
Microsoft administrators across multiple organizations are reporting widespread account lockouts following the deployment of a new security feature within Microsoft Entra ID, formerly Azure Active Directory.
This unexpected disruption has raised concerns within the IT community, with many pointing to the recently launched "MACE Credential Revocation" application as the potential source of the problem. This application is designed to enhance enterprise security by detecting leaked credentials and locking compromised accounts.
The lockouts stem from alerts triggered by Microsoft Entra's new "leaked credentials" detection feature. These alerts identify accounts that appear to have credentials leaked on the dark web or other sources. Affected accounts are then automatically locked as a precautionary measure.
However, administrators have noted that many flagged accounts appeared secure, with no evidence of suspicious activity or compromise. Importantly, these accounts were protected by multi-factor authentication (MFA), and checks against breach notification databases, such as Have I Been Pwned (HIBP), did not reveal any prior issues.
Reports on forums like Reddit indicate that the lockouts began suddenly, impacting significant portions of user bases. For instance, one managed service provider (MSP) noted that approximately one-third of their managed accounts were locked within an hour.
Another administrator highlighted receiving over 20,000 alerts tied to leaked credentials overnight, further underscoring the scale of the issue.
Although Microsoft has not yet publicly confirmed the root cause of these incidents, some affected organizations have allegedly received clarification from Microsoft representatives.
Administrators reported seeing Error Code 53003, which indicates enforcement of conditional access policies, tied to the lockouts. Many also observed the MACE application being added to their Entra tenants shortly before the alerts began.
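To check whether a tenant shows the same pattern, the following added example (not from Microsoft or the original article) finds when the "MACE Credential Revocation" service principal was added and counts users who hit error 53003 afterwards. It assumes records exported in the shape of Microsoft Graph `signIn` and `directoryAudit` objects; the sample records, users, timestamps and the six-hour window are constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

CA_BLOCK = 53003                         # error code reported by administrators
APP_NAME = "MACE Credential Revocation"  # application name reported on the page

# Constructed sample records shaped like Microsoft Graph directoryAudit and
# signIn exports; users, timestamps and the second app name are invented.
AUDITS = json.loads("""[
 {"activityDateTime": "2025-01-01T01:00:00Z", "activityDisplayName": "Add service principal", "targetResources": [{"displayName": "Some Other App"}]},
 {"activityDateTime": "2025-01-01T02:00:00Z", "activityDisplayName": "Add service principal", "targetResources": [{"displayName": "MACE Credential Revocation"}]}
]""")
SIGN_INS = json.loads("""[
 {"createdDateTime": "2025-01-01T01:30:00Z", "userPrincipalName": "dave@example.test", "status": {"errorCode": 53003}},
 {"createdDateTime": "2025-01-01T02:10:00Z", "userPrincipalName": "alice@example.test", "status": {"errorCode": 53003}},
 {"createdDateTime": "2025-01-01T02:15:00Z", "userPrincipalName": "Alice@example.test", "status": {"errorCode": 53003}},
 {"createdDateTime": "2025-01-01T02:20:00Z", "userPrincipalName": "carol@example.test", "status": {"errorCode": 0}},
 {"createdDateTime": "2025-01-01T02:30:00Z", "userPrincipalName": "erin@example.test", "status": {"errorCode": 50126}},
 {"createdDateTime": "2025-01-01T02:40:00Z", "userPrincipalName": "bob@example.test", "status": {"errorCode": 53003}}
]""")

def ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def app_added_at(audits, app_name=APP_NAME):
    """Earliest time the named service principal was added, or None if absent."""
    times = [ts(a["activityDateTime"]) for a in audits
             if a.get("activityDisplayName") == "Add service principal"
             and any(t.get("displayName") == app_name for t in a.get("targetResources", []))]
    return min(times) if times else None

def blocked_after(sign_ins, since, window=timedelta(hours=6)):
    """Count 53003 failures per user inside the window that follows `since`."""
    hits = Counter()
    for s in sign_ins:
        when = ts(s["createdDateTime"])
        if s.get("status", {}).get("errorCode") == CA_BLOCK and since <= when <= since + window:
            hits[s["userPrincipalName"].lower()] += 1
    return hits

def triage(audits, sign_ins):
    """Return (time the app was added, per-user 53003 counts after that time)."""
    added = app_added_at(audits)
    return (added, blocked_after(sign_ins, added)) if added else (None, Counter())

if __name__ == "__main__":
    added, hits = triage(AUDITS, SIGN_INS)
    print("service principal added:", added)
    print("users blocked afterwards:", dict(hits))
```

A 53003 failure that predates the service principal (the constructed `dave` record) is excluded, which separates existing conditional access blocks from those that follow the app's arrival.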