The God Mode Vulnerability That Should Kill "trust Microsoft" Forever

dead link?

This article isn't just full of LLM-isms, it's unreadable because of it. When you completely delegate your editing to a machine, you're not just lazy, you're robbing yourself of the one thing that made you stand out --emdash-- your own voice.

Moreover, as we navigate this evolving paradigm, we must carefully consider the balance between efficiency, authenticity and a third thing in this list.

Maybe at the end of the day, the point of writing isn't delving into a topic and churning out text as fast as you can, but expressing your opinions in your own authentic voice.

Why not linking to the original site: https://dirkjanm.io/obtaining-global-admin-in-every-entra-id...

The real issue is, what do you use instead that you can make the non-technical users accept?

You can certainly move to google and get an overall improvement in track record and end user experience, but the fundamental issue raised in the article is still there

You can move to proton and get a pretty nice experience for mail and calendar, but it adds limitations regular users will be upset by. Their equivalent to word is very beta and they have nothing similar to excel.

You can move to nextcloud, and fix the fundamental issue, but every single piece of the solution will be even worse to use than microsoft's stack, and users will hate you.

If I could solve this, I could drop microsoft and google both

If that article isn't AI-massaged I'll eat my hat.

Same story, but directly with the reporter:

One Token to rule them all – Obtaining Global Admin in every Entra ID tenant (13 days ago - 51 comment): https://news.ycombinator.com/item?id=45282497

So, the premise that I was able to gather from their website before it went down is "cryptographic guarantees, not vendor trust", and they claim to be working towards that, apparently at https://github.com/tide-foundation, which is a tiny bit underwhelming right now.

Teaser for an undescribed and probably overhyped product.

As long as there is code their will remain a vulnerability.

All the security and compliances require that someone operates it, not everyone can design systems like Linux in an year or so.

The more darker truth is the entire existence of proprietary codebases and architectures, there's a saying either ask the question or forever remain foolish

It's time we ask it ourselves and the companies which we depend on to allow atleast open auditing their architecture

It's just one step but it prevents the level of exploits like these

No one in their right mind ever trusted microsoft with ANYTHING and the people that trust microsoft aren't ever going to change that.

> The root cause of this Microsoft vulnerability wasn’t poor coding or lack of testing. It also isn’t correct to say that it’s the need to trust Microsoft. It’s more accurately what we’re trusting Microsoft with — Authority.

> As long as someone or something holds it, it can be exploited.

Wide distribution, as opposed to centralization, seems to be the most reliable way to ensure continuity. Am I wrong in seeing this pattern in so many different areas? The distributed animal survives ecological or geological collapse in one region, the distributed activist group survives fed infiltration into one entity, the distributed army holds off the centralized one (with infinitely better funding and weaponry) for decades, the distributed political power survives demagogue takeover.

I might be abstracting way too far here, but it makes me wonder why we keep trying to centralize authority, when it keeps failing spectacularly.

The problem is the cloud. This sort of vulnerability is fundamentally impossible with an on-premise Exchange server and Active Directory. Once everyone's talking to and authenticating against one service, this sort of thing becomes difficult to avoid, especially when a company is bragging about how much code is written by LLMs now.

CVE-2025–55241, Azure EntraID had a problem that could have allowed attackers to impersonate any user, including Global Administrators, across any tenant. Its fixed now.

Is there any simple explanation or walk-through of a diagram showing how Tide works?

There are several bits in the article about how Tide and TideCloak demonstrates that authorityless auth works, but I'm not finding an explainer.