The Rising Threat of the nOAuth Vulnerability in Microsoft Entra ID
In an alarming new report, Semperis, a leader in AI-driven identity security and cyber resilience, has revealed ongoing vulnerabilities in Microsoft's Entra ID that could threaten enterprise-scale SaaS applications. The risk, related to a known issue with nOAuth, could allow attackers to take over accounts with minimal effort, leading to severe data breaches and losses. Eric Woodruff, Chief Identity Architect at Semperis, unveiled these findings during his recent presentation at Troopers 2025 in Heidelberg, Germany.
The nOAuth vulnerability was initially brought to light in 2023 by Omer Cohen of Descope, who focused on weaknesses in how certain SaaS applications implement OpenID Connect. Semperis' fresh investigation has raised new concerns, demonstrating that as of 2025 a substantial number of applications within the Microsoft Entra Application Gallery remain critically exposed to this risk. According to the report, nearly 10% of the more than 100 Entra-integrated applications tested were vulnerable, allowing an attacker who exploits the flaw to gain full access to a user's account.
How nOAuth Works and Why It’s Dangerous
The exploit relies on a weak configuration in applications integrated with Entra ID: they treat the email claim in the ID token as the user identifier, even though that claim is neither verified nor immutable. The OpenID Connect standard describes this practice as an anti-pattern. The consequence is that if attackers know a target's email address and have access to an Entra tenant, they can easily hijack the associated SaaS account. The implications of such breaches can be severe; attackers can not only access sensitive data but can also maintain their presence in the environment, potentially leading to lateral movement within the organization.
Traditional security measures like Multi-Factor Authentication (MFA), conditional access, and Zero Trust policies are rendered ineffective against such a versatile and stealthy attack vector. According to Woodruff, many developers—even those with good intentions—may inadvertently follow insecure practices without recognizing the inherent risks, often unaware of what vulnerabilities to look for.
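To make the anti-pattern concrete, the following is an added example (not code from Semperis or from any vendor named above) that places the vulnerable account lookup beside a hardened one. The claim sets and the account store are constructed for illustration; the hardened lookup keys on the tenant id (tid) and object id (oid) and never consults the email claim, and a third function turns the mismatch into a detection signal.

```python
# Constructed sample claim sets, as they would arrive after the ID token's
# signature, audience and expiry have already been validated upstream.
VICTIM_TID = "11111111-1111-1111-1111-111111111111"
VICTIM_OID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
# Sign-in from the tenant in which the app originally provisioned Alice.
LEGIT_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{VICTIM_TID}/v2.0",
    "tid": VICTIM_TID,
    "oid": VICTIM_OID,
    "email": "alice@victim.example",
}
# Sign-in from an unrelated tenant whose directory merely carries the same
# email attribute; Entra ID does not verify that attribute, so nothing here
# proves control of the victim.example mailbox.
OTHER_TENANT_CLAIMS = {
    "iss": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0",
    "tid": "22222222-2222-2222-2222-222222222222",
    "oid": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
    "email": "alice@victim.example",
}
# Hypothetical account store keyed on the immutable (tid, oid) pair recorded at
# first sign-in; email is stored for display and notifications only.
ACCOUNTS = {
    (VICTIM_TID, VICTIM_OID): {"user_id": 42, "email": "alice@victim.example"},
}

def lookup_by_email(claims):
    """The nOAuth anti-pattern: every tenant that sets this email matches."""
    wanted = claims.get("email", "").lower()
    for account in ACCOUNTS.values():
        if account["email"].lower() == wanted:
            return account["user_id"]
    return None

def lookup_by_tenant_and_object_id(claims):
    """Hardened: identity is (tid, oid); the email claim is never consulted."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None
    # Defence in depth: the token's issuer must be the tenant named in tid.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        return None
    account = ACCOUNTS.get((tid, oid))
    return account["user_id"] if account else None

def email_collision(claims):
    """Detection signal: a known account's email arriving under different immutable ids."""
    return (lookup_by_tenant_and_object_id(claims) is None
            and lookup_by_email(claims) is not None)
```

Logging every case where email_collision returns True gives the SaaS side a record that can later be correlated with Entra ID sign-in logs, which the report notes is otherwise hard to do.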
Urgent Call to Action for Developers
Semperis strongly urges developers to adopt recommended practices to mitigate the nOAuth threat. As surface-level solutions can often overlook deeper issues, it is critical for developers to rigorously investigate and rectify vulnerable configurations. Semperis has already shared its findings with impacted vendors and Microsoft, pushing for prompt action to address the vulnerabilities in question. While some have made strides towards fixing the issues, others remain at risk, thus amplifying the urgency for immediate remediation. The lack of sophisticated log correlation capabilities across Entra ID and SaaS platforms exacerbates the challenge of detection, meaning organizations are often left in the dark about ongoing breaches.
In a related aspect of its research, Semperis recently unveiled new detection mechanisms within its Directory Services Protector platform aimed at defending against other serious vulnerabilities, such as the BadSuccessor privilege escalation technique targeting Windows Server 2025. Past revelations from Semperis have also spotlighted issues like Silver SAML, underscoring a trend of increasing sophistication in identity-based attacks.
Conclusion: The Need for Enhanced Cyber Security Practices
Given the growing challenges posed by vulnerabilities such as nOAuth, there is a pressing need for organizations to enhance their cyber defense strategies. As enterprises increasingly rely on cross-tenant integrations, the potential ramifications of unchecked vulnerabilities could become catastrophic. Moreover, the calls for developers to properly address these flaws are more urgent than ever. Ignoring the risks associated with nOAuth may lead to serious breaches that could impact data integrity, customer trust, and overall organizational security. By becoming more vigilant and proactive, developers can help safeguard not just their own platforms but also the broader ecosystem against these persistent threats.
For further insights and in-depth analysis, visit the full research blog at the Semperis Blog.
Semperis remains committed to providing essential resources for organizations facing today's complex cyber threat landscape. With more than 100 million identities protected globally, their mission is clear: to ensure that critical enterprise identity services are secure and resilient amid evolving cyber threats.