Cyber Security News

Microsoft Entra ID Bug Allows Unprivileged Users to Change Their User Principal Names

Microsoft has allowed unprivileged users to update their own User Principal Names (UPNs) in Entra ID, sparking concerns over security and administrative oversight.

To clarify, an unprivileged user can update the user principal name (UPN) for their own Entra ID account but not for others. However, it is hard to see why any organization would intentionally allow users to modify such a fundamental attribute as a UPN, yet this capability exists.

This change, which can be executed through the Entra admin center or tools like the Microsoft Graph PowerShell SDK, has raised questions about its necessity and potential risks.

Previously, UPN updates were typically restricted to administrators. However, it is now possible for any user to modify their UPN, which is a critical identifier for accessing Microsoft services.

Testing confirmed that users could navigate to their account properties in the Entra admin center and directly edit their UPNs. A similar update can also be performed using the Microsoft Graph PowerShell SDK, as both interfaces rely on the Microsoft Graph Users API.

Properties of the Eric Hammond Entra account
Account properties after updating the user principal name and photo

The update also impacts related properties. For instance, changing a UPN automatically updates the primary SMTP address in Exchange Online due to the dual-write synchronization between Entra ID and Exchange Online. The old primary SMTP address remains as a proxy address to ensure email delivery continuity.

After validating that it is possible for a user to update their user principal name and photo via the Entra admin center, the researcher tried the same update with the Microsoft Graph PowerShell SDK.

Updating a user principal name with the Microsoft Graph PowerShell SDK

Allowing users to alter their UPNs raises several security red flags. For example, a user could temporarily change their UPN to impersonate someone else (e.g., CEO@domain.com), gain access to that email address, and then revert to their original UPN. If administrators are not actively monitoring audit logs, such changes could go unnoticed.

Additionally, reverting a UPN change does not automatically remove the extra email proxy address created during the process. This could lead to further complications or misuse if not explicitly addressed by administrators.
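The audit-log check the previous paragraphs call for, as an added example that is not code from the article: it pulls recent "Update user" events from the Entra ID audit log, keeps those where the actor and the target are the same object (a self-service UPN change), and lists any lowercase "smtp:" proxy addresses (secondary aliases) still present on the account, which is how a leftover alias from a change-and-revert shows up. It assumes the Microsoft Graph PowerShell SDK and an account consented for AuditLog.Read.All and User.Read.All.

```powershell
# Added example (not from the article): report self-service UPN changes and
# any secondary "smtp:" proxy addresses left behind on the affected accounts.
# Assumes Graph PowerShell SDK with AuditLog.Read.All and User.Read.All consent.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'User.Read.All' -NoWelcome

$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "activityDisplayName eq 'Update user' and activityDateTime ge $since"

Get-MgAuditLogDirectoryAudit -Filter $filter -All | ForEach-Object {
    $event  = $_
    $target = $event.TargetResources | Select-Object -First 1
    $change = $target.ModifiedProperties | Where-Object { $_.DisplayName -eq 'UserPrincipalName' }
    if (-not $change) { return }   # this "Update user" event did not touch the UPN

    # Actor and target are the same directory object: the user changed their own UPN
    $selfService = ($event.InitiatedBy.User.Id -eq $target.Id)

    $user = Get-MgUser -UserId $target.Id -Property 'id', 'userPrincipalName', 'proxyAddresses' `
                       -ErrorAction SilentlyContinue
    # Lowercase "smtp:" marks a secondary address; uppercase "SMTP:" is the primary
    $leftover = $user.ProxyAddresses | Where-Object { $_ -cmatch '^smtp:' }

    [pscustomobject]@{
        When        = $event.ActivityDateTime
        Actor       = $event.InitiatedBy.User.UserPrincipalName
        SelfService = $selfService
        OldUpn      = ($change.OldValue -replace '^"|"$')   # audit values are JSON-encoded strings
        NewUpn      = ($change.NewValue -replace '^"|"$')
        CurrentUpn  = $user.UserPrincipalName
        ExtraSmtp   = ($leftover -join ';')
    }
} | Where-Object { $_.SelfService } | Format-Table -AutoSize
```

Drop the final Where-Object to see administrator-initiated UPN changes as well.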

Blocking User Access

Organizations concerned about this capability can take steps to limit user access:

  • Restricting Access to the Entra Admin Center: Administrators can configure settings to block non-administrative users from accessing the Entra admin center. While this does not fully prevent users with low-level roles (e.g., Reports Reader) from making changes, it reduces casual access.
  • Securing Microsoft Graph PowerShell SDK: By default, any user can connect to the Microsoft Graph PowerShell SDK using the Connect-MgGraph cmdlet. Administrators can secure this by restricting access through the associated enterprise app’s settings. Without proper permissions, users attempting to connect will encounter an AADSTS50105 error.
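One way to apply the second control, as an added example rather than the article's own code: it turns on "Assignment required?" for the Microsoft Graph PowerShell SDK's enterprise application and assigns an admin group, so users outside that group receive the AADSTS50105 error on Connect-MgGraph. It assumes Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All and Group.Read.All consent, uses the well-known app ID of "Microsoft Graph Command Line Tools", and the group name is a placeholder to replace.

```powershell
# Added example (not from the article): require app assignment on the Graph
# PowerShell SDK enterprise app so only an admin group can run Connect-MgGraph.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'Group.Read.All' -NoWelcome

$graphCliAppId = '14d82eec-204b-4c2f-b7e8-296a70dab67e'   # well-known app ID: Microsoft Graph Command Line Tools
$adminGroup    = 'Entra-Graph-PowerShell-Operators'        # placeholder group name, replace for your tenant

$sp = Get-MgServicePrincipal -Filter "appId eq '$graphCliAppId'"
if (-not $sp) {
    # The service principal only appears once someone in the tenant has consented;
    # create it so the restriction exists before first use.
    $sp = New-MgServicePrincipal -AppId $graphCliAppId
}

# Flip "Assignment required?" on the enterprise app
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# Assign the admin group to the default (empty GUID) app role so its members keep access
$group = Get-MgGroup -Filter "displayName eq '$adminGroup'"
if (-not $group) { throw "Group '$adminGroup' not found" }

New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $group.Id -ResourceId $sp.Id `
    -AppRoleId '00000000-0000-0000-0000-000000000000'

# Verify the setting took effect
Get-MgServicePrincipal -ServicePrincipalId $sp.Id -Property 'displayName', 'appRoleAssignmentRequired' |
    Select-Object DisplayName, AppRoleAssignmentRequired
```

The "Restrict access to Microsoft Entra admin center" setting from the first bullet is a separate portal-side control and is not changed by this script.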

The rationale behind enabling this capability remains unknown. While Microsoft typically implements changes with specific use cases in mind, no clear justification has been provided for allowing unprivileged users to modify such a fundamental property as their UPN. This has left IT administrators puzzled and concerned about potential misuse.

Until more information emerges about Microsoft’s reasoning for this change, organizations are advised to implement controls to mitigate risks. Blocking user access to both the Entra admin center and Microsoft Graph PowerShell SDK is a prudent step for maintaining security.

As of 14:00 UTC Jan 24, 2025, Microsoft has taken action to block users from updating their User Principal Names (UPNs). The Entra admin center now displays a notification restricting this functionality when such attempts are made, signaling a swift response to the issue.


Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
