
Microsoft has confirmed that a recent wave of Entra ID (formerly Azure AD) account lockouts stemmed from an internal system error in which short-lived user refresh tokens were mistakenly logged. The incident, which occurred in April 2025, caused Entra ID Protection to flag legitimate credentials as potentially compromised, resulting in widespread authentication failures across affected organizations [1].
Incident Overview and Executive Summary
The lockouts occurred when Microsoft’s internal systems inadvertently recorded ephemeral refresh tokens that should never have been persisted. These tokens, designed for short-term use in authentication workflows, were incorrectly treated as leaked credentials by Entra ID’s security controls. Microsoft’s Post Incident Review (PIR) revealed that the tokens were flagged through the same mechanisms that detect credential stuffing attacks, despite being valid authentication artifacts [2].
Key technical details about the incident:
- Affected Components: Entra ID Protection’s leaked credential detection system
- Root Cause: Improper logging of refresh tokens with 4-hour lifespans
- Impact Duration: Approximately 48 hours during remediation
- Mitigation: Microsoft deployed backend fixes and provided admin guidance
Technical Deep Dive: Token Handling and Failure Mechanisms
The incident highlights critical aspects of Entra ID’s token management architecture. Refresh tokens, typically valid for 90 days, can have shorter lifetimes when configured for high-security scenarios. In this case, 4-hour tokens intended for temporary sessions were erroneously written to diagnostic logs and then processed by security systems unaware of their legitimate origin [3].
Microsoft’s documentation explains that Entra ID Protection uses machine learning models to detect credential leaks across various sources, including:
| Detection Source | Typical Data |
|---|---|
| Dark web monitoring | Credential dumps from breaches |
| Phishing kits | Stolen credentials |
| Internal logging | Security telemetry (misconfigured in this case) |
Administrative Response and Remediation
For organizations affected by the lockouts, Microsoft provided specific remediation steps through the Entra ID portal. Administrators could review impacted users under the “Risky Users” dashboard and manually confirm account safety. The process required:
- Navigating to Entra ID Protection > Risky Users
- Filtering for users flagged with “Leaked credentials”
- Selecting “Confirm user safe” for each false positive
PowerShell automation was also available for large-scale remediation:
```powershell
# Bulk dismissal script for affected users (requires the Microsoft.Graph.Identity.SignIns module)
Connect-MgGraph -Scopes "IdentityRiskEvent.Read.All", "IdentityRiskyUser.ReadWrite.All"
# Collect the users behind every still-active 'leakedCredentials' risk detection
$userIds = Get-MgRiskDetection -All -Filter "riskEventType eq 'leakedCredentials' and riskState eq 'atRisk'" |
    Select-Object -ExpandProperty UserId -Unique
# Dismiss user risk in bulk; this is the Graph equivalent of the portal's "Dismiss" action
if ($userIds) { Invoke-MgDismissRiskyUser -UserIds $userIds }
```
Security Implications and Best Practices
This incident underscores several important considerations for identity management:
First, organizations should maintain a clear separation between diagnostic logging and security monitoring systems; the unintended interaction between these two systems is what created the cascade of false positives. Second, token lifetime policies require careful review: shorter token lifespans increase authentication frequency but may introduce new failure modes [4].
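The root cause described in the overview and the first recommendation here come down to the same control: token material must be scrubbed before a diagnostic record is ever persisted, so that a leak detector scanning those logs has nothing to match. The following Python block is an added example written for this page, not Microsoft's or any product's code. It pairs a `logging.Filter` that redacts token-shaped values with a toy scanner (`contains_token_material`) that stands in for a leaked-credential detector, so the difference between a raw and a scrubbed log line can be checked. The regular expressions, the field names they look for, and the sample log lines are constructed assumptions about common token shapes (JWTs and OAuth response fields), not Entra ID's actual formats or detection logic.

```python
"""Keep authentication tokens out of diagnostic logs (added example, not page code).

Redacts token material before a log record reaches any sink, and provides a
toy scanner that models a leak detector reading those logs afterwards.
The patterns below are assumptions about common token shapes, not
Microsoft's detection logic.
"""
import logging
import re

# Assumed token shapes: a JWT is three base64url segments joined by dots;
# opaque refresh tokens usually surface next to a field name such as refresh_token=...
JWT_RE = re.compile(r"[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")
TOKEN_FIELD_RE = re.compile(
    r'(?i)(refresh_token|access_token|id_token|client_secret)("?\s*[=:]\s*"?)([^\s"&,}<>]+)'
)
REDACTED = "<redacted>"


def redact(text: str) -> str:
    """Return text with every token-looking value replaced by a marker.

    Field values are redacted first, then any bare JWT; the marker itself
    contains characters the field pattern rejects, so redaction is idempotent.
    """
    text = TOKEN_FIELD_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}{REDACTED}", text)
    return JWT_RE.sub(REDACTED, text)


def contains_token_material(text: str) -> bool:
    """Toy stand-in for a leaked-credential scanner: does this line carry a token?"""
    return bool(JWT_RE.search(text) or TOKEN_FIELD_RE.search(text))


class TokenRedactingFilter(logging.Filter):
    """Scrub the fully rendered message before any handler writes it out."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # message is already rendered; prevent re-formatting
        return True


class ListHandler(logging.Handler):
    """Handler that appends formatted records to a list (stands in for a file or SIEM)."""

    def __init__(self, sink: list) -> None:
        super().__init__()
        self.sink = sink

    def emit(self, record: logging.LogRecord) -> None:
        self.sink.append(self.format(record))


def build_logger(sink: list) -> logging.Logger:
    """Logger whose records land in `sink` only after passing the redacting filter."""
    logger = logging.getLogger("token-safe")
    logger.handlers.clear()
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = ListHandler(sink)
    handler.addFilter(TokenRedactingFilter())
    logger.addHandler(handler)
    return logger


if __name__ == "__main__":
    # Constructed sample lines; the token values are made up.
    raw = 'POST /oauth2/token ok refresh_token=0.AXoAabc123def456ghi789 expires_in=14400'
    print("raw line flagged by scanner:     ", contains_token_material(raw))
    print("scrubbed line flagged by scanner:", contains_token_material(redact(raw)))
    sink: list = []
    build_logger(sink).info("token refresh for %s: refresh_token=%s", "alice", "0.AXoAabc123def456ghi789")
    print("what reached the sink:", sink[0])
```

Attaching the filter to the handler rather than the logger means every sink behind that handler gets the same guarantee, and rendering the message once inside the filter ensures the raw `args` (where the token usually lives) never survive into the formatted output.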
Microsoft recommends these specific monitoring practices to detect similar issues:
```kusto
// Kusto query for monitoring token-related anomalies: failed interactive and
// non-interactive (token refresh) sign-ins over the last day, grouped by result
// code and the risk state Entra ID Protection attached to them
union SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated >= ago(1d)
| where ResultType != "0"          // "0" is a successful sign-in
| summarize count() by ResultType, ResultDescription, RiskState, RiskLevelDuringSignIn
| order by count_ desc
```
Conclusion and Future Considerations
The Entra ID token logging incident demonstrates how complex identity systems can fail in unexpected ways. While Microsoft resolved the immediate issue, organizations should review their Entra ID Protection configurations and establish monitoring for similar anomalies. The company has committed to improving internal safeguards against such logging errors in future updates [5].
For ongoing protection, administrators should:
- Regularly audit Entra ID Protection policies
- Monitor authentication logs for unusual token activity
- Establish clear escalation paths for widespread auth failures
References
1. “Microsoft Entra account lockouts caused by user token logging mishap”, BleepingComputer, April 2025.
2. “Troubleshoot account lockout in Microsoft Entra ID”, Microsoft Docs.
3. “Accounts getting locked out in Azure AD after token refresh”, Spiceworks Community.
4. “Certificate-based authentication in Microsoft Entra ID”, Microsoft Docs.
5. “Microsoft Entra authentication problems and solutions”, University of Washington IT.