Widespread Microsoft Entra lockouts tied to new security feature rollout
9/3/2025 09:06am
The widespread lockouts of Microsoft Entra accounts, initially attributed to the rollout of a new security feature, have since been confirmed by Microsoft to stem from an internal logging issue. Here's a detailed analysis:
1. **Root Cause**: The issue stems from an internal logging error on April 20, 2025, between 4:00 AM and 9:00 AM UTC. Microsoft mistakenly logged short-lived user refresh tokens themselves instead of just their metadata. As a precaution, Microsoft invalidated the small percentage of tokens that had been exposed in its logs. That invalidation was surfaced to customers as "leaked credentials" risk detections in Entra ID Protection, and in tenants whose Conditional Access or Identity Protection policies act on user risk, those detections are what locked the affected accounts out.
2. **Impact on Organizations**: Affected organizations saw a sudden surge of leaked credential alerts, followed by lockouts of the corresponding user accounts in their Microsoft Entra ID (formerly Azure Active Directory) tenants.
3. **Administrative Challenges**: Administrators reported no signs of actual compromise: no unexpected sign-ins, new locations, or other indicators accompanied the alerts, and only a fraction of user accounts were affected. Even so, the unexplained wave of risk detections and account blocks caused significant confusion and concern until Microsoft explained the cause.
4. **Microsoft's Response**: Microsoft acknowledged the issue, advised affected organizations to monitor their Entra environments closely, and provided guidance on mitigating the lockouts. It also stated that it is working to prevent similar incidents in the future. For administrators, the practical task is to confirm that each leaked credential detection in the incident window is not backed by any anomalous sign-in activity before dismissing the user's risk and restoring access; a detection outside the window, or one that coincides with unfamiliar sign-ins, still deserves normal incident handling.
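The triage described above, as an added example that is not part of the original article and not Microsoft's code: it takes risk detections and sign-in records in the shape of the Microsoft Graph `riskDetections` and `signIns` resources (here constructed inline with invented users, IDs and IP addresses), keeps only `leakedCredentials` detections that fall inside the window Microsoft named, and separates users with no unusual sign-ins (safe to dismiss in bulk via `POST /identityProtection/riskyUsers/dismiss`) from users whose detection coincides with a sign-in from an unknown IP or country (held for manual review). The known-egress IP list and known-country set are assumptions standing in for whatever baseline a tenant actually has.

```python
"""Triage Entra ID Protection 'leakedCredentials' detections against the
April 20, 2025 logging-error window.

Added example; not from the original article or from Microsoft. The
records below are constructed to mimic Graph riskDetection / signIn objects
(a subset of their fields); all users, IDs and IPs are invented.
"""
from datetime import datetime, timedelta, timezone

# Window Microsoft gave for the logging error: 20 Apr 2025, 04:00-09:00 UTC.
WINDOW_START = datetime(2025, 4, 20, 4, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 4, 20, 9, 0, tzinfo=timezone.utc)
# Look at sign-ins this far either side of the window when checking for anomalies.
SIGNIN_SLACK = timedelta(hours=24)

# Constructed sample risk detections (shape follows Graph riskDetection).
RISK_DETECTIONS = [
    {"id": "rd-1", "userId": "u1", "userPrincipalName": "alice@contoso.example",
     "riskEventType": "leakedCredentials", "riskState": "atRisk",
     "detectedDateTime": "2025-04-20T05:12:44Z"},
    {"id": "rd-2", "userId": "u2", "userPrincipalName": "bob@contoso.example",
     "riskEventType": "leakedCredentials", "riskState": "atRisk",
     "detectedDateTime": "2025-04-20T07:30:01Z"},
    {"id": "rd-3", "userId": "u3", "userPrincipalName": "carol@contoso.example",
     "riskEventType": "leakedCredentials", "riskState": "atRisk",
     "detectedDateTime": "2025-04-21T13:02:10Z"},   # outside the window: real lead
    {"id": "rd-4", "userId": "u4", "userPrincipalName": "dave@contoso.example",
     "riskEventType": "unfamiliarFeatures", "riskState": "atRisk",
     "detectedDateTime": "2025-04-20T06:00:00Z"},   # different detection type
]

# Constructed sample sign-ins (shape follows Graph signIn). Bob has a sign-in
# from an IP and country the tenant has never seen, so he is not bulk-dismissed.
SIGN_INS = [
    {"userId": "u1", "createdDateTime": "2025-04-20T08:10:00Z",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "status": {"errorCode": 0}},
    {"userId": "u2", "createdDateTime": "2025-04-20T06:45:00Z",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "RU"},
     "status": {"errorCode": 0}},
]

# Assumed tenant baseline (hypothetical): corporate egress IPs and usual countries.
KNOWN_EGRESS_IPS = {"203.0.113.10", "203.0.113.11"}
KNOWN_COUNTRIES = {"US"}


def parse_ts(value: str) -> datetime:
    """Parse a Graph ISO-8601 UTC timestamp such as '2025-04-20T05:12:44Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def anomalous_sign_ins(user_id, sign_ins, known_ips, known_countries):
    """Successful sign-ins near the window from an IP or country outside the baseline."""
    hits = []
    for s in sign_ins:
        if s["userId"] != user_id or s["status"].get("errorCode", 0) != 0:
            continue
        when = parse_ts(s["createdDateTime"])
        if not (WINDOW_START - SIGNIN_SLACK <= when <= WINDOW_END + SIGNIN_SLACK):
            continue
        country = (s.get("location") or {}).get("countryOrRegion")
        if s["ipAddress"] not in known_ips or country not in known_countries:
            hits.append(s)
    return hits


def triage(detections, sign_ins, known_ips=KNOWN_EGRESS_IPS,
           known_countries=KNOWN_COUNTRIES):
    """Split detections into bulk-dismiss candidates, manual review, and unrelated."""
    result = {"dismiss": [], "review": [], "unrelated": []}
    for d in detections:
        in_window = WINDOW_START <= parse_ts(d["detectedDateTime"]) <= WINDOW_END
        if d["riskEventType"] != "leakedCredentials" or d["riskState"] != "atRisk" or not in_window:
            result["unrelated"].append(d["id"])   # handle under the normal IR process
            continue
        if anomalous_sign_ins(d["userId"], sign_ins, known_ips, known_countries):
            result["review"].append(d["userId"])
        else:
            result["dismiss"].append(d["userId"])
    return result


def dismiss_request_body(user_ids):
    """Body for POST https://graph.microsoft.com/v1.0/identityProtection/riskyUsers/dismiss."""
    return {"userIds": list(user_ids)}


if __name__ == "__main__":
    outcome = triage(RISK_DETECTIONS, SIGN_INS)
    print("dismiss:", outcome["dismiss"])
    print("review :", outcome["review"])
    print("unrelated detections:", outcome["unrelated"])
    print("dismiss body:", dismiss_request_body(outcome["dismiss"]))
```

Run against a real tenant, the detection and sign-in lists would come from `GET /identityProtection/riskDetections?$filter=riskEventType eq 'leakedCredentials'` and `GET /auditLogs/signIns` for the same period; the dismiss body is deliberately only built, not sent, so that a human confirms the list before risk is cleared.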
In conclusion, the widespread Microsoft Entra lockouts were initially linked to a new security feature rollout, specifically the MACE Credential Revocation feature, but Microsoft has confirmed that the root cause was an internal logging issue. Refresh tokens exposed in those logs were invalidated as a precaution, the invalidation surfaced as leaked credential alerts, and those alerts produced the lockouts. Microsoft has taken steps to address the issue and says it is working to prevent similar incidents in the future.