Windows administrators across multiple organizations have reported widespread account lockouts due to false positives in Microsoft Entra ID’s “leaked credentials” detection feature, known as MACE. The issue stemmed from the accidental logging of short-lived user refresh tokens into internal systems, leading to unintended token invalidation and subsequent lockouts.
➡️ Learn more: BleepingComputer
You Should Know:
1. Understanding Microsoft Entra ID & MACE
Microsoft Entra ID (formerly Azure AD) includes a security feature called Microsoft Authenticator Credential Guard (MACE), designed to detect leaked credentials. However, misconfigured logging mechanisms led to false positives, locking legitimate users out of their accounts.
2. Commands to Check & Resolve Account Lockouts
If you’re affected, use these Microsoft Graph PowerShell commands to investigate (the older AzureAD module exposes no AccountLocked property and has no unlock cmdlet; in Entra ID a MACE hit marks the user as at risk and invalidates their refresh tokens, so the remediation is to clear the risk):
Check users currently flagged as at risk in Entra ID (requires the IdentityRiskyUser.Read.All scope)
Get-MgRiskyUser -Filter "riskState eq 'atRisk'"
List the leaked-credential detections behind those flags
Get-MgRiskDetection -Filter "riskEventType eq 'leakedCredentials'"
Dismiss the risk for a specific user once the detection is confirmed to be a false positive
Invoke-MgDismissRiskyUser -UserIds @("<user object id>")
For on-premises Active Directory (if synced with Entra ID):
Unlock-ADAccount -Identity "username"
3. Mitigating False Positives in MACE
To prevent future lockouts:
- Pause enforcement temporarily (if necessary): the detection itself cannot be switched off with a cmdlet; lockouts come from the risk-based Conditional Access policy (the one with conditions.userRiskLevels set, or the legacy Identity Protection user risk policy, which is toggled in the portal) acting on the detection. Set that policy to report-only until the false positives are cleared:
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId "<policy id>" -State "enabledForReportingButNotEnforced"
- Track token invalidation events in the Entra ID audit log (it is always on and needs no cmdlet to enable; requires AuditLog.Read.All):
Get-MgAuditLogDirectoryAudit -Top 500 | Where-Object { $_.ActivityDisplayName -like '*token*' }
4. Linux & Cross-Platform Security Checks
If managing hybrid environments, use these Linux commands to verify authentication logs:
Check failed login attempts (Linux)
grep "authentication failure" /var/log/auth.log
Follow SSH logins on Entra ID-joined Linux hosts (Entra ID sign-in goes through sshd and PAM; the unit is sshd on RHEL-based systems and ssh on Debian-based ones)
journalctl -u sshd -f
5. Windows Event Log Analysis
Check Windows Security logs for 4740 (Account Lockout) events:
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4740}
What Undercode Say:
This incident highlights the risks of over-aggressive credential protection mechanisms. Administrators should:
– Monitor token expiration policies (Set-AzureADPolicy).
– Implement conditional access rules to reduce false positives.
– Use SIEM tools (Splunk, Sentinel) to correlate lockout events.
For forensic analysis, consider:
Extract Entra ID sign-in logs for sign-ins rejected while the account was locked (AADSTS50053), using Microsoft Graph PowerShell (the az monitor activity-log command covers the Azure Resource Manager activity log, not Entra ID sign-ins)
Get-MgAuditLogSignIn -All -Filter "status/errorCode eq 50053"
Expected Output:
A structured list of the rejected sign-ins, helping identify affected users and root causes.
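The triage the sections above describe, pulled together as one script (an added example, not code from the original post or from Microsoft): it lists every leakedCredentials detection in a look-back window, correlates the affected users with AADSTS50053 lockouts from the sign-in log, and, only when -Dismiss is passed, clears the risk for users whose sole detection is leakedCredentials. It assumes the Microsoft.Graph module is installed, the caller can consent to the requested scopes, and the tenant has the Entra ID P2 licence that the identity protection endpoints require; the 14-day window is an assumption.

```powershell
# Added example, not from the original post. Assumes Microsoft.Graph is installed and Entra ID P2.
param(
    [datetime]$Since = (Get-Date).AddDays(-14),   # look-back window (assumed default)
    [switch]$Dismiss                              # set only after confirming the detections are false positives
)

Connect-MgGraph -NoWelcome -Scopes "IdentityRiskEvent.Read.All","IdentityRiskyUser.ReadWrite.All","AuditLog.Read.All","Directory.Read.All"
$sinceUtc = $Since.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# 1. Every leakedCredentials detection raised since $Since.
$detections = Get-MgRiskDetection -All -Filter "riskEventType eq 'leakedCredentials' and detectedDateTime ge $sinceUtc"

# 2. One row per affected account, carrying the most recent detection's state.
$byUser = $detections | Group-Object UserId | ForEach-Object {
    $latest = $_.Group | Sort-Object DetectedDateTime -Descending | Select-Object -First 1
    [pscustomobject]@{
        UserId            = $_.Name
        UserPrincipalName = $latest.UserPrincipalName
        Detections        = $_.Count
        LastDetected      = $latest.DetectedDateTime
        RiskState         = $latest.RiskState
        RiskDetail        = $latest.RiskDetail
    }
}
$byUser | Sort-Object LastDetected -Descending | Format-Table -AutoSize

# 3. Correlate with sign-ins rejected with AADSTS50053 (account locked) in the same window.
$locked = Get-MgAuditLogSignIn -All -Filter "status/errorCode eq 50053 and createdDateTime ge $sinceUtc"
$lockedUpns = $locked | Select-Object -ExpandProperty UserPrincipalName -Unique
"Users with both a leakedCredentials detection and a 50053 lockout:"
$byUser | Where-Object { $lockedUpns -contains $_.UserPrincipalName } | Select-Object UserPrincipalName, LastDetected

# 4. Optional remediation: dismiss risk only for users with no other detection type,
#    so accounts flagged for additional reasons stay in the queue for manual review.
if ($Dismiss) {
    $allRisk = Get-MgRiskDetection -All -Filter "detectedDateTime ge $sinceUtc"
    $otherRiskUsers = $allRisk | Where-Object RiskEventType -ne 'leakedCredentials' | Select-Object -ExpandProperty UserId -Unique
    $toDismiss = @($byUser | Where-Object { $_.RiskState -eq 'atRisk' -and $otherRiskUsers -notcontains $_.UserId })
    if ($toDismiss.Count -gt 0) {
        Invoke-MgDismissRiskyUser -UserIds @($toDismiss.UserId)
        "Dismissed risk for $($toDismiss.Count) user(s)."
    }
}
```

Run it first without -Dismiss and review the correlation output; dismissing a risk also resets the user's risk state, so keep the list of dismissed users for the incident record.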
Stay updated: Microsoft Security Advisory | BleepingComputer
References:
Reported By: Bleepingcomputer Windows – Hackers Feeds