Microsoft has acknowledged a recent issue that triggered widespread alerts in its Entra ID Protection system, flagging user accounts as high risk due to supposed credential leaks on the dark web.
The alerts have been attributed to a combination of an internal token logging error and the rollout of a new security feature called MACE Credential Revocation, causing confusion among system administrators globally.
Token Logging Issue Sparks Alerts
Microsoft identified that it was inadvertently logging a subset of short-lived user refresh tokens for a small percentage of users, contrary to its standard practice of only logging metadata.
The issue was promptly corrected, and Microsoft invalidated the affected tokens to protect users. However, this invalidation process unintentionally generated alerts in Entra ID Protection between 4:00 AM and 9:00 AM UTC on April 20, 2025, indicating that users’ credentials may have been compromised.
Microsoft has stated there is no evidence of unauthorized access to these tokens, but it will follow standard security incident response protocols if any is detected.
MACE Rollout Triggers False Positives
Compounding the issue, Microsoft rolled out a new security feature, MACE Credential Revocation, over the same weekend.
This feature is designed to detect and respond to potentially compromised credentials by checking for matches on the dark web and other sources.
However, the rollout led to widespread false positives, with accounts being flagged as high risk despite having strong, unique passwords and multi-factor authentication (MFA) enabled.
Social media posts and online forums, including Reddit, have reported similar experiences, with some administrators noting that even passwordless accounts were affected, suggesting the alerts were erroneous.
One administrator shared on Reddit: “I just got a half dozen alerts for accounts supposedly found with valid credentials on the dark web. … The six accounts don’t have much in common … There are no risky sign-ins, no other risk detections, everyone is MFA.”
The user noted that the accounts showed no matches on Have I Been Pwned (HIBP), raising suspicions of a Microsoft error.
Microsoft’s Response and Customer Actions
Microsoft has advised affected customers to use the “Confirm User Safe” feature in Entra ID Protection to resolve erroneous high-risk flags, as detailed in its documentation.
This feature allows administrators to manually clear the risk status for affected users. Additionally, Microsoft recommends resetting passwords for locked accounts and ensuring MFA is enabled, though many affected accounts already had these measures in place.
Administrators can also review sign-in logs in the Microsoft Entra admin center under Monitoring & Health for error codes like AADSTS50053, which indicate account lockouts.
Ongoing Investigation and Recommendations
Microsoft is conducting a Post Incident Review (PIR) to investigate both the token logging issue and the MACE rollout’s false positives. The PIR will be shared with affected customers through official channels and open support cases. Customers are encouraged to configure Azure Service Health alerts to receive updates on the PIR and future Azure service issues.
Administrators facing these alerts should:
- Confirm User Safe: Use the Entra ID Protection admin feature to clear false high-risk flags.
- Review Sign-In Logs: Check for lockout-related error codes and unusual activity.
- Reset Passwords: As a precaution, reset passwords for affected accounts, even if no breach is confirmed.
- Enable Dark Web Monitoring: Use third-party tools to independently verify credential leaks.
- Open Support Cases: Contact Microsoft support for further guidance if issues persist.
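The triage that administrators described (leaked-credentials flags with no risky sign-ins, no other detections, and MFA everywhere) and the sign-in log check for AADSTS50053 can be scripted against exported Microsoft Graph data. The following is an added example, not Microsoft's code; the risk-detection and sign-in records are constructed sample data shaped after Graph `riskDetection` and `signIn` objects (the property names are real Graph fields, the values are invented), and treating the Graph `riskyUsers/dismiss` action as the scripted equivalent of the portal's "Confirm user safe" button is an assumption of the example.

```python
"""Triage helper for Entra ID Protection "leaked credentials" user-risk alerts.

Added example (not Microsoft code). The records below are constructed sample
data shaped after Microsoft Graph riskDetection and signIn objects; field names
are real Graph properties, the values are invented for this example.
"""
from datetime import datetime, timezone

# Window in which the token-invalidation alerts were generated (from the article).
INCIDENT_WINDOW = (
    datetime(2025, 4, 20, 4, 0, tzinfo=timezone.utc),
    datetime(2025, 4, 20, 9, 0, tzinfo=timezone.utc),
)

# Constructed riskDetection records (GET /identityProtection/riskDetections).
RISK_DETECTIONS = [
    {"userId": "u-001", "userPrincipalName": "alice@contoso.example",
     "riskEventType": "leakedCredentials", "riskState": "atRisk",
     "riskLevel": "high", "detectedDateTime": "2025-04-20T06:12:00Z"},
    {"userId": "u-002", "userPrincipalName": "bob@contoso.example",
     "riskEventType": "leakedCredentials", "riskState": "atRisk",
     "riskLevel": "high", "detectedDateTime": "2025-04-20T05:40:00Z"},
    {"userId": "u-002", "userPrincipalName": "bob@contoso.example",
     "riskEventType": "anonymizedIPAddress", "riskState": "atRisk",
     "riskLevel": "medium", "detectedDateTime": "2025-04-19T22:05:00Z"},
    {"userId": "u-003", "userPrincipalName": "carol@contoso.example",
     "riskEventType": "leakedCredentials", "riskState": "atRisk",
     "riskLevel": "high", "detectedDateTime": "2025-04-17T11:00:00Z"},
]

# Constructed signIn records (GET /auditLogs/signIns). errorCode 50053 is the
# numeric form of AADSTS50053 (account locked).
SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2025-04-20T07:30:00Z",
     "status": {"errorCode": 0}, "riskLevelDuringSignIn": "none",
     "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2025-04-20T08:02:00Z",
     "status": {"errorCode": 50053}, "riskLevelDuringSignIn": "none",
     "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2025-04-19T22:06:00Z",
     "status": {"errorCode": 0}, "riskLevelDuringSignIn": "medium",
     "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "carol@contoso.example", "createdDateTime": "2025-04-18T09:00:00Z",
     "status": {"errorCode": 0}, "riskLevelDuringSignIn": "none",
     "authenticationRequirement": "singleFactorAuthentication"},
]


def _ts(value):
    """Parse a Graph ISO-8601 timestamp (trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(detections, sign_ins, window=INCIDENT_WINDOW):
    """Classify each flagged user.

    'candidate_confirm_safe': only a leakedCredentials detection, raised inside
    the incident window, with no other active detections, no risky sign-ins and
    MFA on every sign-in, i.e. the pattern administrators reported for the false
    positives. Everything else is 'investigate'. Lockouts are counted, not judged.
    """
    by_user = {}
    for d in detections:
        by_user.setdefault(d["userPrincipalName"], []).append(d)

    verdicts = {}
    for upn, dets in by_user.items():
        active = [d for d in dets if d["riskState"] == "atRisk"]
        leaked_in_window = any(
            d["riskEventType"] == "leakedCredentials"
            and window[0] <= _ts(d["detectedDateTime"]) <= window[1]
            for d in active)
        other = sorted({d["riskEventType"] for d in active
                        if d["riskEventType"] != "leakedCredentials"})
        user_signins = [s for s in sign_ins if s["userPrincipalName"] == upn]
        risky_signins = [s for s in user_signins
                         if s.get("riskLevelDuringSignIn", "none") not in ("none", "hidden")]
        lockouts = [s for s in user_signins if s["status"]["errorCode"] == 50053]
        all_mfa = bool(user_signins) and all(
            s["authenticationRequirement"] == "multiFactorAuthentication"
            for s in user_signins)
        verdict = ("candidate_confirm_safe"
                   if leaked_in_window and not other and not risky_signins and all_mfa
                   else "investigate")
        verdicts[upn] = {"verdict": verdict, "userId": dets[0]["userId"],
                         "other_detections": other, "risky_signins": len(risky_signins),
                         "lockouts": len(lockouts)}
    return verdicts


def dismiss_request(user_ids):
    """Build the Graph call that clears user risk for reviewed accounts.

    POST /identityProtection/riskyUsers/dismiss exists in Graph v1.0; treating it
    as the scripted form of the portal's 'Confirm user safe' is an assumption of
    this example. Nothing is sent here; an administrator reviews the list first.
    """
    return {"method": "POST",
            "url": "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers/dismiss",
            "body": {"userIds": sorted(set(user_ids))}}


if __name__ == "__main__":
    result = triage(RISK_DETECTIONS, SIGN_INS)
    for upn, info in result.items():
        print(f"{upn}: {info['verdict']} (other={info['other_detections']}, "
              f"risky sign-ins={info['risky_signins']}, lockouts={info['lockouts']})")
    safe_ids = [i["userId"] for i in result.values() if i["verdict"] == "candidate_confirm_safe"]
    print(dismiss_request(safe_ids))
```

Run against the constructed data, alice (leaked-credentials flag inside the window, MFA on every sign-in, one AADSTS50053 lockout, nothing else) is the only candidate for clearing; bob carries an additional anonymized-IP detection and a risky sign-in, and carol's detection predates the window, so both stay in the investigate bucket. The dismiss request is only built, never sent, so the verdicts remain a human decision.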
The incident has sparked frustration among IT professionals, with posts on X describing the MACE rollout as “ruining” their weekend due to false alarms.
One user remarked, “Microsoft rolled out a new dark web credential detection app called MACE this Easter weekend, which promptly ruined my Saturday with its false alarm on my primary M365/Entra ID account.” Another post highlighted the scale, noting an MDR provider received over 20,000 notifications overnight.
This incident follows other recent cybersecurity challenges, such as Microsoft’s April 2025 Patch Tuesday, which addressed 126 vulnerabilities, including an actively exploited zero-day (CVE-2025-29824). While unrelated to the Entra issue, it underscores the heightened scrutiny on Microsoft’s security processes.
Microsoft’s swift acknowledgment and corrective actions demonstrate its commitment to user security, but the false positives have highlighted the challenges of rolling out new security features at scale.
Administrators are urged to remain vigilant, follow Microsoft’s guidance, and leverage external monitoring tools to ensure their systems remain secure. For further updates, customers can monitor the Azure Service Health portal or contact Microsoft support directly.