Widespread Microsoft Entra Lockouts Disrupt Organizations Globally – April 2025

On April 20, 2025, organizations worldwide experienced widespread user account lockouts due to a silent rollout of Microsoft Entra ID's new MACE Credential Revocation feature. The incident, which began overnight, left IT teams scrambling as legitimate users were locked out en masse—sometimes up to a third of an organization's workforce—despite strong passwords and multi-factor authentication (MFA).¹

What Happened?

Microsoft Entra ID (formerly Azure Active Directory) introduced MACE Credential Revocation to proactively disable accounts suspected of credential compromise.² However, a misconfiguration or bug in the rollout caused the system to generate false positives, flagging legitimate accounts as compromised. Affected organizations received error code 53003, typically associated with conditional access policy failures. Managed service and detection providers reported over 20,000 lockout alerts in a single night, with the impact spanning multiple tenants and global regions.¹

Community and Industry Response

The incident prompted swift and widespread discussion among IT administrators and the broader security community¹:

• IT admins confirmed no evidence of actual compromise—tools like "Have I Been Pwned" showed no matches for affected accounts.
• The incident exposed a lack of transparency: the MACE feature was enabled without prior administrator notification or opt-in.
• Microsoft had not issued an official public statement as of April 20, leaving admins to rely on peer forums and unofficial channels for updates and workarounds.
• The event has reignited debate about the risks of automated security controls without sufficient human oversight and staged rollouts.

Key Takeaways for Organizations

Analysis of the incident highlighted several key lessons for organizations¹:

• Balance Security and Usability: Automated credential revocation can prevent breaches, but false positives can disrupt operations and erode trust in security alerts.
• Demand Transparency: Organizations should insist on clear communication and opt-in for major security feature changes, especially those impacting user access.
• Incident Response: Admins should have manual override options and clear escalation paths when automation goes wrong.
• Security Burnout: Flooding IT teams with false alerts can lead to alert fatigue, diminishing vigilance for real threats.

Timeline

The incident unfolded as follows¹:

• April 19–20, 2025: Mass lockouts begin overnight; reports surge from global organizations and managed service providers.
• April 20, 2025: News and community sources confirm the incident; Microsoft remains silent publicly.

Final Thoughts

The Microsoft Entra MACE lockout incident highlights the delicate balance between automated security controls and operational stability. While proactive credential security is crucial, this event demonstrates the risks of rolling out automated features without proper testing, communication, and administrator controls.

Organizations must remain vigilant in monitoring security automation and maintaining clear incident response procedures—because even trusted security features can sometimes create their own incidents.

Related Articles

• Critical Microsoft Zero-Day Vulnerability CVE-2025-29824: What You Need to Know
• Apple Patches Two Actively Exploited Zero-Days (CVE-2025-31200, CVE-2025-31201) – April 2025 Emergency Security Update
• Critical CrushFTP Authentication Bypass Vulnerability CVE-2025-31161: What You Need to Know