Los Angeles, CA – Windows administrators across various organizations are grappling with account lockouts following the rollout of Microsoft Entra ID’s new “leaked credentials” detection app called MACE. The false positives triggered by the app have caused confusion and frustration for admins who believe their accounts are secure with unique passwords not used elsewhere.
Microsoft Entra ID, formerly known as Azure Active Directory, offers cloud-based identity and access management services to help organizations secure user identities and resources. Reports on Reddit indicate that admins received alerts from Entra stating that some user accounts had been identified with leaked credentials from the dark web or other sources, leading to automatic lockouts within their organization’s tenant.
Accounts that were locked out showed no signs of compromise, such as suspicious activities or unauthorized sign-ins, and were even protected with multi-factor authentication. Despite checking with breach notification services like Have I Been Pwned (HIBP), no matches were found for these impacted accounts.
The widespread nature of these lockouts was further confirmed by reports from a managed detection and response provider, which received over 20,000 notifications from Microsoft overnight regarding leaked credentials across different customers. While Microsoft has not publicly addressed the cause of these lockouts, affected organizations were reportedly informed that they were due to issues with the rollout of the MACE Credential Revocation Enterprise application.
The MACE Credential Revocation app is a feature of Microsoft Entra designed to identify leaked credentials and lock out potentially compromised accounts. Although all alerts of leaked credentials should be investigated, the sudden influx of lockout notifications likely stemmed from the rollout of this new application.
Admins expressed relief upon learning the cause of the lockouts, as they were reassured that there were no signs of compromise and the issue could be resolved. Microsoft has been contacted for further clarification on the incident, but no response has been provided at this time. The situation serves as a reminder of the importance of thorough investigation and communication in the context of cybersecurity incidents to ensure the security and integrity of user accounts and data.