
Microsoft has revealed that recent account lockouts in Entra were due to an error involving the logging of user refresh tokens. This mishap led to the invalidation of these tokens, causing automatic lockouts for affected accounts.
Incident Overview
On Saturday morning, numerous organizations experienced alerts from Microsoft Entra indicating potential credential leaks, resulting in account lockouts. Initially, these incidents were thought to be linked to a new application rollout named "MACE Credential Revocation."
Root Cause Analysis
An advisory from Microsoft clarified that the issue stemmed from the accidental logging of user refresh tokens instead of just their metadata. This oversight prompted the invalidation of the tokens, inadvertently triggering alerts and subsequent lockouts.
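As an added illustration (not code from Microsoft's advisory), the following contrasts the defective pattern, writing a whole refresh token into a log line, with a metadata-only log entry, and runs a simple scan that flags and redacts log lines carrying a full token. The token, claim names and log lines are constructed, JWT-shaped stand-ins; the page does not describe the format of real Entra refresh tokens.

```python
import base64
import hashlib
import json
import re

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed, JWT-shaped stand-in for a refresh token (fake signature, not a real token).
_HEADER = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
_CLAIMS = _b64url(json.dumps({"jti": "demo-jti-1", "iss": "https://issuer.example",
                              "exp": 1745100000, "sub": "user@example.com"}).encode())
SAMPLE_TOKEN = f"{_HEADER}.{_CLAIMS}.{_b64url(b'fake-signature-bytes-0123456789')}"

# Three base64url segments separated by dots: the shape of a JWT-style bearer token.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")

def token_metadata(token: str) -> dict:
    """Metadata-only view of a token, which is what a log entry should carry.
    The token itself is never included; a truncated SHA-256 fingerprint still lets
    entries be correlated with a later revocation list."""
    _header, payload, _sig = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return {
        "fingerprint": hashlib.sha256(token.encode()).hexdigest()[:16],
        "jti": claims.get("jti"),
        "iss": claims.get("iss"),
        "exp": claims.get("exp"),
    }

def find_token_leaks(lines):
    """Return (line_no, line) for every log line that contains a full token."""
    return [(n, line) for n, line in enumerate(lines) if TOKEN_RE.search(line)]

def redact(line: str) -> str:
    """Replace any embedded token with a placeholder before the line reaches storage."""
    return TOKEN_RE.sub("[REDACTED_TOKEN]", line)

# Constructed sample log lines: index 1 is the defective pattern (whole token written out).
SAMPLE_LOG = [
    "2025-04-18T06:00:01Z token_issued jti=demo-jti-1 sub=user@example.com",
    f"2025-04-18T06:00:02Z token_refresh token={SAMPLE_TOKEN}",
    f"2025-04-18T06:00:03Z token_refresh meta={json.dumps(token_metadata(SAMPLE_TOKEN))}",
]

if __name__ == "__main__":
    for n, line in find_token_leaks(SAMPLE_LOG):
        print(f"leak on line {n}: {redact(line)}")
```

Once a full token has reached a log store, the only safe remedy is the one the advisory describes: invalidate the logged tokens, which is why the fingerprint, not the token, is what belongs in the entry.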
Timeline and Response
- On April 18, 2025, Microsoft identified the logging error affecting a subset of users.
- The error was promptly corrected, and a procedure was initiated to invalidate the logged tokens.
- Alerts indicating potential credential compromise were generated between 4 AM UTC and 9 AM UTC on April 20.
Microsoft has assured that there is no evidence of unauthorized access to these tokens. If any unauthorized access is detected, standard security protocols will be enacted.