Tuesday, May 13, 2025

Entra User flagged as High Risk due to Leaked Credentials


Since last Saturday, the 19th of April, admins worldwide have been dealing with users flagged as High Risk due to Leaked Credentials in Microsoft Entra. In most cases only around 30 to 40% of the users are affected, but in some tenants all accounts are locked out of Microsoft 365.

The Leaked Credentials detection checks whether password hashes of your users show up on the dark web, paste sites, or other sources. If a match is found, the user is flagged as high risk and, depending on your risk policies, locked out.

Now, you might think at first that there has been a breach in your network, or that attackers obtained the password hashes from a large source. But even users with passwordless accounts are affected by this issue, so this looks much more like a false positive.

At the moment it looks like the issue is caused by a new app that rolled out this weekend, called MACE Credential Revocation. Several admins report that this app was automatically installed in Microsoft Entra just before the first users were flagged as high risk.

Image: Users flagged as high risk in Microsoft Entra after MACE Credential Revocation

Update from Microsoft

Microsoft has released an update about this issue:

SUMMARY OF IMPACT:
On Friday 4/18/25, Microsoft identified that it was internally logging a subset of short-lived user refresh tokens for a small percentage of users, whereas our standard logging process is to only log metadata about such tokens. The internal logging issue was immediately corrected, and the team performed a procedure to invalidate these tokens to protect customers. As part of the invalidation process, we inadvertently generated alerts in Entra ID Protection indicating the user's credentials may have been compromised. These alerts were sent between 4/20/25 4AM UTC and 4/20/25 9AM UTC. We have no indication of unauthorized access to these tokens – and if we determine there was any unauthorized access, we will invoke our standard security incident response and communication processes.

How to Solve the Issue

If your tenant is impacted by this issue, you currently have basically two options to resolve it:

  • Confirm user safe (recommended by Microsoft for this incident)
  • Reset the user's password

Normally, when a user is flagged as high risk due to leaked credentials, the course of action is to revoke all of the user's sessions and reset the user's password.

However, as Microsoft has now acknowledged the cause of this issue, we can mark the user(s) as safe in Microsoft Entra. What matters here is that you check the Risk last updated timestamp and make sure that you only mark the users that were affected by this incident, i.e. those whose risk was updated within the window Microsoft gives above.

  1. Open Microsoft Entra
  2. Expand Protection and click on Risky activities
  3. This will automatically select Risky users
  4. Select the users in question and mark them as safe
Image: Entra high risk users locked out due to Leaked Credentials
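For tenants with many affected users, the same check can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post or from Microsoft: it only dismisses risk for users whose Risk last updated falls inside the incident window from Microsoft's update and whose detections in that window are all of type leakedCredentials; anyone with another detection type is left for manual review. The exact window boundaries and the `-DryRun` switch are assumptions for this script.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph modules.
# Run with -DryRun first to see who would be dismissed without changing anything.
param([switch]$DryRun)

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'IdentityRiskyUser.ReadWrite.All', 'IdentityRiskEvent.Read.All'

# Incident window taken from Microsoft's update (4/20/25 4AM-9AM UTC); treat as assumed bounds.
$windowStart = [datetime]::SpecifyKind([datetime]'2025-04-20T04:00:00', 'Utc')
$windowEnd   = [datetime]::SpecifyKind([datetime]'2025-04-20T09:00:00', 'Utc')

# Step 1: users currently at risk whose "Risk last updated" lies inside the window.
$candidates = Get-MgRiskyUser -Filter "riskState eq 'atRisk'" -All |
    Where-Object { $_.RiskLastUpdatedDateTime -ge $windowStart -and
                   $_.RiskLastUpdatedDateTime -le $windowEnd }

# Step 2: pull every risk detection from the window once and index it by user id.
$detFilter  = "detectedDateTime ge $($windowStart.ToString('o')) and " +
              "detectedDateTime le $($windowEnd.ToString('o'))"
$byUser = @{}
foreach ($d in Get-MgRiskDetection -Filter $detFilter -All) {
    $byUser[$d.UserId] += @($d)
}

# Step 3: keep only users whose detections in the window are all leakedCredentials.
$toDismiss = foreach ($u in $candidates) {
    $dets  = @($byUser[$u.Id])
    $other = @($dets | Where-Object RiskEventType -ne 'leakedCredentials')
    if ($dets.Count -gt 0 -and $other.Count -eq 0) {
        $u
    } else {
        Write-Warning "Skipping $($u.UserPrincipalName): no or mixed detections, review manually"
    }
}

# Step 4: report, then dismiss user risk (the scripted equivalent of marking the user safe).
$toDismiss | Select-Object UserPrincipalName, RiskLevel, RiskLastUpdatedDateTime | Format-Table
if ($toDismiss -and -not $DryRun) {
    Invoke-MgDismissRiskyUser -UserIds @($toDismiss.Id)
    Write-Host "Dismissed risk for $(@($toDismiss).Count) user(s)."
}
```

Dismissing risk does not reset the password, so the later password reset the post suggests still has to be scheduled separately.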

Personally I would mark the user(s) as safe to minimize the impact in the morning after a long Easter weekend and have the users reset their password later in the day. If you reset all passwords now, you would need to send the new passwords by SMS so the users can log in after the weekend.
