Microsoft Entra account lockouts caused by user token logging mishap

However, an admin for one of the impacted organizations shared an advisory sent by Microsoft stating that the issue was caused by the company mistakenly logging the impacted account's user refresh tokens rather than just their metadata. "On Friday 4/18/25, Microsoft identified that it was internally logging a subset of short-lived user refresh tokens for a small percentage of users, whereas our standard logging process is to only log metadata about such tokens," reads an advisory from Microsoft posted on Reddit. Microsoft confirms that the weekend Entra account lockouts were caused by the invalidation of short-lived user refresh tokens that were mistakenly logged into internal systems. Microsoft says impacted customers can give the "Confirm User Safe" feedback in Microsoft Entra for the flagged user to restore access to their accounts. Impacted customers initially thought the account lockouts were tied to the rollout of a new enterprise application called "MACE Credential Revocation," installed minutes before the alerts were issued. On Saturday morning, numerous organizations reported that they began receiving Microsoft Entra alerts that accounts had leaked credentials, causing the accounts to be locked out automatically.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 21 Apr 2025 16:30:05 +0000

Cyber News related to Microsoft Entra account lockouts caused by user token logging mishap

Microsoft Incident Response lessons on preventing cloud identity compromise - Microsoft Incident Response is often engaged in cases where organizations have lost control of their Microsoft Entra ID tenant, due to a combination of misconfiguration, administrative oversight, exclusions to security policies, or insufficient ...
1 year ago Microsoft.com

How to manage a migration to Microsoft Entra ID - Microsoft Entra ID, formerly Azure Active Directory, is not a direct replacement for on-premises Active Directory due to feature gaps and alternative ways to perform similar identity and access management tasks. For some organizations, a move to ...
1 year ago Techtarget.com

How to secure on-prem apps with Entra Application Proxy - If your internal web applications are still internet-facing, then it's time to move away from turning your firewall into Swiss cheese just to externalize apps for your users. To reduce the attack surface, a traditional method, such as a VPN, has its ...
1 year ago Techtarget.com

New Microsoft Incident Response guides help security teams analyze suspicious activity - Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for ...
1 year ago Microsoft.com

Microsoft Entra account lockouts caused by user token logging mishap - However, an admin for one of the impacted organizations shared an advisory sent by Microsoft stating that the issue was caused by the company mistakenly logging the impacted account's user refresh tokens rather than just their metadata. "On Friday ...
2 months ago Bleepingcomputer.com

Microsoft Addresses Entra ID Token Logging Issue, Alerts to Protect Users - Microsoft has acknowledged a recent issue that triggered widespread alerts in its Entra ID Protection system, flagging user accounts as high risk due to supposed credential leaks on the dark web. The alerts have been attributed to a combination of an ...
2 months ago Cybersecuritynews.com

Widespread Microsoft Entra lockouts tied to new security feature rollout - In a Reddit thread posted early this morning, Windows admins reported receiving multiple alerts from Entra indicating that some of their user accounts had been found with credentials leaked on the dark web or other locations. Windows administrators ...
2 months ago Bleepingcomputer.com

Microsoft Breach - How Can I See This In BloodHound? - On January 25, 2024, Microsoft announced Russia's foreign intelligence service breached their corporate EntraID environment. We reviewed the information Microsoft's team provided in their post which contained details significant enough to explain ...
1 year ago Securityboulevard.com

Microsoft fixes Entra ID authentication issue caused by DNS change - "Between 17:18 UTC and 18:35 UTC on 25 February 2025, customers attempting to authenticate with Microsoft Entra ID using the Seamless SSO and Microsoft Entra Connect Sync features may have experienced DNS resolution failures when trying to access ...
3 months ago Bleepingcomputer.com

Iranian Hackers Developed a New Backdoor to Hack Windows - Peach Sandstorm, an Iranian Hackers group, targets diverse sectors globally, and this group is linked to:-. Using password spray campaigns, Peach Sandstorm exhibits opportunistic behavior, with a history of relying on this tactic. This custom ...
1 year ago Cybersecuritynews.com

5 ways to secure identity and access for 2024 - 1 This increase is due in part to the rise of generative AI and large language models, which bring new opportunities and challenges for security professionals while affecting what we must do to secure access effectively. Learn how unified multicloud ...
1 year ago Microsoft.com

