Was your Microsoft Entra ID account locked? Find out about the recent widespread lockouts caused by the new MACE Credential Revocation app and a Microsoft error in handling user refresh tokens.
Recently, many companies experienced a problem where their employees suddenly couldn't log into their Microsoft Entra accounts, and they voiced their concern in a Reddit thread. Microsoft, the company behind Entra ID (previously known as Azure Active Directory), has explained what happened.
It appears that a newly released component of Microsoft Entra ID called the MACE Credential Revocation app, which is designed to enhance security by identifying compromised credentials, mistakenly flagged many ordinary users as high risk. This led to widespread account lockouts.
Microsoft has traced the root cause to an internal logging issue involving refresh tokens (the tokens that keep users signed in), which were being logged inside Microsoft's own systems. Specifically, the standard process is to log only metadata about these short-lived tokens, and the problem arose when a subset of the tokens themselves were being logged internally "for a small percentage of users," starting on Friday, April 18th, 2025.
As soon as it realized this error on Friday, April 18th, 2025, Microsoft took action to fix it. To keep its customers safe, it decided to invalidate those specific tokens, meaning they would no longer work.
However, this process of invalidating the tokens mistakenly triggered alerts in Entra ID Protection. These alerts, sent out on Sunday, April 20th, 2025, between 4 AM and 9 AM UTC, made it look as if users' login details might have been stolen.
Microsoft has stated that it has no evidence that anyone gained unauthorized access to these tokens. "We have no indication of unauthorized access to these tokens – and if we determine there was any unauthorized access, we will invoke our standard security incident response and communication processes," the tech giant noted.
For companies whose users were locked out because they were wrongly marked as high-risk, Microsoft suggests a solution. Administrators can use a feature called Confirm User Safe within Entra ID. This tells the system that although an alert was raised, the user's account is actually fine. Microsoft has provided a link to its support documentation that explains how to use this feature and how to understand the risk alerts.
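Before clearing risk for everyone, an administrator will want to narrow the cleanup to users whose risk was raised inside the advisory's alert window and who are still flagged. The following triage helper is an added example, not code from the article or from Microsoft: it runs offline on a constructed sample shaped like the Microsoft Graph `/identityProtection/riskyUsers` resource (field names taken from that API), selects users still `atRisk` whose `riskLastUpdatedDateTime` falls in the Sunday, April 20th, 2025, 04:00–09:00 UTC window, and builds the body for the Graph `riskyUsers/dismiss` action; that the dismiss action corresponds to the portal's Confirm User Safe button is an assumption here, and any user with other, unrelated detections should be reviewed by hand rather than bulk-cleared.

```python
"""Triage helper for the April 2025 Entra ID false-positive lockouts (added example)."""
import json
from datetime import datetime, timezone

# Alert window stated in Microsoft's advisory (UTC).
WINDOW_START = datetime(2025, 4, 20, 4, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 4, 20, 9, 0, tzinfo=timezone.utc)

# Constructed sample records, not real tenant data. Field names follow the
# Graph riskyUser resource (assumed from that API, not from the article).
SAMPLE_RISKY_USERS = [
    {"id": "u1", "userPrincipalName": "alice@example.com", "riskState": "atRisk",
     "riskLevel": "high", "riskLastUpdatedDateTime": "2025-04-20T05:12:00Z"},
    {"id": "u2", "userPrincipalName": "bob@example.com", "riskState": "atRisk",
     "riskLevel": "high", "riskLastUpdatedDateTime": "2025-04-19T23:50:00Z"},
    {"id": "u3", "userPrincipalName": "carol@example.com", "riskState": "remediated",
     "riskLevel": "none", "riskLastUpdatedDateTime": "2025-04-20T06:30:00Z"},
    {"id": "u4", "userPrincipalName": "dave@example.com", "riskState": "atRisk",
     "riskLevel": "medium", "riskLastUpdatedDateTime": "2025-04-20T08:59:00Z"},
]


def parse_graph_time(value):
    """Graph returns ISO 8601 with a trailing Z; return a tz-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def select_window_candidates(records, start=WINDOW_START, end=WINDOW_END):
    """Return users still atRisk whose risk was last updated inside [start, end].

    Users flagged outside the window (u2) or already remediated (u3) are left
    alone so that a genuine detection is not cleared by accident.
    """
    out = []
    for rec in records:
        when = parse_graph_time(rec["riskLastUpdatedDateTime"])
        if rec.get("riskState") == "atRisk" and start <= when <= end:
            out.append(rec)
    return out


def build_dismiss_body(records):
    """Request body for POST /identityProtection/riskyUsers/dismiss."""
    return {"userIds": [rec["id"] for rec in records]}


if __name__ == "__main__":
    candidates = select_window_candidates(SAMPLE_RISKY_USERS)
    for rec in candidates:  # print the review list before anything is sent
        print(rec["userPrincipalName"], rec["riskLevel"], rec["riskLastUpdatedDateTime"])
    print(json.dumps(build_dismiss_body(candidates)))
```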
Microsoft is still looking into exactly what went wrong and will share a detailed report, called a Post Incident Review (PIR), with all affected customers and anyone who opened a support ticket.
To be notified when this report is available, or to stay updated on any future problems with Azure services, Microsoft recommends setting up Azure Service Health alerts. These alerts can send notifications by email, text message, and other methods.
Jim Routh, Chief Trust Officer at Saviynt, shared his thoughts on the situation with Hackread.com. He pointed out that although this caused problems for some Microsoft enterprise customers over the weekend, there were some positive aspects.
"The positive news is that the disruption occurred over the weekend, and today (Monday), customers have the information along with the fix (corrective actions) necessary for recovery," he said. "The vulnerability and the action taken (token invalidation) were ultimately shared by Microsoft in an advisory relatively quickly. This is a sign of health or resilience despite the inconvenience to some enterprise customers over the weekend," Routh added.