Microsoft Entra account lockouts caused by user token logging mishap

Microsoft confirms that the weekend Entra account lockouts were caused by the invalidation of short-lived user refresh tokens that were mistakenly logged into internal systems. On Saturday morning, numerous organizations reported that they began receiving Microsoft Entra alerts that accounts had leaked credentials, causing the accounts to be locked out automatically. Impacted customers initially thought the account lockouts were tied to the rollout of a new enterprise application called "MACE Credential Revocation," installed minutes before the alerts were issued. However, an admin for one of the impacted organizations shared an advisory sent by Microsoft stating that the issue was caused by the company mistakenly logging the impacted account's user refresh tokens rather than just their metadata. After realizing they logged actual account tokens, they began invalidating them, which accidentally generated the alerts and lockouts. "On Friday 4/18/25, Microsoft identified that it was ... Read full article.