Technology

Microsoft's Weekend Chaos: Account Lockouts Triggered by Token Logging Blunder

2025-04-21

Author: Sophie

This past weekend, Microsoft caused a major headache for many organizations, which reported unexpected account lockouts in Microsoft Entra ID. The culprit: user refresh tokens that had mistakenly been written to Microsoft's internal logs.

Starting Saturday morning, a wave of Entra ID Protection alerts hit businesses, flagging accounts as having leaked credentials and automatically locking users out. Initial suspicions pointed toward a new enterprise application, "MACE Credential Revocation," which had been installed in tenants just moments before the alerts started to flood in.

However, an administrator at one of the affected organizations shed light on the true cause after receiving an advisory from Microsoft. The advisory clarified that the issue stemmed from a logging error: actual user refresh tokens had been written to logs instead of only the metadata associated with them.

In a statement posted on Reddit, Microsoft confirmed, "On Friday, we discovered that we were incorrectly logging short-lived user refresh tokens for a small subset of users. Typically, our logging process only includes metadata associated with these tokens." They emphasized that upon realizing the mistake, they took immediate action, leading to the invalidation of those tokens to safeguard their customers.

Invalidating the tokens in turn triggered alerts in Entra ID Protection, which flagged the affected accounts as having potentially compromised credentials. The alerts were sent between 4 AM and 9 AM UTC on April 20, 2025.

Microsoft reassured users, stating, "We have no evidence of unauthorized access to these tokens. Should we find any signs of breach, we will activate our standard security protocols to address the incident effectively."

To help affected users regain access, Microsoft advised that administrators can dismiss the flagged risk in Entra ID Protection by indicating that the user is safe. Furthermore, the company has pledged to publish a Post Incident Review (PIR) once its investigation wraps up, so that all impacted organizations receive comprehensive information.
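For administrators facing dozens of locked-out users, the "mark the user as safe" step above can be done in bulk with the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the article or from Microsoft: it pulls the leaked-credential risk detections raised in the 04:00 to 09:00 UTC window on April 20, 2025 that the article names, sets aside any user who also has an unrelated open detection outside that window (those need a real investigation, not a blanket dismissal), and dismisses the remaining users' risk. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in admin can consent to the listed scopes, and that the per-call cap on the dismiss action is 60 user IDs (an assumption to check against current Graph documentation).

```powershell
# Added example (not from the article or Microsoft): bulk-dismiss the user risk that
# Entra ID Protection raised during the April 20, 2025 token-invalidation window.
# Assumes Microsoft.Graph.Identity.SignIns is installed and the admin can consent
# to the scopes below.
Connect-MgGraph -Scopes "IdentityRiskEvent.Read.All", "IdentityRiskyUser.ReadWrite.All" -NoWelcome

# Alert window given in the article: 04:00 to 09:00 UTC on April 20, 2025.
$windowStart = "2025-04-20T04:00:00Z"
$windowEnd   = "2025-04-20T09:00:00Z"

# Only leaked-credential detections raised inside that window belong to this incident.
$incidentDetections = @(Get-MgRiskDetection -All -Filter (
    "riskEventType eq 'leakedCredentials' and " +
    "detectedDateTime ge $windowStart and detectedDateTime le $windowEnd"
))

# Users with an unrelated detection still open (atRisk) outside the window must NOT be
# dismissed in bulk; a genuine compromise would be hidden behind the incident noise.
$otherOpen = @(Get-MgRiskDetection -All -Filter (
    "riskState eq 'atRisk' and " +
    "(detectedDateTime lt $windowStart or detectedDateTime gt $windowEnd)"
) | Select-Object -ExpandProperty UserId -Unique)

$incidentUsers = @($incidentDetections | Select-Object -ExpandProperty UserId -Unique)
$toDismiss     = @($incidentUsers | Where-Object { $_ -notin $otherOpen })
$needsReview   = @($incidentUsers | Where-Object { $_ -in $otherOpen })

Write-Host "Leaked-credential detections in the incident window: $($incidentDetections.Count)"
Write-Host "Users to dismiss: $($toDismiss.Count); users needing manual review: $($needsReview.Count)"
$needsReview | ForEach-Object { Write-Host "  review manually: $_" }

# Dismiss in batches. The riskyUsers/dismiss action accepts a bounded list of IDs per
# call; 60 is assumed here - verify against the current Graph documentation.
$batchSize = 60
for ($i = 0; $i -lt $toDismiss.Count; $i += $batchSize) {
    $last  = [Math]::Min($i + $batchSize - 1, $toDismiss.Count - 1)
    $batch = @($toDismiss[$i..$last])
    Invoke-MgDismissRiskyUser -UserIds $batch
    Write-Host "Dismissed risk for $($batch.Count) users"
}
```

Dismissing the user risk resets the account's risk state, so Conditional Access user-risk policies stop blocking sign-in; it does not undo Microsoft's token invalidation, so users still sign in fresh. Anyone left in the manual-review list should be investigated on their own merits before deciding between dismissing the risk and confirming the account compromised.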

Inquiries sent by BleepingComputer to Microsoft regarding further details on the incident are still awaiting a response.