Windows administrators across various organizations have reported a surge in account lockouts following the recent rollout of Microsoft Entra ID’s new security application, MACE Credential Revocation. This new feature is intended to detect leaked credentials and proactively protect accounts, but its deployment seems to have triggered a wave of false positives.
Many administrators began receiving alerts last night, suggesting that their users’ credentials were compromised, even though these accounts used strong, unique passwords and showed no signs of being breached.
Admins Report False Positives as MACE Triggers Thousands of Unwarranted Account Lockouts
The issue gained attention in a Reddit thread where system admins shared their experiences. They reported that user accounts were being flagged as having leaked credentials found on the dark web, which led to immediate lockouts.
However, the affected accounts exhibited no suspicious behavior or unauthorized access attempts and were all secured with Multi-Factor Authentication (MFA). External breach alert platforms, such as “Have I Been Pwned,” showed no records of these accounts being exposed, further suggesting the alerts were likely false positives.

One Reddit user, part of a Managed Service Provider (MSP), mentioned that about one-third of their accounts were affected in a short span, and they feared similar impacts on their clients.
The scope of the problem appears extensive, as a Managed Detection and Response (MDR) provider reported receiving more than 20,000 leaked credential notifications from Microsoft across various customers. These mass alerts created significant disruption and concern within the IT community, with many scrambling to determine the cause.
Silent MACE Rollout Triggers Lockouts, Leaves Admins Without Official Microsoft Response
While Microsoft has not issued an official public statement, some admins have shared updates from their support interactions with Microsoft engineers. According to these discussions, the issue was traced back to the rollout of the new MACE Credential Revocation app. The app, added silently to tenants, seems to have misfired and flagged legitimate accounts incorrectly.
The lockouts were associated with Error Code: 53003, tied to a conditional access policy, but Microsoft support has reportedly confirmed it was a misconfiguration during the rollout rather than a security breach.
Despite the uproar and confusion, Microsoft has yet to provide a formal explanation or guidance. In the meantime, administrators are advised to investigate any alerts to ensure accounts are genuinely secure. However, if organizations experienced an influx of alerts overnight, it’s likely linked to the flawed MACE implementation.
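One way to triage such an overnight influx is sketched below as an added example; it is not code from Microsoft or from the admins quoted. It groups sign-in failures carrying error code 53003 into time windows and separates users blocked in a mass burst from isolated blocks that need individual review. The field names follow the Microsoft Graph sign-in log schema; the sample records, the 60-minute window and the three-user threshold are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime

CA_BLOCK = 53003  # error code the article associates with the lockouts

# Constructed sample records (not real data), shaped like exported sign-in logs.
SAMPLE = json.loads("""[
 {"createdDateTime": "2025-01-01T02:05:00Z", "userPrincipalName": "a@example.test", "status": {"errorCode": 53003}},
 {"createdDateTime": "2025-01-01T02:10:00Z", "userPrincipalName": "b@example.test", "status": {"errorCode": 53003}},
 {"createdDateTime": "2025-01-01T02:40:00Z", "userPrincipalName": "c@example.test", "status": {"errorCode": 53003}},
 {"createdDateTime": "2025-01-01T02:50:00Z", "userPrincipalName": "A@example.test", "status": {"errorCode": 53003}},
 {"createdDateTime": "2025-01-01T02:55:00Z", "userPrincipalName": "d@example.test", "status": {"errorCode": 0}},
 {"createdDateTime": "2025-01-01T09:15:00Z", "userPrincipalName": "e@example.test", "status": {"errorCode": 53003}}
]""")

def bucket_start(timestamp, minutes):
    """Round an ISO 8601 UTC timestamp down to the start of its window (minutes <= 60)."""
    t = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    return t.replace(minute=t.minute - t.minute % minutes, second=0, microsecond=0)

def triage(records, minutes=60, burst_users=3):
    """Split 53003-blocked users into burst windows and isolated cases."""
    blocked = defaultdict(set)  # window start -> distinct blocked users
    for rec in records:
        if rec.get("status", {}).get("errorCode") != CA_BLOCK:
            continue
        window = bucket_start(rec["createdDateTime"], minutes)
        blocked[window].add(rec["userPrincipalName"].lower())
    # Windows where many distinct users were blocked at once (assumed threshold).
    bursts = {w: u for w, u in blocked.items() if len(u) >= burst_users}
    in_burst = set().union(*bursts.values())
    everyone = set().union(*blocked.values())
    return {
        "bursts": {w.isoformat(): sorted(u) for w, u in sorted(bursts.items())},
        "isolated": sorted(everyone - in_burst),
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Users in a burst window still warrant the per-account checks the article describes; the split only orders the work so that isolated blocks are not buried in the bulk event.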
The incident highlights the potential unintended consequences of automated security tools and the importance of transparent communication during new rollouts. BleepingComputer has reached out to Microsoft for further comment, but no response has been received as of now.