
Semperis Research Uncovers Ongoing Risk from nOAuth Vulnerability in Microsoft Entra ID, Affecting Enterprise SaaS Applications 

nOAuth continues to go undetected by SaaS vendors, who may not even know what to look for, and it is nearly impossible for enterprise customers to defend against, allowing attackers to take over accounts and exfiltrate data.
HOBOKEN, N.J., June 25, 2025 /PRNewswire/ — Semperis, a provider of AI-powered identity security and cyber resilience, today released new research into nOAuth, a known vulnerability in Microsoft’s Entra ID that enables full account takeover in vulnerable SaaS apps with minimal attacker effort, posing a severe risk to enterprises relying on cross-tenant Entra integrations. Eric Woodruff, Semperis’ Chief Identity Architect, presented his findings this week at Troopers 2025 in Heidelberg, Germany.

nOAuth was first disclosed in 2023 by Omer Cohen of Descope, highlighting a flaw in how some SaaS applications implement OpenID Connect. Semperis’ follow-up research focused on Entra-integrated applications in Microsoft’s Entra Application Gallery, identifying a wide range of applications still vulnerable to nOAuth abuse more than a year later.
Discovered through cross-tenant testing, nOAuth exploits Entra ID app configurations that permit unverified email claims as user identifiers, a known anti-pattern per OpenID Connect standards. In these scenarios, attackers need only an Entra tenant and the target’s email address to assume control of the victim’s SaaS account. Traditional safeguards like MFA, conditional access, and Zero Trust policies offer no protection.
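The anti-pattern described above, shown as an added example that is not code from Semperis, Microsoft, or any affected vendor: a SaaS back end that keys its accounts on the ID token's `email` claim resolves a token from a foreign tenant to the victim's account, while keying on the issuer-scoped `tid` and `sub` claims does not. The token claim sets are constructed samples.

```python
# Added example (not from the Semperis research or Microsoft): how a SaaS
# back end that keys accounts on the ID token's email claim collides two
# distinct Entra identities, and how keying on tenant + subject avoids it.
# Both claim sets below are constructed samples, not real Entra tokens.

VICTIM_TOKEN = {
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "tid": "11111111-1111-1111-1111-111111111111",
    "sub": "victim-subject-pairwise-id",
    "oid": "aaaaaaaa-0000-0000-0000-000000000001",
    "email": "alice@victim.example",
}

# A token minted by a different tenant whose admin set a user's mail
# attribute to the victim's address. Entra does not verify ownership of
# that address, so the email claim matches while tid/oid/sub do not.
FOREIGN_TENANT_TOKEN = {
    "iss": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0",
    "tid": "22222222-2222-2222-2222-222222222222",
    "sub": "foreign-subject-pairwise-id",
    "oid": "bbbbbbbb-0000-0000-0000-000000000002",
    "email": "alice@victim.example",
}


def account_key_vulnerable(claims: dict) -> str:
    """nOAuth anti-pattern: the mutable, unverified email claim is the identity."""
    return claims["email"].lower()


def account_key_hardened(claims: dict) -> str:
    """Key on immutable issuer-scoped identifiers; email is display data only.

    `sub` is unique per (user, application) within the issuing tenant, so
    pairing it with `tid` gives a stable key another tenant cannot reproduce.
    """
    for claim in ("tid", "sub"):
        if not claims.get(claim):
            raise ValueError(f"missing required claim {claim!r}")
    return f"{claims['tid']}:{claims['sub']}"


def same_account(key_fn, a: dict, b: dict) -> bool:
    """True if the lookup function would resolve both tokens to one account."""
    return key_fn(a) == key_fn(b)
```

Running `same_account` with each key function shows the email-keyed lookup merging the two identities and the tenant-plus-subject lookup keeping them apart; a missing `tid` or `sub` is rejected rather than silently falling back to email.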
“It’s easy for well-meaning developers to follow insecure patterns without realizing it and in many cases, they don’t even know what to look for,” said Woodruff. “Meanwhile, customers are left with no way to detect or stop the attack, making this an especially dangerous and persistent threat.”
Safeguarding Against the nOAuth Vulnerability
In a broad test of more than 100 Entra-integrated SaaS applications, Woodruff found nearly 10% were vulnerable to nOAuth abuse. Once the vulnerability is exploited, attackers can gain full access to a user’s account in the SaaS app, enabling data exfiltration, persistence, and potential lateral movement. The Microsoft Security Response Center (MSRC) advises SaaS vendors to follow its recommendations to prevent nOAuth abuse or risk expulsion from the Entra Application Gallery.
“nOAuth abuse is a serious threat that many organizations may be exposed to,” continued Woodruff. “It’s low effort, leaves almost no trace and bypasses end-user protections. We’ve confirmed exploitation is still possible in many SaaS apps, which makes this an urgent call to action. We encourage developers to implement the necessary fixes and help protect their customers before this flaw is exploited further.”
Semperis reported its findings to both affected vendors and Microsoft, beginning in December 2024. While some vendors have since remediated their applications, others remain vulnerable. Without deep log correlation across both Entra ID and the SaaS platform, detecting nOAuth abuse is nearly impossible.
Semperis researchers, pioneers in identity threat detection, recently announced new detection capabilities in the company’s Directory Services Protector platform to defend against BadSuccessor, a high-severity privilege escalation technique targeting a newly introduced feature in Windows Server 2025. Last year, Semperis researchers discovered Silver SAML, a new variant of the SolarWinds-era Golden SAML technique that bypasses standard defenses in Entra ID-integrated applications.
To read the full research blog, visit: https://www.semperis.com/blog/noauth-abuse-alert-full-account-takeover/ 
About Semperis
Semperis protects critical enterprise identity services for security teams charged with defending hybrid and multi-cloud environments. Purpose-built for securing hybrid identity environments—including Active Directory, Entra ID, and Okta—Semperis’ AI-powered technology protects over 100 million identities from cyberattacks, data breaches, and operational errors.
As part of its mission to be a force for good, Semperis offers a variety of cyber community resources, including the award-winning Hybrid Identity Protection (HIP) Conference, HIP Podcast, and free identity security tools Purple Knight and Forest Druid. Semperis is a privately owned, international company headquartered in Hoboken, New Jersey, supporting the world’s biggest brands and government agencies, with customers in more than 40 countries.  
Learn more: https://www.semperis.com
Follow us: Blog / LinkedIn / X / Facebook / YouTube
Media Contact: Bill Keeler, Senior Director, PR & Comms, Semperis, billk@semperis.com

View original content to download multimedia: https://www.prnewswire.com/news-releases/semperis-research-uncovers-ongoing-risk-from-noauth-vulnerability-in-microsoft-entra-id-affecting-enterprise-saas-applications-302490797.html
SOURCE Semperis 
