Widespread Microsoft Entra Lockouts Disrupt Organizations Globally – April 2025

On April 20, 2025, organizations worldwide experienced widespread user account lockouts due to a silent rollout of Microsoft Entra ID's new MACE Credential Revocation feature. The incident, which began overnight, left IT teams scrambling as legitimate users were locked out en masse—sometimes up to a third of an organization's workforce—despite strong passwords and multi-factor authentication (MFA).

What Happened?

Microsoft Entra ID (formerly Azure Active Directory) introduced MACE Credential Revocation to proactively disable accounts suspected of credential compromise. However, a misconfiguration or bug in the rollout caused the system to generate false positives, flagging legitimate accounts as compromised. Affected organizations received error code 53003, typically associated with conditional access policy failures. Managed service and detection providers reported over 20,000 lockout alerts in a single night, with the impact spanning multiple tenants and global regions.

Community and Industry Response

• IT admins confirmed no evidence of actual compromise—tools like "Have I Been Pwned" showed no matches for affected accounts.
• The incident exposed a lack of transparency: the MACE feature was enabled without prior administrator notification or opt-in.
• Microsoft had not issued an official public statement as of April 20, leaving admins to rely on peer forums and unofficial channels for updates and workarounds.
• The event has reignited debate about the risks of automated security controls without sufficient human oversight and staged rollouts.

Key Takeaways for Organizations

• Balance Security and Usability: Automated credential revocation can prevent breaches, but false positives can disrupt operations and erode trust in security alerts.
• Demand Transparency: Organizations should insist on clear communication and opt-in for major security feature changes, especially those impacting user access.
• Incident Response: Admins should have manual override options and clear escalation paths when automation goes wrong.
• Security Burnout: Flooding IT teams with false alerts can lead to alert fatigue, diminishing vigilance for real threats.

Timeline

• April 19–20, 2025: Mass lockouts begin overnight; reports surge from global organizations and managed service providers.
• April 20, 2025: News and community sources confirm the incident; Microsoft remains silent publicly.

Sources

1. Undercode News: Mass Account Lockouts Hit Organizations Due to Microsoft Entra’s MACE Rollout Error
2. Microsoft Entra releases and announcements

Related Articles

• Critical Microsoft Zero-Day Vulnerability CVE-2025-29824: What You Need to Know
• Apple Patches Two Actively Exploited Zero-Days (CVE-2025-31200, CVE-2025-31201) – April 2025 Emergency Security Update
• Critical CrushFTP Authentication Bypass Vulnerability CVE-2025-31161: What You Need to Know