- Certain Entra ID accounts were reported as having compromised credentials
- It seems that it was only Microsoft “inadvertently generat[ing] [false] alerts”
- However, users received different explanations from Microsoft
Windows administrators have reported mass account lockouts across various organizations following an update to Microsoft Entra ID.
Many believe that these are false positives triggered by Entra's leaked-credentials detection app (a new feature called MACE Credential Revocation), because the affected accounts had unique and unused passwords.
A user posted on a Reddit thread that around half a dozen accounts had been blocked after their credentials were found on the dark web, but these users did not have much in common, suggesting that it was not a targeted attack.
Entra ID could report false positives
“There are no risky signs, no other risk detections, everyone is MFA, it is literally the only thing that appeared today, increasing the risk of these people from zero to high,” said the Reddit user.
Under the original post is a series of comments from other system administrators who experienced similar problems, with one user sharing a response from Microsoft suggesting that the accounts had been wrongly flagged:
“On Friday 18/04/25, Microsoft identified that it was internally logging a subset of short-lived refresh tokens for a small percentage of users, whereas our standard logging process is to log only the metadata about these tokens.”
The notice sees Microsoft admit to “inadvertently generat[ing] alerts in Entra ID Protection” about supposed compromises between 4:00 UTC and 9:00 UTC on April 20.
Another user said he had been given “Error code: 53003” relating to the Conditional Access policy, while another was told that this was to do with an outage in their region, even though no outage had been reported or recorded.
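The triage the reports above point to (a leaked-credentials detection inside the 4:00 to 9:00 UTC window on April 20, with no other risk detection on the account) can be run over exported risk detections. This is an added example, not code from Microsoft or the article. It assumes records shaped like Microsoft Graph `riskDetection` objects and uses constructed sample data and hypothetical function names.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Window from the Microsoft notice quoted above; the year is taken from its "18/04/25" date.
WINDOW_START = datetime(2025, 4, 20, 4, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 4, 20, 9, 0, tzinfo=timezone.utc)

# Constructed sample records (not real data), using riskDetection field names.
SAMPLE = [
    {"userPrincipalName": "alice@example.test", "riskEventType": "leakedCredentials",
     "detectedDateTime": "2025-04-20T05:12:44.1234567Z"},
    {"userPrincipalName": "bob@example.test", "riskEventType": "leakedCredentials",
     "detectedDateTime": "2025-04-20T06:01:10Z"},
    {"userPrincipalName": "bob@example.test", "riskEventType": "unfamiliarFeatures",
     "detectedDateTime": "2025-04-19T22:40:03Z"},
    {"userPrincipalName": "carol@example.test", "riskEventType": "leakedCredentials",
     "detectedDateTime": "2025-04-21T11:30:00Z"},
]

def parse_utc(value):
    """Parse an ISO 8601 UTC timestamp, dropping fractional seconds."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def is_window_leak(detection):
    """True for a leaked-credentials detection raised inside the reported window."""
    when = parse_utc(detection["detectedDateTime"])
    return (detection["riskEventType"] == "leakedCredentials"
            and WINDOW_START <= when <= WINDOW_END)

def triage(detections):
    """Label each user; the false-positive label is a review candidate, not a verdict."""
    by_user = defaultdict(list)
    for detection in detections:
        by_user[detection["userPrincipalName"].lower()].append(detection)
    labels = {}
    for user, items in by_user.items():
        window_leaks = [d for d in items if is_window_leak(d)]
        corroborating = [d for d in items if not is_window_leak(d)]
        if window_leaks and not corroborating:
            labels[user] = "likely_false_positive"
        else:
            # Any other detection, or a leak outside the window, needs normal handling.
            labels[user] = "investigate"
    return labels

if __name__ == "__main__":
    for user, label in sorted(triage(SAMPLE).items()):
        print(f"{user}: {label}")
```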
TechRadar Pro asked Microsoft to clarify what happened during the weekend and why users seem to have received different explanations. Any update will be published here.