Microsoft Roadmap, messagecenter and blogs updates from 14-03-2026

The news from Microsoft message center, roadmap and blogs - KbWorks - SharePoint and Teams Specialist

14-March-2026 Below you will find a collection of news published yesterday. This news consists of Microsoft’s Roadmap; when it is updated, its items are listed below. Then there is a section with the message center; if there is anything new there, it is included automatically. Finally, it contains a piece from blogs that I follow myself and would like to share with you. If I miss something in the blogs that do have an RSS feed, please let me know.

This entire post was automated via Microsoft Flow
Have fun reading!

Office 365 Roadmap Updated: 2026-03-13

Items from the MessageCenter in Microsoft 365

Microsoft Teams on the web: New Private Preview for Sign in with Apple and Google for consumers may affect enterprise
Category:Microsoft Teams
Number:MC1102784
Status:planForChange

Updated November 24, 2025: This change is currently on hold. We will communicate via Message center when we are ready to proceed. We apologize for any inconvenience this may have caused and thank you for your patience. 

 We’re introducing a new sign-in experience that enhances flexibility and accessibility for a limited number of users on Microsoft Teams for the web. This change introduces new sign-in options—Continue with Apple and Continue with Google—on the sign-in page (teams.microsoft.com or teams.com) for users routed through login.microsoftonline.com/common.

NOTE: These options are intended for consumer Microsoft accounts and may be visible to both consumer and enterprise users, depending on your authentication configuration.

[When this will happen:]

Preview, General Availability: We will update this Message center post when we are ready to proceed.

[How this will affect your organization:]

After this rollout:

  • Users can sign in or sign up for a Microsoft account using Apple or Google credentials.
  • Some users will be prompted to confirm whether they are using a personal or work/school account.
  • Existing sign-in methods remain unchanged, including entering an email/username or using Sign-in options to access organizational accounts.
  • Organizations using custom URLs (such as login.microsoftonline.com/contoso.com) will not be affected.
  • In the case of Teams on the web, the custom URLs will be https://teams.microsoft.com?tenantId=<YOUR_DOMAIN_NAME> or https://teams.microsoft.com?tenantId=<YOUR_TENANT_ID>

Screenshots of the new experience:

1. Users can select Continue with Apple or Continue with Google to sign in or sign up for a consumer Microsoft account using an Apple or Google credential. This image shows the Google option:


2. A subset of users who click these options will see a screen that confirms whether they are using a personal or work/school account. In this image, the user has selected the work/school option:


3. Users can still enter their email/username at the top of the sign-in screen, and sign into a specific organization with Sign-in options:


[What you need to do to prepare:]

No action is required. This feature is only being added to login.microsoftonline.com/common. Users accessing login.microsoftonline.com with a custom URL will not see this feature.

You can show a custom URL for your organization by passing a domain hint to apply company branding at the initial sign-in screen. Custom URLs for Teams on the web will be https://teams.microsoft.com?tenantId=<YOUR_DOMAIN_NAME> or https://teams.microsoft.com?tenantId=<YOUR_TENANT_ID>.

Learn more

(Updated) Microsoft Teams: Private chat for organizers and presenters in structured meetings, webinars, and town halls
Category:Microsoft Teams
Number:MC1188222
Status:planForChange

Updated March 13, 2026: We have updated the timeline. Thank you for your patience. 

[Introduction]

We’re introducing a private chat feature for organizers, co-organizers, and presenters in structured meetings and webinars in Microsoft Teams. This separate chat enhances collaboration by allowing key participants to communicate privately before, during, and after the event, without involving attendees. Additionally, we are unifying backroom chat behavior in town halls to ensure consistent functionality across all structured meetings. Currently, backroom chat behavior varies depending on whether streaming chat is enabled for town halls and whether the organizer has a Teams Premium license. This update removes that inconsistency.

This message is associated with Roadmap ID 392328 and applies to Teams for Windows desktop, Teams for Mac desktop, Teams for the web, Teams for iOS/Android, MTR-W and MTR-A devices.

[When this will happen:]

  • Targeted Release: Rollout begins in early May 2026 (previously early April) and is expected to complete by mid-May 2026 (previously late April).
  • General Availability (Worldwide and GCC): Rollout begins in mid-May 2026 (previously mid-April) and is expected to complete by late May 2026 (previously late April).

[How this affects your organization:]

Who is affected: Admins managing Microsoft Teams meetings, webinars, and town halls.

What will happen:

  • New private chat for organizers, co-organizers, and presenters: This chat is separate from attendee chat and is available before, during, and after the event.
  • Unified backroom chat policy for town halls: The default setting will be ON for all town halls, regardless of streaming chat availability or license type.
  • Existing town halls will adopt the new policy once meeting options are updated.
  • If admins turn the backroom chat policy OFF, previously enabled town halls will lose access after update.
  • Non-TPre town halls (those without a Teams Premium license) will have backroom chat ON by default after rollout and update.

Two potential impacts:

  • If an admin explicitly turns the new backroom chat policy OFF, any already-scheduled town hall that previously had backroom chat ON will lose access once the meeting options are updated.
  • For non-TPre town halls where backroom chat was previously OFF, it will switch to ON by default after the rollout and a meeting options update.

[What you can do to prepare:]

  • Review your Teams meeting policies and decide whether to enable private chat for organizers and presenters.
  • Communicate this change to helpdesk staff and event organizers.
  • Update internal documentation to reflect the new backroom chat behavior.
  • If you want to disable backroom chat, adjust the policy in the Teams admin center.

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

(Updated) Content Security Policies (CSP) are coming to SharePoint Online and might impact your custom SPFx solutions
Category:SharePoint Online
Number:MC1193419
Status:planForChange

Updated March 13, 2026: We have updated the timeline. Thank you for your patience. 

We’re improving SharePoint Online security via Content Security Policy (CSP) enforcement. Currently CSP is applied in reporting mode, but as of March 1, 2026, the Content Security Policy will be enforced, which will prevent the loading of script (e.g. JavaScript) from non-allowed sources. This message center post replaces MC1055557 (April 2024).

This change is associated with Microsoft 365 Roadmap ID: 485797

[When this will happen:]

This will be implemented starting March 1, 2026 and should complete by March 20, 2026.

[How this will affect your organization:]

If your organization has extended SharePoint Online using SPFx, the custom SPFx solutions could potentially load scripts from locations that are not allowed. In most cases SPFx solutions load script from allowed locations, but that’s not always the case. Any script from a location that is not allowed will be blocked, and the same applies to any inline script. SPFx solutions whose script is blocked will no longer function as designed, impacting business scenarios that depend on those solutions.

To prevent solutions from breaking, you need to:

  1. Ensure all script locations in use are trusted script sources. This can be done without updating the SPFx solution.
  2. Move all inline script to script files, which can then be defined as trusted sources. This will require updating the SPFx solution!

If you need more time to review your SPFx solutions, there’s an option to postpone CSP enforcement by 90 days via the SPO Management Shell PowerShell cmdlet below.

Set-SPOTenant -DelayContentSecurityPolicyEnforcement $true

Note:

This option will be available in the SPO Management Shell version 16.0.26712.12000 (November 2025) or higher.

[What you need to do to prepare:]

In addition to the default CSP settings, SharePoint Online will add locations listed in the Trusted Script Sources area of the SharePoint Online Admin Center as valid locations for CSP, thus enabling script loading from those locations. To add an entry, in a browser, go to the Trusted Script Sources via SharePoint Online Admin Center > Advanced > Script sources.


To understand which script location to add there are two options. First option is testing your SPFx solutions with the browser dev tools console open. As CSP is in reporting mode until March 1, 2026, there will be messages indicating script that will be blocked once CSP is enforced. These messages start with “Loading the script ‘<path to script>’ violates the following…” or “Executing inline script violates the following Content Security Policy directive…”.

Whenever the browser logs a CSP violation, that violation is also logged to Microsoft Purview. In the browser, navigate to the Audit solution in Microsoft Purview from the Microsoft 365 Admin Center. From the Search page, search for the Activity – friendly names value Violated Content Security Policy, or the Activity – operation names value ViolatedContentSecurityPolicy:


Selecting a search result opens the side panel with the audit details. Take note of the following properties:

  • DocumentUrl: This indicates the page in the SharePoint Online site where the CSP violation occurred.
  • BlockedUrl: This indicates the URL of the script that violated the CSP configuration, or contains “inline” when the violation came from loading inline script.


Important

In the case of inline script, the remediation requires updating the SPFx solution by moving inline script into a separate script file, which then can be added as a trusted source.

Learn more: Support for Content Security Policy (CSP) in SharePoint Online 
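
The audit review described above can be scripted once the audit details are available as JSON. The following PowerShell is an added example, not part of the message center post or of Microsoft's tooling: it groups ViolatedContentSecurityPolicy records by blocked script origin and separates inline violations, which need an SPFx update, from external scripts that are candidates for Trusted Script Sources. The sample records, host names and the function name Get-CspViolationSummary are constructed for illustration; only the Operation, DocumentUrl and BlockedUrl names come from the post.

```powershell
# Added example. The records below are CONSTRUCTED sample data; only the
# property names Operation, DocumentUrl and BlockedUrl and the operation name
# ViolatedContentSecurityPolicy are taken from the message center post.
$sampleAuditData = @'
[
  {"Operation":"ViolatedContentSecurityPolicy","DocumentUrl":"https://contoso.sharepoint.com/sites/hr/SitePages/Home.aspx","BlockedUrl":"https://cdn.example.net/libs/chart.min.js"},
  {"Operation":"ViolatedContentSecurityPolicy","DocumentUrl":"https://contoso.sharepoint.com/sites/sales/SitePages/Dashboard.aspx","BlockedUrl":"https://cdn.example.net/libs/grid.min.js"},
  {"Operation":"ViolatedContentSecurityPolicy","DocumentUrl":"https://contoso.sharepoint.com/sites/hr/SitePages/Home.aspx","BlockedUrl":"inline"},
  {"Operation":"ViolatedContentSecurityPolicy","DocumentUrl":"https://contoso.sharepoint.com/sites/it/SitePages/Status.aspx","BlockedUrl":"https://widgets.example.org/status/embed.js"},
  {"Operation":"FileAccessed","DocumentUrl":"https://contoso.sharepoint.com/sites/it/SitePages/Status.aspx","BlockedUrl":null}
]
'@

# Hypothetical helper (not a Microsoft cmdlet): summarises CSP violations per
# blocked script origin so each origin is reviewed once, with the pages it breaks.
function Get-CspViolationSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [object[]] $Records
    )

    $rows = foreach ($r in $Records) {
        # Ignore every audit record that is not a CSP violation.
        if ($r.Operation -ne 'ViolatedContentSecurityPolicy') { continue }

        $blocked = [string]$r.BlockedUrl
        $uri     = $null
        $isUrl   = [System.Uri]::TryCreate($blocked, [System.UriKind]::Absolute, [ref]$uri) -and
                   ($uri.Scheme -in @('http', 'https'))

        if ($isUrl) {
            # A real script URL: reduce it to scheme + host so that several
            # files from the same origin collapse into one review item.
            $kind   = 'ExternalScript'
            $source = '{0}://{1}' -f $uri.Scheme, $uri.Authority
        }
        elseif ($blocked -match 'inline') {
            # Checked only after URL parsing failed, so a file such as
            # https://host/inline.js is not mistaken for inline script.
            $kind   = 'InlineScript'
            $source = 'inline'
        }
        else {
            $kind   = 'Unparsed'
            $source = $blocked
        }

        [pscustomobject]@{ Kind = $kind; Source = $source; Page = $r.DocumentUrl }
    }

    $rows | Group-Object Kind, Source | ForEach-Object {
        $first = $_.Group[0]

        $action = switch ($first.Kind) {
            'ExternalScript' { 'Review the origin, then add it under Advanced > Script sources' }
            'InlineScript'   { 'Move inline script into a script file (requires updating the SPFx solution)' }
            default          { 'Inspect the audit record manually' }
        }

        [pscustomobject]@{
            Kind   = $first.Kind
            Source = $first.Source
            Hits   = $_.Count
            Pages  = @($_.Group.Page | Sort-Object -Unique)
            Action = $action
        }
    } | Sort-Object Hits -Descending
}

# Assigning to a variable first keeps the array handling identical in
# Windows PowerShell 5.1 and PowerShell 7.
$records = $sampleAuditData | ConvertFrom-Json
Get-CspViolationSummary -Records $records | Format-List
```

Each origin in the output should be checked against what the SPFx solution is expected to load before it is added as a trusted source.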

(Updated) Microsoft Entra ID: General Availability of passkey profiles and migration for existing Passkeys (FIDO2) tenants
Category:Microsoft Entra
Number:MC1221452
Status:planForChange

Updated March 13, 2026: We have updated the content. Thank you for your patience.

[Introduction]

Starting in March 2026, Microsoft Entra ID will introduce passkey profiles and synced passkeys to General Availability (GA). This update allows administrators to opt in to a new passkey profiles experience that supports group-based passkey configurations and introduces a new passkeyType property.

Important: Only tenants that already have Passkeys (FIDO2) enabled are affected by this update. 

The passkeyType property enables admins to configure:

  • Device-bound passkeys
  • Synced passkeys
  • Both

If your tenant already has Passkeys (FIDO2) enabled and you do not opt in to passkey profiles during the initial rollout window, your tenant will be automatically migrated to the passkey profiles schema at the date range specified below. When this occurs: 

  • Existing Passkey (FIDO2) authentication method configurations will be moved into a Default passkey profile. 
  • The passkeyType value will be set based on the tenant’s current attestation settings. Synced passkeys will be enabled for tenants with attestation enforcement disabled. 
  • No new authentication methods are enabled as part of this migration. 
  • This migration also impacts Authentication methods registration campaign set to “Microsoft managed” state, which uses passkey configuration settings to determine which registration prompts are shown to users.

Authentication Methods Registration Campaign changes (Microsoft-Managed Only)

Tenants are impacted when all the following conditions are met:

  • The Passkeys (FIDO2) authentication method policy is Enabled
  • Authentication methods registration campaign is set to “Microsoft managed” state
  • Allow self-service setup is Enabled
  • Target specific AAGUIDs is not selected (no AAGUID restrictions configured)
  • The Authentication Methods Registration Campaign state is set to Microsoft-managed

For these tenants, Microsoft-managed registration campaign settings will be updated after passkey profile automatic migration is complete. We will roll out changes incrementally to in-scope tenants according to the timeline outlined below. 

[When this will happen]

Passkey profile and Synced passkeys General Availability

  • Public cloud Worldwide: Rollout begins in early March 2026 and is expected to complete by late March 2026 
  • GCC, GCC High, DoD clouds: Rollout begins in early April 2026 and is expected to complete by late April 2026 

Automatic migration for existing passkeys (FIDO2) enabled tenants

  • Public cloud Worldwide: Rollout begins in early April 2026 and is expected to complete by late May 2026
  • GCC, GCC High, DoD clouds: Rollout begins in early June 2026 and is expected to complete by late June 2026 

Authentication Methods registration campaign changes in Microsoft-Managed state (for in-scope tenants):

  • Public cloud Worldwide: Rollout begins in early April 2026 and is expected to complete by late May 2026 

[How this affects your organization]

Automatic migration for existing passkeys (FIDO2) enabled tenants 

What will happen:

If you have not opted in to passkey profiles by your automatic enablement period, your tenant will be migrated to passkey profiles.

  • Your existing Passkey (FIDO2) configurations will be migrated into a Default passkey profile
  • New passkeyType property will be auto-populated
    • If enforce attestation is enabled, then device-bound allowed
    • If enforce attestation is disabled, then device-bound and synced allowed
  • Any existing key restrictions will remain intact
  • Any existing user targets will be assigned to the Default passkey profile

Authentication Methods registration campaign changes in Microsoft-Managed state (for in-scope tenants)  

What will happen:

Microsoft-managed registration campaign settings will be updated: 

  • “Targeted authentication method” will change from Microsoft Authenticator to “passkeys (FIDO2)”. 
  • “Days allowed to snooze” setting will change from 3 days to “1 day”. This setting will no longer be configurable. 
  • “Limited number of snoozes” setting will change from Enabled to “Disabled”. This setting will no longer be configurable. 
  • The default user targeting will be updated from voice call or text message users to all multifactor authentication (MFA) capable users.  

What is the end user impact: 

Once the above changes have taken effect, users targeted in the registration campaign will begin to receive passkey registration nudges during sign-in flows after they have completed multifactor authentication. 

[What you can do to prepare]

If you want a configuration different from the migration defaults, review the timeline above and opt in to passkey profiles before your tenant’s automatic enablement window begins. Then configure the Default passkey profile’s passkeyType to your preferred values.

We also recommend:

  • Review your registration campaign configuration, especially if it’s set to Microsoft-managed. If you do not want the registration campaign to target passkeys, you can: 
    • Switch the registration campaign state to Enabled and continue targeting Microsoft Authenticator, or 
    • Set the registration campaign state to Disabled.
  • Update runbooks and help content so your help desk and end users understand any changes in passkey availability or behavior. 

Learn more:

[Compliance considerations]

No compliance considerations identified. Review as appropriate for your organization.

(Updated) Microsoft Teams: Admin setting for simpler meeting passcodes (numeric‑only)
Category:Microsoft Teams
Number:MC1232096
Status:stayInformed

Updated March 13, 2026: We have updated the timeline. Thank you for your patience. 

[Introduction]

Microsoft Teams is introducing simplified meeting passcodes to reduce friction when joining meetings, especially when participants must manually enter a passcode. This feature is off by default and must be explicitly enabled by a tenant administrator.

This message is associated with Microsoft 365 Roadmap ID 555858.

[When this will happen]

  • Targeted Release: We will begin rolling out in early April 2026 (previously early March) and expect to complete by mid-April 2026 (previously mid-March).
  • General Availability
    • Worldwide & GCC: We will begin rolling out in mid-April 2026 (previously mid-March) and expect to complete by late April 2026 (previously late March).
    • GCCH & DoD: We will begin rolling out in early May 2026 (previously early April) and expect to complete by mid-May 2026 (previously mid-April).

Note on rollout timing and admin experience:

As part of a phased rollout, some backend capabilities may become available earlier, including PowerShell configuration starting in mid-March, ahead of the Teams Admin Center UI, which will be released following timelines shared above.

The feature remains off by default, and no change to meeting security behavior occurs unless an administrator explicitly enables it.

[How this affects your organization]

    Who is affected:

    Tenant administrators who manage meeting security settings in Microsoft Teams.

    What will happen:

    • A new admin setting allows simplified 8‑digit numeric‑only meeting passcodes.
    • The feature is off by default; admins must opt in.
    • The setting can be applied to:
      • Specific users
      • Groups
      • The entire tenant
    • Only newly scheduled meetings use numeric‑only passcodes.
    • Existing meetings are not changed.
    • If the feature remains off, Teams continues to use the default, more complex passcodes.

    Security considerations:

    • Numeric‑only passcodes reduce cryptographic strength relative to the default setting.
    • The simplified passcode applies whether users join via meeting ID or by clicking a meeting link.
    • Admins will see a security warning when enabling the setting.
    • All other Teams meeting security controls remain unchanged, including:
      • Lobby and admission controls
      • Organizer and participant policies
      • Tenant authentication and access controls

    [What you can do to prepare]

    • Review your organization’s meeting security requirements.
    • Decide whether simplified passcodes meet your policies.
    • If enabling, determine appropriate scope (users, groups, or tenant‑wide).
    • If maintaining current behavior, no action is required.
    • Consider updating internal documentation and informing helpdesk staff if you enable the feature.

    [Compliance considerations]

    No compliance considerations identified. Review as appropriate for your organization.

    (Updated) Outlook: retiring “Contact Masking” (hide suggested recipients) – March 31, 2026
    Category:Microsoft 365 suite
    Number:MC1234566
    Status:planForChange

    Updated March 13, 2026: We have updated the content. Thank you for your patience. 

    [What’s changing]

    In Outlook, users can hide a suggested recipient while addressing an email. For example, selecting the X next to a name in the To/Cc/Bcc suggestions list. This behaviour is commonly referred to as “Contact Masking”.

    We are retiring this feature for users. This does not impact admin controls for contacts.

    The AutoComplete list for Outlook will not be impacted by this change. Users can still remove entries from their autocomplete history (for example, suggestions based on past emails they typed). Contacts are not being added, deleted, or modified as part of this change. Email delivery and addressing continue to work as before.

    [When this will happen]

    Contact masking will reach end of support on March 31, 2026.

    [How this affects your organization]

    Who is affected

    • All Outlook users (Desktop, Web, Mobile) who previously hid suggested recipients

    [Why we’re making this change]

    This feature has been a recurring source of customer confusion and escalations, because contacts can be accidentally hidden for one user but not others.

    While the impact is felt across Microsoft 365 experiences (not just Outlook), it also isn’t managed as a contact entity setting, which creates transparency and compliance challenges.

    [What will change in user experience]

    • Previously hidden (masked) suggested recipients may reappear in: 
      • Addressing (To/Cc/Bcc suggestions)
      • People suggestions
      • Search


    • No new feature will replace contact masking for users.
    • The retirement resolves inconsistent cross‑app behavior, as masking previously applied beyond Outlook even though it was not a suite‑level contact setting.

    [Is Admin Action Required?]

    No action is required for this retirement. You may choose to:

    Learn more about the retiring feature: (RETIRING March 31, 2006) Manage suggested recipients in the To, Cc, and Bcc fields in Outlook | Microsoft Support

    [Compliance considerations]

    No compliance considerations identified. Review as appropriate for your organization guidance to users on user level features.

    Introducing awards and certifications section in M365 profile card
    Category:Microsoft 365 apps
    Number:MC1250272
    Status:stayInformed

    We’re launching a user experience (UX) update that displays existing Awards and Certifications properties from Microsoft 365 profile schema on users’ profile cards.

    [When this will happen:]

    General Availability (Worldwide): We will begin rolling out mid-March 2026 and expect to complete by early April 2026.

    [How this affects your organization:]

    Who is affected:

    All users whose organizations populate the Awards and Certifications properties in the M365 profile.

    What will happen:

    • A new Awards and Certifications section will be introduced on the profile card in the overview and contacts tab below the skills section.

    • Each entry in this section will show the title and issuer by default. Selecting a badge reveals additional details such as the description and date awarded.
    • The profile card will also feature highlights for recently earned awards or certificates (issued within the last 30 days) to improve discoverability.
    • If these properties are not in use today, there will be no change — the new section will not appear on profile cards.

    [What you can do to prepare:]

    • Review your profile data: Check whether your organization is currently populating the Awards and Certifications properties in M365 user profiles. If so, inform users that these values will now be visible on their profile cards.
    • Key points to note:
      • If your organization does not use Awards and Certifications fields in M365 profile schema today, no action is required.
      • The profile card experience is read-only—it displays data from the profile but does not provide any in-service editing or management of awards and certifications.

    Before rollout, we will update this post with new documentation.

    [Compliance considerations:]

    No compliance considerations identified, review as appropriate for your organization.

    Improved copy and paste support for @mentions and shared contacts in Microsoft Teams
    Category:Microsoft Teams
    Number:MC1250273
    Status:stayInformed

    [Introduction]

    Microsoft Teams is improving the copy and paste experience for messages that contain @mentions, shared contacts, and other supported @tags. Previously, when users copied and pasted messages containing mentions, those mentions could be converted into plain text and lose their interactivity.

    With this update, Teams preserves supported tags during copy and paste whenever possible. If a tag is valid in the destination conversation, it remains interactive and behaves the same way as when originally authored. If the tag cannot be used in that context, it safely falls back to plain text while preserving the original display text. This ensures a more consistent and reliable messaging experience across chats and channels.

    This message applies to Teams for Windows desktop, Teams for Mac desktop, and Teams for the web. It is associated with Microsoft 365 Roadmap ID 558254.

    [When this will happen:]

    • Targeted Release: Rollout begins early April 2026 and is expected to complete by mid-April 2026.
    • General Availability (Worldwide): Rollout begins mid-April 2026 and is expected to complete by late April 2026.
    • General Availability (GCC, GCC High): Rollout begins early May 2026 and is expected to complete by mid-May 2026.
    • General Availability (DoD): Rollout begins mid-May 2026 and is expected to complete by late May 2026.

    [How this affects your organization:]

    Who is affected:

    • All users of Microsoft Teams who copy and paste messages containing @mentions, shared contacts, or other supported tags in chats and channels.

    What will happen:

    • Supported tags are preserved during copy and paste when the tag is valid in the destination conversation.
    • Preserved tags remain interactive and behave the same way as when originally authored.
    • If a tag cannot be used in the destination context (for example, due to membership, permissions, or scope limitations), it automatically falls back to plain text while preserving the original display text.
    • This reduces confusion, preserves message context, and minimizes the need for users to manually recreate mentions after pasting content.

    There is no change to how mentions or notifications behave after a message is sent.

    [What you can do to prepare:]

    • No admin action is required.
    • This feature is enabled by default and will be available automatically once the rollout reaches your tenant.
    • Consider notifying helpdesk staff or end users about the improved copy and paste behavior to set expectations.

    [Compliance considerations:]

    No compliance considerations identified, review as appropriate for your organization.

    Microsoft Edge: Copilot new tab page
    Category:Microsoft 365 suite
    Number:MC1250274
    Status:stayInformed

    [Introduction]

    We’re introducing a refreshed Copilot‑inspired new tab page in Microsoft Edge for Business.  This update brings search, chat, and web exploration together into a single search box, along with Copilot‑suggested actions and curated work content designed to help users stay focused and complete tasks more efficiently.

    This message is associated with Microsoft 365 Roadmap ID 558256.

    [When this will happen]

    • Public preview: Rollout began in mid-November 2025 and will complete by early April 2026.
    • General availability (Worldwide): Rollout will begin in early April 2026 and will complete by late April 2026.

    [How this affects your organization]

    Who is affected

    • Admins managing Microsoft Edge for Business
    • Users who choose to enable the Copilot new tab page experience

    What will happen

    • Admins will see a new configuration option in Edge Management service to enable or manage the Copilot new tab page experience.
    • Users will continue to see their existing new tab page unless they opt in to the Copilot new tab page.
    • The new tab page provides a single search box, Copilot‑suggested actions, and curated work content when enabled:


    • Users without a Microsoft 365 Copilot license may see limited content in the Copilot Prompt Card.
    • Existing Microsoft Edge policies remain supported; no policy changes are required.
    • No default experience changes will occur without admin or user enablement.

    [What you can do to prepare]

    No admin action is required before this rollout.

    If you want to configure the experience or prepare your organization, you can:

    • Review configuration options for the new tab page in Edge Management service when available.
    • Inform helpdesk staff or users as needed.
    • Update internal guidance if you maintain documentation about the Microsoft Edge new tab experience.

    Learn more: Configuring Copilot Mode | Microsoft Edge | Microsoft Learn

    [Compliance considerations]

    No compliance considerations identified. Review as appropriate for your organization.

    (Updated) Microsoft 365 Copilot: Planner Agent rename and rollout to premium and basic plans
    Category:Planner Microsoft Copilot (Microsoft 365)
    Number:MC1250279
    Status:stayInformed

    Updated March 13, 2026: We have updated the content. Thank you for your patience. 

    [Introduction]

    Beginning in mid‑March 2026, Microsoft Planner will update the agent experience to align naming with Microsoft 365 Copilot and expand availability. As part of this update, the Project Manager agent will be renamed to Planner Agent, the Planner Agent icon will be changed to match the Planner icon, and the agent will become available to users with a Microsoft 365 Copilot license across both Planner premium and Planner basic plans.

    This update aligns Planner’s agent experience with Microsoft 365 Copilot and expands access to Copilot-powered capabilities.

    This message is associated with Microsoft 365 Roadmap ID 511820.

    [When this will happen]

    • Targeted Release: Rollout will begin in early to mid-March 2026 and is expected to complete between mid- and late March 2026. 
    • General Availability (Worldwide): Rollout will begin in mid‑March 2026 and is expected to complete by early May 2026.
    • Availability to basic plans: Planner agent will begin rolling out to Planner basic plans starting in mid‑March 2026.

    [How this affects your organization]

    Who is affected

    • Users with a Microsoft 365 Copilot license
    • Organizations using Planner premium or Planner basic plans
    • Users who previously used the Project Manager agent

    What will happen

    • The Project Manager agent will be renamed to Planner Agent across Planner interfaces and documentation.
      • There are no functional or behavioral changes associated with this rename.
    • Planner Agent will be available to Microsoft 365 Copilot–licensed users in both premium and basic plans.
    • Planner Agent will remain enabled by default for licensed users where it is available.
    • Existing users will continue to have access to all current capabilities. No action is required.
    • The Planner agent provides:
      • Status reporting: Automated creation and management of status reports based on plan data.
      • Task execution: First‑draft task output generation, progress tracking, and iterative refinement.

    [What you can do to prepare]

    No admin action is required. These updates will roll out automatically.

    Admins may optionally:

    Learn more: Use Microsoft Purview to manage data security & compliance for Microsoft 365 Copilot & Microsoft 365 Copilot Chat | Microsoft Learn

    [Compliance considerations]

    Question / Answer

    Does the change alter how existing customer data is processed, stored, or accessed?
    Yes. Planner Agent uses existing plan content and related files to generate task outputs and status reports.

    Does the change introduce or significantly modify AI/ML or agent capabilities that interact with customer data?
    Yes. Planner Agent expands access to Microsoft 365 Copilot–powered status reporting and task execution for licensed users across premium and basic plans.

    Does the change modify, interrupt, or disable any Purview capabilities?
    Yes (varies by plan). In basic plans, sensitivity labeling and Data Lifecycle Management are supported at release. eDiscovery of grounding files becomes available on April 1, 2026, as outlined in Use Microsoft Purview to manage data security & compliance for Microsoft 365 Copilot and Microsoft 365 Copilot Chat. Until April 1, customers with mandatory eDiscovery requirements may opt out of using Planner Agent using the admin control. In premium plans, these Purview capabilities are not yet supported; they will become available as compliance support expands across plans.

    Does the change alter how admins can monitor, report on, or demonstrate compliance activities?
    Yes. Planner Agent supports auditing and tenant admin settings across both plan types.

    Does the change provide end users a new way of interacting with generative AI?
    Yes. Users can generate first‑draft task outputs, iterate, refine, and review AI-generated content within Planner.

    Sensitivity labels available soon for Viva Engage communities
    Category:Microsoft Viva
    Nummer:MC1250283
    Status:stayInformed

    [Introduction]

    Starting March 31, 2026, Viva Engage communities will support Microsoft Purview sensitivity labels applied to Microsoft 365 groups and their connected SharePoint sites. This update aligns Engage community privacy and governance with existing Microsoft 365 labeling capabilities, helping organizations apply consistent privacy and access controls across all three surfaces.

    [When this will happen]

    General availability (Worldwide): We will begin rolling out in late March 2026 and expect to complete by early April 2026.

    [How this affects your organization]

    Who is affected

    • Admins managing Viva Engage communities, Microsoft 365 groups, and SharePoint sites
    • Organizations that use sensitivity labels or classification labels today

    What will happen

    • Viva Engage communities will support Microsoft Purview sensitivity labels assigned to the underlying Microsoft 365 group and connected SharePoint site.
    • Labels and their access restrictions will synchronize across all three surfaces: Viva Engage, Microsoft 365 groups, and SharePoint.
    • Existing Engage communities will not automatically receive sensitivity labels.
    • Existing Engage classification labels in your tenant will not be automatically disabled.
    • Tenant admins must manually apply labels to existing communities if they want to use this capability.

    [What you can do to prepare]

    Admin checklist:

    • Review existing Viva Engage communities to determine the appropriate sensitivity label for each.
    • Assess whether to continue using existing Engage classification labels or transition communities to sensitivity labels.
    • Prepare PowerShell scripts to assign sensitivity labels to existing communities’ connected SharePoint sites once rollout completes.
    • Notify helpdesk or governance teams that support labeling, provisioning, or access‑control workflows.
    • Update internal documentation where you manage community governance or label usage.

    Learn more: Use PowerShell to apply a sensitivity label to multiple sites – Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites | Microsoft Purview | Microsoft Learn

    [Compliance considerations]

    No compliance considerations identified. Review as appropriate for your organization.

    Power Platform – New Continuous Access Evaluation (CAE) announcement
    Category:Microsoft Dataverse Power Platform
    Nummer:MC1250351
    Status:stayInformed
    We are announcing our CAE rollout for user sign-in flows to Dataverse as part of ongoing security improvements for Power Platform. This change affects interactive user access to Dataverse and relies on Microsoft Entra Conditional Access (CAE) policies for near real-time session evaluation. This feature is being gradually rolled out across Dataverse environments, which is anticipated to be complete by September 2026.

    Users are advised to review their user-focused CAE Conditional Access policies to ensure continued access to Dataverse.

    How does this affect me?
    Dataverse user access is transitioning to CAE-enabled authentication, where user sessions are continuously evaluated based on Conditional Access policy signals rather than only at the initial sign-in. As part of this rollout, user sign-in traffic to Dataverse may originate from managed locations that must be permitted and compliant with your organization’s CAE Conditional Access policies.

    Note: This change applies only to interactive user sign-in flows.

    Who is Impacted?
    Customers with:
    • CAE-enabled Conditional Access policies applied to users.
    • Location-based conditions in user CAE policies.
    • Sign-in frequency, session controls, or risk-based policies for Dataverse users.

    What do I need to do to prepare?
    Customers should take the following actions for user access scenarios:
    1. Review user-targeted CAE Conditional Access policies
      1. Ensure policies allow Dataverse user traffic from locations which are compliant as per your CAE policies.
      2. Avoid overly restrictive location conditions that could unintentionally block user sessions.
    2. Validate interactive user sign-in scenarios
      1. Test Dataverse access for end users under current CAE policies.
      2. Review the policies enforcing location, device, or risk conditions.
    No action is required if existing user CAE policies already permit Dataverse access from managed locations.

    Windows Deployment Services (WDS): Hands-free deployment hardening (Phase 2)
    Category:Windows
    Nummer:MC1250927
    Status:stayInformed
    As announced in January 2026, the unattend.xml file used in hands‑free deployment poses a vulnerability when transmitted over an unauthenticated RPC channel. Beginning with the April 2026 security update, IT admins should prepare for the second phase of hardening for CVE-2026-0386. These changes disable hands‑free deployment by default to enforce secure behavior. After this update, hands‑free deployment will no longer work unless explicitly overridden with registry settings.

    When will this happen:
    Starting with the April 2026 security update, Windows Deployment Services (WDS) will enforce secure‑by‑default behavior by automatically disabling hands‑free deployment.

    How this will affect your organization:
    After installing the April 2026 security update, hands‑free deployment will be blocked to prevent unauthenticated access to unattend.xml, enforcing the hardening requirements for CVE-2026-0386. Any workflows that rely on unattend.xml‑based deployment will no longer function unless overridden with registry settings.

    What you need to do to prepare:
    Organizations that still require hands‑free deployment after installing the April 2026 security update must explicitly override the secure default by setting the AllowHandsFreeFunctionality registry value to 1, which keeps unattend.xml‑based deployments operational but reintroduces the security risks associated with CVE-2026-0386. When this override is used, devices will log diagnostic messages indicating that they are operating in an insecure mode. Because this configuration is not recommended for long‑term use, IT admins should plan to migrate to alternate deployment solutions and return to secure‑by‑default behavior.

    Additional information:

    Out-of-band update released for Windows Enterprise client devices running hotpatch updates
    Category:Windows
    Nummer:MC1250975
    Status:preventOrFixIssue
    Microsoft has identified a security issue in the Windows Routing and Remote Access Service (RRAS) management tool that could allow remote code execution when connecting to a malicious server. This issue only applies to a limited set of scenarios involving Enterprise client devices running hotpatch updates and being used for remote server management.

    An out-of-band (OOB) hotpatch update (KB5084597) was released today, March 13, 2026, to address this issue. This cumulative update includes all protections and improvements from the March 2026 Windows security update released March 10, 2026. No action is required if:
    • Your devices receive standard Windows updates.
    • You are not using the RRAS management tool on Windows devices running versions 25H2 or 24H2.

    This OOB hotpatch update is available for Windows 11, versions 25H2 and 24H2 devices enrolled in hotpatch updates and managed by Windows Autopatch. This update will install automatically through Windows Update and take effect without requiring you to restart your device. Learn more about Hotpatch updates.

    Prevent/Fix (Detected): Out-of-band update released for Windows Enterprise client devices running hotpatch updates
    Category:Windows Autopatch
    Nummer:MC1251194
    Status:preventOrFixIssue

    Out-of-band update released for Windows Enterprise client devices running hotpatch updates

    Microsoft has identified a security issue in the Windows Routing and Remote Access Service (RRAS) management tool that could allow remote code execution when connecting to a malicious server. This issue only applies to a limited set of scenarios involving Enterprise client devices running hotpatch updates and being used for remote server management.

    An out-of-band (OOB) hotpatch update (KB5084597) was released today, March 13, 2026, to address this issue. This cumulative update includes all protections and improvements from the March 2026 Windows security update released March 10, 2026. No action is required if:

    • Your devices receive standard Windows updates.
    • You are not using the RRAS management tool on Windows devices running versions 25H2 or 24H2.

    This OOB hotpatch update is available for Windows 11, versions 25H2 and 24H2 devices enrolled in hotpatch updates and managed by Windows Autopatch. This update will install automatically through Windows Update and take effect without requiring you to restart your device. Learn more about hotpatch updates.

    For more information, refer to the KB article March 13, 2026—Hotpatch KB5084597 (OS Builds 26200.7979 and 26100.7979) Out-of-band.

    Microsoft Viva Engage | Email sender domain migration from @yammer.com to @engage.mail.microsoft
    Category:Microsoft Viva
    Nummer:MC1251200
    Status:stayInformed

    [Introduction]

    As part of the final phase of the Viva Engage rebranding, we’re updating the email sender domains used for Viva Engage communications. This change ensures a consistent and secure brand experience across all surfaces and completes the transition from Yammer to Viva Engage.

    This update was previously communicated in MC1117814, Microsoft Viva Engage | Email sender domain migration from @yammer.com to @engage.mail.microsoft, in September 2025.

    [When this will happen:]

    • The email sender domain rollout began in early September 2025 for U.S. and EU tenants that were receiving messages from @yammer.com and @eu.yammer.com, respectively.
    • The rollout is expected to complete by mid‑April 2026.
    • A fallback/coexistence period will be in place between September 2025 and April 2026, during which some tenants will remain on the old experience while others transition to the new one.

    [How this affects your organization:]

    Who is affected:

    • All Microsoft Viva Engage tenants in U.S., EU, and global regions.
    • All users who receive Viva Engage emails, including notifications, announcements, and digests.
    • Microsoft 365 administrators who manage:
      • Exchange Online mail flow rules
      • Email security gateways
      • Journaling, archiving, or third-party mail integrations that reference the @yammer.com domain.

    What will happen:

    The sender domain for Viva Engage emails will change as follows:

    • From @yammer.com to @engage.mail.microsoft for U.S. and global regions.
    • From @eu.yammer.com to @eu.engage.mail.microsoft for European regions.

    These new domains are secured with industry standard authentication protocols (e.g., SPF) to help prevent spoofing and ensure reliable delivery.

    To enhance security and reduce cross-tenant spam, sender addresses will now include a tenant-specific prefix. You may see emails from:

    These changes apply to all Viva Engage tenants, regardless of license tier (e.g., Viva P1, P2), and affect all Viva Engage emails, including notifications, announcements, and digests.

    Third-party integrations (e.g., journaling, archiving, or routing systems) that rely on the @yammer.com domain for classification or authentication may be impacted. Any such configurations should be reviewed and updated to recognize the new domains.

    [Screenshot: an example of a new Viva Engage email notification sent from the updated @engage.mail.microsoft domain]

    [What you can do to prepare:]

    Review and update the following configurations:

    • Transport rules and email gateways: Update any rules that reference @yammer.com to include the new domains.
    • Exchange filtering: Ensure filtering rules remain effective with the new sender domains.
    • Outlook rules: Inform users that any rules based on @yammer.com will no longer apply. Users can manually update or remove these rules.

    No admin action is required unless your organization has custom configurations based on the old domain.
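
One way to carry out the transport-rule review above, as an added example that is not part of the Message center post or Microsoft's own tooling: the function inspects rule objects shaped like `Get-TransportRule` output and reports sender conditions that still name a Yammer domain without its replacement. The function names and sample rules are constructed for illustration; domains are compared on label boundaries because the format of the tenant-specific prefix is not shown on this page.

```powershell
# Added example: audit mail-flow rules for the Viva Engage sender-domain change.
# Old and new domains come from the announcement; everything else is illustrative.

# Most specific domain first, so eu.yammer.com is not classified as yammer.com.
$DomainClasses = @(
    [pscustomobject]@{ Domain = 'eu.yammer.com';            Class = 'LegacyEU' }
    [pscustomobject]@{ Domain = 'yammer.com';               Class = 'LegacyUS' }
    [pscustomobject]@{ Domain = 'eu.engage.mail.microsoft'; Class = 'NewEU' }
    [pscustomobject]@{ Domain = 'engage.mail.microsoft';    Class = 'NewUS' }
)
$NewDomain = @{ US = 'engage.mail.microsoft'; EU = 'eu.engage.mail.microsoft' }

# Transport-rule properties that can carry sender domains or address patterns.
$SenderProperties = 'SenderDomainIs', 'FromAddressContainsWords',
                    'FromAddressMatchesPatterns', 'ExceptIfSenderDomainIs',
                    'ExceptIfFromAddressContainsWords'

function Get-EngageDomainClass {
    param([string]$Token)
    $t = $Token.ToLowerInvariant()
    foreach ($entry in $DomainClasses) {
        # Exact domain or a subdomain of it; 'notyammer.com' and
        # 'yammer.com.example' fall through to 'Other'.
        if ($t -eq $entry.Domain -or $t.EndsWith('.' + $entry.Domain)) {
            return $entry.Class
        }
    }
    return 'Other'
}

function Find-LegacyEngageSenderRule {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Rule)
    process {
        foreach ($prop in $SenderProperties) {
            $values = @($Rule.$prop) | Where-Object { $_ }
            if (-not $values) { continue }

            # Pull domain-like tokens out of each value. Backslashes are dropped
            # so simple regex patterns such as '@eu\.yammer\.com$' still parse.
            $found = foreach ($v in $values) {
                $clean = ([string]$v) -replace '\\', ''
                [regex]::Matches($clean, '[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+') |
                    ForEach-Object { Get-EngageDomainClass $_.Value }
            }

            foreach ($region in 'US', 'EU') {
                if ($found -contains "Legacy$region" -and $found -notcontains "New$region") {
                    [pscustomobject]@{
                        Rule          = $Rule.Name
                        Property      = $prop
                        MissingDomain = $NewDomain[$region]
                    }
                }
            }
        }
    }
}

# Constructed sample rules (not real tenant data).
$sampleRules = @(
    [pscustomobject]@{ Name = 'Allow community digests'
                       SenderDomainIs = @('yammer.com') }
    [pscustomobject]@{ Name = 'Route EU community mail'
                       FromAddressMatchesPatterns = @('@eu\.yammer\.com$', '@eu\.engage\.mail\.microsoft$') }
    [pscustomobject]@{ Name = 'Tag community mail'
                       FromAddressContainsWords = @('yammer.com', 'eu.yammer.com', 'engage.mail.microsoft') }
    [pscustomobject]@{ Name = 'Quarantine lookalike'
                       SenderDomainIs = @('notyammer.com') }
)

$sampleRules | Find-LegacyEngageSenderRule | Format-Table -AutoSize

# Against a live tenant (assumes an Exchange Online PowerShell session):
#   Get-TransportRule | Find-LegacyEngageSenderRule
```

With the sample data, the first rule is reported as missing engage.mail.microsoft and the third as missing eu.engage.mail.microsoft; the second already lists both EU domains and the fourth does not reference a Yammer domain at all.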

    Learn more: Yammer is evolving to Viva Engage | Viva Engage Blog

    [Compliance considerations:]

    No compliance considerations identified. Review as appropriate for your organization.

    Prevent/Fix: Microsoft Purview | Activity Explorer – Total count includes duplicate results
    Category:Microsoft 365 suite Microsoft Purview
    Nummer:MC1251201
    Status:preventOrFixIssue

    [Introduction]

    We’re improving how totals are displayed in Activity Explorer to reduce confusion and improve trust in exported results. Today, the total count shown in the Activity Explorer UI can appear higher than the number of records exported due to duplicate records being included in the UI count. While exported data already removes duplicates and maintains full data integrity, this discrepancy can give the impression that data is lost during export. To address this, we’re updating the UI to display a more accurate count based on results currently loaded in the portal.

    [When this will happen:]
    We will begin rolling out this change in an upcoming service update. We will update this post once rollout timing is finalized.

    [How this affects your organization:]

    Who is affected:

    • Microsoft 365 administrators and compliance teams using Activity Explorer in Microsoft Purview.

    What will happen:

    • The “Total count” shown in Activity Explorer will be replaced with “Total results loaded.”
    • The displayed number will reflect the count of events currently loaded in the portal view.
    • Exported data remains unchanged and continues to include only unique records.
    • There is no data loss and no change to export deduplication behavior.
    • This approach avoids performance impact for large tenants.

    [What you can do to prepare:]
    No action is required.

    We recommend informing compliance teams about the updated label and updating any internal documentation that references the Activity Explorer total count.

    [Compliance considerations:]
    This change affects how counts are displayed in the Activity Explorer UI but does not change how customer data is stored, exported, or retained.

    Copilot extensibility: Microsoft 365 Copilot Declarative Agents model upgrade to GPT‑5.2
    Category:Microsoft Copilot (Microsoft 365)
    Nummer:MC1251203
    Status:stayInformed

    [Introduction]

    Microsoft 365 Copilot Declarative Agents are being upgraded to the GPT‑5.2 model. This update improves quality and reliability for agent scenarios such as reasoning, multi‑step workflows, tool calling, structured output generation, and document analysis. As with GPT‑5.1, users can continue to choose between Auto, Quick Response, and Think Deeper modes.

    [When this will happen]

    General availability (Worldwide): Rollout will begin around mid-March 2026 and is expected to complete by late March 2026.

    [How this affects your organization]

    Who is affected

    • Users and builders of Microsoft 365 Copilot Declarative Agents in all Microsoft 365 tenants

    What will happen:

    • Declarative Agents will begin using the GPT‑5.2 foundational model.
    • Users may notice improved quality, accuracy, and formatting in responses.
    • Some agent behaviors may vary slightly due to model differences.
    • The update will roll out gradually; not all users will receive the new model at the same time.
    • No admin controls are changing, and existing settings continue to apply.

    [What you can do to prepare]

    No configuration changes are required. To support a smooth transition, consider the following steps:

    • Inform agent builders that the model upgrade is rolling out.
    • Validate your organization’s most important agent workflows (for example, top 5–10 prompts or use cases).
    • Check that agents continue to meet expectations for accuracy, tone, and formatting.
    • Monitor agent behavior and submit feedback through the thumbs up/down feature.
      • Include #GPT52 when reporting issues or successes.

    [Compliance considerations]

    No compliance considerations identified. Review as appropriate for your organization.

    Microsoft Teams: Identify external bots joining your Teams meetings
    Category:Microsoft Teams
    Nummer:MC1251206
    Status:stayInformed

    [Introduction]

    AI‑powered meeting assistant bots—such as transcription and summarization services—are increasingly used to enhance productivity in online meetings. While these tools can be valuable, some bots may access meetings without the knowledge or consent of the meeting organizer or the hosting tenant, which can create data security, privacy, and compliance risks.

    To help organizations protect meeting content and increase visibility into automated participants, Microsoft Teams is introducing a new capability that detects external meeting assistant bots as they attempt to join meetings. This update gives organizers greater awareness and control and provides administrators with clear controls to manage how detected bots are handled in meetings hosted across the organization.

    This message is associated with Microsoft 365 Roadmap ID 558107.

    [When this will happen]

    • Targeted Release: We will begin rolling out in mid-May 2026 and expect to complete by early June 2026.
    • General Availability (Worldwide): We will begin rolling out in early June 2026 and expect to complete by mid-June 2026.
    • General Availability (GCC): We will begin rolling out in early June 2026 and expect to complete by mid-June 2026.

    [How this will affect your organization]

    Who is affected

    • All organizations using Microsoft Teams meetings, including GCC tenants
    • Meeting organizers and Teams administrators

    What will happen

    • Teams will detect external meeting bots as they attempt to join meetings hosted by your organization.
    • When detected, bots will be clearly labeled in the meeting lobby experience.

      • Note: Some bots may still go undetected by the system due to their intrinsic behavior. Ask your users to report such bots directly from the app or meeting. This will help us improve our detection system.
    • Organizers will be able to:
      • approve or deny detected bots from the meeting lobby.
      • see clearly which participants have been identified as bots.
      • remove detected bots during the meeting if necessary.
    • These organizer controls are designed to help ensure that bot participation in meetings is an intentional and informed decision.
    • A new meeting policy will be available in the Teams admin center that allows admins to configure how detected bots are handled (do not detect bots, require approval). In the future, we intend to provide more granular controls to admins, as appropriate.
    • Bot detection will be enabled by default for all tenants.
    • Teams will continue improving detection accuracy; however, some bots may not be detected in all scenarios.

    [What you can do to prepare]

    No action is required at this time.

    However, we recommend that Teams admins:

    • Review the new meeting policy in the Teams admin center once it becomes available.
    • Keep the default setting, which requires organizers to approve detected bots before they join meetings (recommended).
    • Choose a stricter or more permissive option based on your organization’s collaboration and compliance requirements.
    • Inform meeting organizers that they may see new indicators and approval prompts when detected bots attempt to join meetings.
    • Update internal helpdesk or governance documentation if your organization documents meeting join or lobby controls behavior.
    • Monitor future Message center updates for expanded administrative controls.

    [Compliance considerations]

    Question / Answer

    Does the change introduce or significantly modify AI/ML or agent capabilities that interact with or provide access to your data?

    Yes. This change introduces detection logic that analyzes meeting join metadata to identify external automated bots attempting to join meetings.

    Does the change provide a new way of communicating between users, tenants, or subscriptions?

    No. The feature only changes how external meeting assistant bots are surfaced to organizers during the meeting join process, increasing visibility of automated external participants. There is no change in the way participants can communicate with these bots or vice versa.

    Does the change include an admin control, and can it be controlled through Entra ID group membership?

    Yes. The change introduces a new meeting policy in the Teams admin center that allows admins to define how detected bots are handled. It cannot be controlled through Entra ID group membership at this time.

    Microsoft Secure Score: New recommendations for Microsoft Defender for Endpoint
    Category:Microsoft Defender XDR
    Nummer:MC1251207
    Status:stayInformed

    [Introduction]

    We’re adding new Microsoft Secure Score recommendations for Microsoft Defender for Endpoint (MDE) to help your organization strengthen endpoint security and proactively reduce exposure to common attack techniques. These recommendations support more robust security baselines and help you assess and improve protection across your devices.

    [When this will happen]

    • Public Preview: Rollout began at the end of February 2026 and is expected to complete by mid‑March 2026.

    [How this will affect your organization]

    Who is affected

    • Admins who manage Microsoft Defender for Endpoint and Microsoft Secure Score.

    What will happen

    Customers in Public Preview will see the following new Microsoft Secure Score recommendations:

    • SMB server security hardening against authentication relay attacks
    • Block file transfer over Remote Desktop Protocol (RDP)

    As these recommendations become available:

    • Secure Score will update based on your organization’s implementation of the recommended actions.
    • No changes will be made to your existing configurations unless you choose to enable the recommended settings.
    • These recommendations are off by default and require admin action to adopt.

    [What you can do to prepare]

    [Compliance considerations]

    No compliance considerations identified. Review as appropriate for your organization.
