Over the weekend, numerous organizations faced sudden Microsoft Entra account lockouts due to what the company has now confirmed was a mistake involving user refresh tokens.

The issue triggered a wave of alerts flagging credential leaks and led to accounts being automatically locked.

Initially, many suspected the problem stemmed from the rollout of a new enterprise app called “MACE Credential Revocation”. However, Microsoft later clarified in an internal advisory that the true cause was a logging error: the system had unintentionally recorded the actual short-lived refresh tokens instead of only their metadata.
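The root cause described above is a classic log-hygiene failure: a credential value reached the logs where only its metadata (a fingerprint, length, timestamp) should have. The following is an added illustration, not Microsoft's code or anything from the advisory; the token values, the secret-matching regex and the helper names are all constructed assumptions. It shows one way to emit only token metadata, to redact token-shaped strings at the logging layer, and to scan existing log lines for values that look like leaked tokens so that the affected ones can be invalidated.

```python
import hashlib
import logging
import re
import time

# Constructed sample of a refresh-token-like value; this is NOT a real token.
SAMPLE_TOKEN = "0.AXkA" + "x" * 60

# Heuristic (assumed) pattern for long base64url/JWT-looking secrets.
SECRET_RE = re.compile(r"\b[A-Za-z0-9_\-\.]{40,}\b")


def token_metadata(token, now=None):
    """Return only non-sensitive metadata about a token.

    The raw token is hashed and truncated to a 16-hex-char fingerprint, which is
    enough to correlate events and to find the token for revocation, but useless
    for replaying it. The raw value never leaves this function.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return {
        "fingerprint": digest[:16],
        "length": len(token),
        "observed_at": int(now),
    }


def redact(message):
    """Replace every secret-looking substring with its fingerprint marker."""
    return SECRET_RE.sub(
        lambda m: "<redacted:%s>" % token_metadata(m.group(0))["fingerprint"],
        message,
    )


class RedactingFilter(logging.Filter):
    """Logging filter that redacts token-shaped values before any handler
    formats or writes the record, so a careless log call cannot leak a token."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def leaks_in(lines):
    """Scan log lines for token-shaped values (detection over existing logs).

    Returns a list of (line_number, fingerprint) tuples, so an operator can
    report which lines leaked and which tokens must be invalidated without
    copying the secrets anywhere else.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for match in SECRET_RE.finditer(line):
            findings.append((line_no, token_metadata(match.group(0))["fingerprint"]))
    return findings


if __name__ == "__main__":
    # Constructed log lines: one clean, one that wrongly embeds a token.
    sample_log = [
        "2025-04-20T04:01:02Z refresh for user alice@example.test succeeded",
        "2025-04-20T04:01:03Z refresh_token=%s user=bob@example.test" % SAMPLE_TOKEN,
    ]
    for line_no, fp in leaks_in(sample_log):
        print("line %d leaked a token with fingerprint %s" % (line_no, fp))

    logger = logging.getLogger("token-audit")
    logger.addFilter(RedactingFilter())
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    # Even this mistaken call cannot write the raw token to the log.
    logger.info("issued refresh token %s", SAMPLE_TOKEN)
```

The filter is attached to the logger rather than to a handler so it runs regardless of where the records are shipped; `leaks_in` is what an incident responder would run over archived logs to establish the scope of a leak and the set of fingerprints to revoke.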

To mitigate potential risks, Microsoft invalidated the affected tokens. This action, however, inadvertently triggered Entra ID Protection alerts warning of possible credential compromise between 4 AM and 9 AM UTC on April 20.

Microsoft assured users that there is no indication of unauthorized access, and advised affected customers to mark users as “safe” in Microsoft Entra to restore account access.

The company is preparing a Post Incident Review (PIR), which will be shared with all impacted clients after their investigation concludes.