A critical flaw in Microsoft Entra ID, involving undocumented actor tokens and a vulnerability in the Azure AD Graph API, allowed potential global access to any organization's tenant without leaving logs of the actions taken. Security researcher Dirk-jan Mollema discovered that these actor tokens could be exploited to impersonate users, including Global Administrators, leading to severe security risks. Microsoft has since patched the vulnerability and is in the process of deprecating the affected API service.