Creating immutable users through a bug in Entra ID restricted administrative units
ID: 4351b486-6e88-54e1-a0bc-3b1110a0964f
STIX ID: report--4351b486-6e88-54e1-a0bc-3b1110a0964f
Feed Name: Datadog Security Labs
Datadog discovered and reported a timing-based bug in Microsoft Entra ID's restricted management Administrative Units (AUs) that can leave an account stuck in a restricted management state even after the AU is deleted, blocking administrators from performing containment actions such as password reset, session revocation, user deletion and clearing MFA. Datadog provided a proof of concept and worked with MSRC through reproduction and remediation; Microsoft fixed the issue on 2025-02-22. Exploiting the bug required Global Administrator or Privileged Role Administrator privileges, and MSRC rated it moderate.