A recent Microsoft Entra ID update has caused widespread account lockouts across various organizations, with many administrators suspecting false positives triggered by the new leaked credentials detection feature, known as MACE Credential Revocation.
The issue began after the update, with multiple system administrators reporting that accounts were being flagged as having compromised credentials despite having unique and unused passwords. One Reddit user noted that around half a dozen accounts were blocked after credentials were supposedly found on the dark web, but the affected users didn’t share common characteristics, suggesting it wasn’t a targeted attack.
Microsoft later acknowledged the issue, stating that they had ‘inadvertently generat[ed] alerts in Entra ID Protection’ between 4AM UTC and 9AM UTC on April 20. According to Microsoft, the problem occurred when they internally logged a subset of short-lived user refresh tokens for a small percentage of users, contrary to their standard practice of logging only metadata about such tokens. The issue was immediately corrected, and the tokens were invalidated to protect customers.
However, users received different explanations for the lockouts: some were shown ‘Error Code: 53003’, which points to a Conditional Access policy block, while others were told it was related to an outage in their region, even though no outage had been reported. TechRadar Pro has requested clarification from Microsoft on the incident and on the differing explanations given to users.
Impact and Response
The lockouts caused significant disruption, with affected accounts flagged as high risk despite having no other risk detections or risky sign-ins. Many of the affected organizations use Entra ID with multi-factor authentication (MFA) enabled, which made the false positives particularly puzzling. Microsoft’s admission that it inadvertently generated the alerts explains the scale of the issue, but the inconsistent explanations given to users remain unaccounted for.
Conclusion
The incident highlights the challenges organizations face when implementing new security features. While leaked credentials detection is crucial for security, false positives can cause significant operational disruption. Microsoft’s prompt acknowledgment and corrective action are positive steps, but further clarification will be needed to prevent similar incidents in the future.