Global Microsoft Entra ID Lockout: Step-by-Step Resolution - Netwoven

By Priyam Ghosh  •  April 22, 2025

Introduction

On April 19, 2025, a Microsoft lockout incident occurred when organizations faced mass account lockouts after the deployment of Microsoft Entra ID’s new MACE Credential Revocation app. The feature, intended to revoke potentially compromised credentials, mistakenly flagged legitimate accounts as compromised, producing Entra ID false positives. Users were locked out, workflows were disrupted, and administrators had to work urgently to restore access. The incident highlighted both the risk posed by leaked credentials and the need for precise detection mechanisms.

Why Was This Feature Introduced?

The MACE Credential Revocation feature was introduced to address the escalating risks associated with credential-based attacks. With the rise of leaked credentials being sold on the dark web, organizations needed a proactive and automated solution to detect compromised identities. MACE uses advanced machine learning models and data sourced from Microsoft’s threat intelligence network to preemptively revoke compromised accounts before they can be exploited.

The feature aligns with Microsoft’s Zero Trust philosophy, which assumes breach scenarios as the default and enforces stringent identity-based security measures.

Netwoven SOC Team’s Proactive Approach

In alignment with its commitment to operational excellence, the Netwoven SOC team demonstrated outstanding agility and foresight during the incident. Recognizing the potential for widespread lockouts stemming from this feature, the team proactively:

1. Identified the Scope of Changes

They monitored the evolving updates and analyzed their impact on user accounts in real-time.

2. Flagged Affected Users

By leveraging their SIEM and SOAR capabilities, the team pinpointed affected user accounts and validated their authenticity.

3. Implemented Swift Resolutions

The team configured temporary policies, reset credentials, and ensured users regained access without undue delays.

4. Maintained Production Continuity

Their prompt and strategic response ensured there was no downtime in critical production environments.

Additionally, anyone who wants to check whether their tenant is affected by MACE Credential Revocation can run the KQL query below against the CloudAppEvents table.

// Find the audit event in which the MACE service principal was added to the tenant.
// This shows that the feature has been rolled out to the tenant; it does not list the users it locked out.
CloudAppEvents
| where ActionType has "Add service principal"
| where ObjectName contains "MACE"
| project TenantId, ObjectName, Timestamp
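The following Python script is an added example, not part of the article or of Netwoven's tooling: it reproduces the KQL filter above offline over constructed CloudAppEvents-style rows, then correlates the registration time with constructed Identity Protection risk detections (a `leakedCredentials` event shortly after the MACE app appeared) to produce the list of users a SOC should validate, as in step 2 of the approach above. The row and detection field names are assumptions chosen to resemble the real tables, not an exported schema.

```python
import re
from datetime import datetime, timedelta

def _terms(text):
    # KQL `has` matches whole terms case-insensitively; approximate terms as alphanumeric runs.
    return re.findall(r"[a-z0-9]+", text.lower())

def kql_has(field, phrase):
    """Approximation of KQL `has`: every term of `phrase` appears, in order, as whole terms of `field`."""
    f, p = _terms(field), _terms(phrase)
    return any(f[i:i + len(p)] == p for i in range(len(f) - len(p) + 1))

def find_mace_registrations(events):
    """Same filter as the KQL: ActionType has "Add service principal" and ObjectName contains "MACE"."""
    return [e for e in events
            if kql_has(e["ActionType"], "Add service principal")
            and "mace" in e["ObjectName"].lower()]

def affected_users(registrations, detections, window_hours=48):
    """Users with a leakedCredentials detection inside the window after the MACE app was registered.
    These are candidates for manual validation, not confirmed false positives."""
    hits = set()
    for reg in registrations:
        start = datetime.fromisoformat(reg["Timestamp"])
        end = start + timedelta(hours=window_hours)
        for det in detections:
            seen = datetime.fromisoformat(det["detectedDateTime"])
            if det["riskEventType"] == "leakedCredentials" and start <= seen <= end:
                hits.add(det["userPrincipalName"])
    return sorted(hits)

# Constructed sample rows (not real tenant data); field names are assumptions.
EVENTS = [
    {"Timestamp": "2025-04-19T02:10:00", "ActionType": "Add service principal", "ObjectName": "MACE Credential Revocation", "TenantId": "tenant-a"},
    {"Timestamp": "2025-04-18T09:00:00", "ActionType": "Add service principal", "ObjectName": "Contoso Ticketing", "TenantId": "tenant-a"},
    {"Timestamp": "2025-04-19T03:00:00", "ActionType": "Update service principal", "ObjectName": "MACE Credential Revocation", "TenantId": "tenant-a"},
]
DETECTIONS = [
    {"userPrincipalName": "alice@contoso.example", "riskEventType": "leakedCredentials", "detectedDateTime": "2025-04-19T04:30:00"},
    {"userPrincipalName": "bob@contoso.example", "riskEventType": "unfamiliarFeatures", "detectedDateTime": "2025-04-19T05:00:00"},
    {"userPrincipalName": "carol@contoso.example", "riskEventType": "leakedCredentials", "detectedDateTime": "2025-04-10T08:00:00"},
]

if __name__ == "__main__":
    regs = find_mace_registrations(EVENTS)
    print("MACE registrations:", [(r["TenantId"], r["ObjectName"], r["Timestamp"]) for r in regs])
    print("Users to validate:", affected_users(regs, DETECTIONS))
```

Only the "Add service principal" row for the MACE app survives the filter (the later "Update" row does not, just as `has` would not match it), and only the leaked-credential detection that landed inside the window is returned.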

Through this proactive stance, Netwoven not only minimized the potential fallout but also upheld trust and reliability in its SOC operations. This approach serves as an excellent example of leveraging organizational expertise to mitigate the challenges of cutting-edge security features.

Remediations: Technical Steps for Resolution

Organizations can take the following steps to recover and fortify systems:

  1. Adjust Credential Revocation Thresholds:
    • Access Identity Protection Settings in the Microsoft Entra Admin Center to review and refine the sensitivity of risk detection policies.
  2. Leverage SIEM for Analysis:
    • Export logs from MACE to SIEM systems, such as Sentinel or Splunk, to conduct in-depth analysis and correlation.
  3. Enable Conditional Access Exceptions:
    • Temporarily configure exception rules to allow secure access for known devices and locations while addressing policy misconfigurations.
  4. User Education:
    • Train employees on spotting phishing attempts and maintaining strong passwords, complemented by MFA enforcement.
  5. Stay Updated:
    • Regularly monitor Microsoft’s announcements regarding updates or patches to security features like MACE.
Conclusion

While the MACE Credential Revocation rollout posed unforeseen challenges, it underscores the importance of adaptive and proactive security measures in the modern threat landscape. Teams like Netwoven’s SOC exemplify how expert preparation and swift action can ensure the seamless adoption of advanced security technologies without compromising operational continuity.

Priyam Ghosh

Priyam is responsible for cybersecurity resilience and innovation at Netwoven Inc. With over 11 years of experience in the tech industry, Priyam specializes in Microsoft cloud technologies and security, ensuring the protection of digital assets and the implementation of robust security strategies. Prior to joining Netwoven Inc., Priyam refined their expertise in Azure administration and M365 security, playing a key role in managing complex online and hybrid environments. Their strategic approach to security operations has contributed to the seamless functioning of systems and enhanced cybersecurity measures to safeguard clients' interests. As a Principal Engineer, Priyam continues to lead initiatives focused on fortifying cloud security while driving innovation within the organization.
