Widespread Microsoft Entra lockouts tied to new safety characteristic rollout

0
378
Widespread Microsoft Entra lockouts tied to new safety characteristic rollout


Widespread Microsoft Entra lockouts tied to new safety characteristic rollout

Windows directors from quite a few organizations report widespread account lockouts triggered by false positives within the rollout of a brand new Microsoft Entra ID’s “leaked credentials” detection app known as MACE.

These alerts and lockouts started final night time, with some admins believing they had been false positives because the accounts have distinctive passwords that aren’t used on some other websites or functions.

Microsoft Entra ID, previously Azure Active Directory, is a cloud-based identification and entry administration service that helps organizations handle consumer identities and safe entry to sources.

In a Reddit thread posted early this morning, Windows admins reported receiving a number of alerts from Entra indicating that a few of their consumer accounts had been discovered with credentials leaked on the darkish net or different places.

These accounts had been mechanically locked out of the tenant, with quite a few customers impacted per group.

“Us as effectively… about 1/third of our accounts obtained locked out about ~1 hour in the past. We’re a MSP so I’m assuming that is occurring to our shoppers as effectively,” posted an admin on Reddit.

The locked-out accounts confirmed no indicators of compromise, similar to suspicious sign-ins, and had been protected with MFA. Furthermore, breach notification companies like Have I Been Pwned (HIBP) had no matches for these accounts.​

Another report on Reddit additional corroborated that this was widespread, with an MDR supplier stating they acquired over 20,000 notifications from Microsoft in a single day concerning leaked credentials from completely different clients 

While Microsoft has not publicly confirmed the reason for these lockouts, Microsoft advised one of many affected organizations it was brought on by a difficulty with the rollout of a brand new Enterprise software known as “MACE Credential Revocation.”

“Just obtained off with engineer. It is Tenant Lockout on account of this MACE ninja rollout they did. no indicators of compromise. He wants an hour to transform the ticket from compromise to lockout however can breathe a sigh of aid. It was Error Code: 53003 for conditional entry coverage,” an admin reported on Reddit.

Multiple individuals confirmed this software was added to tenants proper earlier than they started receiving the alerts.

MACE Credential Revocation app is a Microsoft Entra characteristic used to detect leaked credentials and lockout doubtlessly compromised accounts.

While all alerts of leaked credentials ought to be investigated to verify that an account was not compromised, in the event you acquired a flurry of alerts without delay this rollout probably triggered it.

BleepingComputer contacted Microsoft with questions on this incident however has not acquired a response right now.

LEAVE A REPLY

Please enter your comment!
Please enter your name here