A critical vulnerability in Microsoft’s Entra ID (formerly Azure Active Directory) allowed attackers to impersonate Global Administrators across any tenant by exploiting a flaw in the legacy Azure AD Graph API. The flaw could have enabled unauthorized access to sensitive systems without detection. Microsoft patched the issue in July 2025, implemented extra measures in August, and issued a CVE on September 4.