Microsoft Entra ID Authentication Flaw exposes Thousands of SaaS Applications
An important security vulnerability within Microsoft’s Entra ID continues to jeopardize a vast number of enterprise applications, even two years after its initial discovery. Security firm Semperis revealed new findings concerning this persistent threat on June 25 at the TROOPERS25 conference in Heidelberg, Germany.
The report indicates that a minimum of 15,000 software-as-a-service (SaaS) applications are likely susceptible to nOAuth, a critical authentication flaw within Microsoft’s Entra ID. This flaw can facilitate account takeovers and the exfiltration of sensitive data.
Understanding the nOAuth Vulnerability
nOAuth, identified in June 2023 by Descope through cross-tenant testing, is an authentication implementation flaw affecting Microsoft Azure AD multi-tenant Open Authorization (OAuth) applications. OAuth is an open, token-based authorization framework that lets users grant one application access to their private resources held by another application without divulging their identity details.
OpenID Connect (OIDC), an identity layer built upon OAuth 2.0, allows applications to verify user identities and obtain basic profile information. The protocol employs JSON Web Tokens (JWT) to securely transmit this information between parties.
The vulnerability exploits Entra ID app configurations that accept unverified email claims as user identifiers, a practice the OpenID Connect standards consider an anti-pattern. In these scenarios, an attacker needs only an Entra tenant and the target’s email address to seize control of the victim’s SaaS account.
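The anti-pattern described above, as an added example that is not part of the article or of any vendor’s code: a SaaS backend that keys accounts on the `email` claim of an Entra ID token, beside the hardened mapping on the tenant and object identifiers that a foreign tenant cannot choose (the guidance Microsoft gives for nOAuth). All tokens, tenant IDs and accounts are constructed sample data, and the tokens are assumed to be already signature-verified so that only the identity-mapping step is shown.

```python
"""Constructed demonstration of the nOAuth identity-mapping flaw and its fix."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: str
    display: str


# Constructed sample data: the victim's home tenant and an unrelated tenant.
VICTIM_TENANT = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"

# Two ways a vendor might index its user store after the victim first signed in:
# the anti-pattern (by email) and the hardened index (by tenant id + object id).
ACCOUNTS_BY_EMAIL = {"alice@victim.example": Account("acct-1", "Alice")}
ACCOUNTS_BY_IDENTITY = {(VICTIM_TENANT, "oid-alice"): Account("acct-1", "Alice")}

# Constructed ID-token claim sets (signature verification assumed to have passed).
victim_token = {"tid": VICTIM_TENANT, "oid": "oid-alice", "email": "alice@victim.example"}
# An administrator of another tenant controls the email attribute of that tenant's
# own users, so a token from it can carry any email string: the nOAuth condition.
foreign_tenant_token = {"tid": OTHER_TENANT, "oid": "oid-other", "email": "alice@victim.example"}


def resolve_user_insecure(claims):
    """Anti-pattern: the unverified email claim is the account key, so a token from
    any tenant that asserts the victim's email resolves to the victim's account."""
    return ACCOUNTS_BY_EMAIL.get(claims.get("email"))


def resolve_user_secure(claims, allowed_tenants=None):
    """Hardened mapping: key on the immutable (tid, oid) pair and treat email as
    display data only; optionally restrict to tenants the customer has onboarded."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None
    if allowed_tenants is not None and tid not in allowed_tenants:
        return None
    return ACCOUNTS_BY_IDENTITY.get((tid, oid))


if __name__ == "__main__":
    print("insecure, foreign-tenant token ->", resolve_user_insecure(foreign_tenant_token))
    print("secure,   foreign-tenant token ->", resolve_user_secure(foreign_tenant_token))
```

The insecure resolver returns Alice’s account for the foreign-tenant token; the hardened one returns nothing for it, while still resolving Alice’s own token.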
Did You Know? Multifactor authentication (MFA), conditional access, and Zero Trust policies are unable to protect against this specific vulnerability.
Widespread Vulnerability Persists
Semperis’ research indicates that many SaaS applications remain vulnerable to the nOAuth flaw two years after its initial discovery.
The company estimates that these vulnerable applications constitute at least 10% of the total SaaS applications in use, which they assess to be over 150,000.
This translates to at least 15,000 enterprise SaaS applications still vulnerable to nOAuth as of June 2025.
According to Semperis, the vulnerability “continues to go undetected by SaaS vendors, who may not even know what to look for, and it is nearly unachievable for enterprise customers to defend against, allowing attackers to take over accounts and exfiltrate data.”
Eric Woodruff, Semperis’ Chief Identity Architect, presented these findings at TROOPERS25, classifying the vulnerability as “severe” due to its low complexity and the inability to defend against it.
Pro Tip: Regularly audit your Entra ID configurations and SaaS application settings to identify and remediate potential nOAuth vulnerabilities.
Mitigating nOAuth Vulnerabilities
While traditional vulnerability mitigation measures are ineffective against nOAuth, Semperis offers the following recommendations:
- SaaS vendors should adhere to Microsoft’s recommendations to prevent nOAuth abuse.
- Developers should implement the necessary fixes to protect their customers.
- Organizations should implement deep log correlation across both Entra ID and the SaaS platform to detect nOAuth abuse.
| Vulnerability | Impact | Mitigation |
|---|---|---|
| nOAuth in Microsoft Entra ID | Account Takeovers, Data Exfiltration | Vendor fixes, deep log correlation, adherence to Microsoft’s recommendations |
Key Takeaways
- The nOAuth vulnerability in Microsoft Entra ID remains a significant threat to SaaS applications.
- Traditional security measures are ineffective against this flaw.
- Proactive measures are required by both SaaS vendors and organizations to mitigate the risk.
Evergreen Insights: Understanding OAuth and OIDC
OAuth (Open Authorization) is a standard protocol that enables secure delegated access. It allows users to grant third-party applications limited access to their resources without sharing their credentials. This is commonly used for “Login with Google” or “Login with Facebook” features.
OIDC (OpenID Connect) builds on top of OAuth 2.0 and provides an identity layer. It allows applications to verify the identity of a user based on the authentication performed by an authorization server, and also to obtain basic profile information about the user in an interoperable and standard manner.
Frequently Asked Questions About nOAuth
- What is the nOAuth vulnerability?
- nOAuth is an authentication implementation flaw affecting Microsoft Azure AD multi-tenant Open Authorization (OAuth) applications. It exploits Entra ID app configurations that allow unverified email claims as user identifiers.
- How widespread is the Microsoft Entra ID vulnerability?
- As of June 2025, security researchers estimate that at least 15,000 software-as-a-service (SaaS) applications remain vulnerable to the nOAuth flaw.
- Why is the nOAuth vulnerability still a threat?
- The vulnerability often goes undetected by SaaS vendors, and enterprises lack effective defenses, making it easy for attackers to take over accounts and steal data.
- Can multifactor authentication protect against nOAuth?
- No, traditional security measures like multifactor authentication (MFA), conditional access, and Zero Trust policies are ineffective against the nOAuth vulnerability.
- What steps can be taken to mitigate nOAuth vulnerabilities?
- SaaS vendors should adhere to Microsoft’s recommendations to prevent nOAuth abuse, developers should implement necessary fixes, and organizations should implement deep log correlation across Entra ID and SaaS platforms.
Disclaimer: This article provides general information about a security vulnerability. It is not intended as professional security advice. Consult qualified security professionals for specific guidance.
Are you concerned about the security of your SaaS applications? What steps are you taking to protect your organization from authentication flaws like nOAuth?