Microsoft Entra and Microsoft Graph Broken API Authorization Flow Part 2: Evidence
A low-privileged user account was used to download tenant-wide authentication logs from Microsoft Entra ID without authorization. The account was assigned no roles and had no explicit permissions to access sign-in logs. The download was made possible by a client-side authorization bypass in the Entra admin portal and by Microsoft Graph beta API requests.
Microsoft Silently Patched a Critical Entra Bug and Won't Tell You If You Were Breached.
If your organization runs Microsoft Entra ID, any authenticated user in your tenant could obtain sign-in telemetry for the entire enterprise without holding a single role, group membership, or admin right. That telemetry includes user principal names, source IP addresses, geolocation, MFA status, application access patterns, and the Conditional Access policies applied to every sign-in, and the same broken API authorization flow affected 15 separate Entra services.
Cybersecurity Architect Handbook
In March of 2026, Francois Locoh-Donou, CEO of F5, stated, "Enterprise IT environments are not unlike a city. Every infrastructure environment, every data center, every cloud region, every colocation facility, is like a neighborhood in that city. Apps are like buildings. Traditional applications are monolithic structures. Microservices are like residential complexes. APIs are roads connecting buildings, crisscrossing neighborhoods. Your data: that is the power grid required in every thriving city."
The Hacking APIs Conference: 80% Preparation, 20% Chaos
API security has plenty of problems, and the only way to solve them is to share knowledge. At your average conference, you might catch an API security talk somewhere in between a threat intel panel and a cloud security talk. Meanwhile, every app, every AI model, every third-party integration depends on APIs. When secure, all is well. When they’re not… disaster.
That's where the Hacking APIs Conferences come in.
Hacking with Burp AI in the Chesspocalypse
In cybersecurity we are all finding our place with our new best frenemy AI. Will it displace us? Will it conquer us? Or will it just tell us that we are the smartest best hacker that ever hacked?