What Microsoft reported
CVE-2026-45480 affects Azure Active Directory, now Microsoft Entra ID. The vulnerability is rated as critical privilege escalation. The vector is network-based, with no user interaction and no prior privileges required.
Microsoft reports the issue as fully mitigated on the service side. For customers, there is no Windows patch, GPO change, or local agent version that closes this CVE. That does not make the advisory irrelevant: identity platforms control privileged roles, applications, Conditional Access, and hybrid sign-in paths.
What operators should check
- Preserve tenant audit evidence: Review audit and sign-in logs around publication and against your retention window. Export relevant events if retention is short.
- Review privileged changes: Check Global Administrator, Privileged Role Administrator, Conditional Access Administrator, Application Administrator, app roles, service principals, and consent events.
- Validate PIM and break-glass: Compare activations, permanent role assignments, excluded accounts, and emergency accounts against the documented target state.
- Assess application access: Track new secrets, certificates, redirect URIs, app permissions, and admin consent with an owner and business purpose.
- Update the risk register: Record the CVE as mitigated by Microsoft, but do not skip local evidence for roles, logs, and tenant changes.
For hybrid identities
In hybrid environments, the risk boundary does not stop at the cloud edge. Entra ID controls access to Microsoft 365, Azure resources, SaaS applications, and often privileged operating processes for on-premises AD teams. An unexplained role or application change can affect on-premises administration, Exchange, SharePoint, backup, automation, and helpdesk workflows.
Short term, this is not a panic-patch item. The important question is evidence: were privileged roles, application permissions, or Conditional Access exclusions changed in the relevant period, and are those changes approved by the right owner?
If only one step can be done immediately: review tenant audit logs for privileged roles, app consent, and service principals, then document the result with the retention window.
