Hey everyone, I'm trying to figure out what's going on with Microsoft Entra. I received a few alerts today about valid credentials that supposedly leaked on the dark web. According to Microsoft's documentation, these alerts happen when they detect valid user credentials in compromised databases. However, these accounts don't share common services, and there are no other indications of risky sign-ins. All users have MFA enabled. I checked Have I Been Pwned, and there's nothing on those accounts. I'm wondering if this could be a Microsoft error or if anyone else has received similar alerts around 1:10 AM UTC on Saturday, the 19th? Aside from resetting passwords for now, what steps should I be taking?
5 Answers
We also had a surge of alerts. It's either a new Microsoft feature or a major screw-up on their end. I suspect misconfiguration leading to unnecessary false positives given that no other risk detections appeared.
I can confirm similar alerts hit our system too. I even opened a P1 support case with Microsoft about it. After eight hours, I was told it's just an automated flagging, and they can't provide further details about why it happened. They suggested we either trust this system blindly or go ahead with password resets without knowing if it's necessary. I also heard others received the same alerts, so it seems widespread.
Any updates from your case? I'm still waiting for a response on mine.
I got a call from support, and they hung up right away—super unhelpful.
We experienced massive lockouts too; about a third of our accounts got flagged as high risk. I think it might be affecting clients similarly, but I've been scrambling to manage it all this morning.
How are you all tracking these flags? You must have a strategy in place for such a large workload.
Definitely wild over here too, seems like a chaotic Monday is ahead.
I appreciate this community of sysadmins! Back in the day, we had no real way to connect and share these issues, so having a place to discuss this is invaluable. Just interesting to see how these alerts are rolling out so widely.
Absolutely! Connecting and sharing knowledge are key in our field.
Just chiming in—some accounts flagged in our tenant showed that a new Enterprise App was created coinciding with the alerts. Anyone else seeing a strange new addition like the 'MACE Credential Revocation' app?
Same! It raised a red flag for sure in our logs.
Yeah, we saw that too! It’s concerning how this all correlates.
That does make sense! I wonder if they launched a new patch or something similar that triggered this.
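Added example, not from any poster in this thread: a small Python script showing one way to track a surge of these detections (the question raised above about keeping on top of the flags) and to check the observation that a service principal was added around the same time as the alerts. All records below are constructed; their field names are modelled on the Microsoft Graph riskDetection and directoryAudit objects as an assumption, so in practice you would feed the functions exported records from those endpoints rather than the sample lists.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample records. Field names follow the shape of Graph
# riskDetection objects (GET /identityProtection/riskDetections); the
# users, times and values are made up for this example.
SAMPLE_DETECTIONS = [
    {"userPrincipalName": "alice@contoso.example", "riskEventType": "leakedCredentials",
     "riskLevel": "high", "detectedDateTime": "2024-10-19T01:10:12Z"},
    {"userPrincipalName": "bob@contoso.example", "riskEventType": "leakedCredentials",
     "riskLevel": "high", "detectedDateTime": "2024-10-19T01:10:15Z"},
    {"userPrincipalName": "carol@contoso.example", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "medium", "detectedDateTime": "2024-10-18T14:02:00Z"},
]

# Constructed sample records modelled on Graph directoryAudit objects
# (GET /auditLogs/directoryAudits). The app name is the one mentioned in
# the thread; the timestamps are made up.
SAMPLE_AUDITS = [
    {"activityDisplayName": "Add service principal", "category": "ApplicationManagement",
     "activityDateTime": "2024-10-19T01:09:40Z",
     "targetResources": [{"displayName": "MACE Credential Revocation", "type": "ServicePrincipal"}]},
    {"activityDisplayName": "Add service principal", "category": "ApplicationManagement",
     "activityDateTime": "2024-10-12T09:00:00Z",
     "targetResources": [{"displayName": "Unrelated LOB App", "type": "ServicePrincipal"}]},
    {"activityDisplayName": "Update user", "category": "UserManagement",
     "activityDateTime": "2024-10-19T01:11:00Z",
     "targetResources": [{"displayName": "alice@contoso.example", "type": "User"}]},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps Graph returns into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def count_by_type(detections):
    """How many detections of each riskEventType: a quick view of what is spiking."""
    return Counter(d["riskEventType"] for d in detections)


def largest_burst(detections, window_minutes=5):
    """Size of the largest cluster of detections whose timestamps fall within
    one window. A large cluster of one event type suggests a bulk/automated
    flagging rather than independent compromises."""
    times = sorted(parse_ts(d["detectedDateTime"]) for d in detections)
    window = timedelta(minutes=window_minutes)
    best, start = 0, 0
    for end in range(len(times)):            # sliding window over sorted times
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def service_principal_adds_near(detections, audits, window_minutes=30):
    """Audit entries that added a service principal within +/- window of any
    detection, returned as (activityDateTime, [target display names])."""
    det_times = [parse_ts(d["detectedDateTime"]) for d in detections]
    window = timedelta(minutes=window_minutes)
    hits = []
    for entry in audits:
        if entry["activityDisplayName"] != "Add service principal":
            continue
        t = parse_ts(entry["activityDateTime"])
        if any(abs(t - dt) <= window for dt in det_times):
            names = [r["displayName"] for r in entry["targetResources"]]
            hits.append((entry["activityDateTime"], names))
    return hits


if __name__ == "__main__":
    print("detections by type:", dict(count_by_type(SAMPLE_DETECTIONS)))
    print("largest 5-minute burst:", largest_burst(SAMPLE_DETECTIONS))
    for when, names in service_principal_adds_near(SAMPLE_DETECTIONS, SAMPLE_AUDITS):
        print(f"service principal added at {when} near detections: {names}")
```

The three functions are independent, so you can run only the burst check against a day's export to see whether the alerts arrived as one automated batch, and only the audit correlation to answer the question of whether an app registration coincides with them.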