Microsoft Entra account lockouts caused by user token logging mishap

Microsoft confirms that the weekend Entra account lockouts were caused by the invalidation of short-lived user refresh tokens that were mistakenly logged into internal systems.

On Saturday morning, numerous organizations reported that they began receiving Microsoft Entra alerts that accounts had leaked credentials, causing the accounts to be locked out automatically.

Impacted customers initially thought the account lockouts were tied to the rollout of a new enterprise application called "MACE Credential Revocation," installed minutes before the alerts were issued.

However, an admin for one of the impacted organizations shared an advisory sent by Microsoft stating that the issue was caused by the company mistakenly logging the impacted account's user refresh tokens rather than just their metadata.

After realizing they logged actual account tokens, they began invalidating them, which accidentally generated the alerts and lockouts.

"On Friday 4/18/25, Microsoft identified that it was internally logging a subset of short-lived user refresh tokens for a small percentage of users, whereas our standard logging process is to only log metadata about such tokens," reads an advisory from Microsoft posted on Reddit.

"The internal logging issue was immediately corrected, and the team performed a procedure to invalidate these tokens to protect customers.  As part of the invalidation process, we inadvertently generated alerts in Entra ID Protection indicating the user's credentials may have been compromised."

"These alerts were sent between 4/20/25 4AM UTC and 4/20/25 9AM UTC. We have no indication of unauthorized access to these tokens – and if we determine there were any unauthorized access, we will invoke our standard security incident response and communication processes."

Microsoft says impacted customers can give the "Confirm User Safe" feedback in Microsoft Entra for the flagged user to restore access to their accounts.

The company says they will publish a Post Incident Review (PIR) after the investigation is finished, which will be shared with all impacted customers.

Microsoft shared the following statement regarding the incident.

"We inadvertently generated security alerts for customers and have mitigated the issue.  We sent a notification to all impacted customers and will continue to provide support as needed," Microsoft told BleepingComputer.