TL;DR: Undocumented Actor tokens accepted by legacy Azure AD Graph let one tenant impersonate any user across tenants including GA (CVE-2025-55241).

Stub — to be filled in.

What it is

TODO

Preconditions / where it applies

TODO

Technique

TODO

Detection and defence

TODO

References

• https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/