Microsoft has confirmed a recent issue that led to widespread alerts in its Entra ID Protection system, warning of high-risk user accounts due to alleged credential leaks on the dark web.
The alerts, which impacted system administrators globally, were attributed to a combination of an internal token logging error and the rollout of a new security feature called MACE Credential Revocation, causing confusion among IT professionals.
Token Logging Issue Sparks Alerts
Microsoft identified that it was inadvertently logging a subset of short-lived user refresh tokens for a small percentage of users, deviating from its standard practice of only logging metadata.
This issue was promptly corrected, and the affected tokens were invalidated to protect users. However, this invalidation process unintentionally generated alerts in Entra ID Protection, indicating that users' credentials may have been compromised.
The alerts occurred between 4:00 AM and 9:00 AM UTC on April 20, 2025, and there was no evidence of unauthorized access to these tokens. If any is detected, Microsoft will follow standard security incident response protocols.
MACE Rollout Triggers False Positives
Concurrently, Microsoft rolled out its new security feature, MACE Credential Revocation, over the same weekend, aiming to detect and respond to potentially compromised credentials by checking for matches on the dark web and other sources.
However, the rollout led to widespread false positives, with accounts being flagged as high risk despite having strong, unique passwords and multi-factor authentication (MFA) enabled.
Social media posts and online forums, including Reddit, reported similar experiences, and some administrators noted that even passwordless accounts were affected, further suggesting that the alerts were erroneous.
One administrator shared on Reddit: "I just got a half dozen alerts for accounts supposedly found with valid credentials on the dark web. ... The six accounts don't have much in common ... There are no risky sign-ins, no other risk detections, everyone is MFA."
The user added that the accounts didn't show any matches on Have I Been Pwned (HIBP), fueling suspicions of a Microsoft error.
Microsoft's Response and Customer Actions
Microsoft has advised affected customers to use the "Confirm User Safe" feature in Entra ID Protection to resolve the erroneous high-risk flags, as detailed in its documentation.
This feature allows administrators to manually clear the risk status for affected users. Additionally, Microsoft recommends resetting passwords for any locked accounts and ensuring that MFA is enabled, although many affected accounts already had these measures in place.
Administrators can also review sign-in logs in the Microsoft Entra admin center under Monitoring & Health for error codes like AADSTS50053, which indicate account lockouts.
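The triage described above can be scripted over exported data. The following is an added example, not Microsoft's tooling or code from the original article: it assumes risk detections and sign-in logs were exported as JSON using the Microsoft Graph field names `userPrincipalName`, `riskEventType`, `detectedDateTime` and `status.errorCode`, and that the incident's alerts appear with the `leakedCredentials` detection type. All sample records are constructed.

```python
import json
from datetime import datetime, timezone

# Incident window stated in the article: 04:00-09:00 UTC on April 20, 2025.
WINDOW_START = datetime(2025, 4, 20, 4, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 4, 20, 9, 0, tzinfo=timezone.utc)
LOCKOUT_CODE = 50053  # AADSTS50053: account lockout

# Constructed sample exports (hypothetical tenant, not real data).
DETECTIONS = json.loads("""[
 {"userPrincipalName": "alice@contoso.example", "riskEventType": "leakedCredentials", "detectedDateTime": "2025-04-20T05:12:00Z"},
 {"userPrincipalName": "bob@contoso.example", "riskEventType": "leakedCredentials", "detectedDateTime": "2025-04-20T06:40:00Z"},
 {"userPrincipalName": "bob@contoso.example", "riskEventType": "unfamiliarFeatures", "detectedDateTime": "2025-04-19T22:03:00Z"},
 {"userPrincipalName": "carol@contoso.example", "riskEventType": "leakedCredentials", "detectedDateTime": "2025-04-21T11:00:00Z"}
]""")
SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@contoso.example", "status": {"errorCode": 50053}},
 {"userPrincipalName": "bob@contoso.example", "status": {"errorCode": 0}}
]""")

def parse_utc(ts):
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def triage(detections, signins):
    """Split flagged users into 'Confirm User Safe' candidates and users to investigate."""
    by_user = {}
    for d in detections:
        by_user.setdefault(d["userPrincipalName"], []).append(d)
    locked = {s["userPrincipalName"] for s in signins
              if s.get("status", {}).get("errorCode") == LOCKOUT_CODE}
    result = {"confirm_safe_candidates": [], "investigate": [],
              "locked_out": sorted(locked)}
    for user, events in sorted(by_user.items()):
        # Candidate only if every detection is a leaked-credentials alert
        # raised inside the incident window; anything else needs a human look.
        only_incident = all(
            e["riskEventType"] == "leakedCredentials"
            and WINDOW_START <= parse_utc(e["detectedDateTime"]) <= WINDOW_END
            for e in events)
        key = "confirm_safe_candidates" if only_incident else "investigate"
        result[key].append(user)
    return result

if __name__ == "__main__":
    print(json.dumps(triage(DETECTIONS, SIGNINS), indent=2))
```

Users in `investigate` either carry another risk detection or were flagged outside the stated window, so they fall outside the incident as described and should be reviewed normally.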
Ongoing Investigation and Recommendations
Microsoft is currently conducting a Post Incident Review (PIR) to investigate both the token logging issue and the MACE rollout's false positives.
The PIR will be shared with affected customers through official channels and open support cases. Customers are encouraged to configure Azure Service Health alerts to receive updates on the PIR and future Azure service issues.
Administrators facing these alerts are advised to:
The incident has sparked frustration among IT professionals, with posts on X describing the MACE rollout as "ruining" their weekend due to false alarms.
One user remarked, "Microsoft rolled out a new dark web credential detection app called MACE this Easter weekend, which promptly ruined my Saturday with its false alarm on my primary M365/Entra ID account."
Another post highlighted the scale, noting that an MDR provider received over 20,000 notifications overnight.
This incident follows other recent cybersecurity challenges, such as Microsoft's April 2025 Patch Tuesday, which addressed 126 vulnerabilities, including an actively exploited zero-day (CVE-2025-29824). While unrelated to the Entra issue, it underscores the heightened scrutiny on Microsoft's security processes.
Microsoft's swift acknowledgment and corrective actions demonstrate its commitment to user security, but the false positives have highlighted the challenges of rolling out new security features at scale.
Administrators are urged to remain vigilant, follow Microsoft's guidance, and leverage external monitoring tools to ensure their systems remain secure. For further updates, customers can monitor the Azure Service Health portal or contact Microsoft support directly.