Microsoft Entra ID Lockouts After MACE App Flags Legit Users

Was your Microsoft Entra ID account locked? Find out about the recent widespread lockouts caused by the new MACE Credential Revocation app and a Microsoft error in handling user refresh tokens.

Recently, many companies experienced a problem where their employees suddenly couldn’t log into their Microsoft Entra accounts and expressed concern in a Reddit thread. Microsoft, the company behind Entra ID (previously called Azure Active Directory), has explained what happened.

It seems that a newly introduced component of Microsoft Entra ID called the MACE Credential Revocation app, which is designed to enhance security by identifying compromised credentials, mistakenly flagged many regular users as high risk. This led to widespread account lockouts.

Microsoft has traced the root cause to an internal logging issue involving refresh tokens (the tokens that keep users signed in), which were being logged within Microsoft’s own systems. The standard process is to log only metadata about these short-lived tokens; the problem arose when a subset of the tokens themselves were being logged internally “for a small percentage of users,” beginning on Friday, April 18th, 2025.
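The root cause described above is a logging-hygiene failure: a secret that should never leave the token service ended up in a log. As an added illustration (not Microsoft’s code, and not a description of Entra’s internal logging), the Python below shows the two halves of the defensive pattern: log a fingerprint plus non-secret claims instead of the token, and keep a redaction filter on the handler as a last resort. It assumes a JWT-shaped sample token so that its claims can stand in for “metadata”; Entra refresh tokens are opaque, so for those only the fingerprint half applies.

```python
import base64
import hashlib
import io
import json
import logging
import re

# Matches a JWT-shaped string (three base64url segments). Constructed heuristic for the demo.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")

def fingerprint(token: str) -> str:
    """Non-reversible handle for correlating log lines without storing a replayable secret."""
    return "tok:" + hashlib.sha256(token.encode()).hexdigest()[:16]

def jwt_metadata(token: str) -> dict:
    """Decode the payload WITHOUT verifying it and keep only non-secret claims to log."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    meta = {k: claims[k] for k in ("aud", "iss", "exp", "iat", "jti", "tid") if k in claims}
    meta["fingerprint"] = fingerprint(token)
    return meta

class TokenRedactingFilter(logging.Filter):
    """Last line of defence: any JWT that still reaches a handler is replaced by its fingerprint."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = JWT_RE.sub(lambda m: fingerprint(m.group(0)), record.getMessage())
        record.args = ()  # message is already fully formatted
        return True

def make_sample_jwt(claims: dict) -> str:
    """Build an unsigned, constructed JWT for the demo; not a real Entra token."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

def capture_log_lines(token: str) -> list[str]:
    """Log the same event the wrong way and the right way; return what the handler wrote."""
    buf = io.StringIO()
    logger = logging.getLogger("entra-token-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.addFilter(TokenRedactingFilter())
    logger.addHandler(handler)
    logger.info("refresh token issued: %s", token)                           # the bug class: raw token
    logger.info("refresh token issued: %s", json.dumps(jwt_metadata(token)))  # metadata only
    return buf.getvalue().splitlines()
```

Even with the filter in place, the first call is still the defect: the filter only limits the damage when someone logs the wrong thing, and the second call is the form the code should take.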

As soon as they realized this mistake on Friday, April 18th, 2025, Microsoft took action to fix it. To keep their customers safe, they decided to make these specific tokens invalid, meaning they would no longer work.

However, this process of making the tokens invalid mistakenly triggered alerts in Entra ID Protection. These alerts, sent out on Sunday, April 20th, 2025, between 4 AM and 9 AM UTC, made it seem like users’ login details might have been stolen.

Microsoft has stated that they don’t have any proof that anyone gained unauthorized access to these tokens. “We have no indication of unauthorized access to these tokens – and if we determine there were any unauthorized access, we will invoke our standard security incident response and communication processes,” the tech giant noted.

For companies whose users were locked out because they were wrongly marked as high-risk, Microsoft suggests a solution. Administrators can use a feature called Confirm User Safe within Entra ID. This tells the system that even though an alert was raised, the user’s account is actually okay. Microsoft has provided a link to their help documentation that explains how to use this feature and understand the risk alerts.

Microsoft is still looking into exactly what went wrong and will share a detailed report, called a Post Incident Review (PIR), with all the affected customers and anyone who opened a support ticket.

To be notified when this report is available or to stay updated on any future problems with Azure services, Microsoft recommends setting up Azure Service Health alerts. These alerts can send notifications through email, text messages, and other methods.

Jim Routh, Chief Trust Officer at Saviynt, shared his thoughts on the situation with Hackread.com. He pointed out that even though this caused problems for some Microsoft business customers over the weekend, there were some positive aspects.

“The positive news is that the disruption occurred over the weekend, and today (Monday), customers have the facts along with the fix (corrective actions) necessary for recovery,” he said. “The vulnerability and the action taken (token invalidation) were ultimately shared by Microsoft in an advisory relatively quickly. This is a sign of health or resilience despite the inconvenience to some enterprise customers over the weekend,” Routh added.