- Some Entra ID accounts were marked to have compromised credentials
- Seems it just was Microsoft “accidental generate[ing] [false] Alarms ”
- However, users got different explanations from Microsoft
Windows managers have reported mass account -Lockouts across different organizations following a Microsoft Entra ID update.
Many people believe that this was false positive things that were triggered in Entra ID’s new leaked credentials (a new feature called MACE credentials call) when affected accounts had unique and unused passwords.
A user sent to a Reddit wire that about half a dozen accounts had been blocked after the credentials were allegedly found on the dark web, but these users did not have much in common, which suggested it was not a targeted attack.
Entra ID may be marking fake positives
“There are no risky signins, no other risk lesson, everyone is MFA, it is literally the only thing that has appeared today, increasing the risk of these people from zero to high,” the Reddit user explained.
Under the original post, a number of comments from other system administrators who also experienced similar problems are with a user who shared a response from Microsoft that suggested that the accounts had been mistakenly marked:
“On Friday, 4/18/25, Microsoft identified that it logged a subgroup of short -term user update to a small percentage of users, while our standard logging process is only to log metadata on such tokens. The internal logging problem was immediately corrected and the team performed a procedure to raise these symbols to protect customers.”
The message sees Microsoft admit “unintentional generate[ing] Alarms in Entra ID protection ”of suspected compromised credentials between 04:00 UTC and 9 AM UTC on April 20.
Another user said they were quoted “Error code: 53003” for conditional access policy, while another was told it had to do with a power outage in their region – even if no power switch was reported or logged.
Techradar Pro Have asked Microsoft to clarify what happened this weekend and why users seem to have received different explanations. Any update will be published here.
