations to offer services or collaborate with users from different tenants. Unless the SaaS app enforces robust validation—such as checking that the issuer (iss) and audience (aud) fields in tokens match expected values, and avoiding email addresses as sole identifiers—account boundaries become porous.

Traditional Safeguards: Ineffective Against nOAuth

Perhaps most alarming, nOAuth entirely bypasses established security controls:
  • Multi-Factor Authentication (MFA): Since the SaaS app trusts the email claim outright, even the strongest authentication at the Entra level is rendered moot during exploitation.
  • Conditional Access & Zero Trust Policies: These mechanisms are similarly bypassed. The attack occurs not at the authentication event within the identity provider, but in the SaaS application’s flawed validation logic.
  • Detection & Logging: Most SaaS environments lack the log correlation necessary to spot this class of attack. Without deep integration and monitoring across both Entra ID and the SaaS platforms themselves, nOAuth abuse can go unobserved.
“It’s easy for well-meaning developers to follow insecure patterns without realizing it and in many cases, they don’t even know what to look for,” observes Eric Woodruff, Chief Identity Architect at Semperis. This underscores the systemic nature of the problem—many development teams remain unaware of the risks inherent in shortcutting OIDC implementation best practices.

Semperis Study: Scope and Findings

At Troopers 2025 in Heidelberg, Semperis presented the results of its follow-up research. The team conducted broad testing across more than 100 SaaS applications in the Microsoft Entra Application Gallery, all of which employ some form of Entra integration.
The findings are sobering:
  • Nearly 10% of tested applications were confirmed vulnerable to nOAuth, with full account takeover possible upon exploitation.
  • The issue persists despite a year of warnings since the original disclosure.
  • In several cases, exploitation leaves almost no forensic trace, complicating both detection and incident response.
Semperis disclosed its findings to affected SaaS vendors and Microsoft, beginning in December 2024. Some vendors responded quickly with remediations, but others have yet to close the gap, leaving their customers exposed.

Cross-Referencing Industry Response

Microsoft’s Security Response Center (MSRC) updated its Entra Application Gallery guidelines in the wake of nOAuth, emphasizing the necessity for SaaS vendors to validate user claims according to OIDC specifications. The MSRC’s message is clear: Applications failing to heed these practices face expulsion from the gallery—a significant deterrent given the visibility, distribution, and credibility benefits conferred by gallery listing.
Independent sources corroborate the finding that the nOAuth method sidesteps protections like MFA and conditional access. Technical write-ups on security forums and trusted infosec sites echo the essence of the attack—namely, its low effort, high impact, and invisibility for most customers and admins. The core advice across these sources aligns with Semperis’ recommendations: Implement tight claim validation, avoid using email as the unique identifier, and enforce rigorous token checks on the SaaS side.

Technical Analysis: Strengths and Weaknesses of the SaaS Identity Ecosystem

The Allure and Risk of OIDC

OpenID Connect has won broad adoption for bridging disparate identity domains and simplifying SSO, but its very flexibility can breed risk. OIDC allows custom configuration, and while the protocol documentation flags the dangers of using mutable, unverified claims (like email) as primary identifiers, this nuance is often missed in practice—especially among teams seeking frictionless deployment over robust security.

Where the Breakdown Occurs

  • Developer Awareness: Many app builders assume Entra ID’s OIDC tokens are always safe to trust. In reality, OIDC tokens are only as trustworthy as the app’s own logic for vetting claims.
  • SaaS Vendor Practices: Some vendors, prioritizing time-to-market, reuse default configurations or sample code that contains the insecure claim pattern out-of-the-box.
  • Tooling and Guidance: While Microsoft and the OIDC community provide guidance, the relative invisibility of this risk until high-profile disclosures means dangerous patterns have had years to proliferate.

End-User Exposure

Users and enterprise IT teams are alarmingly powerless against nOAuth. Since the attack can be launched from a legitimate Entra tenant managed by the attacker, traditional IT security levers—restricting access, requiring strong authentication, or even relying on alerting—are rendered ineffective.
The implications are severe: data exfiltration (stealing sensitive documents or communications), persistence (creating backdoors or new admin users), and lateral movement (abusing the compromised account's connections to other services).

Detection and Defense: What Can Be Done?

Remediation Steps for SaaS Vendors

  • Strict Claim Verification: Applications must refuse to map accounts based solely on unverified claims such as email. Instead, they should key accounts on OIDC's sub (subject) claim, which uniquely identifies the principal within the issuing tenant, together with the validated issuer.
  • Token Issuer Validation: Apps must ensure tokens are issued by the correct, trusted identity provider—not just any Entra tenant.
  • Explicit Domain Whitelisting: Where feasible, SaaS apps should restrict access to known, vetted domains or tenants.
  • Continual Monitoring: Vendors should implement deeper log correlation between the SaaS platform and Entra ID to flag anomalous account activations or suspicious cross-tenant access.
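Added example (not from the article, Semperis, or any vendor's code) contrasting the email-keyed account mapping the article calls out with a hardened mapping that checks aud, tid and iss and keys accounts on the (iss, sub) pair, covering both the validation points raised above and the remediation steps just listed. All identifiers, addresses and the user store are constructed placeholders, and the token signature is assumed to have been verified before these functions run.

```python
# Added example: SaaS-side account mapping for an Entra ID OIDC ID token.
# Assumes the token signature has already been verified and the claims decoded.
# All ids, emails and store contents below are constructed placeholders.

EXPECTED_AUD = "app-client-id-placeholder"            # this app's registered client id
ALLOWED_TENANTS = {"customer-tenant-id-placeholder"}  # tenants onboarded for this customer


def entra_issuer(tenant_id):
    """Issuer URL that Entra ID v2.0 endpoints place in the 'iss' claim."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


# Constructed user store. The vulnerable path keys on email; the hardened path keys
# on the (iss, sub) pair, which is stable and unique to the issuing tenant.
USERS_BY_EMAIL = {"alice@contoso.example": "acct-alice"}
USERS_BY_ISS_SUB = {
    (entra_issuer("customer-tenant-id-placeholder"), "sub-alice"): "acct-alice",
}


def map_account_vulnerable(claims):
    """nOAuth anti-pattern: the mutable, unverified 'email' claim selects the account."""
    return USERS_BY_EMAIL.get(claims.get("email"))


def map_account_hardened(claims):
    """Return (account, reason). Rejects tokens whose aud/tid/iss do not match
    expectations, then looks the account up by (iss, sub); 'email' is never used."""
    if claims.get("aud") != EXPECTED_AUD:
        return None, "audience mismatch"
    tid = claims.get("tid")
    if tid not in ALLOWED_TENANTS:
        return None, "tenant not allowed"  # token minted by an unknown Entra tenant
    if claims.get("iss") != entra_issuer(tid):
        return None, "issuer does not match tenant"
    sub = claims.get("sub")
    if not sub:
        return None, "missing sub"
    account = USERS_BY_ISS_SUB.get((claims["iss"], sub))
    return account, "ok" if account else "unknown principal"


# Constructed claims: a legitimate token, and a token from a different tenant whose
# email claim carries the same address (the cross-tenant case described above).
LEGIT_CLAIMS = {"iss": entra_issuer("customer-tenant-id-placeholder"), "aud": EXPECTED_AUD,
                "tid": "customer-tenant-id-placeholder", "sub": "sub-alice",
                "email": "alice@contoso.example"}
OTHER_TENANT_CLAIMS = {"iss": entra_issuer("other-tenant-id-placeholder"), "aud": EXPECTED_AUD,
                       "tid": "other-tenant-id-placeholder", "sub": "sub-someone-else",
                       "email": "alice@contoso.example"}
```

A multi-tenant app that must accept sign-ins from any tenant can drop the allow-list, but keying on (iss, sub) alone already prevents the email collision from resolving to an existing account. The returned reason strings are the kind of signal worth logging to support the cross-tenant monitoring the article recommends.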

Microsoft’s Role

Microsoft has taken steps to strengthen guidelines and communication, pressing SaaS vendors to adhere to protocol standards. Nevertheless, given the decentralized and heterogeneous nature of the SaaS landscape, ensuring universal compliance remains a formidable challenge.

What About Customers?

For enterprise customers, options are limited. The best defense is to demand that vendors provide technical documentation of OIDC implementation, transparency over claim validation logic, and third-party security attestations. Where possible, customers should also monitor for unexplained user activities or new account provisioning, though, as noted, most SaaS apps offer little native tooling to support this.

Recent Developments: Semperis and New Threat Detection

Identity security providers like Semperis have stepped in to fill some of the monitoring gap. The company recently announced new detection capabilities in its Directory Services Protector platform, targeted primarily at directory and identity threats like BadSuccessor (a privilege escalation attack affecting Windows Server 2025) and Silver SAML (an evolution of the notorious Golden SAML technique that facilitated the SolarWinds attacks).
These detections don’t close the nOAuth loophole directly—because that flaw is in the SaaS app’s authentication logic—but they help organizations gain the telemetry and cross-system visibility necessary to spot suspicious behaviors that might otherwise slip through.

Outlook: Toward a More Secure Identity Fabric

The nOAuth vulnerability underscores several existential truths for the modern SaaS identity ecosystem:
  • Integrations Are Only as Strong as Their Weakest Link: Even best-in-class identity providers like Microsoft Entra can be undermined by flawed implementations downstream.
  • Developer Education is Paramount: OIDC’s flexibility and power must be matched by a deep understanding of its threat landscape; sample code and defaults ought to be treated with caution, and validated against current standards and best practices.
  • Cross-Vendor Collaboration is Key: As attacks increasingly exploit integration gaps, defenders—be they SaaS vendors, platform providers, or security companies—must share data, disclose responsibly, and coordinate responses more aggressively.
For now, the burden rests largely on SaaS developers to audit their applications, especially those listed in Entra’s Application Gallery. The threat is real, ongoing, and, until addressed universally, threatens to erode trust in one of the most critical layers of the enterprise IT stack.

Conclusion

The nOAuth vulnerability in Microsoft Entra-integrated SaaS applications represents a clear and present danger—one made all the more urgent by the relative ease of exploitation and invisibility to traditional defensive measures. As Semperis’ research reveals, a non-trivial percentage of popular SaaS platforms remain vulnerable, exposing organizations to data theft, privilege abuse, and persistent account compromise.
While Microsoft, security vendors, and conscientious SaaS providers have acted to address the risk, significant gaps remain. The episode serves not only as a warning about the perils of protocol misconfiguration, but also as a call to arms for the entire SaaS development community: security must not be bolted on after the fact, but engineered in from the outset, especially at the identity frontier.
In the meantime, enterprise customers are advised to press their application vendors for transparency, demand adherence to OpenID Connect standards, and partner with security providers capable of deep, cross-platform detection and response. The fight to harden the identity layer is one that will determine the safety and integrity of the cloud for years to come.

Source: Security Informed https://www.securityinformed.com/amp/news/semperis-unveils-critical-noauth-vulnerability-research-co-1686291773-ga.1750914661.html