Microsoft Addresses Entra ID Token Logging Issue, Alerts to Protect Users

Microsoft has acknowledged a recent issue that triggered widespread alerts in its Entra ID Protection system, flagging user accounts as high risk due to supposed credential leaks on the dark web. The alerts have been attributed to a combination of an internal token logging error and the rollout of a new security feature called MACE Credential Revocation, causing confusion among system administrators globally. One user remarked, “Microsoft rolled out a new dark web credential detection app called MACE this Easter weekend, which promptly ruined my Saturday with its false alarm on my primary M365/Entra ID account.” Another post highlighted the scale, noting an MDR provider received over 20,000 notifications overnight. Microsoft has advised affected customers to use the “Confirm User Safe” feature in Entra ID Protection to resolve erroneous high-risk flags, as detailed in its documentation. Administrators can also review sign-in logs in the Microsoft Entra admin center under Monitoring & Health for error codes like AADSTS50053, which indicate account lockouts. Compounding the issue, Microsoft rolled out a new security feature, MACE Credential Revocation, over the same weekend. Microsoft is conducting a Post Incident Review (PIR) to investigate both the token logging issue and the MACE rollout’s false positives. Social media posts and online forums, including Reddit, have reported similar experiences, with some administrators noting that even passwordless accounts were affected, suggesting the alerts were erroneous. Microsoft’s swift acknowledgment and corrective actions demonstrate its commitment to user security, but the false positives have highlighted the challenges of rolling out new security features at scale. The user noted that the accounts showed no matches on Have I Been Pwned (HIBP), raising suspicions of a Microsoft error. Microsoft identified that it was inadvertently logging a subset of short-lived user refresh tokens for a small percentage of users, contrary to its standard practice of only logging metadata. Microsoft has stated there is no evidence of unauthorized access to these tokens, but it will follow standard security incident response protocols if any is detected. Additionally, Microsoft recommends resetting passwords for locked accounts and ensuring MFA is enabled, though many affected accounts already had these measures in place. Confirm User Safe: Use the Entra ID Protection admin feature to clear false high-risk flags. However, the rollout led to widespread false positives, with accounts being flagged as high risk despite having strong, unique passwords and multi-factor authentication (MFA) enabled. However, this invalidation process unintentionally generated alerts in Entra ID Protection between 4:00 AM and 9:00 AM UTC on April 20, 2025, indicating that users’ credentials may have been compromised.

This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 21 Apr 2025 19:10:16 +0000


Cyber News related to Microsoft Addresses Entra ID Token Logging Issue, Alerts to Protect Users

