- Some Entra ID accounts were being flagged as having compromised credentials
- Seems it was just Microsoft “inadvertently generat[ing] [false] alerts”
- However, users were getting different explanations from Microsoft
Windows administrators have been reporting mass account lockouts across various organizations following a Microsoft Entra ID update.
Many believe these were false positives triggered in Entra ID’s new leaked credentials detection app (a new feature called MACE Credential Revocation), as affected accounts had unique and unused passwords.
One user posted to a Reddit thread that around half a dozen accounts had been blocked after credentials were supposedly found on the dark web, however those users didn’t have much in common, suggesting that it wasn’t a targeted attack.
Entra ID might be flagging false positives
“There are no risky signins, no other risk detections, everyone is MFA, it’s literally the only thing that’s appeared today, raising the risk on these people from zero to high,” the Reddit user explained.
Beneath the original post is a series of comments from other system admins who also experienced similar issues, with one user sharing a response from Microsoft suggesting that the accounts had been erroneously flagged:
“On Friday 4/18/25, Microsoft identified that it was internally logging a subset of short-lived user refresh tokens for a small percentage of users, whereas our standard logging process is to only log metadata about such tokens. The internal logging issue was immediately corrected, and the team performed a procedure to invalidate these tokens to protect customers.”
The notice sees Microsoft admit to “inadvertently generat[ing] alerts in Entra ID Protection” of supposed compromised credentials between 4AM UTC and 9AM UTC on April 20.
Another user said they were quoted “Error Code: 53003” for conditional access policy, while another was told that it was to do with an outage in their region – even though no outage had been reported or logged.
TechRadar Pro has asked Microsoft to clarify what happened over the weekend and why users appear to have received different explanations. Any update will be posted here.