From Implicit to Authorization Code With PKCE, BFF - Lack of Refresh Token Support occurs when there are no refresh tokens, and frequent requests for new tokens are necessary, increasing the chances of token leakage and misuse. The Implicit Flow had several security vulnerabilities, such as token ...
11 months ago Feeds.dzone.com

Crypto Deception Unveiled: Check Point Research Reports Manipulation of Pool Liquidity Skyrockets Token Price by 22,000% - Deceptive actors are manipulating pool liquidity, sending token prices soaring by a shocking 22,000%. 80,000 Heist Unveiled: The manipulation of pool liquidity resulted in a swift and calculated theft of $80,000 from unsuspecting token holders. Check ...
1 year ago Blog.checkpoint.com

Microsoft Boosts MSA Signing Service Security on Azure Following Storm-0558 Breach - “We have applied new defense-in-depth protections, migrated the Microsoft Account (MSA) signing service to run on Azure confidential VMs, and we are migrating the Entra ID signing service to Azure confidential VMs,” states the report, ...
2 months ago Cybersecuritynews.com

How Strata Identity and Microsoft Entra ID solve identity challenges in mergers and acquisitions - In particular, there is an immediate and profound impact on the identity and access management postures of both companies. While most combined organizations aspire to eventually consolidate their identity systems, this is a challenging and ...
1 year ago Microsoft.com

Microsoft will roll out MFA-enforcing policies for admin portal access - Microsoft will soon start rolling out Conditional Access policies requiring multifactor authentication from administrators when signing into Microsoft admin portals such as Microsoft Entra, Microsoft 365, Exchange, and Azure. The company will also ...
1 year ago Bleepingcomputer.com

Microsoft Entra ID DNS Resolution Failures Results in Authentication Issues - Organizations should configure Azure Service Health alerts for real-time incident updates and review filtering rules in Entra Connect Sync to minimize blast radius during future outages. This domain facilitates the silent Kerberos ticket exchange ...
3 months ago Cybersecuritynews.com

CISA orders agencies impacted by Microsoft hack to mitigate risks - CISA has issued a new emergency directive ordering U.S. federal agencies to address risks resulting from the breach of multiple Microsoft corporate email accounts by the Russian APT29 hacking group. It requires them to investigate potentially ...
1 year ago Bleepingcomputer.com APT29

CVE-2023-50713 - Speckle Server provides server, frontend, 3D viewer, and other JavaScript utilities for the Speckle 3D data platform. A vulnerability in versions prior to 2.17.6 affects users who: authorized an application which requested a 'token write' scope or, ...
1 year ago Tenable.com

Incident Response Teams Call For Unified Logging Standards In Breach Scenarios - In today’s rapidly evolving cybersecurity landscape, incident response teams are increasingly advocating for unified logging standards to effectively combat security breaches. When selecting logs for security incident response, organizations ...
2 months ago Cybersecuritynews.com

Hackers Abuse OAuth Applications to Automated Finacial Attacks - OAuth is an industry-standard protocol that allows third-party applications to access a user's data without exposing login credentials. This standard protocol facilitates secure authorization and authentication, commonly used to access resources on ...
1 year ago Cybersecuritynews.com

Microsoft links recent Microsoft 365 outage to buggy update - While Microsoft resolved the Microsoft 365 authentication problems over the weekend, another advisory published on the admin center states that Exchange Online users still have issues accessing their calendar entries and email messages using the iOS ...
3 months ago Bleepingcomputer.com

Microsoft: Hackers steal emails in device code phishing attacks - "The invitations lure the user into completing a device code authentication request emulating the experience of the messaging service, which provides Storm-2372 initial access to victim accounts and enables Graph API data collection activities, such ...
4 months ago Bleepingcomputer.com

CVE-2025-49012 - Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Himmelblau versions 0.9.0 through 0.9.14 and 1.00-alpha are vulnerable to a privilege escalation issue when Entra ID group-based access restrictions are configured using ...
2 weeks ago

CSO's Guide: Water-Tight Account Security For Your Company - In today's escalating threat landscape, account takeover and credential compromise remain top attack vectors for data breaches. CSOs must mandate and implement robust account security to protect critical assets. This comprehensive guide examines ...
1 year ago Securityboulevard.com