On or around April 19, 2025, numerous organizations experienced significant disruptions as their users were unexpectedly locked out of Microsoft Entra ID accounts. These lockouts were accompanied by alerts flagging users as "high risk" due to "leaked credentials". Community reports and subsequent investigations by third parties quickly associated these events with the appearance and activation of a new Microsoft Entra Enterprise Application named "MACE Credential Revocation". Affected administrators often reported observing Error Code 53003, indicating blockage by Conditional Access policies, apparently triggered by the risk elevation from the MACE feature.
Like many of you, our MSSP team at Helient Technologies actively monitored the situation, and we noted that some of the most immediate information was being shared within the broader IT community, specifically on platforms like Reddit.com, and windowsforum.com, bleepingcomputer.com and derdecker.at.
What We Understand About the Situation:
Based on our observations and emerging information, the impact appeared to be widespread, affecting a diverse range of tenants:
- Tenant Size: Both large and small organizations have reported issues.
- Management Type: This includes tenants managed by partners like us and those with direct Microsoft subscriptions.
- Geographic Location: Reports are coming in from tenants across the globe.
- Subscription Type: Users with various Microsoft 365 licenses, from Business Basic to E5, have been affected.
- Conditional Access: Both tenants with and without Conditional Access policies in place have experienced this.
Helient's analysis of the available information, drawn from official Microsoft channels and third-party technical reporting sources, yields the following key findings:
- Widespread "user high risk" alerts and associated account lockouts impacting numerous organizations utilizing Microsoft Entra ID did occur on or around April 19, 2025.
- Multiple independent technical reports and administrator accounts attribute this incident directly to the rollout of a new Microsoft Entra ID security feature, an Enterprise Application identified as "MACE Credential Revocation". This application appears to have generated a high volume of false positive "leaked credential" detections.
- These false positive risk detections subsequently triggered pre-existing Conditional Access policies within affected tenants, leading to account lockouts. Sign-in attempts during this period often resulted in Error Code 53003, which signifies blockage by a Conditional Access policy.
- A review of the provided information from official Microsoft Azure status pages, the Microsoft Security Response Center (MSRC), and relevant Microsoft blogs and documentation did not yield any evidence corroborating the specific hypothesis that the incident stemmed from internal logging and subsequent invalidation of user refresh tokens; we continue to investigate and analyze official channels for more information.
How to Identify if Your Tenant Was Affected:
While we await official confirmation and a full explanation from Microsoft, here are the indicators we've seen:
- Elevated User Risk: Check your Microsoft Entra admin center under Entra ID – Identity – Protection – Risky activities – Risky Users. Look for users with a "High Risk" status that was assigned on the morning of April 19th, 2025, accompanied by the warning: "User credentials leaked."
- Unexpected Enterprise Application: An Enterprise Application named MACE Credential Revocation may have been added to affected tenants. To check for this, navigate to Entra ID – Identity – Applications – Enterprise Applications and ensure you've removed any filters, especially the default "application type == Enterprise Applications" filter, before searching.
Recommended Next Steps for Our Customers:
Microsoft has provided the following immediate actions:
Staying Informed:
We strongly recommend that you take the following steps to stay updated on this and any future Azure service issues:
- Configure Azure Service Health Alerts: Helient can assist you with setting up alerts to receive notifications via email, SMS, push notifications, webhooks, and more for service issues, planned maintenance, and health advisories.
- Review Azure Service Health: Regularly check the Azure Service Health dashboard for a personalized view of potentially impacted Azure resources, downloadable Issue Summaries, and engineering updates: https://azure.status.microsoft/en-us/status.
- Reach out to Helient's support team for more information, reach us at service@helient.com
Our Commitment to You:
At Helient Technologies, we understand the critical importance of stable and secure Microsoft environments. We are actively monitoring this situation and will continue to provide updates as we receive more official information from Microsoft. Our Helient Managed Services and Helient Professional Services support teams are ready to assist you in identifying and mitigating any impact on your environment. Please don't hesitate to reach out to us at service@heient.com any concerns or require assistance.
3 minute read
