
Semperis has released new research into nOAuth, a known vulnerability in Microsoft’s Entra ID that enables full account takeover of vulnerable SaaS apps with minimal attacker effort, posing a severe risk to enterprises relying on cross-tenant Entra integrations.
Eric Woodruff, Semperis’ chief identity architect, presented his findings this week at Troopers 2025 in Heidelberg, Germany.
nOAuth was first disclosed in 2023 by Omer Cohen of Descope, highlighting a flaw in how some SaaS applications implement OpenID Connect.
Semperis’ follow-up research focused on Entra-integrated applications in Microsoft’s Entra Application Gallery, identifying a wide range of applications still vulnerable to nOAuth abuse more than a year later.
Discovered through cross-tenant testing, nOAuth exploits Entra ID app configurations that permit unverified email claims as user identifiers, a known anti-pattern per OpenID Connect standards.
In these scenarios, attackers need only an Entra tenant and the target’s email address to assume control of the victim’s SaaS account. Traditional safeguards like MFA, conditional access, and Zero Trust policies offer no protection.
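The anti-pattern described above, shown as an added illustration that is not Semperis’ or Microsoft’s code: a SaaS relying party that resolves accounts by the mutable `email` claim, beside a version that keys on the tenant and object identifiers (`tid` and `oid`). Token claims are constructed sample dicts; signature and audience validation are assumed to have happened upstream, and the `xms_edov` optional claim is assumed to have been requested from Entra.

```python
"""Account lookup in a SaaS relying party: email-keyed (nOAuth-prone) vs identifier-keyed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    account_id: str
    email: str
    issuer_tid: str   # Entra tenant id recorded when the account was provisioned
    object_id: str    # Entra object id (oid) of the user in that tenant


# Constructed sample account for the legitimate user, provisioned from her home tenant.
ACCOUNTS = [Account("acct-1", "alice@victim.example", "TENANT-VICTIM", "oid-alice-home")]

# Constructed sample tokens. The second is issued by a different tenant whose admin
# set the same email attribute on one of their own users.
HOME_TENANT_TOKEN = {"tid": "TENANT-VICTIM", "oid": "oid-alice-home",
                     "email": "alice@victim.example", "xms_edov": True}
FOREIGN_TENANT_TOKEN = {"tid": "TENANT-OTHER", "oid": "oid-other-user",
                        "email": "alice@victim.example"}


def lookup_by_email_vulnerable(claims: dict) -> Optional[Account]:
    """Anti-pattern: the email claim is attacker-controlled in a foreign tenant,
    so any tenant can mint a token that resolves to the victim's account."""
    email = claims.get("email", "").lower()
    return next((a for a in ACCOUNTS if a.email.lower() == email), None)


def lookup_hardened(claims: dict) -> Optional[Account]:
    """Resolve only on identifiers the issuing tenant cannot choose: tid + oid.
    A token from another tenant never matches, whatever its email claim says."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None
    return next((a for a in ACCOUNTS if a.issuer_tid == tid and a.object_id == oid), None)


def can_link_by_email(claims: dict) -> bool:
    """Email may be used for first-time account linking only when Entra marks the
    domain as owner-verified (assumption: optional claim xms_edov requested by the app)."""
    return bool(claims.get("email")) and claims.get("xms_edov") is True
```

Running both lookups over the two constructed tokens shows the difference: the email-keyed path resolves the foreign-tenant token to the victim’s account, while the identifier-keyed path returns nothing for it.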
“It’s easy for well-meaning developers to follow insecure patterns without realising it, and in many cases, they don’t even know what to look for,” said Woodruff. “Meanwhile, customers are left with no way to detect or stop the attack, making this an especially dangerous and persistent threat.”
In a broad test of more than 100 Entra-integrated SaaS applications, Woodruff found nearly 10% were vulnerable to nOAuth abuse. Once the vulnerability is exploited, attackers can gain full access to a user’s account in the SaaS app, enabling data exfiltration, persistence, and potential lateral movement.
The Microsoft Security Response Centre advises SaaS vendors to follow its recommendations to prevent nOAuth abuse or risk expulsion from the Entra Application Gallery.
“nOAuth abuse is a serious threat that many organisations may be exposed to,” continued Woodruff. “It’s low effort, leaves almost no trace and bypasses end‑user protections. We’ve confirmed exploitation is still possible in many SaaS apps, which makes this an urgent call to action. We encourage developers to implement the necessary fixes and help protect their customers before this flaw is exploited further.”
Semperis reported its findings to both affected vendors and Microsoft, beginning in December 2024. While some vendors have since remediated their applications, others remain vulnerable. Without deep log correlation across both Entra ID and the SaaS platform, detecting nOAuth abuse is nearly impossible.
Semperis researchers recently announced new detection capabilities in the company’s Directory Services Protector platform to defend against BadSuccessor, a high-severity privilege escalation technique targeting a newly introduced feature in Windows Server 2025.
Last year, Semperis researchers discovered Silver SAML, a new variant of the SolarWinds-era Golden SAML technique that bypasses standard defences in Entra ID-integrated applications.