Microsoft Entra Account Lockouts Caused by User Token Logging Mistake
From the “Oops” department comes this story. Microsoft has reported that the Entra accounts that were locked out over the weekend were caused by the invalidation of user refresh tokens that were mistakenly logged into internal systems.
More details here: https://www.reddit.com/r/sysadmin/comments/1k2pmkz/comment/mo33q3f/
On Friday 4/18/25, Microsoft identified that it was internally logging a subset of short-lived user refresh tokens for a small percentage of users, whereas our standard logging process is to only log metadata about such tokens. The internal logging issue was immediately corrected, and the team performed a procedure to invalidate these tokens to protect customers. As part of the invalidation process, we inadvertently generated alerts in Entra ID Protection indicating the user’s credentials may have been compromised. These alerts were sent between 4/20/25 4AM UTC and 4/20/25 9AM UTC. We have no indication of unauthorized access to these tokens – and if we determine there was any unauthorized access, we will invoke our standard security incident response and communication processes.
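The distinction Microsoft draws in that statement, logging metadata about a token rather than the token itself, is the control that failed here. As an added example that is not Microsoft's code and not part of the original post, the following Python shows a log sanitizer that replaces token-bearing fields with a non-reversible fingerprint plus an allowlist of non-sensitive claims (issuer, audience, expiry). The field names in SECRET_KEYS and the demo token built by make_demo_jwt() are assumptions constructed for this illustration; no signature is verified, since the sanitizer only needs the token's shape, not its validity.

```python
import base64
import hashlib
import json
import re
from typing import Any

# Assumed field names whose values are bearer secrets and must never reach a log verbatim.
SECRET_KEYS = {"refresh_token", "access_token", "id_token", "authorization", "code"}
# Header fields and claims that are safe to log for correlation and expiry tracking.
SAFE_HEADER = ("alg", "typ", "kid")
SAFE_CLAIMS = ("iss", "aud", "exp", "iat", "nbf")
# Three base64url segments separated by dots: the outward shape of a JWT.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _parse_jwt(token: str):
    """Return (header, claims) if the string parses as a JWT, else None. No signature check."""
    if not JWT_RE.match(token):
        return None
    try:
        head, body, _sig = token.split(".")
        header = json.loads(_b64url_decode(head))
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        return None
    if not (isinstance(header, dict) and "alg" in header and isinstance(claims, dict)):
        return None
    return header, claims


def fingerprint(token: str) -> str:
    """Stable, non-reversible correlation id: SHA-256 prefix of the token.
    Safe only because tokens are high-entropy; never do this with low-entropy secrets."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]


def token_metadata(token: str) -> dict:
    """Return only loggable metadata about a token, never the token itself."""
    meta = {"fp": fingerprint(token), "len": len(token), "kind": "opaque"}
    parsed = _parse_jwt(token)
    if parsed is not None:
        header, claims = parsed
        meta["kind"] = "jwt"
        meta.update({k: header[k] for k in SAFE_HEADER if k in header})
        meta.update({k: claims[k] for k in SAFE_CLAIMS if k in claims})  # 'sub' etc. are dropped
    return meta


def redact(record: Any) -> Any:
    """Recursively replace secret-bearing fields, and any JWT-shaped string anywhere, with metadata."""
    if isinstance(record, dict):
        out = {}
        for k, v in record.items():
            if k.lower() in SECRET_KEYS and isinstance(v, str):
                # Strip a "Bearer " prefix so an Authorization header is handled as well.
                tok = v.split(" ", 1)[1] if v.lower().startswith("bearer ") else v
                out[k] = token_metadata(tok)
            else:
                out[k] = redact(v)
        return out
    if isinstance(record, list):
        return [redact(v) for v in record]
    if isinstance(record, str) and _parse_jwt(record) is not None:
        return token_metadata(record)  # token leaked into a free-text field
    return record


def make_demo_jwt() -> str:
    """Constructed demo token: realistic header/claims, fake signature bytes."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"alg": "HS256", "typ": "JWT", "kid": "demo-key"}
    claims = {"iss": "https://login.example.test", "aud": "api://demo",
              "sub": "user-123", "iat": 1745000000, "exp": 1745003600}
    return f"{enc(header)}.{enc(claims)}.{enc({'fake': 'sig'})}"


if __name__ == "__main__":
    tok = make_demo_jwt()
    # Constructed log record of the kind a token endpoint might emit.
    sample = {"event": "token_refresh", "user": "user-123", "refresh_token": tok,
              "headers": {"Authorization": "Bearer " + tok}, "ver": "1.2.3", "note": "got " + tok[:8]}
    print(json.dumps(redact(sample), indent=2))
```

The JWT check requires the first segment to decode to a JSON object with an "alg" member, so dotted values such as version strings ("1.2.3") survive untouched while an actual token that leaks into an unexpected field is still caught. Opaque refresh tokens (no JWT structure) are reduced to fingerprint and length.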
Jim Routh, Chief Trust Officer at Saviynt, commented:
“It is not often that the identification of security vulnerabilities within a commonly used platform, which caused business disruption for some Microsoft enterprise customers, has some positive attributes for enterprises. The positive news is that the disruption occurred over the weekend, and today (Monday), customers have the facts along with the fix (corrective actions) necessary for recovery. The vulnerability and the action taken (token invalidation) were ultimately shared by Microsoft in an advisory relatively quickly. This is a sign of health or resilience despite the inconvenience to some enterprise customers over the weekend.”
I’ll give Microsoft credit for discovering this, fixing this, and admitting to it quickly. Hopefully something like this never happens again, as it could have ended badly on several fronts.
This entry was posted on April 22, 2025 at 8:26 am and is filed under Commentary with tags Microsoft. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.