
Rogue federation in Entra: forging tokens for any user in a domain

A Global Admin who adds a rogue token-signing trust to a domain can forge valid sign-ins for any user. You cannot revoke one forged token.

A federated domain trusts whatever its identity provider signs. Change that trust, and you can sign in as anyone in the domain.

How the attack works

An attacker holding Global Administrator modifies a custom domain’s federation settings, registering a rogue issuer and token-signing certificate. The tenant will now accept SAML or OIDC tokens the attacker signs for any user in that domain. A forged token for a privileged user appears as a normal federated sign-in with no preceding interactive authentication and no MFA challenge, and the session builds a durable backdoor independent of any password. This is Golden-SAML adjacent, but planted at the Entra federation configuration rather than on a stolen ADFS key. In ATT&CK terms it is T1556, Modify Authentication Process, enabling T1606, Forge Web Credentials.

Why it works

Forged federated tokens are indistinguishable from real ones to downstream applications, because the rogue trust signs them with material the tenant accepts. A privileged identity can silently change federation trust, and nothing downstream questions a validly signed token. The root cause is treating domain federation configuration as ordinary settings rather than Tier-0 trust.

How to fix it

The non-obvious point is that you cannot revoke a single forged token, so remediation has to cover the whole domain. Remove the rogue trust by reverting the domain to managed authentication or restoring the legitimate federation config, rotate the token-signing material, and force reauthentication or revoke sessions for every user in the domain. Scope which sign-ins were forged from the Entra sign-in logs, flagging federated sign-ins in the rogue-trust window with no interactive auth, no MFA, and the rogue issuer details. Then alert on every domain federation or authentication-type change and reconcile each domain's config against a known-good baseline.
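The two response steps above, reconciling each domain's federation config against a known-good baseline and scoping federated sign-ins in the rogue-trust window, as an added Python example (not code from the field note or from GraphLattice). All records are constructed; the field names loosely follow the Microsoft Graph `domain`, `internalDomainFederation` and `signIn` resource shapes, and the issuer URIs, thumbprints and sign-in entries are placeholders, so treat the schema as an assumption and adapt it to whatever your export actually contains.

```python
"""Reconcile Entra domain federation config against a baseline and scope
federated sign-ins that match the rogue-trust pattern.

Added example, not from the original page. Record shapes are an assumption
modelled on Graph `domain` / `internalDomainFederation` / `signIn` objects.
"""
from datetime import datetime, timezone

# Constructed known-good baseline (one entry per custom domain, assumption).
BASELINE = {
    "corp.example.com": {
        "authenticationType": "Federated",
        "issuerUri": "http://adfs.corp.example.com/adfs/services/trust",
        "signingCertificateThumbprint": "BASELINE-THUMBPRINT-PLACEHOLDER",
    },
    "sub.example.com": {"authenticationType": "Managed"},
}

# Constructed current tenant state, as a defender would pull it from Graph.
# corp.example.com now points at an unknown issuer with a new signing cert,
# and new.example.com has been federated without ever being baselined.
CURRENT = {
    "corp.example.com": {
        "authenticationType": "Federated",
        "issuerUri": "http://rogue-idp.attacker.invalid/trust",
        "signingCertificateThumbprint": "ROGUE-THUMBPRINT-PLACEHOLDER",
    },
    "sub.example.com": {"authenticationType": "Managed"},
    "new.example.com": {
        "authenticationType": "Federated",
        "issuerUri": "http://rogue-idp.attacker.invalid/trust",
        "signingCertificateThumbprint": "ROGUE-THUMBPRINT-PLACEHOLDER",
    },
}

# Any drift in these fields is a Tier-0 trust change and should page someone.
FEDERATION_FIELDS = ("authenticationType", "issuerUri", "signingCertificateThumbprint")


def reconcile_domains(baseline, current):
    """Return (domain, field, expected, observed) tuples for every drift.

    A domain present in the tenant but absent from the baseline is reported
    as a whole, because an unbaselined federated domain is itself a finding.
    """
    findings = []
    for domain, observed in sorted(current.items()):
        expected = baseline.get(domain)
        if expected is None:
            findings.append((domain, "domain", None, "not in baseline"))
            continue
        for field in FEDERATION_FIELDS:
            if expected.get(field) != observed.get(field):
                findings.append((domain, field, expected.get(field), observed.get(field)))
    return findings


def _parse_ts(value):
    # Graph timestamps end in "Z"; normalise so older Pythons parse them too.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def scope_forged_signins(signins, domain, rogue_issuer, window_start, window_end):
    """Return ids of sign-ins matching the forged-token pattern from the page:
    a user in `domain`, inside the rogue-trust window, federated token issuer
    equal to the rogue issuer, and no MFA satisfied. This scopes the blast
    radius; every user in the domain still gets sessions revoked regardless.
    """
    flagged = []
    for s in signins:
        if not s["userPrincipalName"].lower().endswith("@" + domain):
            continue
        if not window_start <= _parse_ts(s["createdDateTime"]) <= window_end:
            continue
        # "ADFederationServices" stands in for any federated issuer type here.
        if s.get("tokenIssuerType") != "ADFederationServices":
            continue
        if s.get("tokenIssuerName") != rogue_issuer:
            continue
        if s.get("authenticationRequirement") == "multiFactorAuthentication":
            continue
        flagged.append(s["id"])
    return flagged


# Constructed sign-in log entries covering each branch of the filter.
SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@corp.example.com", "createdDateTime": "2024-05-01T10:05:00Z",
     "tokenIssuerType": "ADFederationServices", "tokenIssuerName": "http://rogue-idp.attacker.invalid/trust",
     "authenticationRequirement": "singleFactorAuthentication"},
    {"id": "s2", "userPrincipalName": "bob@corp.example.com", "createdDateTime": "2024-05-01T10:10:00Z",
     "tokenIssuerType": "ADFederationServices", "tokenIssuerName": "http://adfs.corp.example.com/adfs/services/trust",
     "authenticationRequirement": "multiFactorAuthentication"},
    {"id": "s3", "userPrincipalName": "carol@corp.example.com", "createdDateTime": "2024-04-30T08:00:00Z",
     "tokenIssuerType": "ADFederationServices", "tokenIssuerName": "http://adfs.corp.example.com/adfs/services/trust",
     "authenticationRequirement": "singleFactorAuthentication"},
    {"id": "s4", "userPrincipalName": "dave@sub.example.com", "createdDateTime": "2024-05-01T10:20:00Z",
     "tokenIssuerType": "AzureAD", "tokenIssuerName": "https://sts.windows.net/tenant-placeholder/",
     "authenticationRequirement": "singleFactorAuthentication"},
    {"id": "s5", "userPrincipalName": "ga-admin@corp.example.com", "createdDateTime": "2024-05-01T11:00:00Z",
     "tokenIssuerType": "ADFederationServices", "tokenIssuerName": "http://rogue-idp.attacker.invalid/trust",
     "authenticationRequirement": "singleFactorAuthentication"},
]

WINDOW_START = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)   # rogue trust registered
WINDOW_END = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)    # trust removed


def run():
    """Run both checks on the constructed data and return their results."""
    drift = reconcile_domains(BASELINE, CURRENT)
    rogue_issuer = CURRENT["corp.example.com"]["issuerUri"]
    flagged = scope_forged_signins(SIGNINS, "corp.example.com", rogue_issuer, WINDOW_START, WINDOW_END)
    return drift, flagged


if __name__ == "__main__":
    drift, flagged = run()
    for finding in drift:
        print("DRIFT", finding)
    print("forged-pattern sign-ins:", flagged)
```

Run the reconciliation on a schedule and on every audit event that touches a domain's federation or authentication type; the drift list is the alert payload, and the issuer it reveals feeds straight into the sign-in scoping step.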

Practice it

We built this as a GraphLattice Range scenario so responders can spot the federation-setting change, remove the rogue trust, and rotate signing material for the whole domain.