| (Updated) Microsoft 365 admin center: Organizational Messages to support email delivery
Category: Microsoft 365 suite, Microsoft Copilot (Microsoft 365), Microsoft 365 Copilot Chat
Number: MC1189665
Status: stayInformed | Updated April 16, 2026: We have updated the timeline. Thank you for your patience.
[Introduction] Organizational Messages will soon include email as a delivery channel, expanding beyond existing surfaces such as the Windows Taskbar, Windows Notifications, Windows Spotlight, and Teams popovers. This enhancement helps organizations reach users through familiar communication channels, improving engagement and adoption. This message is associated with Microsoft 365 Roadmap ID 503562.
[When this will happen] - Public Preview (Worldwide): Rollout began in mid-November 2025 and is expected to complete by late January 2026.
- General Availability (Worldwide): Rollout begins in late April 2026 (previously mid-April) and is expected to complete by late May 2026 (previously mid-May).
[How this will affect your organization]
Who is affected: Admins managing Organizational Messages in Microsoft 365.
What will happen:
- Email will be added as a delivery channel for Organizational Messages.
- Admins can send premade, templatized messages via email in addition to existing surfaces like Windows Spotlight, Taskbar, Notification Center, and Teams popovers.
- During Public Preview, new pre-built email templates will be available:
- Two welcome messages: Welcome to Copilot and Welcome to Copilot Chat.
- Six weekly Great M365 Copilot Journey emails highlighting features and best practices to drive onboarding and adoption.
[What you need to do to prepare]
No action is required at this time.
[Compliance considerations] No compliance impacts identified. Review your organization’s policies as needed. |
| (Updated) Microsoft 365 admin center: Organizational Messages now support Action Segments for Microsoft 365 Copilot
Category: Microsoft Copilot (Microsoft 365)
Number: MC1189666
Status: stayInformed | Updated April 16, 2026: We have updated the timeline. Thank you for your patience.
[Introduction]
Action Segments empower IT admins to target Organizational Messages using dynamic, pre-defined usage segments. This enhancement helps admins deliver more relevant communications based on user activity. For the Public Preview, there are two Action Segments available: Inactive Microsoft 365 Copilot Users and Inactive Microsoft 365 Copilot Users in Teams.
This message is associated with Microsoft 365 Roadmap ID 503563.
[When this will happen]
- Public Preview (Worldwide): Rollout began in mid-November 2025 and is expected to complete by late January 2026.
- General Availability (Worldwide): Rollout begins in late April 2026 (previously mid-April) and is expected to complete by late May 2026 (previously mid-May).
[How this will affect your organization]
- Who is affected:
- Admins managing Organizational Messages in Microsoft 365.
- Tenants with Microsoft 365 Copilot licenses (required for Action Segments to apply).
- What will happen:
- Admins can target messages based on user activity using Action Segments:
- Two pre-defined segments are available during Public Preview:
- Inactive Microsoft 365 Copilot Users
- Inactive Microsoft 365 Copilot Users in Teams
- No changes to existing admin policies; feature is additive.
[What you can do to prepare]
- No immediate action is required at this time.
- If you want to take advantage of this feature:
- Ensure your organization has Microsoft 365 Copilot licenses (required for Action Segments to apply).
- Review and configure Action Segments in the Microsoft 365 admin center.
- Communicate this change to your helpdesk or support teams.
- Update internal documentation if you detail Organizational Messages or Copilot usage.
[Compliance considerations] No compliance impacts identified. Review your organization’s policies as needed. |
| Microsoft Entra ID Governance: Azure subscription required to continue using guest governance features
Category: Microsoft Entra
Number: MC1225192
Status: planForChange | Introduction
Beginning January 30, 2026, Microsoft Entra ID Governance will require all tenants to have a linked Azure subscription to continue using Identity Governance features for guest users. This change ensures accurate billing for governance actions performed by guests and supports continued access to advanced governance capabilities.
When this will happen:
General availability and enforcement begin on January 30, 2026.
How this will affect your organization:
Who is affected:
- Organizations using Microsoft Entra ID Governance features for guest users (userType = Guest).
- Admins managing lifecycle workflows or Entra ID Governance features in entitlement management for external or guest identities. Access reviews will be included by March 31, 2026.
What will happen:
- If your tenant does not have a linked Azure subscription, creation or updates of policies scoped to guest users using premium Entra ID Governance capabilities will be blocked.
- The following actions will be unavailable:
- Creating access reviews scoped to guest users (inactive user reviews, user-to-group affiliation helper)
- Creating or updating entitlement management policies involving guests, sponsor approvers, custom extensions, Verified ID, or auto-assignment rules
- Marking a guest as governed in entitlement management
- Directly assigning a guest user to an access package in entitlement management
- Creating or updating lifecycle workflows scoped to guest users.
- Existing policies will continue to run, but no new guest-governance actions can be authored without billing enabled.
- Once a subscription is linked, normal guest governance usage and billing will begin under the Monthly Active User (MAU) model.
What you can do to prepare:
- Before January 30, 2026, link a valid Azure subscription to your tenant:
- Navigate to Entra ID → ID Governance → Dashboard
- In the Guest Access Governance panel, select Get Started
- Choose a subscription and resource group, then select Turn on
- Confirm your account has at least the Contributor role to enable subscription linking.
- Review any guest-scoped workflows, reviews, or entitlement policies that may require updates after subscription linking.
- Communicate this change to support teams or internal governance admins.
- Update internal documentation regarding:
- Guest governance prerequisites
- Subscription dependency
- Billing behavior for governance actions
Learn more: Microsoft Entra ID Governance licensing for guest users | Microsoft Learn
Compliance considerations:
| Question | Explanation |
| Does the change alter how existing customer data is processed, stored, or accessed? | Guest-governance actions require a linked Azure subscription; creating or updating guest-scoped governance actions is blocked without subscription linkage. |
| Does the change modify admin controls? | Admins must link an Azure subscription to enable guest governance billing and can turn guest governance on or off in the Entra ID Governance dashboard. |
| Does the change allow a user or admin to enable or disable the feature? | Guest governance features can be enabled or disabled through the Guest Governance panel in the Entra ID Governance dashboard. |
|
| (Updated) Copilot Cowork now available in Frontier
Category: Microsoft Copilot (Microsoft 365), Microsoft 365 Copilot Chat
Number: MC1265767
Status: planForChange | Updated April 15, 2026: We have updated the content. Thank you for your patience.
[Introduction]
Copilot Cowork is now available in Frontier. Copilot Cowork enables users to orchestrate complex, multi-step work across Microsoft 365 without switching between apps. Copilot Cowork moves beyond answering questions to turning intent into execution by automatically generating plans, coordinating work across emails, meetings, messages, files, and data, and carrying tasks forward with visible progress and user control. This update reflects customer feedback to reduce manual coordination for real work while maintaining enterprise-grade security, privacy, and controls. Learn more on our blog: Powering Frontier Transformation with Copilot and agents. Screenshot: The Copilot Cowork interface in Microsoft 365 Copilot 
[When this will happen:]
- Copilot Cowork is now available in Frontier.
- General availability will be communicated at a later date.
[How this affects your organization:]
Who is affected:
- Users with a Microsoft 365 Copilot (Premium) license
- Users enabled for Frontier
- English language only
Prerequisites and controls:
- The tenant must be enrolled in the Frontier program.
- Microsoft‑built agents must be enabled.
- Anthropic must be enabled as a subprocessor (default: on).
- For tenants based in the European Union (EU), Anthropic as a subprocessor is off by default due to EU Data Boundary requirements and must be explicitly enabled.
- If Anthropic is off, users may still see Cowork but be unable to use it.
- Admins must be enrolled in Frontier to see Cowork in Agent Inventory.
What will happen:
- Users can install Copilot Cowork from the Agent Store in the Microsoft 365 Copilot app and pin it to the left rail.
- Users can describe an outcome in natural language, and Copilot Cowork will:
- Automatically generate a multi-step plan grounded in the user’s Microsoft 365 context
- Coordinate tasks across Microsoft 365 apps such as Word, PowerPoint, Outlook, and others
- Continue work over time with visible checkpoints and progress tracking
- Copilot Cowork proposes actions and requires explicit user approval before acting on tasks such as:
- Sending emails or Teams messages
- Scheduling, declining, or rescheduling meetings
- Editing or moving files
- Users can pause, adjust, or stop execution at any time and return later to review progress.
- For eligible tenants, the experience is enabled by default and respects existing Microsoft 365 permissions and policies, unless restricted by EU Data Boundary settings.
[What you can do to prepare:]
- No admin action is required.
Learn more: [Compliance considerations:]
| Compliance question | Explanation |
| Does the change introduce or significantly modify AI/ML or agent capabilities that interact with or provide access to customer data? | Copilot Cowork introduces a new Microsoft-built agent that orchestrates multi-step work across Microsoft 365 services using existing customer data, while requiring explicit user approval before taking actions. |
| Does the change provide end users any new way of interacting with generative AI? | Users can describe an intended outcome in natural language and have Copilot Cowork generate and execute a multi-step plan with progress tracking. |
| Does the change add any integration to 3rd party software products? | Anthropic is used as a subprocessor to support Copilot Cowork capabilities and is enabled by default. |
| Does the change include an admin control? | Availability is controlled through Frontier enrollment, agent enablement settings, subprocessor configuration, and EU Data Boundary defaults. |
| Does the change allow a user to enable and disable the feature themselves? | Users can install Copilot Cowork from the Agent Store and can pause, adjust, or stop execution at any time. |
|
| Microsoft Purview: Data Lifecycle Management - Azure PST Import
Category: Microsoft Purview
Number: MC1281505
Status: stayInformed | [Introduction] Azure PST Import provides a structured, PowerShell-based way for administrators to import PST files, which are commonly used to store archived Outlook mailbox content, from Azure Blob Storage into Exchange Online mailboxes. This capability helps organizations migrate historical email data in a controlled and auditable way by validating readiness before importing and by providing reports throughout the process. The process starts by creating an Azure PST Import endpoint to establish the connection between Azure storage and Exchange Online. Administrators then run a migration batch in Analyze mode to review readiness and validate the input before proceeding. Once the analysis results are reviewed, they use those results to create and start the import batch, which begins importing the PST files into the specified mailboxes. This message is associated with Microsoft 365 Roadmap ID 557559.
[When this will happen]
Global rollout
- Start: May 4, 2026
- Complete: May 15, 2026
[How this affects your organization]
Who is affected
- Microsoft 365 administrators managing Exchange Online
- Administrators using Microsoft Purview Data Lifecycle Management
- Organizations that import PST files into user or archive mailboxes
What will happen
- Administrators complete the Azure PST Import process using PowerShell cmdlets only.
- The workflow includes:
- Creating an Azure PST Import migration endpoint
- Running a migration batch in Analyze mode to validate readiness
- Reviewing analysis results and reports
- Creating and starting the import batch
- Performing post-import cleanup
- This experience is not available through a graphical user interface (GUI).
- Existing mailbox prerequisites and quotas are validated before importing begins.
- There is no direct user impact; the feature is admin-driven.
[What you can do to prepare]
- Ensure your Azure storage account and container exist and are reachable; the endpoint creation cmdlet validates both during setup.
- Grant the Storage Blob Data Reader role to the Office 365 Import Service app on the target storage account. Without this permission, creating the Azure PST Import endpoint will fail.
- Prepare your batch input files (XML and/or CSV) and run the migration batch in Analyze mode first so the service can validate readiness before importing.
- Confirm analysis prerequisites for target mailboxes:
- Appropriate license assigned
- Mailbox is not inactive or soft-deleted
- Recipient type is UserMailbox
- Archive is enabled if importing to archive
- Quota validations (ArchiveQuota / RecoverableItemsQuota) occur during analysis
- Validate PST files ahead of time:
- Analysis verifies that all specified PST files exist
- PST file size is validated during analysis
For detailed cmdlet usage and guidance, review the Azure PST Import documentation on Microsoft Learn.
[Compliance considerations]
| Question | Answer |
| Does the change alter how existing customer data is processed, stored, or accessed? | Yes. The feature enables administrators to import existing customer email data contained in PST files into Exchange Online mailboxes, where the data is then stored and processed according to existing Exchange Online behaviors. |
| Does the change store customer data, and if so, where is it stored? | Yes. PST file contents are imported into Exchange Online mailboxes within the customer’s Microsoft 365 tenant and are stored according to the tenant’s data residency and storage configuration. |
| Does the change modify retention policies, holds, or deletion workflows? | Yes. Once imported, mailbox data becomes subject to any existing Microsoft Purview retention policies, retention labels, holds, and deletion workflows already configured for the target mailboxes. |
| Does the change affect audit logging capabilities? | Yes. Administrative actions related to PST import and the resulting mailbox changes are logged using existing Exchange Online and Microsoft Purview audit logging mechanisms. |
| Does the change alter how admins can monitor or demonstrate compliance? | Yes. Administrators can use existing Exchange Online and Microsoft Purview reporting and audit tools to monitor PST import activity and demonstrate compliance after the data is imported. |
| Does the change include an admin control? | Yes. The feature is controlled through administrator access to PowerShell cmdlets and Azure role assignments, including permissions on the Azure storage account used for PST import. |
|
| Planned breaking changes to ASIM KQL functions used by Microsoft Sentinel for Developers
Category: Microsoft Defender XDR
Number: MC1281506
Status: planForChange | [Introduction] We’re making planned breaking changes to some Advanced Security Information Model (ASIM) KQL functions used in Microsoft Sentinel for Developers. These changes align parameters with documentation to improve consistency and performance.
[When this will happen] Rollout timing has not been finalized. We’ll update this Message center post with specific start and end dates once they’re confirmed.
[How this affects your organization]
Who is affected
- Organizations using ASIM or normalization KQL functions in Microsoft Sentinel for Developers
- Security teams and partners building or maintaining detections and analytic rules that rely on these functions
What will happen (April 19)
- We will update _Im_ProcessCreate with the correct parameter, so that it accepts both targetusername and targetusername_has.
- This gives partners time to update their detections and KQL queries to use the parameter name targetusername_has without breaking any existing experiences.
What will happen (May 25 or later)
- Once enough time has passed and our usage telemetry confirms that targetusername is no longer being used, we will remove the targetusername parameter.
[What you can do to prepare]
- Review detections and analytic rules that use ASIM or normalization functions.
- Update queries to use targetusername_has.
- Test updated detections before rollout.
- Notify teams or partners who maintain Sentinel detections.
Learn more: The Advanced Security Information Model (ASIM) Process Event normalization schema reference | Microsoft Sentinel | Security | Azure | Microsoft Learn
[Compliance considerations] No compliance considerations identified. Review as appropriate for your organization. |
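To support the review step above, here is an added example (not Microsoft's code) that finds `_Im_ProcessCreate` calls still passing `targetusername` and rewrites them to `targetusername_has`, ignoring string literals and `//` comments. The function names and the sample rule query are constructed for illustration.

```python
import re

OLD, NEW = "targetusername", "targetusername_has"
_CALL_RE = re.compile(r"\b_Im_ProcessCreate\s*\(")
# Named argument "targetusername =": \b keeps targetusername_has from matching.
_OLD_ARG_RE = re.compile(r"\b" + OLD + r"\b(?=\s*=(?!=))")


def _mask(kql):
    """Blank out string-literal contents and // comments, keeping every offset."""
    out, i, quote = [], 0, None
    while i < len(kql):
        ch = kql[i]
        if quote:
            if ch == "\\" and i + 1 < len(kql):   # escaped character in a string
                out.append("  ")
                i += 2
                continue
            if ch == quote:
                quote = None
                out.append(ch)
            else:
                out.append("\n" if ch == "\n" else " ")
        elif kql.startswith("//", i):             # line comment
            j = kql.find("\n", i)
            j = len(kql) if j == -1 else j
            out.append(" " * (j - i))
            i = j
            continue
        else:
            if ch in "'\"":
                quote = ch
            out.append(ch)
        i += 1
    return "".join(out)


def _close_paren(masked, open_idx):
    """Index of the ')' that closes the '(' at open_idx."""
    depth = 0
    for i in range(open_idx, len(masked)):
        if masked[i] == "(":
            depth += 1
        elif masked[i] == ")":
            depth -= 1
            if depth == 0:
                return i
    return len(masked)


def find_deprecated(kql):
    """Offsets of the old parameter name inside _Im_ProcessCreate(...) calls."""
    masked, hits = _mask(kql), set()
    for call in _CALL_RE.finditer(masked):
        end = _close_paren(masked, call.end() - 1)
        hits.update(m.start() for m in _OLD_ARG_RE.finditer(masked, call.end(), end))
    return sorted(hits)


def line_of(kql, offset):
    return kql.count("\n", 0, offset) + 1


def migrate(kql):
    """Rename the argument in place; review each rewritten rule before deploying."""
    for off in reversed(find_deprecated(kql)):
        kql = kql[:off] + NEW + kql[off + len(OLD):]
    return kql


# Constructed sample rule query (not a real detection).
RULE = """// constructed analytic rule query
_Im_ProcessCreate(starttime=ago(1d), targetusername='svc-backup')
| where CommandLine has 'targetusername=' // literal text, must not change
| union (_Im_ProcessCreate(targetusername_has='admin'))
"""

if __name__ == "__main__":
    for off in find_deprecated(RULE):
        print(f"line {line_of(RULE, off)}: uses {OLD}, switch to {NEW}")
    print(migrate(RULE))
```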
| Microsoft 365 Copilot: Discover Copilot actions in OneDrive/SharePoint file preview
Category: Microsoft Copilot (Microsoft 365)
Number: MC1281507
Status: stayInformed | [Introduction] We are improving how users discover Microsoft 365 Copilot capabilities in the file previewer of OneDrive and SharePoint. Ready-to-use Copilot actions will appear directly in the file preview experience, alongside the Copilot button. When users preview supported files, suggested prompts will help them complete common tasks such as summarizing documents, generating FAQ, and extracting key information without writing their own prompts.
[When this will happen] General Availability (Worldwide): We will begin rolling out in late April 2026 and expect to complete the rollout by early May 2026.
[How this affects your organization]
Who is affected
- Microsoft 365 tenants using OneDrive for Business
- Users who have access to Microsoft 365 Copilot
- Administrators managing OneDrive and Copilot experiences
What will happen
- Users will see suggested Copilot actions when previewing supported files in OneDrive:
- Suggested actions may include summarizing content, generating FAQ, and identifying key points.
- The feature will be enabled by default for eligible users. Suggestions will disappear after a timeout or after a user interacts with a file.
- Existing Copilot, OneDrive, SharePoint, and Microsoft Purview policies will continue to apply.
- There will be no change to file permissions, sharing behavior, or data residency. Copilot will continue to respect existing access controls and Microsoft Purview policies.
[What you can do to prepare]
- No admin action is required.
- Consider notifying users that Copilot suggestions will appear in OneDrive file previews to support awareness and adoption.
- If Copilot is disabled or restricted in your tenant, those settings continue to apply.
[Compliance considerations]
| Question | Answer |
| Does the change alter how existing customer data is processed, stored, or accessed? | Yes. Copilot processes existing OneDrive or SharePoint file content to generate responses, consistent with current Copilot behavior and user permissions. |
| Does the change introduce or significantly modify AI or ML capabilities that interact with customer data? | Yes. The change introduces new in-context Copilot prompts that guide user interaction with existing generative AI capabilities. |
| Does the change provide a new way for users to interact with generative AI? | Yes. Users can initiate Copilot actions directly from the OneDrive or SharePoint file preview using suggested prompts. |
|
| Modernized Change Management for Microsoft 365
Category: Microsoft 365 suite
Number: MC1282306
Status: planForChange | We are introducing a modernized change management model for Microsoft 365 to help IT teams manage the pace of innovation and realize value faster. Based on customer feedback, this new approach provides greater clarity, consistency, and control through flexible release audiences, more actionable Message center posts, and AI enabled access to trusted release information.
Clarity and Control for Admins
Microsoft 365 is evolving how updates are released and giving IT teams greater clarity, consistency, and control over change.
Audience based rollout model
- Align rollouts to operational readiness with channels that support both rapid innovation and regulated environments. Expanding release audience options (Frontier program, Standard release, and Deferred release) to better align rollout timing with organizational readiness and governance needs.
- This is the first step in our modernization change management journey. We’re starting with Microsoft 365 Copilot.
Actionable communications
- Enhanced Message center updates are timely and relevant, helping admins anticipate, validate, and prepare changes. Providing more structured, launch‑focused Message center announcements with clearer impact, actions, and compliance considerations.
AI powered change insights
[When this will happen:] General Availability (Worldwide): We will begin rolling out mid-April 2026 and expect to complete by late April 2026.
[How this will affect your organization:] Depending on your configuration and readiness model, you now have the option to choose your release audience preference for your organization:
- Stage feature rollout using release audiences:
- Frontier program for early experimentation and feedback.
- Standard release (default) for immediate access at general availability.
- Deferred release (for eligible major features) to delay rollout by 30 days for additional security or compliance review.
- To access the Admin Control to select release preference:
Screenshots: Preferences navigation; Release preferences, Standard release; Release preferences, Deferred release
- Enable AI tools and agents to query trusted release and roadmap data via the MRC MCP Server and Microsoft MCP for Enterprise.
- Note: Additional Microsoft 365 workloads will be supported in the future.
[What you need to do to prepare:]
- Review and configure your release preferences: Assign the release audience your tenant and users are assigned to in the Microsoft 365 Admin Center.
- Please note we will begin leveraging this new model for Microsoft 365 Copilot features in late May and preferences will be honored.
- Explore MCP-powered insights: Connect the MRC MCP Server and MCP for Enterprise to your AI-enabled tools to streamline change tracking and analysis.
Learn more |
| Message center post structure updates may require admin script changes
Category: Microsoft 365 suite
Number: MC1282308
Status: planForChange | [Introduction:]
We’re updating the Microsoft 365 Message center post structure to provide more consistent, concise, and actionable communications. This change standardizes section headings across Message center posts to improve readability, support automation scenarios, and enable future personalized and agentic experiences. As part of this update, existing section headings are being replaced with a new, consistent set of headers.
[When this will happen:]
May 16, 2026
[How this affects your organization:]
Who is affected
- Microsoft 365 administrators
- Admins or partners who use scripts, tools, or automation that parse Message center posts based on section headings
What will happen
- New Message center posts will use the following standardized headings:
- What and Why
- Rollout Schedule
- Impact on Your Organization
- Action Required/Recommendations
- Compliance Considerations
- Previous Message center headings will no longer appear in newly published posts.
- Scripts or workflows that rely on the original headings may fail or return incomplete data if not updated.
[What you can do to prepare:]
- Review any scripts or automation that extract or classify Message center content by heading name.
- Update logic to recognize the new standardized headings.
- Validate downstream systems such as dashboards, alerts, or ticketing integrations.
- Communicate this change to admin, operations, and tooling teams as appropriate.
[Compliance considerations:]
No compliance considerations identified. Review as appropriate for your organization. |
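As an added illustration (not Microsoft's code), one way to keep a heading-based parser working across the transition is to map both heading sets onto the same keys and report any section that was not found instead of silently returning partial data. The canonical keys and the pairing of each legacy heading with a new one are assumptions of this example, and both sample posts are constructed.

```python
import re

# Canonical key -> accepted heading spellings. The first name in each list is a
# new standardized heading from MC1282308; the rest are legacy spellings seen in
# older posts. Pairing legacy with new headings is this example's assumption.
HEADINGS = {
    "what_and_why": ["What and Why", "Introduction"],
    "rollout_schedule": ["Rollout Schedule", "When this will happen"],
    "impact": ["Impact on Your Organization",
               "How this will affect your organization",
               "How this affects your organization"],
    "action": ["Action Required/Recommendations",
               "What you need to do to prepare",
               "What you can do to prepare"],
    "compliance": ["Compliance Considerations"],  # same words in both formats
}

_KEY_BY_NAME = {n.lower(): k for k, names in HEADINGS.items() for n in names}
_ALTS = "|".join(re.escape(n) for n in sorted(_KEY_BY_NAME, key=len, reverse=True))
# Legacy headings are bracketed and may sit inline; bare headings count only
# when alone on a line, so the word "Introduction" inside prose is not a heading.
_HEADING_RE = re.compile(
    rf"\[\s*(?P<bracketed>{_ALTS})\s*:?\s*\]\s*:?"
    rf"|^[ \t]*(?P<bare>{_ALTS})[ \t]*:?[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)


def split_sections(body):
    """Return {canonical_key: text}; text before the first heading is 'preamble'."""
    sections = {}
    matches = list(_HEADING_RE.finditer(body))
    preamble = body[:matches[0].start()] if matches else body
    if preamble.strip():
        sections["preamble"] = preamble.strip()
    for i, m in enumerate(matches):
        key = _KEY_BY_NAME[(m.group("bracketed") or m.group("bare")).lower()]
        end = matches[i + 1].start() if i + 1 < len(matches) else len(body)
        text = body[m.end():end].strip()
        sections[key] = f"{sections[key]}\n{text}" if key in sections else text
    return sections


def missing_sections(sections):
    """Canonical sections that are absent or empty, for alerting downstream."""
    return [key for key in HEADINGS if not sections.get(key)]


# Constructed sample posts: the same content in the legacy and the new layout.
LEGACY_POST = """[Introduction] Feature X adds a new channel.
[When this will happen:] Rollout begins in late April 2026.
[How this will affect your organization]
Admins see a new option.
[What you need to do to prepare]
No action is required at this time.
[Compliance considerations] No compliance impacts identified."""

NEW_POST = """What and Why
Feature X adds a new channel.
Rollout Schedule
Rollout begins in late April 2026.
Impact on Your Organization
Admins see a new option.
Action Required/Recommendations
No action is required at this time.
Compliance Considerations
No compliance impacts identified."""

if __name__ == "__main__":
    for name, post in (("legacy", LEGACY_POST), ("new", NEW_POST)):
        parsed = split_sections(post)
        print(name, sorted(parsed), "missing:", missing_sections(parsed))
```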
| Power Apps – Supervise autonomous agents with agent feed
Category: Power Apps
Number: MC1282551
Status: stayInformed | We are announcing the ability to supervise autonomous agents with agent feed in Power Apps. This feature will reach general availability on May 4, 2026.
How does this affect me? This feature provides real-time visibility and control over agent activity. It allows users to oversee agent decisions, intervene when necessary, and ensure alignment with business rules and compliance standards.
Agent feed introduces an integration with the MCP server, enabling autonomous agents to create actionable tasks that surface directly to human users. These tasks are routed through the agent feed interface, where users can view, prioritize, and complete them using a streamlined human-in-the-loop (HITL) experience.
Agents can call tools like run human-in-the-loop action generation with contextual descriptions, triggering workflows that are grouped, prioritized, and formatted for human review. Once surfaced in the agent feed, users engage with these tasks through a responsive UI designed to enhance transparency and control.
What action do I need to take?
This message is for awareness, and no action is required.
If you would like more information on this feature, please visit Supervise autonomous agents with agent feed. |
| Power Platform – Block sending customer data from Dataverse audit events to Purview Activity logging
Category: Power Platform
Number: MC1282554
Status: stayInformed | We are announcing the ability to block customer data from being sent in Dataverse audit events to Purview Activity logging in Power Platform. This feature will reach general availability on May 15, 2026.
How does this affect me? Dataverse audit logs will continue to capture before and after values for Create and Update events within your environment. However, customer data such as financial, health, and personally identifiable information will be removed before audit events are sent to Purview Activity logging. This helps reduce the risk of exposing sensitive data while maintaining auditing functionality within Dataverse.
What action do I need to take? This message is for awareness, and no action is required. |
| Microsoft Purview eDiscovery: Naming and description fields will restrict certain special characters
Category: Microsoft Purview
Number: MC1282562
Status: planForChange | [Introduction] We’re making a change to the characters allowed in naming and description fields across Microsoft Purview eDiscovery. As part of ongoing security hardening efforts, this update strengthens input validation for eDiscovery cases, holds, searches, and review sets to improve service resilience and reliability.
[When this will happen:] General Availability (Production, GCC, GCC High, DoD): This change will begin rolling out in mid-May 2026 and is expected to be completed by late May 2026.
[How this affects your organization:]
Who is affected: Organizations with users or administrators who create or manage Microsoft Purview eDiscovery:
- Cases
- Holds
- Searches
- Review sets
What will happen:
- Beginning May 15th, 2026, the following special characters will no longer be permitted in naming or description fields when creating or editing:
- + (plus sign)
- – (hyphen)
- = (equals sign)
- @ (at sign)
- / (forward slash)
- * (asterisk)
- This restriction applies to:
- Case name and description
- Hold policy name and description
- Search name and description
- Review set name and description
- Existing entities are not affected.
- Cases, holds, searches, and review sets that already contain these characters will continue to function normally.
- Editing triggers enforcement:
- If a user edits an existing entity that contains a restricted character in the name or description, they will see a validation message prompting them to update the value before saving.
- The original name and description are preserved until the user chooses to make changes.
- New entities are enforced immediately:
- Any newly created case, hold, search, or review set must not contain restricted characters in name or description fields.
[What you can do to prepare:]
No admin action is required to enable this change. However, we recommend the following:
- Inform your eDiscovery users that the characters + – = @ / and * will no longer be accepted in entity names and descriptions.
- Review and update existing naming conventions or templates that include these characters.
- Update internal documentation or guidance for eDiscovery naming standards.
- Communicate this change to helpdesk and compliance teams to prepare for validation messages when editing existing entities.
Learn about eDiscovery (Premium) | Microsoft Learn
No data loss will occur. Existing entities retain their current names and continue to function. Enforcement applies only at the time of creation or editing.
[Compliance considerations:] No compliance considerations identified. Review as appropriate for your organization. |
| Exchange Online, SharePoint Online, and Microsoft Teams: April 2026 industry-wide DigiCert Global Root CA (G1) distrust
Category: Microsoft 365 suite
Number: MC1282565
Status: planForChange | [Introduction] To support industry-wide security improvements and modern cryptographic standards, browsers and platforms that follow Mozilla and Chrome trust stores will begin distrusting the DigiCert Global Root CA (G1) starting April 15, 2026. Microsoft has already migrated Microsoft 365 services to newer, more secure certificate hierarchies (such as DigiCert Global Root G2 and G3). We’re sharing this notification to help you quickly identify and respond to any unexpected certificate-related connection issues that may arise in edge scenarios due to this industry trust change. This change is driven by industry trust store updates and does not represent a new change or rollout within Microsoft 365 services.
[When this will happen]
- April 15, 2026: Industry-wide distrust of DigiCert Global Root CA (G1) begins
- Microsoft monitoring period: April 15, 2026 and onward
[How this affects your organization]
Who is affected
- Organizations accessing Microsoft 365 services using:
- Google Chrome or Mozilla Firefox
- Linux-based systems, containers, appliances, or software stacks that rely on Mozilla/NSS trust stores
- Only scenarios where a service endpoint still presents a TLS certificate chaining to DigiCert Global Root CA (G1)
What will happen
- Most customers will not experience any impact.
- In rare legacy scenarios:
- TLS connections may fail certificate validation
- Failures may be intermittent depending on:
- Client OS patch level
- Browser version
- Container or image refresh cadence
- Common error messages may include:
- NET::ERR_CERT_AUTHORITY_INVALID
- SEC_ERROR_UNKNOWN_ISSUER
- SunCertPathBuilderException
- verify error:num=19:self signed certificate in certificate chain
[What you can do to prepare] No action is required if you are not experiencing certificate or TLS handshake errors. If you encounter errors on or after April 15, 2026:
- Review the certificate chain presented by the failing endpoint
- If DigiCert Global Root CA (G1) appears:
- Stop local debugging or repeated mitigation attempts
- Collect the following triage information:
- Target URL or hostname
- Full error message and timestamp (including time zone)
- Client OS, version, browser/runtime, and whether it’s a VM, container, or appliance
- Certificate chain evidence (log output or screenshot)
- Contact Microsoft Support through your normal support channel and reference:
- “April 15, 2026 DigiCert Global Root CA (G1) industry distrust”
This information helps route your issue directly to certificate and TLS specialists and avoids unnecessary troubleshooting steps. [Compliance considerations] No compliance considerations identified. Review as appropriate for your organization. |
| Power Apps – Enable online mode to access Dataverse for Canvas apps Category: Power Apps Number: MC1282566 Status: stayInformed | We are announcing the ability to enable online mode to access Dataverse for Canvas apps in Power Apps. This feature will reach general availability on May 18, 2026.
How does this affect me? This feature enables you to switch from the default offline mode to online mode in Canvas apps to access Dataverse data and receive real-time updates.
What action do I need to take? This message is for awareness, and no action is required. |
| Create charts on pages with AI in SharePoint Category: SharePoint Online
Microsoft Copilot (Microsoft 365) Number: MC1282567 Status: stayInformed | Introduction
We’re introducing a new Charts web part with AI assistance in SharePoint, designed to help page authors quickly create rich, interactive charts using plain-language prompts. This update reduces the time and effort needed to visualize data on SharePoint pages and enables more intuitive, AI-powered authoring experiences directly within SharePoint. This message is associated with Microsoft 365 Roadmap ID 560076.
When this will happen:
- Targeted Release: Rollout begins in early May 2026 and is expected to complete by mid-May 2026.
- General Availability (Worldwide): Rollout begins in mid-May 2026 and is expected to complete by late May 2026.
How this affects your organization:
Who is affected:
- SharePoint page authors
- Tenants using SharePoint Online
- A Microsoft 365 Copilot (Premium) license is required to use this feature
What will happen:
What you can do to prepare:
No action is required.
- Optionally inform SharePoint authors of the new capability.
- Update internal documentation if you provide SharePoint or Copilot guidance.
- Review Copilot licensing assignments to confirm which users will have access.
Learn more: Create a chart on pages with AI in SharePoint | Microsoft Support
Compliance considerations:
This change introduces a new way for users to interact with generative AI by using natural language prompts to create and edit charts in SharePoint pages. |
| General Availability: Microsoft Entra passkeys on Windows Category: Microsoft Entra Number: MC1282568 Status: stayInformed | [Introduction]
Microsoft Entra passkeys on Windows are now Generally Available, enabling phishing‑resistant, passwordless sign‑in to Microsoft Entra‑protected resources from Windows devices. The Public Preview of this capability was previously announced in MC1247893. Users can create device‑bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN). This expands passwordless authentication support to Windows devices that aren’t Microsoft Entra‑joined or registered, helping organizations strengthen security and reduce reliance on passwords across corporate‑managed, personal, and shared device scenarios.
[When this will happen:]
- General Availability (Worldwide): We will begin rolling out in late April 2026 and expect to complete by mid‑June 2026.
- General Availability (GCC, GCC High, DoD): We will begin rolling out in early July 2026 and expect to complete by late July 2026.
How this affects your organization:
Who is affected:
Organizations using Microsoft Entra ID with passkeys enabled in the Authentication Methods policy whose users sign in from Windows devices, including:
- Corporate‑managed PCs
- Personal devices
- Shared devices
What will happen: With this General Availability release:
- Microsoft Entra passkeys on Windows will no longer require explicit opt‑in through Windows Hello AAGUID allow‑listing in a passkey (FIDO2) profile.
- This represents a change from Public Preview behavior, where administrators were required to explicitly allow Windows Hello AAGUIDs in a passkey profile for Microsoft Entra passkeys on Windows to function.
- If your passkey profile allows device‑bound, non‑attested passkeys:
- Users scoped to that profile will now be able to register and use Microsoft Entra passkeys on Windows by default without additional administrator configuration.
- As a result:
- Users in scope of passkey profiles that allow device‑bound, non‑attested passkeys may begin registering and using passkeys on Windows devices.
- If Conditional Access policies allow:
- Passkeys can be created and used on Windows devices that are not Microsoft Entra‑joined or registered, including personal or shared PCs.
- Each Windows device requires separate passkey registration per Entra account.
- Windows Hello for Business remains recommended for managed, Microsoft Entra‑joined or registered devices.
- Passkeys on Windows supplement unmanaged or shared device scenarios and do not support device sign‑in.
- Attestation is not currently supported for Microsoft Entra passkeys on Windows but is planned for a future update.
What you can do to prepare:
No action is required for most organizations. If you do not want users to register or use Microsoft Entra passkeys on Windows:
- Update the relevant passkey (FIDO2) profile to block Windows Hello AAGUIDs.
- Review existing passkey profiles that allow device‑bound, non‑attested passkeys.
- Add Windows Hello AAGUIDs to the block list in passkey profiles where passkey usage on Windows devices should not be permitted.
Learn more: Enable Microsoft Entra passkey on Windows | Microsoft Learn (will be updated before GA rollout)
[Compliance considerations:]
| Compliance area | Explanation |
| Does the change modify, interrupt, or disable Conditional Access policies? | Existing Conditional Access policies continue to govern whether passkeys can be created or used on unmanaged Windows devices. |
| Does the change include an admin control and can it be controlled through Entra ID group membership? | Admins can control passkey availability through Authentication Methods policies and FIDO2 passkey profiles scoped to Microsoft Entra ID groups. |
| Does the change allow a user to enable and disable the feature themselves? | Users may register Microsoft Entra passkeys on Windows devices if permitted by administrator policy configuration. |
|
| Copilot entry point changes in Excel Category: Microsoft 365 apps
Microsoft Copilot (Microsoft 365)
Microsoft 365 Copilot Chat Number: MC1282571 Status: stayInformed | [Introduction]
We’re updating how users access Copilot in Excel to provide a clearer, more consistent, and more intuitive experience across Microsoft 365 apps. These changes consolidate multiple Copilot entry points into a single, predictable location and establish Excel Edit Mode in the right-side chat pane as the primary Copilot interface. This update improves discoverability, simplifies user workflows, and aligns the Excel Copilot experience with other Microsoft 365 applications.
[When this will happen:]
- General Availability (Worldwide): Rollout begins in late April 2026 and is expected to complete by early June 2026.
- General Availability (GCC, GCC High, and DoD): Rollout begins in early October 2026 and is expected to complete by late October 2026.
[How this affects your organization:]
Who is affected:
- All users of Microsoft 365 apps for Excel on Windows, macOS, and the web with Copilot enabled.
- A Microsoft 365 Copilot (Premium) license is required to use this feature.
What will happen:
[What you can do to prepare:]
No action is required. You may optionally:
- Inform users about the updated Copilot entry points and chat-based experience in Excel.
- Update internal documentation or training materials if you reference specific Copilot buttons or menus.
- Notify helpdesk teams to prepare for user questions during rollout.
[Compliance considerations:]
| Compliance area | Explanation |
| Does the change provide end users a new way of interacting with generative AI? | Users will primarily interact with Copilot through the right-side chat pane instead of multiple in-context entry points within Excel. |
|