| Microsoft Exchange Online: Upcoming secure-by-default changes for Exchange APIsCategory:Exchange OnlineNummer:MC1304287Status:planForChange | [Introduction] As part of the Microsoft Secure Future Initiative (SFI), and in alignment with the Secure by Default principle, we’re updating the Microsoft‑managed default user consent policy for Microsoft Graph. This change increases administrator control over third‑party application access to Exchange data and aligns default consent behavior with industry best practices for protecting email and related content. [When this will happen] General Availability (Worldwide): We will begin rolling out in early June 2026 and expect to complete by early July 2026. [How this affects your organization] Who is affected - Microsoft 365 tenants using the Microsoft‑managed default user consent policy
- Admins managing Exchange Online and Microsoft Graph app access
- Organizations that allow third‑party applications to access Exchange data via delegated permissions
What will happen - The following Microsoft Graph delegated permissions will be added to the Microsoft recommended user consent policy:
- Contacts.ReadWrite
- Contacts.Read.Shared
- People.Read
- Tasks.ReadWrite.Shared
- Tasks.ReadWrite
- Tasks.Read.Shared
- Tasks.Read
- Contacts.ReadWrite.Shared
- These changes will be reflected as an update to the Microsoft‑managed default user consent policy.
- With this change, any organization using the Microsoft‑managed user consent policy will require admin consent for these additional permissions to access Exchange mail data. Learn more about Graph permissions.
- By default, admin consent will be required for third‑party apps requesting these permissions to access Exchange data.
- Users will no longer be able to grant consent for these permissions unless the app is included in the Mail client policy.
- The Mail client policy will continue to allow users to consent to approved, popular mail applications for the permissions included in the recommended user consent policy.
- Existing approved apps and existing user consents are not impacted and will continue to work.
- Tenants using custom user consent policies are not affected.
- No additional licensing is required.
[What you can do to prepare] - Review third‑party apps that access Exchange data using Microsoft Graph.
- Create granular app consent policies in advance for apps you want users to continue using without interruption.
- Configure the admin consent workflow so users can request approval for apps that now require admin consent.
- Notify helpdesk staff, security teams, and app owners about the upcoming change.
- Update internal documentation to reflect the new default consent behavior.
Learn more: [Compliance considerations] | Question | Answer | | Does the change alter how existing customer data is processed, stored, or accessed? | Yes. Access to Exchange data via delegated Microsoft Graph permissions will require admin approval for the additional permissions listed in this message when using the Microsoft‑managed default user consent policy. Existing approved access is not affected. | | Does the change include an admin control, and can it be managed through Entra ID? | Yes. Admins can manage access using Microsoft Graph app consent policies and the admin consent workflow in Microsoft Entra ID. |
|
| Lock-free coauthoring in Microsoft WordCategory:Microsoft 365 appsNummer:MC1304289Status:stayInformed | [Introduction] Lock-free coauthoring improves real-time collaboration in Microsoft Word by allowing multiple users to edit the same paragraph simultaneously. This enhancement reduces edit conflicts and interruptions, helping teams collaborate more efficiently. The feature is automatically enabled when supported, based on document compatibility and user environments.
[When this will happen:]
- General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out in mid-May 2026 and expect to complete by early June 2026.
[How this affects your organization:]
Who is affected:
- All users collaborating on Word documents when using supported versions of Word on desktop and web.
[What will happen:]
- Users can edit the same paragraph at the same time when the feature is supported in a session.
- Word will automatically enable lock-free coauthoring — no admin configuration required.
- If unsupported scenarios are detected (for example, older client versions or unsupported content types):
- Word will fall back to the existing coauthoring experience.
- Users may temporarily be unable to edit the same paragraph concurrently.
- There is no change to file storage, sharing permissions, or document access workflows.
- The feature is enabled by default when conditions are met.
- Existing collaboration features and policies remain unchanged.
[What you can do to prepare:]
- No action is required.
- Communicate this update to users who frequently coauthor documents to set expectations.
- Encourage users to keep Word clients updated to maximize compatibility with lock-free coauthoring.
