Microsoft has acknowledged a recent issue that triggered widespread alerts in its Entra ID Protection system, flagging user accounts as high risk due to supposed credential leaks on the dark web.
The alerts have been attributed to a combination of an internal token logging error and the rollout of a new security feature called MACE Credential Revocation, causing confusion among system administrators globally.
Microsoft identified that it was inadvertently logging a subset of short-lived user refresh tokens for a small percentage of users, contrary to its standard practice of only logging metadata.
The issue was promptly corrected, and Microsoft invalidated the affected tokens to protect users. However, this invalidation process unintentionally generated alerts in Entra ID Protection between 4:00 AM and 9:00 AM UTC on April 20, 2025, indicating that users’ credentials may have been compromised.
Microsoft has stated there is no evidence of unauthorized access to these tokens, but it will follow standard security incident response protocols if any is detected.
Compounding the issue, Microsoft rolled out a new security feature, MACE Credential Revocation, over the same weekend.
This feature is designed to detect and respond to potentially compromised credentials by checking for matches on the dark web and other sources.
However, the rollout led to widespread false positives, with accounts being flagged as high risk despite having strong, unique passwords and multi-factor authentication (MFA) enabled.
Posts on social media and online forums, including Reddit, describe similar experiences, with some administrators noting that even passwordless accounts were affected, which suggests the alerts were erroneous.
One administrator shared on Reddit: “I just got a half dozen alerts for accounts supposedly found with valid credentials on the dark web. … The six accounts don’t have much in common … There are no risky sign-ins, no other risk detections, everyone is MFA.”
The user noted that the accounts showed no matches on Have I Been Pwned (HIBP), raising suspicions of a Microsoft error.
Microsoft has advised affected customers to use the “Confirm User Safe” feature in Entra ID Protection to resolve erroneous high-risk flags, as detailed in its documentation.
This feature allows administrators to manually clear the risk status for affected users. Additionally, Microsoft recommends resetting passwords for locked accounts and ensuring MFA is enabled, though many affected accounts already had these measures in place.
Administrators can also review sign-in logs in the Microsoft Entra admin center under Monitoring & Health for error codes such as AADSTS50053, which indicates that an account is locked out.
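The guidance above amounts to a triage procedure: isolate leaked-credential detections that fall inside the incident window, check whether anything else corroborates them before clearing the risk, and find accounts that are locked out (AADSTS50053). The script below is an added example that is not from the article or from Microsoft; it works offline on constructed sample records whose field names are assumed to mirror Microsoft Graph `riskDetection` and `signIn` objects (`riskEventType`, `detectedDateTime`, `riskLevelDuringSignIn`, `status.errorCode`), so an export from the Graph `identityProtection/riskDetections` and `auditLogs/signIns` endpoints could be fed in the same way.

```python
"""Triage Entra ID Protection leaked-credential detections around a known incident window.

Added example, not code from the article or from Microsoft. The sample records
below are constructed; their shape assumes Microsoft Graph riskDetection and
signIn objects.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Incident window stated in the article: 04:00-09:00 UTC on 20 April 2025.
INCIDENT_WINDOW = (
    datetime(2025, 4, 20, 4, 0, tzinfo=timezone.utc),
    datetime(2025, 4, 20, 9, 0, tzinfo=timezone.utc),
)
RISKY_SIGNIN_LEVELS = {"low", "medium", "high"}
LOCKOUT_ERROR_CODE = 50053  # AADSTS50053: the account is locked out

# Constructed sample risk detections (not real tenant data).
RISK_DETECTIONS = [
    {"userPrincipalName": "alice@example.com", "riskEventType": "leakedCredentials",
     "detectedDateTime": "2025-04-20T05:12:44Z", "riskLevel": "high"},
    {"userPrincipalName": "bob@example.com", "riskEventType": "leakedCredentials",
     "detectedDateTime": "2025-04-20T06:03:10Z", "riskLevel": "high"},
    # A second, unrelated detection for bob: corroborating signal, do not auto-clear.
    {"userPrincipalName": "bob@example.com", "riskEventType": "anonymizedIPAddress",
     "detectedDateTime": "2025-04-19T22:41:00Z", "riskLevel": "medium"},
    # Outside the window: not explained by the incident.
    {"userPrincipalName": "carol@example.com", "riskEventType": "leakedCredentials",
     "detectedDateTime": "2025-04-18T13:20:00Z", "riskLevel": "high"},
]

# Constructed sample sign-in log entries (not real tenant data).
SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-04-20T07:15:02Z",
     "status": {"errorCode": LOCKOUT_ERROR_CODE}, "riskLevelDuringSignIn": "none"},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-04-20T07:20:00Z",
     "status": {"errorCode": 0}, "riskLevelDuringSignIn": "none"},
    {"userPrincipalName": "dave@example.com", "createdDateTime": "2025-04-20T08:02:31Z",
     "status": {"errorCode": LOCKOUT_ERROR_CODE}, "riskLevelDuringSignIn": "none"},
]


def parse_ts(value: str) -> datetime:
    """Parse a Graph-style ISO-8601 timestamp (trailing 'Z') into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def in_window(ts: datetime, window=INCIDENT_WINDOW) -> bool:
    start, end = window
    return start <= ts <= end


def triage(detections, sign_ins, window=INCIDENT_WINDOW):
    """Bucket users with leakedCredentials detections.

    likely_false_positive: the only signal is a leakedCredentials detection inside
                           the incident window (candidate for Confirm User Safe).
    needs_investigation:   a leakedCredentials detection inside the window plus some
                           other detection or a risky sign-in for the same user.
    out_of_window:         leakedCredentials detections not explained by the incident.
    """
    by_user = defaultdict(list)
    for d in detections:
        by_user[d["userPrincipalName"]].append(d)
    risky_signin_users = {s["userPrincipalName"] for s in sign_ins
                          if s.get("riskLevelDuringSignIn") in RISKY_SIGNIN_LEVELS}
    result = {"likely_false_positive": [], "needs_investigation": [], "out_of_window": []}
    for upn, user_detections in by_user.items():
        leaked = [d for d in user_detections if d["riskEventType"] == "leakedCredentials"]
        if not leaked:
            continue
        leaked_in_window = [d for d in leaked if in_window(parse_ts(d["detectedDateTime"]), window)]
        if not leaked_in_window:
            result["out_of_window"].append(upn)
            continue
        # Any other detection (different type, or outside the window) or a risky
        # sign-in means the incident alone does not explain this user's risk state.
        corroborated = len(user_detections) > len(leaked_in_window) or upn in risky_signin_users
        result["needs_investigation" if corroborated else "likely_false_positive"].append(upn)
    return {k: sorted(v) for k, v in result.items()}


def locked_out_users(sign_ins, code=LOCKOUT_ERROR_CODE):
    """Users whose sign-in log shows the lockout error code (AADSTS50053)."""
    return sorted({s["userPrincipalName"] for s in sign_ins
                   if s.get("status", {}).get("errorCode") == code})


if __name__ == "__main__":
    for bucket, users in triage(RISK_DETECTIONS, SIGN_INS).items():
        print(f"{bucket}: {', '.join(users) or '-'}")
    print("locked out (AADSTS50053):", ", ".join(locked_out_users(SIGN_INS)) or "-")
```

Only the `likely_false_positive` bucket is a candidate for bulk use of Confirm User Safe; the other two buckets keep the normal investigation path, which is the distinction the article's guidance leaves to the administrator.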
Microsoft is conducting a Post Incident Review (PIR) to investigate both the token logging issue and the MACE rollout’s false positives. The PIR will be shared with affected customers through official channels and open support cases. Customers are encouraged to configure Azure Service Health alerts to receive updates on the PIR and future Azure service issues.
Administrators facing these alerts should:
The incident has sparked frustration among IT professionals, with posts on X describing the MACE rollout as “ruining” their weekend due to false alarms.
One user remarked, “Microsoft rolled out a new dark web credential detection app called MACE this Easter weekend, which promptly ruined my Saturday with its false alarm on my primary M365/Entra ID account.” Another post highlighted the scale, noting an MDR provider received over 20,000 notifications overnight.
This incident follows other recent cybersecurity challenges, such as Microsoft’s April 2025 Patch Tuesday, which addressed 126 vulnerabilities, including an actively exploited zero-day (CVE-2025-29824). While unrelated to the Entra issue, it underscores the heightened scrutiny on Microsoft’s security processes.
Microsoft’s swift acknowledgment and corrective actions demonstrate its commitment to user security, but the false positives have highlighted the challenges of rolling out new security features at scale.
Administrators are urged to remain vigilant, follow Microsoft’s guidance, and leverage external monitoring tools to ensure their systems remain secure. For further updates, customers can monitor the Azure Service Health portal or contact Microsoft support directly.