Microsoft Addresses Entra ID Token Logging Issue and MACE Rollout Challenges

Microsoft's Entra ID Protection service recently generated a wave of alerts that flagged large numbers of user accounts as high risk, citing credentials supposedly found on the dark web. Two events coincided: an internal token logging error, which Microsoft corrected by invalidating the affected tokens, and the rollout of a new feature, MACE Credential Revocation. Together they left administrators worldwide with high-risk flags that most could not tie to any real compromise.

Token Logging Issue Leads to Alerts

The first cause was that Microsoft inadvertently logged a subset of short-lived user refresh tokens for a small percentage of users. Normally only metadata about a token is logged, never the token itself. Once the deviation was found, Microsoft corrected the logging and invalidated the affected tokens so that they could not be used even if the logs had been read. The invalidation, however, was processed by Entra ID Protection as a signal that the users' credentials might have been compromised, and it raised risk alerts between 4:00 AM and 9:00 AM UTC on April 20, 2025.

Microsoft has stated that it has found no evidence that the logged tokens were accessed by anyone unauthorized, and that it will follow its standard security incident response process should such access be detected.

MACE Rollout Induces False Positives

Compounding the situation, Microsoft simultaneously rolled out a new feature named MACE Credential Revocation, which detects and responds to potentially compromised credentials by cross-referencing them against data from the dark web and other sources. The rollout produced widespread false positives: accounts were flagged as high risk even though they had strong, unique passwords and multi-factor authentication (MFA) enabled. Note that a strong password with MFA does not by itself disprove a leaked-credential detection, which fires when the credential pair is found in a breach set regardless of whether MFA would have stopped its use; what pointed to a defect here was the absence of any corroborating risk signal and, as reported below, detections against accounts that have no password at all.

Reports on social media and online forums, including Reddit, described the same pattern. Some administrators noted that even passwordless accounts were flagged; since such accounts have no password that could appear in a dump, this was a strong indication that the detections were erroneous. One administrator shared on Reddit:

I just got a half dozen alerts for accounts supposedly found with valid credentials on the dark web. … The six accounts don’t have much in common … There are no risky sign-ins, no other risk detections, everyone is MFA.

The user also mentioned that the accounts showed no matches on Have I Been Pwned (HIBP), raising suspicions of a Microsoft error.

Microsoft’s Response and Recommended Actions

In response, Microsoft has advised affected customers to use the Confirm User Safe feature in Entra ID Protection to clear erroneous high-risk flags. This lets an administrator manually reset a user's risk state, and it also feeds back into the risk engine, so it should be applied only after checking that the user shows no other risk detections or risky sign-ins; a user who really is compromised should instead be marked Confirm Compromised and have the password reset. Microsoft additionally recommends resetting passwords for accounts that were locked out and confirming that MFA is enabled, even though many affected accounts already had both in place.

Administrators are also encouraged to review the sign-in logs in the Microsoft Entra admin center (Monitoring & Health > Sign-in logs) for failures with error code AADSTS50053, the code Microsoft pointed to for accounts locked out during the incident. A failure with that code shows that a user was affected by the lockout; it is not evidence that the credential was actually leaked.

Ongoing Investigation and Recommendations

Microsoft is conducting a Post Incident Review (PIR) to thoroughly investigate both the token logging issue and the false positives resulting from the MACE rollout. The PIR will be shared with affected customers through official channels and open support cases. Customers are encouraged to configure Azure Service Health alerts to receive updates on the PIR and future Azure service issues.

Administrators facing these alerts should:

1. Confirm User Safety: For users whose only risk signal is the leaked-credential detection from the incident window, use the Entra ID Protection admin feature to clear the false high-risk flag.
2. Review Sign-In Logs: Check for AADSTS50053 lockouts in the window and for any other unusual activity, such as risky sign-ins or additional risk detections.
3. Reset Passwords: Reset passwords for accounts that were locked out, and for any account where the review found a corroborating signal.
4. Ensure MFA is Enabled: Verify that multi-factor authentication is active for all user accounts.

By following these steps, administrators can help mitigate the impact of these issues and maintain the security of their systems.
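The following Microsoft Graph PowerShell script is an added example, not Microsoft's code and not taken from the page's sources. It carries the four steps through as a triage rather than a blanket clear: it lists the leaked-credential detections from the incident window, counts AADSTS50053 failures per user, checks whether each user has any other recent risk detection, and only when run with -Remediate clears risk for the uncorroborated users, leaving the rest for manual review. Assumptions: the Microsoft.Graph PowerShell SDK is installed and the caller has the listed permissions; the 04:00 to 09:00 UTC window and the seven-day look-back are parameters, not facts from the page; and the Graph riskyUsers dismiss action is assumed to be the API equivalent of the portal's Confirm User Safe button, which you should verify against the Graph reference for your tenant.

```powershell
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports
# Added example (not Microsoft's code): triage Entra ID Protection leaked-credential
# detections from the 20 April 2025 window before clearing any user's risk.
param(
    # Incident window from Microsoft's notice; adjust if your tenant saw a different window.
    [datetime]$WindowStart = [datetime]::Parse('2025-04-20T04:00:00Z').ToUniversalTime(),
    [datetime]$WindowEnd   = [datetime]::Parse('2025-04-20T09:00:00Z').ToUniversalTime(),
    [int]$LookbackDays     = 7,   # how far back to look for corroborating detections (assumption)
    [switch]$Remediate            # without this switch the script only reports
)

$odata = "yyyy-MM-dd'T'HH:mm:ss'Z'"
Connect-MgGraph -NoWelcome -Scopes 'IdentityRiskEvent.Read.All', 'IdentityRiskyUser.ReadWrite.All',
                                   'AuditLog.Read.All', 'Directory.Read.All'

# Step 2a: every leaked-credential detection, narrowed client-side to the incident window.
$leaked = Get-MgRiskDetection -All -Filter "riskEventType eq 'leakedCredentials'" |
    Where-Object { $_.DetectedDateTime -ge $WindowStart -and $_.DetectedDateTime -le $WindowEnd }

# Step 2b: sign-ins in the window that failed with AADSTS50053, grouped per user.
$lockouts = Get-MgAuditLogSignIn -All -Filter ("status/errorCode eq 50053 and createdDateTime ge {0} and createdDateTime le {1}" -f
    $WindowStart.ToString($odata), $WindowEnd.ToString($odata)) |
    Group-Object -Property UserId -AsHashTable -AsString
if (-not $lockouts) { $lockouts = @{} }   # Group-Object returns $null when there are no hits

# Step 1 (decision): a user is a candidate for "Confirm user safe" only if the leaked-credential
# detection stands alone, with no other detection in the look-back period.
$report = foreach ($group in ($leaked | Group-Object -Property UserId)) {
    $userId = $group.Name
    $other  = @(Get-MgRiskDetection -All -Filter "userId eq '$userId'" |
        Where-Object { $_.RiskEventType -ne 'leakedCredentials' -and
                       $_.DetectedDateTime -ge $WindowStart.AddDays(-$LookbackDays) })
    $risky  = Get-MgRiskyUser -RiskyUserId $userId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UserId           = $userId
        UPN              = $group.Group[0].UserPrincipalName
        LeakedDetections = $group.Count
        OtherDetections  = $other.Count
        RiskLevel        = $risky.RiskLevel
        RiskState        = $risky.RiskState
        Lockouts50053    = if ($lockouts.ContainsKey($userId)) { $lockouts[$userId].Count } else { 0 }
        Candidate        = ($other.Count -eq 0)
    }
}

$report | Sort-Object Candidate, UPN |
    Format-Table UPN, LeakedDetections, OtherDetections, RiskLevel, RiskState, Lockouts50053, Candidate -AutoSize

# Steps 3 and 4 are left for the human: anyone with OtherDetections > 0 needs Confirm compromised and a
# password reset, and locked-out users need a reset regardless of the risk decision.
if ($Remediate) {
    $ids = @($report | Where-Object { $_.Candidate -and $_.RiskState -eq 'atRisk' } |
        Select-Object -ExpandProperty UserId)
    # The dismiss action accepts a batch of user IDs; 60 per call is the documented limit.
    for ($i = 0; $i -lt $ids.Count; $i += 60) {
        $batch = $ids[$i..([Math]::Min($i + 59, $ids.Count - 1))]
        Invoke-MgDismissRiskyUser -UserIds $batch   # sets the user's risk level back to none
        Write-Host "Dismissed risk for $($batch.Count) user(s) with no corroborating signal"
    }
}
```

Run it first without -Remediate and read the table: a user with a single leaked-credential detection, no other detections and a clean sign-in history matches the pattern administrators described during this incident, whereas a user with additional detections or risky sign-ins should not be cleared by script at all. The batch loop exists because the dismiss action is limited per call; if your tenant exposes a dedicated confirm-safe action in Graph, substitute it so the feedback reaches the risk model as "safe" rather than "dismissed".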