- Update internal documentation or training materials for collaboration best practices if needed.
Learn more: About lock-free coauthoring in Word | Microsoft Support [Compliance considerations:] No compliance considerations identified, review as appropriate for your organization. |
| 2026 Microsoft 365 Packaging UpdateCategory:Exchange Online
Microsoft Intune
Microsoft Defender XDRNummer:MC1304290Status:planForChange | [Introduction]
As a part of the 2026 Microsoft 365 Packaging and Pricing Update, we’re excited to share that the following features will begin to roll out to Microsoft 365, Office 365, and Enterprise Mobility and Security (EMS) suites in mid-June and are expected to be complete by August 1, 2026. Refer to the licensing blog for feature availability by suite. Government and Commercial packaging changes are listed separately.
Refer to list of service display names affected below:
| Display Name |
Part Number |
| Microsoft 365 built-in email and collaboration security (URL time-to-click protection) |
MDOLITE_ENTERPRISE |
| Microsoft Defender for Office 365 (Plan 1) |
ATP_ENTERPRISE |
| Exchange Online Storage (50GB additional) |
EXCHANGE_STORAGE_50GB |
| Remote Help |
REMOTE_HELP |
| Microsoft Intune Advanced Analytics |
Intune_AdvancedEA |
| Intune Plan 2 |
INTUNE_P2 |
| Intune ServiceNow Integration |
Intune_ServiceNow |
| Microsoft Tunnel for Mobile Application Management |
Intune-MAMTunnel |
| Intune Enterprise Application Management |
3_PARTY_APP_PATCH |
| Intune Endpoint Privilege Management |
Intune-EPM |
| Microsoft Cloud PKI |
CLOUD_PKI |
[When this will happen:]
We will begin rolling out in mid-June 2026 and expect to complete by early August 2026.
[How this affects your organization:]
Who is affected:
- Refer to the licensing blog for feature availability by suite
- Organizations using Microsoft 365, Office 365, and EMS suites
- Microsoft 365 admins responsible for security and device management
- Users receiving enhanced protections and increased mailbox storage
What will happen: For Microsoft Defender features:
- Built-in protection policy (Safe Links, Safe Attachments), anti-phishing protections, and URL time-of-click protection will be applied to all users by default
- Policies cannot be disabled but can be supplemented or overridden
- New alerts may appear in the Microsoft Defender portal
For Microsoft Intune features:
- Intune features are not configured by default
For Exchange Online:
- Exchange Online storage increases by +50GB
[What you can do to prepare:]
For Microsoft Defender features:
- Review the Built-in Protection policy in the Microsoft Defender portal.
- Add exclusions by user, group, or domain, if needed.
- Consider enabling standard or strict preset security policies.
- Review mail flow and configure enhanced filtering if using a third-party gateway.
For Microsoft Intune features:
Refer to the MS Learn documentation hyperlinked in the Intro section of this post.
Learn more:
[Compliance considerations:]
| Area |
Explanation |
| Does the change store new customer data? |
Microsoft Defender and Intune features may generate and store additional security telemetry, alerts, and device analytics data as part of normal service operation. |
| Does the change alter how existing customer data is processed, stored, or accessed? |
Microsoft Defender enhancements introduce additional scanning and analysis of email content and URLs, including time-of-click protection, increasing inspection of existing data for threat detection. |
| Does the change introduce or significantly modify AI/ML capabilities? |
Microsoft Defender for Office 365 uses machine learning to detect phishing, malware, impersonation, and zero-day threats, and these capabilities are expanded through this rollout. |
| Does the change alter how admins can monitor, report on, or demonstrate compliance activities? |
New alert types and threat detection insights will appear in the Microsoft Defender portal, impacting security monitoring and reporting. |
| Does the change add any integration to 3rd party software products? |
Intune ServiceNow integration is included. |
| Does the change include an admin control and can it be controlled through Entra ID group membership? |
Admins can configure Defender and Intune policies and apply settings using user and group-based assignments. |
|
| Microsoft Purview: Data loss prevention inline controls for prompts in Microsoft Foundry apps and agentsCategory:Microsoft PurviewNummer:MC1304291Status:stayInformed | Introduction
With Microsoft Purview enabled in Microsoft Foundry, Purview admins can apply inline data loss prevention (DLP) policies to prompts used in Foundry-built apps and agents. This helps prevent sensitive data from being shared through prompts and supports stronger data protection and compliance for AI-driven workflows.
