
New Security Feature Causes Extensive Microsoft Entra Lockouts

Windows administrators across various organizations are experiencing widespread account lockouts due to false positives from the newly rolled out “leaked credentials” detection app, MACE, in Microsoft Entra ID. These alerts and lockouts started last night, with some admins suspecting false positives since the affected accounts have unique passwords not used elsewhere.

Early this morning, a Reddit thread revealed that Windows administrators were receiving numerous alerts from Entra, indicating that some user accounts had credentials leaked on the dark web or other sources.

These accounts were automatically locked out of the tenant, with numerous users impacted per organization. The locked-out accounts showed no signs of compromise, such as suspicious sign-ins, and were protected with MFA. Additionally, breach notification services like Have I Been Pwned (HIBP) found no matches for these accounts.

A Reddit report further confirmed the widespread nature of the issue, with an MDR provider stating they received over 20,000 notifications from Microsoft overnight regarding leaked credentials from various customers.

Although Microsoft has not publicly confirmed the cause of these lockouts, it informed one affected organization that the issue stemmed from the rollout of a new Enterprise application called “MACE Credential Revocation.”

“Just spoke with an engineer. The issue is a Tenant Lockout caused by the MACE rollout. There are no signs of compromise. He needs an hour to change the ticket from compromise to lockout, but we can breathe a sigh of relief. The error code was 53003 for the conditional access policy,” an admin shared on Reddit.

Several users confirmed that this application was added to tenants just before the alerts started.

The MACE Credential Revocation app is a Microsoft Entra feature designed to detect leaked credentials and lock out potentially compromised accounts.
