nOAuth Exploit Enables Full Account Takeover of Entra Cross-Tenant SaaS Applications

A severe security flaw, dubbed nOAuth, has been identified in certain software-as-a-service (SaaS) applications integrated with Microsoft Entra ID, potentially allowing attackers to achieve full account takeover across tenant boundaries.

Research conducted by Semperis, disclosed on June 26, 2025, found that 9 of 104 tested applications (roughly 9%) in the Microsoft Entra App Gallery were vulnerable to this exploit.

Critical Vulnerability Exposes SaaS Apps

The nOAuth vulnerability exploits an authentication flaw in OpenID Connect (OIDC) implementations: developers use a mutable attribute, the email claim, rather than the token's immutable subject identifier, as the key that maps an incoming token to a local user account.

Because Entra ID lets a tenant administrator set a user's email address to any value without verifying it, an attacker who controls a separate tenant can give one of their own users the victim's address, sign in to the application from that tenant, and be mapped onto the victim's account. From there they gain unauthorized access to sensitive data and a foothold for persistence and lateral movement within the compromised application.

[Figure: nOAuth vulnerability. Verified domain name in Entra ID]

The nOAuth exploit is alarmingly straightforward, requiring only access to an Entra tenant and the target user’s email address to execute.

Semperis researchers classify this vulnerability as severe because of its low complexity, the near impossibility of detecting it from the customer side, and the complete lack of customer-side mitigation options.

The attack combines the ability to set unverified email addresses in Entra ID with app registrations that still receive the email claim even when the address is unverified, tricking vulnerable applications into authenticating malicious actors as legitimate users.

Low Complexity Attack

Once inside, attackers can access all data available to the compromised account, including personally identifiable information (PII) in applications like human resources management systems (HRMS) or even pivot to integrated Microsoft 365 resources such as mail and calendar data.

[Figure: nOAuth vulnerability. Running a PATCH against Adele Vance]

Microsoft has mitigated the issue for app registrations created after June 2023, which by default no longer receive unverified email claims. Thousands of pre-existing SaaS applications remain at risk, however, and their customers are defenseless unless vendors update their authentication logic to follow OIDC best practice and identify users by the immutable issuer (iss) and subject (sub) claims rather than by email address.

Semperis' investigation, begun in late 2024, focused on OIDC integrations within the Entra App Gallery and was limited to applications that offer self-service sign-up, so that testing could stay within ethical boundaries.

Their findings underscore a broader industry challenge: many developers, especially those who support only Entra ID authentication, may not implement safeguards such as email verification or account-merging logic, because they assume that two different tenants can never present the same email address.
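The mechanism described above can be shown end to end in a small model. The following is an added example, not code from Semperis or from any affected vendor: a toy stand-in for two Entra tenants issuing OIDC ID tokens, beside two SaaS back ends that consume them. One back end keys accounts on the mutable email claim (the nOAuth bug); the other keys on the immutable (iss, sub) pair and treats an email collision as something to verify rather than merge. Tenant IDs, subjects, addresses and the Tenant/Account classes are constructed for the demonstration, and signature validation is assumed to have already passed, which in nOAuth it genuinely would, since the attacker's token is a valid token from the attacker's own tenant.

```python
from dataclasses import dataclass, field


def entra_issuer(tenant_id: str) -> str:
    """Entra ID v2.0 issuer for a tenant: https://login.microsoftonline.com/{tid}/v2.0"""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


class Tenant:
    """Toy Entra tenant (constructed for this example): each user has a mutable
    `mail` attribute and a stable `sub`. Nothing checks that the tenant owns the mail domain."""

    def __init__(self, tenant_id: str):
        self.tenant_id = tenant_id
        self.users = {}                       # user_id -> {"mail": ..., "sub": ...}

    def add_user(self, user_id: str, mail: str, sub: str) -> None:
        self.users[user_id] = {"mail": mail, "sub": sub}

    def patch_mail(self, user_id: str, new_mail: str) -> None:
        """Models the admin-side PATCH that sets a user's `mail` attribute to any value."""
        self.users[user_id]["mail"] = new_mail

    def issue_id_token(self, user_id: str) -> dict:
        """Claims the SaaS app receives after this user signs in (signature already checked)."""
        u = self.users[user_id]
        return {"iss": entra_issuer(self.tenant_id), "tid": self.tenant_id,
                "sub": u["sub"], "email": u["mail"]}   # email copied from the unverified attribute


@dataclass
class Account:
    account_id: int
    email: str
    federated_ids: set = field(default_factory=set)   # {(iss, sub), ...}


class VulnerableApp:
    """The nOAuth bug: accounts are keyed on `email`, so any tenant that can issue
    a valid token carrying the victim's address gets the victim's account."""

    def __init__(self):
        self.by_email = {}

    def login(self, claims: dict) -> Account:
        email = claims["email"].lower()
        if email not in self.by_email:
            self.by_email[email] = Account(len(self.by_email) + 1, email)
        return self.by_email[email]


class HardenedApp:
    """Accounts are keyed on the immutable (iss, sub) pair; `email` is display data only."""

    def __init__(self):
        self.by_fed_id = {}
        self.by_email = {}

    def login(self, claims: dict) -> tuple:
        fed_id = (claims["iss"], claims["sub"])
        if fed_id in self.by_fed_id:
            return self.by_fed_id[fed_id], "ok"
        email = claims.get("email", "").lower()
        if email in self.by_email:
            # Same address, different issuer/subject. A valid login somewhere else
            # is not proof of owning this mailbox: do not merge until the address
            # is verified out of band or an admin explicitly links the identity.
            return None, "email_collision_requires_verification"
        acct = Account(len(self.by_fed_id) + 1, email, {fed_id})
        self.by_fed_id[fed_id] = acct
        if email:
            self.by_email[email] = acct
        return acct, "created"


def run_scenario() -> dict:
    """Victim signs in first; then an attacker from another tenant presents the same e-mail."""
    victim_tenant = Tenant("11111111-1111-1111-1111-111111111111")      # constructed IDs
    victim_tenant.add_user("adele", "adele.vance@contoso.example", "sub-victim-0001")
    attacker_tenant = Tenant("22222222-2222-2222-2222-222222222222")
    attacker_tenant.add_user("mallory", "mallory@attacker.example", "sub-attacker-0001")
    attacker_tenant.patch_mail("mallory", "adele.vance@contoso.example")  # the nOAuth step

    victim_token = victim_tenant.issue_id_token("adele")
    attacker_token = attacker_tenant.issue_id_token("mallory")

    vuln, hard = VulnerableApp(), HardenedApp()
    v_victim = vuln.login(victim_token)
    v_attacker = vuln.login(attacker_token)
    h_victim, _ = hard.login(victim_token)
    h_attacker, h_status = hard.login(attacker_token)
    h_victim_again, _ = hard.login(victim_token)

    return {
        "vulnerable_takeover": v_victim is v_attacker,          # True: attacker lands in victim's account
        "hardened_takeover": h_attacker is h_victim,            # False: attacker gets no account
        "hardened_status": h_status,
        "hardened_victim_stable": h_victim_again is h_victim,   # True: victim still maps to their own account
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two points about the hardened side are worth noting. First, the (iss, sub) key is scoped to the issuer, so the same sub value from two different tenants can never collide. Second, the collision branch is what the page calls account-merging logic: if the attacker had signed up first with the victim's address, the victim would be the one hitting the collision, which is why a hardened application also verifies email ownership at sign-up rather than trusting the claim.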

Following the discovery, Semperis reported the issue to the Microsoft Security Response Center (MSRC) in December 2024 under case 93209, alongside direct outreach to affected vendors.

While some vendors collaborated to resolve the flaw, MSRC closed the case in April 2025, reiterating that developers must follow OIDC guidelines, with non-compliant applications risking removal from the Entra App Gallery.

For customers, however, there is no way to see whether an application consumes unverified email claims, and traditional defenses such as multifactor authentication (MFA) and conditional access do not help, because those controls are enforced by the tenant the attacker signs in to (their own), not by the victim's tenant, which never sees the login. Their only recourse is to pressure vendors for fixes or to abandon vulnerable applications.

As nOAuth remains a persistent threat in the SaaS ecosystem, this disclosure serves as a critical wake-up call for developers and organizations to prioritize secure authentication practices and rigorous testing to safeguard against such insidious exploits.