This message is associated with Microsoft 365 Roadmap ID 558565.
[When this will happen:]
- Public Preview: We will begin rolling out in mid-May 2026 and expect to complete by early June 2026.
- General Availability (Worldwide): Rollout will begin in mid-June 2026 and is expected to complete by late June 2026.
[How this affects your organization:]
Who is affected:
- Admins managing Microsoft Purview and Microsoft Foundry
- Organizations building or using apps and agents in Microsoft Foundry
What will happen:
- When your organization builds AI apps and agents on Microsoft Foundry, Foundry admins can enable Microsoft Purview by configuring the Purview toggle in Foundry, allowing Purview to manage how these apps and agents interact with data.
- Security admins can ensure the data security and compliance posture of how these apps and agents interact with data by setting up DLP policies for prompts in Microsoft Purview Data Loss Prevention (DLP).
- Admins can configure Microsoft Purview DLP policies to evaluate prompts submitted to Foundry apps and agents.
- Policies can detect and help prevent the sharing of sensitive information in prompts to large language models (LLMs)..
- DLP enforcement occurs inline as prompts are submitted.
- This feature supports existing Microsoft Purview DLP capabilities and integrates with current compliance workflows.
- No change occurs unless admins create or enable DLP policies for this scenario (admin configuration required).
- Foundry-based DLP capabilities follow a pay-as-you-go model. Microsoft Purview must be enabled with a pay-as-you-go subscription for this feature to work.
[What you can do to prepare:]
- Review your current Microsoft Purview DLP policies and identify scenarios that should apply to AI prompts.
- Create and use DLP policy simulation mode to understand what data is being exchanged with AI apps and agents before enforcing policies.
- Plan internal guidance for admins and compliance teams on managing prompt-level DLP.
- Update internal documentation to include this capability if you use Microsoft Foundry apps and agents.
Learn more: [Compliance considerations:]
| Area |
Explanation |
| Alters how existing customer data is processed |
Prompts submitted to Microsoft Foundry apps and agents are evaluated inline against Purview DLP policies to detect sensitive information. |
| AI/ML interaction with customer data |
Introduces DLP policy evaluation for prompts within AI apps and agents, adding governance to how AI systems process user-provided data. |
| End-user interaction with generative AI |
Users continue interacting with Foundry apps and agents, but prompts may now be evaluated or blocked based on DLP policies. |
| Modifies Purview DLP policies or enforcement |
Extends existing Purview DLP enforcement to include inline scanning and enforcement of prompts in Foundry apps and agents. |
| Alters admin monitoring or reporting |
Admins may use existing Purview reporting and auditing capabilities to monitor DLP activity for prompts, but no new reporting functionality is specified. |
| Includes admin control |
Security admins configure and manage DLP policies in Microsoft Purview DLP for this capability. |
|
| Microsoft Purview Insider Risk Management: View AI interaction messages for anonymized usersCategory:Microsoft PurviewNummer:MC1304292Status:stayInformed | [Introduction] Microsoft Purview Insider Risk Management is adding the ability for analysts to view AI prompt and response messages associated with insider risk indicators, even when user anonymization is enabled, helping improve investigation context while preserving privacy protections. This enhancement provides additional visibility into AI-related risk signals while maintaining existing role-based access controls, audit logging, and privacy-by-design safeguards. Microsoft Purview Insider Risk Management correlates signals across Microsoft 365 to help organizations identify potential malicious or inadvertent insider risks, such as data leakage, IP theft, and security policy violations. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs help ensure investigations balance risk visibility with user privacy. This message is associated with Microsoft 365 Roadmap ID 560599. [When this will happen] - Public Preview: We will begin rolling out in early May 2026 and expect to complete by mid-May 2026.
