Summary: Microsoft has confirmed that recent account lockouts in Microsoft Entra resulted from an internal logging system mistakenly recording short-lived user refresh tokens themselves rather than only their metadata. Because the logged tokens looked like a potential credential leak, many organizations saw accounts automatically locked out. Microsoft has since invalidated the affected tokens and is preparing a post-incident review.
Affected: Microsoft Entra users and affected organizations
Key points:
- Account lockouts were triggered by the internal logging of actual user refresh tokens.
- Impacted organizations initially attributed lockouts to a new enterprise application rollout.
- Microsoft aims to restore access by allowing the affected users to be confirmed as safe in Entra.
- A Post Incident Review will be shared with affected customers once completed.
- No indication of unauthorized access to the logged tokens has been found so far.
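The root cause above is a classic logging mistake: writing a bearer credential into a log instead of a non-reversible identifier for it. The following example, added here and not code from Microsoft or from Entra, shows two defensive pieces: a helper that builds a token log record from metadata only (type, expiry, tenant, and a truncated SHA-256 fingerprint for correlation), and a simple scanner that flags log lines containing long, high-entropy strings that look like raw tokens. The token value, log lines, tenant id and function names are all constructed for the example; the scanner's thresholds are illustrative and say nothing about Entra's actual token format.

```python
import hashlib
import json
import math
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed opaque token for the example; not a real Entra refresh token.
SAMPLE_TOKEN = "rt_9fK2mQ7xL4pZ8vB1nW6cY3hJ5tR0dG2sA4eU7iO9kM"

# Constructed log lines: line 0 logs metadata only, line 1 leaks the raw token.
SAMPLE_LOG_LINES = [
    "2024-04-18T10:00:00Z INFO token_issued type=refresh fp=3a9f01c2d4e6 "
    "tenant=tenant-placeholder expires_at=2024-04-18T11:00:00Z",
    "2024-04-18T10:00:01Z DEBUG token_issued type=refresh "
    f"value={SAMPLE_TOKEN} tenant=tenant-placeholder",
]


def token_fingerprint(token: str) -> str:
    """Truncated SHA-256 of the token: enough to correlate log entries,
    but not usable as a credential and not reversible to the token."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]


def safe_token_log_record(token: str, token_type: str,
                          expires_at: datetime, tenant_id: str) -> dict:
    """Build the record a logger should emit for a token event.
    Only metadata is included; the token itself never enters the record."""
    return {
        "event": "token_issued",
        "token_type": token_type,
        "token_fingerprint": token_fingerprint(token),
        "expires_at": expires_at.isoformat(),
        "tenant_id": tenant_id,
    }


def record_leaks_token(record: dict, token: str) -> bool:
    """True if the serialized record would expose the raw token."""
    return token in json.dumps(record)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking secrets score high."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


# Runs of token-like characters; the length and entropy cutoffs below are
# illustrative choices for this example, not a vendor-defined rule.
_TOKEN_RUN = re.compile(r"[A-Za-z0-9._-]{32,}")


def find_leaked_secrets(lines, min_entropy: float = 4.0):
    """Scan log lines and return (line_index, candidate) for every run that
    is long and high-entropy enough to look like a raw credential."""
    hits = []
    for idx, line in enumerate(lines):
        for match in _TOKEN_RUN.finditer(line):
            candidate = match.group(0)
            if shannon_entropy(candidate) >= min_entropy:
                hits.append((idx, candidate))
    return hits


if __name__ == "__main__":
    expiry = datetime(2024, 4, 18, 11, 0, tzinfo=timezone.utc)
    record = safe_token_log_record(SAMPLE_TOKEN, "refresh", expiry, "tenant-placeholder")
    print("safe record:", json.dumps(record))
    print("record leaks token:", record_leaks_token(record, SAMPLE_TOKEN))
    for idx, candidate in find_leaked_secrets(SAMPLE_LOG_LINES):
        print(f"possible raw token on log line {idx}: {candidate[:8]}...")
```

The fingerprint approach keeps logs useful for incident correlation (the same token produces the same fingerprint wherever it is logged) while ensuring that a log store compromise does not hand out usable credentials. The scanner is the kind of check that belongs in a log pipeline or CI test over sample log output, so that a logging change that starts emitting raw tokens is caught before it reaches production.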