Mandiant discovered that ADFS environments with AutoCertificateRollover disabled and manually rotated certificates can expose active token-signing private keys in Machine DPAPI storage, creating a 'ghost certificate' drift condition where the WID database contains stale entries. A SYSTEM-level attacker can recover the active signing key from the machine CAPI key store using the DPAPI_SYSTEM LSA secret and machine masterkeys, bypassing LSASS and ADFS process monitoring. The recovered key enables forging valid SAML assertions for any user, including Global Administrator, which Entra ID accepts as legitimate authentication.