Microsoft Vulnerability Continues to Expose SaaS Applications Two Years Post-Discovery


A critical vulnerability in Microsoft’s Entra ID continues to expose numerous enterprise applications, two years post-discovery. Semperis, an identity security provider, presented new findings regarding this threat at the TROOPERS25 conference held in Heidelberg, Germany on June 25, 2025.

The analysis revealed that approximately 15,000 software-as-a-service (SaaS) applications may be vulnerable to the nOAuth flaw, a serious authentication issue that could lead to account takeovers and data exfiltration.

The nOAuth Vulnerability Explained

Identified in June 2023, nOAuth is an authentication implementation flaw affecting Microsoft Azure AD multi-tenant Open Authorization (OAuth) applications. This flaw was uncovered by Descope through cross-tenant testing. OAuth is an open, token-based authorization framework that allows users to grant application access to their private resources without relinquishing their identity details.

OpenID Connect (OIDC), built atop OAuth 2.0, enables applications to authenticate users and access basic profile details, using JSON Web Tokens (JWT) to carry the identity claims. The vulnerability emerges from Entra ID app configurations that use the token's unverified email claim as the user identifier, an established anti-pattern under the OIDC specification, which designates the subject identifier as the only stable key for a user. In such cases, an attacker only requires an Entra tenant and the target email address to seize control of the victim's SaaS account.
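To make the anti-pattern concrete, the following added example (not code from Semperis, Descope or Microsoft) places a SaaS account lookup keyed on the ID token's `email` claim beside one keyed on the Entra ID tenant and object identifier claims (`tid` and `oid`); the account record and the two decoded claim sets are constructed sample data, and the example assumes the JWT signature and issuer were already validated upstream.

```python
# Added example: the nOAuth anti-pattern (keying a SaaS account on the
# unverified "email" claim) beside a hardened lookup keyed on the Entra ID
# "tid" + "oid" claims. Claim sets are constructed samples, already decoded
# and signature-checked upstream (assumption).

from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    account_id: str
    tenant_id: str      # Entra "tid" claim recorded at provisioning
    object_id: str      # Entra "oid" claim recorded at provisioning
    email: str          # contact/display value only, never a lookup key

# Constructed customer record: the real user, provisioned from tenant A.
ACCOUNTS = [Account("acct-001", "tenant-a", "oid-victim", "victim@example.com")]

def lookup_vulnerable(claims: dict) -> Optional[Account]:
    """Anti-pattern: in a multi-tenant app the 'email' claim is not verified
    by Entra ID, so a token from any tenant may carry the same address."""
    email = claims.get("email", "").lower()
    return next((a for a in ACCOUNTS if a.email.lower() == email), None)

def lookup_hardened(claims: dict) -> Optional[Account]:
    """Key on tenant + object identifiers issued by Entra ID; a token from a
    different tenant can never match, whatever its email claim says."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None  # reject tokens missing the stable identifiers
    return next((a for a in ACCOUNTS if a.tenant_id == tid and a.object_id == oid), None)

# Constructed decoded claim sets.
LEGIT = {"tid": "tenant-a", "oid": "oid-victim", "email": "victim@example.com"}
FOREIGN = {"tid": "tenant-b", "oid": "oid-other", "email": "victim@example.com"}

if __name__ == "__main__":
    print(lookup_vulnerable(FOREIGN))  # -> acct-001: the cross-tenant match nOAuth abuses
    print(lookup_hardened(FOREIGN))    # -> None: foreign tenant does not match
```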

Moreover, conventional security measures, such as multifactor authentication (MFA), conditional access, and Zero Trust policies, are ineffective against this vulnerability.

Undetected by SaaS Vendors

Semperis’s findings suggest that despite the discovery of nOAuth two years ago, many SaaS applications remain susceptible to this flaw. Approximately 10% of the total SaaS applications in circulation—estimated at over 150,000—could be impacted, equating to at least 15,000 enterprise SaaS applications at risk as of June 2025.

The ongoing oversight by SaaS vendors appears to stem from a lack of understanding of the vulnerability and the difficulty enterprises face in defending against it, thereby enabling attackers to compromise accounts and extract sensitive data.

Eric Woodruff, the Chief Identity Architect at Semperis, categorized this vulnerability as “severe” due to its low complexity and the challenge of defending against attacks. He emphasized that developers can inadvertently adopt insecure patterns without awareness and often lack the tools to identify such weaknesses. Consequently, customers are left without effective detection or prevention strategies, making the threat particularly insidious and enduring.

Protecting Against nOAuth Vulnerabilities

While traditional vulnerability mitigation techniques do not address nOAuth, Semperis recommends several strategies to lessen the risks associated with this flaw:

  • SaaS vendors should adhere to Microsoft’s guidelines to thwart nOAuth exploitation.
  • Developers must implement essential fixes to safeguard their customer base.
  • Organizations should integrate comprehensive log correlation across both Entra ID and the SaaS platform to detect nOAuth abuses.

These steps are critical in mitigating the potential damage from this ongoing vulnerability and enhancing the overall security posture of enterprise applications.