Microsoft acknowledges an issue that triggered widespread alerts in its Entra ID Protection system
Apr 22, 2025 at 03:06 am
Microsoft has acknowledged a recent issue that triggered widespread alerts in its Entra ID Protection system, flagging user accounts as high risk due to supposed credential leaks on the dark web.
Microsoft has confirmed a recent issue that led to widespread alerts in its Entra ID Protection system, warning of high-risk user accounts due to alleged credential leaks on the dark web.
The alerts, which impacted system administrators globally, were attributed to a combination of an internal token logging error and the rollout of a new security feature called MACE Credential Revocation, causing confusion among IT professionals.
Token Logging Issue Sparks Alerts
Microsoft identified that it was inadvertently logging a subset of short-lived user refresh tokens for a small percentage of users, deviating from its standard practice of only logging metadata.
This issue was promptly corrected, and the affected tokens were invalidated to protect users. However, this invalidation process unintentionally generated alerts in Entra ID Protection, indicating that users' credentials may have been compromised.
The alerts occurred between 4:00 AM and 9:00 AM UTC on April 20, 2025, and there was no evidence of unauthorized access to these tokens. If any is detected, Microsoft will follow standard security incident response protocols.
MACE Rollout Triggers False Positives
Concurrently, Microsoft rolled out its new security feature, MACE Credential Revocation, over the same weekend, aiming to detect and respond to potentially compromised credentials by checking for matches on the dark web and other sources.
However, the rollout led to widespread false positives, with accounts being flagged as high risk despite having strong, unique passwords and multi-factor authentication (MFA) enabled.
Social media posts and online forums, including Reddit, reported similar experiences, and some administrators noted that even passwordless accounts were affected, further suggesting that the alerts were erroneous.
One administrator shared on Reddit: "I just got a half dozen alerts for accounts supposedly found with valid credentials on the dark web. ... The six accounts don't have much in common ... There are no risky sign-ins, no other risk detections, everyone is MFA."
The user added that the accounts didn't show any matches on Have I Been Pwned (HIBP), fueling suspicions of a Microsoft error.
Microsoft's Response and Customer Actions
Microsoft has advised affected customers to use the "Confirm User Safe" feature in Entra ID Protection to resolve the erroneous high-risk flags, as detailed in its documentation.
This feature allows administrators to manually clear the risk status for affected users. Additionally, Microsoft recommends resetting passwords for any locked accounts and ensuring that MFA is enabled, although many affected accounts already had these measures in place.
Administrators can also review sign-in logs in the Microsoft Entra admin center under Monitoring & Health for error codes like AADSTS50053, which indicate account lockouts.
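One way to script the review described above, as an added example (not from the article or from Microsoft): it separates flagged users whose detections fit the incident pattern (only leaked-credential detections, all inside the 04:00 to 09:00 UTC window on April 20, 2025) from those needing investigation, and counts AADSTS50053 lockouts per user. The records are constructed, and the field names and the `leakedCredentials` type value are assumptions about how the tenant's exported Microsoft Graph risk-detection and sign-in data look.

```python
from datetime import datetime, timezone

# Alert window stated in the article: 04:00-09:00 UTC on April 20, 2025.
WINDOW_START = datetime(2025, 4, 20, 4, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 4, 20, 9, 0, tzinfo=timezone.utc)
LOCKOUT_CODE = 50053  # AADSTS50053, the lockout code named in the article

# Constructed sample exports (not real tenant data). Field names are assumed
# to match Microsoft Graph riskDetection and signIn records.
RISK_DETECTIONS = [
    {"userPrincipalName": "alice@example.test", "riskEventType": "leakedCredentials",
     "detectedDateTime": "2025-04-20T05:12:00Z"},
    {"userPrincipalName": "bob@example.test", "riskEventType": "leakedCredentials",
     "detectedDateTime": "2025-04-20T06:40:00Z"},
    {"userPrincipalName": "bob@example.test", "riskEventType": "unfamiliarFeatures",
     "detectedDateTime": "2025-04-19T22:03:00Z"},
    {"userPrincipalName": "carol@example.test", "riskEventType": "leakedCredentials",
     "detectedDateTime": "2025-04-21T13:00:00Z"},
]
SIGN_INS = [
    {"userPrincipalName": "alice@example.test", "createdDateTime": "2025-04-20T07:01:00Z",
     "status": {"errorCode": 50053}},
    {"userPrincipalName": "carol@example.test", "createdDateTime": "2025-04-21T13:05:00Z",
     "status": {"errorCode": 0}},
]

def parse_utc(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def triage(detections, sign_ins):
    """Split flagged users into incident-pattern candidates and the rest."""
    by_user, lockouts, report = {}, {}, {}
    for d in detections:
        by_user.setdefault(d["userPrincipalName"], []).append(d)
    for s in sign_ins:
        if s.get("status", {}).get("errorCode") == LOCKOUT_CODE:
            upn = s["userPrincipalName"]
            lockouts[upn] = lockouts.get(upn, 0) + 1
    for upn, items in by_user.items():
        # Incident pattern: only leaked-credential detections, all inside the window.
        matches = all(
            d["riskEventType"] == "leakedCredentials"
            and WINDOW_START <= parse_utc(d["detectedDateTime"]) <= WINDOW_END
            for d in items)
        report[upn] = {"verdict": "review_for_confirm_safe" if matches else "investigate",
                       "lockouts": lockouts.get(upn, 0)}
    return report
```

A `review_for_confirm_safe` verdict only marks an account as matching the timing and type of the incident; the administrator still decides whether to clear it with "Confirm User Safe".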
Ongoing Investigation and Recommendations
Microsoft is currently conducting a Post Incident Review (PIR) to investigate both the token logging issue and the MACE rollout's false positives.
The PIR will be shared with affected customers through official channels and open support cases. Customers are encouraged to configure Azure Service Health alerts to receive updates on the PIR and future Azure service issues.
Administrators facing these alerts are advised to:
The incident has sparked frustration among IT professionals, with posts on X describing the MACE rollout as "ruining" their weekend due to false alarms.
One user remarked, "Microsoft rolled out a new dark web credential detection app called MACE this Easter weekend, which promptly ruined my Saturday with its false alarm on my primary M365/Entra ID account."
Another post highlighted the scale, noting that an MDR provider received over 20,000 notifications overnight.
This incident follows other recent cybersecurity challenges, such as Microsoft's April 2025 Patch Tuesday, which addressed 126 vulnerabilities, including an actively exploited zero-day (CVE-2025-29824). While unrelated to the Entra issue, it underscores the heightened scrutiny on Microsoft's security processes.
Microsoft's swift acknowledgment and corrective actions demonstrate its commitment to user security, but the false positives have highlighted the challenges of rolling out new security features at scale.
Administrators are urged to remain vigilant, follow Microsoft's guidance, and leverage external monitoring tools to ensure their systems remain secure. For further updates, customers can monitor the Azure Service Health portal or contact Microsoft support directly.