July 7, 2026
The 403 That Wasn’t: How I Ended Up Accessing 100K Azure AD Users : My Microsoft Research Story
Hi again,

By Hamzadzworm
2 min read
This is Abdelkader Mouaz, also known as Hamzadzworm.
Today I want to share one of the most interesting reports I've ever submitted to the Microsoft Security Response Center (MSRC). Even though the report was ultimately classified as "Not a Vulnerability," I think the research process itself is worth sharing.
The Target
I was invited to a private bug bounty program, where the company provided me with Microsoft credentials to test their environment.
As I usually do, I didn't limit myself to a single application.
I started logging into different Microsoft services using the same account, looking for anything interesting.
Eventually, I found one.
When I navigated to the Users section, I was greeted with exactly what I expected:
403 Forbidden.
So I started inspecting every request made by the application, one by one.
After a while, one request caught my attention.
It was a permission validation request.
Out of curiosity, I simply dropped the request using Burp Suite.
The result surprised me.
Instead of stopping, the application continued loading.
A few seconds later, I was looking at a directory containing more than 64,000 Azure Active Directory users.
And 40k Deleted User
Not only could I browse the users, but I could also view information associated with each account and export full directory data and download it.
At that moment, I genuinely believed I had found a serious authorization issue. So I documented everything, recorded a proof of concept, and submitted the report to Microsoft. Their first response wasn't what I expected.
this is was Microsoft triage response :
And One other thing After i submit this to microsoft they just added a note saying:
What do you think?
If a restricted account is denied access to a page but can still reach the underlying directory after manipulating its own client requests, would you consider that a security vulnerability?
I've experienced a similar situation with PayPal as well, and I'll be sharing that write-up soon. Stay tuned -.-