Microsoft confirms that the weekend Entra account lockouts have been brought on by the invalidation of short-lived person refresh tokens that have been mistakenly logged into inside programs.
On Saturday morning, quite a few organizations reported that they started receiving Microsoft Entra alerts that accounts had leaked credentials, inflicting the accounts to be locked out mechanically.
Impacted prospects initially thought the account lockouts have been tied to the rollout of a brand new enterprise software referred to as “MACE Credential Revocation,” put in minutes earlier than the alerts have been issued.
Nonetheless, an admin for one of many impacted organizations shared an advisory despatched by Microsoft stating that the difficulty was brought on by the corporate mistakenly logging the impacted account’s person refresh tokens somewhat than simply their metadata.
After realizing they logged precise account tokens, they started invalidating them, which by chance generated the alerts and lockouts.
“On Friday 4/18/25, Microsoft recognized that it was internally logging a subset of short-lived person refresh tokens for a small share of customers, whereas our normal logging course of is to solely log metadata about such tokens,” reads an advisory from Microsoft posted on Reddit.
“The inner logging difficulty was instantly corrected, and the group carried out a process to invalidate these tokens to guard prospects. As a part of the invalidation course of, we inadvertently generated alerts in Entra ID Safety indicating the person’s credentials might have been compromised.”
“These alerts have been despatched between 4/20/25 4AM UTC and 4/20/25 9AM UTC. Now we have no indication of unauthorized entry to those tokens – and if we decide there have been any unauthorized entry, we’ll invoke our normal safety incident response and communication processes.”
Microsoft says impacted prospects may give the “Affirm Person Secure” suggestions in Microsoft Entra for the flagged person to revive entry to their accounts.
The corporate says they may publish a Publish Incident Evaluate (PIR) after the investigation is completed, which might be shared with all impacted prospects.
BleepingComputer additionally contacted Microsoft on Saturday however has not but obtained a reply to our questions concerning the incident.
