Thousands of SaaS Apps Could Still Be Susceptible to nOAuth

New research suggests more than 10,000 SaaS apps could remain vulnerable to a nOAuth variant despite the basic issue being disclosed in June 2023.


nOAuth is best described as an abuse methodology used to target a misconfiguration or poor development practice in the interface between SaaS apps and Entra ID. The SaaS user is the victim. 

It is effectively impossible for a SaaS user to know whether it is a nOAuth victim, and there are no mitigation options available on the victim's side. The victim may have its own extensive security controls, but nOAuth takes place between the SaaS application and Entra ID, beyond the view of any local security.

Toward the end of 2024, researchers at Semperis began looking at SaaS applications included in the Microsoft Entra Gallery. The purpose was not to repeat the Descope research, but to see if the nOAuth methodology could be invoked via a cross-tenant approach rather than Descope’s multiple identity providers scenario.

The researchers selected 104 SaaS applications from the Microsoft Entra Gallery. “Essentially, the target (victim) customer is a Microsoft customer with an Entra ID tenant, and the attacker uses a different Entra ID tenant to perform the abuse,” they explain. It works. The SaaS application only needs to support Entra ID for authentication to be susceptible to nOAuth – and while many apps may have followed advice to close the door detected by Descope (involving multiple identity providers), relatively few are even aware that Entra ID alone is sufficient to invoke nOAuth.

“The focus of the research from Descope was on account merging flows – for example, if the SaaS application supported Google and Microsoft (Entra ID). In our research, we found that the same sort of abuse can exist even if the application is only using Entra ID, and the application is only looking at the email claim,” explains Eric Woodruff, Chief Identity Architect at Semperis. 

He continued, “Many developers could have read the Descope research and thought, ‘This doesn’t apply to us’. There was also some inaccurate reporting at that time, saying nOAuth was ‘fixed’. The headlines would make you believe that Microsoft did something to resolve it across the board.”

It wasn’t fixed. Microsoft provided advice on how to properly configure Entra ID. nOAuth can be prevented but it cannot be fixed.
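The configuration point the research turns on is which token claims a SaaS application uses to map an Entra ID login onto a local account. The following is an added example, not code from Semperis, Descope or Microsoft: it contrasts an account lookup keyed on the `email` claim alone (the pattern the research describes as abusable from a foreign tenant) with one keyed on the tenant and object identifiers Entra ID issues. It assumes the application's OIDC library has already validated the token's signature, issuer and audience, and the sample claims and account records are constructed for illustration.

```python
"""Added example: mapping validated Entra ID token claims to a SaaS account.

Assumes signature/issuer/audience checks already happened upstream; these
functions only decide which claims identify the user."""

# Constructed sample claims. A tenant owner can set any email on a guest or
# member account in their own tenant, so `email` is attacker-influenced; `tid`
# (tenant id) and `oid` (object id) are issued by Entra ID for that tenant.
VICTIM_CLAIMS = {"tid": "tenant-victim", "oid": "obj-victim-1",
                 "email": "cfo@victim.example"}
FOREIGN_CLAIMS = {"tid": "tenant-other", "oid": "obj-other-9",
                  "email": "cfo@victim.example"}  # same email, different tenant

# Constructed account store, first keyed the weak way and then the robust way.
CFO_ACCOUNT = {"owner": "victim", "data": "payroll"}
ACCOUNTS_BY_EMAIL = {"cfo@victim.example": CFO_ACCOUNT}


def lookup_by_email(claims):
    """Weak pattern: the email claim alone selects the account, so a token from
    any tenant carrying the same email address resolves to the victim's data."""
    return ACCOUNTS_BY_EMAIL.get(claims.get("email"))


def stable_subject(claims):
    """Build the account key from tid + oid. A different tenant cannot mint a
    token with the victim tenant's tid, so the key is not forgeable by email."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        raise ValueError("token lacks tid/oid; refuse to map it to an account")
    return f"{tid}:{oid}"


ACCOUNTS_BY_SUBJECT = {stable_subject(VICTIM_CLAIMS): CFO_ACCOUNT}


def lookup_by_subject(claims):
    """Hardened pattern: resolve the account only through the tid:oid key.
    Email may still be read for display, but never for identity."""
    return ACCOUNTS_BY_SUBJECT.get(stable_subject(claims))


if __name__ == "__main__":
    print("email lookup, foreign tenant:", lookup_by_email(FOREIGN_CLAIMS))
    print("subject lookup, foreign tenant:", lookup_by_subject(FOREIGN_CLAIMS))
```

A real deployment also has to migrate existing accounts that were provisioned by email onto the tid:oid key, because the weak lookup remains reachable for as long as it exists in the code path.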


Of the 104 apps it investigated, Semperis found that nine were vulnerable to nOAuth (approximately 9%). It is difficult to know how these results might translate across the whole SaaS ecosystem, but Woodruff comments, “If there are, say, 44,000 SaaS companies, and several of them have multiple products, it wouldn’t be outrageous to believe that there could be 150,000 SaaS applications out there.”

From those tested, 9% were vulnerable. “So, if that was extrapolated out against 150,000 applications, it would be 13,500 that could be vulnerable.” Among the vulnerable SaaS applications found by Semperis were a human resources management platform (likely filled with PII), and other applications that integrated back into Microsoft 365. In the latter case, successful nOAuth abuse would allow the attacker to access the SaaS data and potentially to pivot into Microsoft 365 resources.

Semperis informed Microsoft of its research. It opened an MSRC case in December 2024 but received little response from MSRC – which closed the case without providing details in April 2025. SecurityWeek has invited Microsoft to comment on the Semperis research but has received no reply at the time of writing (if we get a response, it will be included as an addendum to this article).

But this is not an issue that can be fixed by Microsoft – it is fundamentally an architectural problem involving the shared authentication/authorization endpoint used by all Entra tenants and the legitimate need for guest accounts with an email address, including unverified email addresses. Microsoft has built a platform that, if configured and implemented correctly, will not be vulnerable to nOAuth.

This is the problem. Developers are always under pressure to deliver at speed, and can easily misunderstand detailed instructions and make false assumptions about what is required. Details from the Semperis research suggest this is widespread.

In the final analysis, nOAuth is not a vulnerability that can be fixed, but a misconfiguration that can be exploited. Microsoft can offer advice and instructions on how to do things correctly, but it cannot force developers to follow the rules.

The bottom line is that nOAuth continues, victims don’t know they are victims, Microsoft cannot fix the problem, and the developers, who alone can prevent nOAuth, are so far failing to do so.

Related: TeamFiltration Abused in Entra ID Account Takeover Campaign

Related: OneDrive Gives Web Apps Full Read Access to All Files

Related: Descope Targets Customer Identity Market with Massive $53M Seed Round

Related: Researchers Flag Account Takeover Flaw in Microsoft Azure AD OAuth Apps

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
