Full Report
Microsoft confirms that the weekend Entra account lockouts were caused by the invalidation of short-lived user refresh tokens that were mistakenly logged into internal systems. [...]
Analysis Summary
# Incident Report: Widespread Microsoft Entra Account Lockouts Due to Internal Logging Error
## Executive Summary
A significant operational incident occurred when Microsoft mistakenly logged live, short-lived user refresh tokens instead of just metadata for a subset of users within Microsoft Entra. The subsequent necessary procedure to invalidate these mistakenly logged tokens inadvertently triggered widespread security alerts, causing automated account lockouts across numerous organizations on Saturday morning. The impact was primarily operational disruption, resolved by users confirming their safety status within Entra ID Protection to restore access.
## Incident Details
- **Discovery Date:** April 20, 2025 (Saturday morning UTC, alerts sent between 4 AM and 9 AM UTC)
- **Incident Date:** April 18, 2025 (When the internal logging began)
- **Affected Organization:** Microsoft (Reported by numerous customer organizations)
- **Sector:** Technology/Cloud Services (Identity Management)
- **Geography:** Global (Affecting Entra ID customers worldwide)
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to Friday, April 18, 2025
- **Vector:** Internal system error/Misconfiguration during feature rollout.
- **Details:** Microsoft internally logged a subset of short-lived user refresh tokens for a small percentage of users, deviating from the standard practice of only logging metadata.
### Lateral Movement
- **Details:** Not applicable. This was an internal operational mishap, not a traditional external attack involving lateral movement.
### Data Exfiltration/Impact
- **Details:** User access disruption due to automatic account lockouts triggered by the platform's security mechanism reacting to the token invalidation process. No indication of unauthorized access to the tokens was found at the time of advisory.
### Detection & Response
- **How it was discovered:** Numerous organizations reported receiving Microsoft Entra alerts indicating leaked credentials tied to the automatic account lockouts occurring Saturday morning.
- **Response actions taken:**
1. The internal logging issue was immediately corrected.
2. A procedure was initiated to invalidate the mistakenly logged tokens to protect customer security.
3. This invalidation process inadvertently generated Entra ID Protection alerts flagging potential compromise.
4. Affected customers were advised to use the "Confirm User Safe" feedback option in Entra ID Protection to restore account access.
## Attack Methodology
*Note: This was an internal process failure masquerading as a security incident alerting mechanism.*
- **Initial Access:** N/A (Internal logging procedure error)
- **Persistence:** N/A
- **Privilege Escalation:** N/A
- **Defense Evasion:** N/A
- **Credential Access:** N/A (Actual credentials were not reported stolen, though refresh tokens were logged)
- **Discovery:** N/A
- **Lateral Movement:** N/A
- **Collection:** Internal logging systems mistakenly collected live user refresh tokens instead of metadata.
- **Exfiltration:** N/A
- **Impact:** The token invalidation process triggered platform security features causing automated lockouts.
## Impact Assessment
- **Financial:** Not disclosed, but likely involved internal staffing costs for both Microsoft and affected customers managing the resulting service disruption.
- **Data Breach:** No confirmed unauthorized access to the tokens was reported. Compromised artifact was the logging of **short-lived user refresh tokens**.
- **Operational:** Significant widespread organizational disruption due to unexpected and mass automatic account lockouts synchronized over a five-hour window (4 AM UTC to 9 AM UTC on 4/20/25).
- **Reputational:** Initial confusion as customers attributed the issue to the rollout of "MACE Credential Revocation."
## Indicators of Compromise
*Since this was an internal logging error, traditional IoCs are not clearly defined for external compromise, focusing instead on event indicators:*
- **Network indicators (Defanged):** N/A
- **File indicators:** N/A
- **Behavioral indicators:** Mass, unexpected lockouts in Microsoft Entra ID Protection alerts around April 20, 2025, 4:00 AM UTC to 9:00 AM UTC.
## Response Actions
- **Containment measures:** Immediate correction of the internal logging process.
- **Eradication steps:** Execution of a procedure to invalidate the tokens that had been mistakenly logged.
- **Recovery actions:** End-users/admins confirming users as "Safe" via the Entra ID Protection portal to reinstate access.
## Lessons Learned
- The automated security response mechanism (ID Protection) was highly sensitive to legitimate platform token revocation actions, leading to widespread false-positive lockdowns.
- Processes involving logging sensitive artifacts like user refresh tokens must undergo rigorous validation before production deployment to ensure adherence to specified logging scopes (metadata only).
## Recommendations
- Develop clearer, distinct alerting mechanisms for administrative actions (like necessary token invalidation) versus true external compromise events to prevent mass operational disruption.
- Implement robust pre-deployment testing for security feature rollouts, specifically ensuring that data handling (logging and subsequent invalidation) aligns with security policy expectations.
- Establish a faster internal communication channel to proactively notify administrators globally when platform failures trigger widespread security alerts.