Microsoft Incident Response lessons on preventing cloud identity compromise - Microsoft Incident Response is often engaged in cases where organizations have lost control of their Microsoft Entra ID tenant, due to a combination of misconfiguration, administrative oversight, exclusions to security policies, or insufficient ...
1 year ago Microsoft.com
How to manage a migration to Microsoft Entra ID - Microsoft Entra ID, formerly Azure Active Directory, is not a direct replacement for on-premises Active Directory due to feature gaps and alternative ways to perform similar identity and access management tasks. For some organizations, a move to ...
1 year ago Techtarget.com
How to secure on-prem apps with Entra Application Proxy - If your internal web applications are still internet-facing, then it's time to move away from turning your firewall into Swiss cheese just to externalize apps for your users. To reduce the attack surface, a traditional method, such as a VPN, has its ...
1 year ago Techtarget.com
New Microsoft Incident Response guides help security teams analyze suspicious activity - Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for ...
1 year ago Microsoft.com
Microsoft Addresses Entra ID Token Logging Issue, Alerts to Protect Users - Microsoft has acknowledged a recent issue that triggered widespread alerts in its Entra ID Protection system, flagging user accounts as high risk due to supposed credential leaks on the dark web. The alerts have been attributed to a combination of an ...
1 month ago Cybersecuritynews.com
Microsoft Breach - How Can I See This In BloodHound? - On January 25, 2024, Microsoft announced Russia's foreign intelligence service breached their corporate EntraID environment. We reviewed the information Microsoft's team provided in their post which contained details significant enough to explain ...
1 year ago Securityboulevard.com
How To Prioritize Threat Intelligence Alerts In A High-Volume SOC - This article explores practical strategies and frameworks for prioritizing threat intelligence alerts in high-volume SOC environments, helping security teams focus on what matters most while reducing alert fatigue and improving overall security ...
1 month ago Cybersecuritynews.com
Microsoft Entra account lockouts caused by user token logging mishap - However, an admin for one of the impacted organizations shared an advisory sent by Microsoft stating that the issue was caused by the company mistakenly logging the impacted account's user refresh tokens rather than just their metadata. "On Friday ...
1 month ago Bleepingcomputer.com
Iranian Hackers Developed a New Backdoor to Hack Windows - Peach Sandstorm, an Iranian Hackers group, targets diverse sectors globally, and this group is linked to:-. Using password spray campaigns, Peach Sandstorm exhibits opportunistic behavior, with a history of relying on this tactic. This custom ...
1 year ago Cybersecuritynews.com
Widespread Microsoft Entra lockouts tied to new security feature rollout - In a Reddit thread posted early this morning, Windows admins reported receiving multiple alerts from Entra indicating that some of their user accounts had been found with credentials leaked on the dark web or other locations. Windows administrators ...
1 month ago Bleepingcomputer.com
5 ways to secure identity and access for 2024 - 1 This increase is due in part to the rise of generative AI and large language models, which bring new opportunities and challenges for security professionals while affecting what we must do to secure access effectively. Learn how unified multicloud ...
1 year ago Microsoft.com
From Implicit to Authorization Code With PKCE, BFF - Lack of Refresh Token Support occurs when there are no refresh tokens, and frequent requests for new tokens are necessary, increasing the chances of token leakage and misuse. The Implicit Flow had several security vulnerabilities, such as token ...
11 months ago Feeds.dzone.com
Microsoft fixes Entra ID authentication issue caused by DNS change - "Between 17:18 UTC and 18:35 UTC on 25 February 2025, customers attempting to authenticate with Microsoft Entra ID using the Seamless SSO and Microsoft Entra Connect Sync features may have experienced DNS resolution failures when trying to access ...
3 months ago Bleepingcomputer.com
Crypto Deception Unveiled: Check Point Research Reports Manipulation of Pool Liquidity Skyrockets Token Price by 22,000% - Deceptive actors are manipulating pool liquidity, sending token prices soaring by a shocking 22,000%. 80,000 Heist Unveiled: The manipulation of pool liquidity resulted in a swift and calculated theft of $80,000 from unsuspecting token holders. Check ...
1 year ago Blog.checkpoint.com
15 PostgreSQL Monitoring Tools - 2025 - What is Good?What Could Be Better?Monitoring application performance, user experience, and errors.Some users find the pricing high, especially for larger environments.Continuous server, database, and infrastructure monitoring.The extensive feature ...
4 weeks ago Cybersecuritynews.com
Microsoft Boosts MSA Signing Service Security on Azure Following Storm-0558 Breach - “We have applied new defense-in-depth protections, migrated the Microsoft Account (MSA) signing service to run on Azure confidential VMs, and we are migrating the Entra ID signing service to Azure confidential VMs,” states the report, ...
1 month ago Cybersecuritynews.com
How Data Ingestion Works in SOAR - SOAR tools work as consolidation platforms for security alerts and incident response. Endpoint security tools, network security tools, email systems, and other tools collect logs, run detection rules and generate alerts. SOAR then ingests those ...
1 year ago Securityboulevard.com
Microsoft Entra ID DNS Resolution Failures Results in Authentication Issues - Organizations should configure Azure Service Health alerts for real-time incident updates and review filtering rules in Entra Connect Sync to minimize blast radius during future outages. This domain facilitates the silent Kerberos ticket exchange ...
3 months ago Cybersecuritynews.com
How Strata Identity and Microsoft Entra ID solve identity challenges in mergers and acquisitions - In particular, there is an immediate and profound impact on the identity and access management postures of both companies. While most combined organizations aspire to eventually consolidate their identity systems, this is a challenging and ...
1 year ago Microsoft.com
Microsoft will roll out MFA-enforcing policies for admin portal access - Microsoft will soon start rolling out Conditional Access policies requiring multifactor authentication from administrators when signing into Microsoft admin portals such as Microsoft Entra, Microsoft 365, Exchange, and Azure. The company will also ...
1 year ago Bleepingcomputer.com
Incident Response Teams Call For Unified Logging Standards In Breach Scenarios - In today’s rapidly evolving cybersecurity landscape, incident response teams are increasingly advocating for unified logging standards to effectively combat security breaches. When selecting logs for security incident response, organizations ...
1 month ago Cybersecuritynews.com
Microsoft Security Copilot improves speed and efficiency for security and IT teams - First announced in March 2023, Microsoft Security Copilot-Microsoft's first generative AI security product-has sparked major interest. With the rapid innovations of Security Copilot, we have taken this solution beyond security operations use cases ...
1 year ago Microsoft.com
CISA Warns of Compromised Microsoft Accounts - CISA issued a fresh CISA emergency directive in early April instructing U.S. federal agencies to mitigate risks stemming from the breach of numerous Microsoft corporate email accounts by the Russian APT29 hacking group. The directive is known as ...
1 year ago Securityboulevard.com APT29
How To Deploy HYAS Protect - HYAS Protect is an intelligent, cloud-based protective DNS solution that proactively detects and blocks communication with command and control infrastructure used in malware attacks. HYAS Protect also blocks communication with a host of other ...
1 year ago Securityboulevard.com
Microsoft: Hackers steal emails in device code phishing attacks - "The invitations lure the user into completing a device code authentication request emulating the experience of the messaging service, which provides Storm-2372 initial access to victim accounts and enables Graph API data collection activities, such ...
3 months ago Bleepingcomputer.com