One Token to Rule Them All: Why Cloud Identity Design Matters for Electronic Security

For those (dozen or so) people that follow my posts, here’s another installment of why I don’t think you should put sensitive security information on somebody else’s servers:

When security researcher Dirk-jan Mollema recently demonstrated how he could obtain Global Administrator access in any Microsoft Entra ID tenant, it sent shockwaves through the identity and cloud-security community. His discovery, detailed in his article Obtaining Global Admin in Every Entra ID Tenant with Actor Tokens, wasn’t just another bug. It was a glimpse into what happens when trust boundaries fail inside the cloud itself.

For those of us who design, host, or integrate electronic security systems — from access control to video management to AI-driven analytics — this is a wake-up call about how much trust we place in cloud platforms.

What Happened: Exploiting “Actor Tokens”

Microsoft uses Actor tokens to let backend services impersonate users or other services when communicating internally. In theory, that’s normal for large distributed systems. But Mollema found a validation flaw in the legacy Azure AD Graph API that accepted these tokens across tenants — even when they came from a completely different organization.

By crafting his own Actor token, he could:

  • Access another tenant’s directory through the Graph API

  • Impersonate any user, including Global Admins

  • Do so invisibly — with no logs in the victim tenant

That’s a total cloud takeover, without triggering a single alert.
Microsoft quickly patched the issue, but it underscored how identity flaws at the service-to-service layer can compromise entire environments.


The Bigger Lesson: Internal Trust Is Still Trust

This wasn’t a “user clicked a bad link” problem. It was an architectural flaw — a reminder that cloud doesn’t automatically mean secure.

The real issue was implicit trust inside the cloud’s own identity fabric:

  • Tokens that could act across boundaries without cryptographic proof

  • Legacy APIs that didn’t validate tenants properly

  • No visibility for the customer whose data was accessed

In a Zero Trust world, that’s unacceptable — yet it still happens when services rely on outdated or opaque identity paths.


Why It Matters for Cloud-Hosted Electronic Security

As more electronic security systems move into the cloud — from video surveillance to credential management — we’re inheriting the same risks.

Your cloud VMS, access control, or identity sync service is only as trustworthy as its token validation, logging, and revocation model.
If a vendor’s backend can silently impersonate your users or devices, your cameras, credentials, and alarms could be compromised without your knowledge.

Cloud convenience doesn’t remove the need for architectural rigor — it increases it.


What to Do: Designing for Cloud Trustworthiness

Whether you’re deploying a Microsoft-based system, a private cloud stack, or a hosted security service, adopt these design and procurement principles:

  1. Strong cryptographic validation – Every token or service credential should be signed, scoped, and tenant-bound.

  2. Comprehensive logging and visibility – Both sides of a privilege escalation must generate audit events.

  3. Eliminate implicit trust – Services must re-validate tokens at every boundary, even internal ones.

  4. Sunset legacy APIs – Outdated authentication paths are where modern attacks start.

  5. Short-lived, revocable credentials – Rotate and expire everything, especially machine tokens.

  6. Assume internal compromise – Architect with segmentation and least privilege inside the platform.
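The cross-tenant acceptance described above and principles 1, 2, 3 and 5 are easiest to see side by side in code. The following is an added illustration written for this post, not Microsoft's token format or anything from Mollema's article: it mints a small HMAC-signed service token with constructed claim names (`iss`, `tid`, `sub`, `scp`, `iat`, `exp`) and a constructed platform key, then contrasts a signature-only validator (the legacy pattern, which accepts a validly signed token from any tenant) with a validator that re-checks tenant binding, scope and lifetime at the boundary and writes an audit event in the serving tenant whether the call is allowed or denied.

```python
"""Hypothetical tenant-bound service token: mint, validate, audit.
Constructed for illustration; claim names, key and format are assumptions."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. A real platform would hold this in an HSM or use
# per-tenant keys; the point here is the validation logic, not key storage.
PLATFORM_KEY = b"constructed-demo-key-do-not-reuse"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer_tenant, target_tenant, subject, scopes, ttl=300, now=None):
    """Issue a signed service token bound to one target tenant (principle 1, 5)."""
    now = int(now if now is not None else time.time())
    claims = {
        "iss": issuer_tenant,   # tenant whose backend service is acting
        "tid": target_tenant,   # the only tenant this token may touch
        "sub": subject,
        "scp": sorted(scopes),  # explicit, enumerated permissions
        "iat": now,
        "exp": now + ttl,       # short lifetime; nothing lives forever
    }
    body = _b64e(json.dumps(claims, sort_keys=True).encode())
    sig = _b64e(hmac.new(PLATFORM_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def _verify_signature(token):
    body, sig = token.split(".")
    expected = hmac.new(PLATFORM_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64d(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64d(body))


def validate_legacy(token):
    """Signature-only check: the pattern the post warns about. A token validly
    signed for tenant B is accepted when presented to tenant A's directory."""
    return _verify_signature(token)


def validate_hardened(token, serving_tenant, required_scope, audit_log, now=None):
    """Re-validate at this boundary (principle 3): signature, tenant binding,
    scope and lifetime. An audit event is recorded in the serving tenant for
    every attempt, allowed or denied (principle 2)."""
    now = now if now is not None else time.time()
    event = {"tenant": serving_tenant, "scope": required_scope, "result": "deny"}
    try:
        claims = _verify_signature(token)
        event["sub"] = claims.get("sub")
        event["iss"] = claims.get("iss")
        if claims.get("tid") != serving_tenant:
            raise ValueError("token bound to another tenant")
        if required_scope not in claims.get("scp", []):
            raise ValueError("scope not granted")
        if not (claims["iat"] <= now < claims["exp"]):
            raise ValueError("token expired or not yet valid")
        event["result"] = "allow"
        return claims
    except (ValueError, KeyError) as exc:
        event["reason"] = str(exc)
        raise PermissionError(str(exc))
    finally:
        audit_log.append(event)


def check(token, serving_tenant, required_scope, audit_log, now=None):
    """Wrapper returning 'allow' or the denial reason instead of raising."""
    try:
        validate_hardened(token, serving_tenant, required_scope, audit_log, now)
        return "allow"
    except PermissionError as exc:
        return str(exc)


def demo():
    """Tenant B's service presents its own (valid) token to tenant A."""
    now = 1_700_000_000
    audit = []
    foreign = mint_token("tenant-B", "tenant-B", "svc-B", {"Directory.ReadWrite"}, now=now)
    legacy_tid = validate_legacy(foreign)["tid"]      # accepted despite wrong tenant
    hardened = check(foreign, "tenant-A", "Directory.ReadWrite", audit, now=now)
    own = mint_token("tenant-A", "tenant-A", "svc-A", {"Directory.ReadWrite"}, now=now)
    own_result = check(own, "tenant-A", "Directory.ReadWrite", audit, now=now)
    return legacy_tid, hardened, own_result, audit


if __name__ == "__main__":
    print(demo())
```

The legacy path returns tenant B's claims without complaint; the hardened path denies the same token with "token bound to another tenant" and leaves a denial event in tenant A's log, which is exactly the visibility the victim tenant lacked in the Actor-token case. A real deployment would add audience checks, key rotation and asymmetric signatures, but the boundary logic is the same.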


Bottom Line

The Actor-token exploit wasn’t just a Microsoft issue — it’s a reminder that trust is the most dangerous dependency in cloud systems.

As our industry continues shifting electronic security infrastructure to the cloud, we need to demand transparent, verifiable identity architectures from our vendors — not black-box trust models. If you can’t see or control how authentication happens behind the scenes, you’re relying on faith, not security.

Posted in: Company News
