Widespread Microsoft Entra Lockouts Tied to New Security Feature Rollout

Introduction

On April 19, 2025, numerous organizations experienced unexpected user lockouts from Microsoft Entra ID accounts. These incidents were linked to the rollout of a new security feature: the MACE Credential Revocation app.

What Happened?

The MACE (Microsoft Automated Credential Evaluation) app was designed to enhance security by detecting and revoking potentially compromised credentials. However, its deployment resulted in false positives, marking legitimate user credentials as leaked and triggering automatic account lockouts across various organizations.

The Cause

Microsoft confirmed that the issue stemmed from short-lived user refresh tokens being inadvertently logged in its systems. After discovering this, Microsoft invalidated the tokens to protect customers, and that invalidation generated alerts in Entra ID Protection indicating potential credential compromise.

Impact on Organizations

The lockouts affected a diverse range of tenants, regardless of size, management type, geographic location, or subscription type. Users encountered Error Code 53003, which indicates that the sign-in was blocked by Conditional Access policies, triggered here by the elevated risk status from the MACE feature.

Microsoft's Response

Microsoft issued an advisory acknowledging the issue and recommended that administrators use the “Confirm User Safe” feature within the Entra ID Protection portal to restore access for affected users.

Recommendations for Administrators

Review Risky Users

Check the Microsoft Entra admin center for users flagged as "High Risk" due to "User credentials leaked."

Inspect Enterprise Applications

Look for the presence of the "MACE Credential Revocation" app in your tenant's Enterprise Applications list.

Monitor Conditional Access Policies

Ensure that your policies are appropriately configured to handle such incidents.
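
One way to work through the first recommendation on exported data, as an added example that is not from Microsoft or the original article: it lists users with a high-risk leaked-credentials detection on the incident date and counts their later sign-ins blocked with error 53003, giving a review list rather than a verdict. It assumes risk detections and sign-in logs exported as JSON with Microsoft Graph field names; the sample records, user names and the one-day window are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone
# Constructed sample exports (not real tenant data). Field names follow the
# Microsoft Graph riskDetection and signIn resources.
RISK_DETECTIONS = json.loads("""[
 {"userPrincipalName": "alice@example.test", "riskEventType": "leakedCredentials",
  "riskLevel": "high", "detectedDateTime": "2025-04-19T06:12:00Z"},
 {"userPrincipalName": "bob@example.test", "riskEventType": "leakedCredentials",
  "riskLevel": "high", "detectedDateTime": "2025-04-19T07:40:00Z"},
 {"userPrincipalName": "carol@example.test", "riskEventType": "unfamiliarFeatures",
  "riskLevel": "medium", "detectedDateTime": "2025-04-19T08:00:00Z"},
 {"userPrincipalName": "dave@example.test", "riskEventType": "leakedCredentials",
  "riskLevel": "high", "detectedDateTime": "2025-03-02T10:00:00Z"}]""")
SIGN_INS = json.loads("""[
 {"userPrincipalName": "alice@example.test", "createdDateTime": "2025-04-19T06:30:00Z", "status": {"errorCode": 53003}},
 {"userPrincipalName": "Alice@example.test", "createdDateTime": "2025-04-19T06:45:00Z", "status": {"errorCode": 53003}},
 {"userPrincipalName": "bob@example.test", "createdDateTime": "2025-04-19T08:00:00Z", "status": {"errorCode": 0}},
 {"userPrincipalName": "carol@example.test", "createdDateTime": "2025-04-19T08:10:00Z", "status": {"errorCode": 53003}},
 {"userPrincipalName": "dave@example.test", "createdDateTime": "2025-04-19T09:00:00Z", "status": {"errorCode": 53003}}]""")
INCIDENT_DAY = datetime(2025, 4, 19, tzinfo=timezone.utc)  # date given in the article

def parse_ts(value):  # Graph timestamps look like 2025-04-19T06:12:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(detections, sign_ins, start, window=timedelta(days=1)):
    """Map each user with a high-risk leakedCredentials detection inside the
    window to the first detection time and the count of later 53003 blocks."""
    report = {}
    for d in detections:
        ts = parse_ts(d["detectedDateTime"])
        if (d["riskEventType"] == "leakedCredentials" and d["riskLevel"] == "high"
                and start <= ts < start + window):
            upn = d["userPrincipalName"].lower()  # UPNs compare case-insensitively
            first = min(ts, report.get(upn, {}).get("detected", ts))
            report.setdefault(upn, {"blocked_sign_ins": 0})["detected"] = first
    for s in sign_ins:
        entry = report.get(s["userPrincipalName"].lower())
        if (entry and s["status"]["errorCode"] == 53003
                and parse_ts(s["createdDateTime"]) >= entry["detected"]):
            entry["blocked_sign_ins"] += 1
    return report

def run_sample():
    return triage(RISK_DETECTIONS, SIGN_INS, INCIDENT_DAY)

if __name__ == "__main__":
    for upn, info in sorted(run_sample().items()):
        print(upn, info["detected"].isoformat(), info["blocked_sign_ins"])
```

Users flagged outside the window (dave in the sample) are left out of the list on purpose, so an older leaked-credentials detection is not swept into the incident review.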

Conclusion

While the intention behind the MACE feature was to bolster security, its rollout underscores the importance of thorough testing and clear communication when deploying new security measures. Organizations are advised to stay informed about such updates and ensure their systems are prepared to handle unforeseen issues.