I SPy: Escalating to Entra ID's Global Admin with a first-party app
ID: 62a1889d-ded7-5d18-a5ca-18a4bf2486fa
STIX ID: report--62a1889d-ded7-5d18-a5ca-18a4bf2486fa
Feed Name: Datadog Security Labs
Datadog Security Labs discovered and demonstrated that a privileged service principal (one holding the Application Administrator or Cloud Application Administrator role, or the Application.ReadWrite.All permission) could add credentials to the Office 365 Exchange Online service principal and then authenticate as that Microsoft first-party app. With the app's Domain.ReadWrite.All permission, it could add a federated domain whose certificate enabled forging SAML tokens and signing in as any hybrid (on-premises-synced) user, including Global Administrators. The issue was reported to MSRC in January 2025, and mitigation was observed in August 2025.
