Introduction
A wave of unexpected account lockouts has struck organizations worldwide, leaving IT teams scrambling for answers. The culprit? A new feature within Microsoft Entra ID, known as MACE Credential Revocation. What was designed to protect against compromised credentials has seemingly gone awry, flagging legitimate accounts as compromised and locking out thousands of users.
This issue emerged overnight, catching both enterprises and managed service providers (MSPs) off guard. As businesses rely increasingly on cloud-based identity services like Microsoft Entra, any disruption can have cascading consequences. This article unpacks what happened, what the community is saying, and what it means for the broader IT landscape.
What’s Going On: Widespread Lockouts from Entra ID’s New Feature
Overnight, Windows administrators from numerous organizations began reporting mass user account lockouts triggered by Microsoft Entra ID. These lockouts, they believe, were not the result of actual data breaches or credential leaks but rather false positives from a new enterprise application called MACE Credential Revocation.
Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based identity and access management solution used by companies to manage user identities and secure access to corporate resources.
Here’s what unfolded:
- Around midnight, Entra ID began raising "leaked credentials" risk detections for users, alerting administrators that their credentials had been found leaked on the dark web or other suspicious platforms.
- Because those detections mark the user as high risk, risk-based Conditional Access and user-risk policies in the affected tenants blocked the users from signing in, which to the user looks like a lockout. Some reports stated that up to a third of an organization's users were impacted.
- A Reddit user, who works at an MSP, reported their organization and clients saw mass lockouts within the same hour.
- Admins confirmed that these accounts had strong, unique passwords and were protected with Multi-Factor Authentication (MFA).
- No evidence of suspicious activity was found. Tools like “Have I Been Pwned” (HIBP) showed no signs of compromise either.
- A managed detection and response (MDR) provider stated they received over 20,000 alerts overnight across their client base.
- Multiple users indicated the incident began after a new Microsoft enterprise application, MACE Credential Revocation, was silently added to their tenants.
One administrator cited a Microsoft engineer who confirmed the issue stemmed from the MACE rollout, not from actual compromise. The blocked sign-ins failed with error code 53003 (AADSTS53003, "BlockedByConditionalAccess"), the code Entra ID returns when a Conditional Access policy refuses to issue a token.
Microsoft has yet to officially acknowledge the incident, despite inquiries from media outlets.
What Undercode Says:
The sudden spike in account lockouts due to Microsoft’s MACE application rollout signals a crucial moment in the evolution of automated cybersecurity tools.
On one hand, Microsoft’s goal with MACE Credential Revocation is to proactively detect and respond to credential breaches. In an era where leaked credentials are a leading cause of enterprise breaches, automation is essential. However, this incident underscores the fragility of automation without human oversight and proper staging.
Key Takeaways:
- Security vs. Usability – Microsoft's MACE aims to enhance security but at the cost of user access. By enforcing a sign-in block on detections that had not been verified, it created significant operational disruptions.
- False Positives Erode Trust – IT admins are now more skeptical of Microsoft’s security alerts. If legitimate users are flagged as compromised, future real threats might be downplayed or overlooked.
- Rollout Transparency is Lacking – Silent rollouts of major features—especially those that can lock users out—should come with administrator warnings and opt-in options, not enforced defaults.
- Error Code 53003 – This error is documented, but it only tells the user and the admin that a Conditional Access policy blocked token issuance; it says nothing about which risk detection triggered the policy. Admins had to correlate the sign-in log entry with the risky users and risk detections reports to see that a "leaked credentials" detection was behind it. Microsoft should surface that chain more directly in the alert itself.
- Redundancy in Detection – The fact that tools like HIBP showed no data breaches is not by itself proof that the detection was wrong, since Microsoft's leaked-credential feed draws on its own sources rather than on HIBP. What it does show is that the alert gave admins no way to corroborate the claim: no indication of where or when the credential was supposedly found, so an admin could neither validate nor refute it before the block was enforced.
- Third-Party Impact – MSPs and MDR providers were caught in the crossfire. With over 20,000 alerts sent in a single night, these providers faced not only tech but communication crises with their clients.
- Need for Manual Override – Entra ID Protection does let an admin clear a false detection by dismissing the user's risk in the risky users report, which lets the user sign in again. The gap exposed here is doing that for thousands of users across many tenants at once, with evidence in hand that each one is really safe, rather than clicking through them one by one.
- Communication Breakdown – With Microsoft not yet issuing an official explanation, IT departments are left relying on Reddit threads and peer communications—hardly an ideal crisis-response model.
- Tenant-Level Impact – The issue wasn't isolated to one or two clients; it spanned multiple tenants and regions within the same hour, pointing to a change on Microsoft's side rather than a misconfiguration in any one tenant.
- Security Burnout – Flooding admins with alerts—especially false ones—can lead to alert fatigue, which ultimately diminishes real security vigilance.
The MACE incident serves as a reminder that even with good intentions, cybersecurity tools can go rogue if not carefully deployed. It also highlights the importance of staged rollouts, transparent communication, and responsive support channels when things go wrong.
For enterprises, it’s a wake-up call: don’t rely solely on automation. Build processes around these tools to ensure you remain in control of your security posture, not at the mercy of a cloud provider’s backend tweaks.
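To make the "don't rely solely on automation" point concrete, the following PowerShell script is an added example (not code from the article, from Microsoft or from any of the admins quoted above) showing how an admin could triage an incident like the one described in the timeline above and act on the manual-override takeaway. It uses the Microsoft Graph PowerShell SDK to pull the "leaked credentials" risk detections from a time window, correlate them with sign-ins that failed with error 53003, flag users whose only risk signal is that single detection, and, only when explicitly asked, dismiss their user risk in batches. The 24-hour window, the CSV path, the batch size of 50 and the "no other risk events" rule used to decide who is safe to clear are assumptions for the example; the cmdlets and Graph filters are the SDK's own.

```powershell
# Added example, not from the original article or from Microsoft.
# Triage Entra ID Protection "leakedCredentials" detections, correlate them
# with AADSTS53003 sign-in blocks, and (optionally) dismiss risk for users
# an admin has verified. Requires the Microsoft.Graph PowerShell SDK and an
# account with the Security Administrator role or equivalent permissions.
# Assumptions: 24h window, CSV export path, batch size, "no other risk
# events" as the safe-to-dismiss rule.

param(
    [datetime]$Since = (Get-Date).AddHours(-24),   # assumed window
    [string]$ExportPath = ".\mace-triage.csv",     # assumed output path
    [switch]$Dismiss                               # report-only unless set
)

Connect-MgGraph -NoWelcome -Scopes "IdentityRiskEvent.Read.All",
    "IdentityRiskyUser.ReadWrite.All", "AuditLog.Read.All",
    "Directory.Read.All", "Application.Read.All"

$sinceIso = $Since.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# 1. Is the service principal the reports blame present in this tenant?
Get-MgServicePrincipal -Filter "displayName eq 'MACE Credential Revocation'" |
    Select-Object DisplayName, AppId, Id, AccountEnabled | Format-List

# 2. All risk detections in the window, split into leaked-credential
#    detections and everything else (the latter is what makes a user
#    genuinely suspicious; a bulk false positive has none).
$allDetections = Get-MgRiskDetection -All -Filter "detectedDateTime ge $sinceIso"
$leaked = $allDetections | Where-Object RiskEventType -eq 'leakedCredentials'
$otherByUser = $allDetections |
    Where-Object RiskEventType -ne 'leakedCredentials' |
    Group-Object -Property UserId -AsHashTable -AsString

Write-Host ("{0} leakedCredentials detections since {1}" -f @($leaked).Count, $sinceIso)

# 3. Sign-ins blocked by Conditional Access (AADSTS53003) in the same window.
$blocked = Get-MgAuditLogSignIn -All -Filter `
    "status/errorCode eq 53003 and createdDateTime ge $sinceIso"
$blockedByUser = $blocked | Group-Object -Property UserId -AsHashTable -AsString

# 4. One row per flagged user. Many rows sharing one DetectedUtc with
#    OtherRiskEvents = 0 is the pattern of a bulk false positive.
$rows = foreach ($d in $leaked) {
    $ru = Get-MgRiskyUser -RiskyUserId $d.UserId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UserPrincipalName = $d.UserPrincipalName
        UserId            = $d.UserId
        DetectedUtc       = $d.DetectedDateTime
        RiskLevel         = $d.RiskLevel
        RiskState         = $ru.RiskState
        Blocked53003      = @($blockedByUser[$d.UserId]).Count
        OtherRiskEvents   = @($otherByUser[$d.UserId]).Count
    }
}

$rows | Sort-Object DetectedUtc | Export-Csv -Path $ExportPath -NoTypeInformation
$rows | Format-Table UserPrincipalName, DetectedUtc, RiskState,
    Blocked53003, OtherRiskEvents -AutoSize

# 5. Optional remediation. Dismissing user risk marks the user as no longer
#    at risk so the user-risk policy stops blocking them. Only users still
#    'atRisk' with no other detections are touched; the rest stay for review.
if ($Dismiss) {
    $safe = $rows | Where-Object { $_.RiskState -eq 'atRisk' -and $_.OtherRiskEvents -eq 0 }
    $ids  = @($safe.UserId | Select-Object -Unique)
    $batchSize = 50   # assumed; keeps each request well under Graph limits
    for ($i = 0; $i -lt $ids.Count; $i += $batchSize) {
        $batch = $ids[$i..([Math]::Min($i + $batchSize - 1, $ids.Count - 1))]
        Invoke-MgDismissRiskyUser -UserIds $batch
        Write-Host ("Dismissed risk for {0} users" -f $batch.Count)
    }
}
```

Run it without `-Dismiss` first and read the CSV: if the detections cluster on one timestamp, every affected user has an intact MFA registration and `OtherRiskEvents` is zero across the board, the evidence points at the feed rather than at the users, and a second run with `-Dismiss` clears them in bulk. Dismissing risk does not change the leaked-credential detection itself, and it should not be used on an account that also shows impossible-travel, anonymous-IP or other detections; those still need investigation even during a suspected false-positive wave.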
Fact Checker Results:
- The account lockouts were real, but the alerts were false positives.
- MACE Credential Revocation was rolled out silently without proper alerts to admins.
- Microsoft has yet to make an official public statement, fueling confusion.
References:
Reported By: www.bleepingcomputer.com