- General Availability (Worldwide): We will begin rolling out in mid-June 2026 and expect to complete by mid-June 2026.
[How this affects your organization] Who is affected - Admins and analysts who use Microsoft Purview Insider Risk Management
- Organizations that investigate AI-related insider risk signals
- No impact to users
What will happen - Analysts will be able to view AI interaction messages, including prompts and AI-generated responses, when those interactions are associated with insider risk indicators.
- AI interaction visibility will be available even when user anonymization is enabled during investigations.
- User identities will remain pseudonymized unless an authorized analyst performs a permitted deanonymization action.
- Existing role-based access controls, audit logging, and privacy safeguards will continue to apply.
- The feature will be enabled by default as part of the rollout and will respect existing Insider Risk Management policies.
[What you can do to prepare] No action is required to enable this feature. You may want to: - Inform Insider Risk Management analysts about additional AI interaction context will be available during investigations.
- Review and update internal investigation or governance documentation to reflect AI interaction visibility.
- Reinforce internal guidance that user privacy protections and access controls remain unchanged.
[Compliance considerations] | Question | Answer | | Does the change alter how existing customer data is processed, stored, or accessed? | Yes. Authorized analysts will be able to view existing AI prompt and response messages within Insider Risk Management investigations when those messages are associated with insider risk indicators. Access remains governed by existing role-based access controls and audit logging. | | Does the change alter how admins can monitor, report on, or demonstrate compliance activities? | Yes. Enhanced visibility into AI-related activity may improve insider risk investigations and compliance reviews without changing existing workflows or controls. |
|
| Updates to SharePoint home sitesCategory:SharePoint OnlineNummer:MC1304293Status:planForChange | [Introduction]
We are updating the SharePoint home site experience and renaming the Viva Connections app in Microsoft Teams to the SharePoint app to simplify setup and provide more flexibility when deploying your main intranet experience in Teams. These changes streamline home site configuration, introduce new capabilities designed specifically for home sites, and expand deployment options in Teams. Additionally, we are introducing new web part enhancements available exclusively on home sites. This message is associated with Roadmap ID 557983. [When this will happen:]
- Targeted Release (Worldwide): We will begin rolling out early May 2026 and expect to complete by late May 2026.
- General Availability (Worldwide, GCC, GCCH): We will begin rolling out early June 2026 and expect to complete by late June 2026.
[How this affects your organization:]
Who is affected:
- SharePoint administrators managing home sites
- Organizations using the Viva Connections (now SharePoint app) experience in Microsoft Teams
What will happen: - If you have an existing Viva Connections experience with a configured app name and logo in Teams, this update will not change your current branding or experience.
- The Viva Connections app in Teams will be renamed to the “SharePoint app in Teams.”
SharePoint home site updates: - Admins will be able to set up and designate a SharePoint home site directly from the SharePoint admin center, simplifying configuration and management.
- A new Resources web part will be available for SharePoint home sites to highlight key links, tools, and destinations.
- A new Announcements web part will be available for SharePoint home sites.
- A new customization experience for the SharePoint app in Teams will be available, allowing admins to tailor the SharePoint app experience for Teams desktop and mobile.
- These updates apply only to designated SharePoint home sites and respect existing permissions and policies.
[What you can do to prepare:]
- No action is required.
- Update internal documentation as needed.
- Inform helpdesk staff and communicate changes to end users.
Learn more: What’s new for SharePoint home sites | Microsoft Learn [Compliance considerations:]
| Compliance area |
Explanation |
| Does the change alter how existing customer data is processed, stored, or accessed? |
Existing SharePoint content is surfaced through new web parts and layouts, but data storage, permissions, and access controls remain unchanged. |
| Does the change include an admin control? |
Admins can configure the SharePoint home site in the SharePoint admin center and customize the Viva Connections experience. |
| Does the change allow a user to enable or disable the feature themselves? |
Site owners can choose whether to add or use the new Resources, Announcements, and News web parts. | |
| Microsoft Dataverse – Service Update 9.2.26051.00000 for EURCategory:Microsoft DataverseNummer:MC1305181Status:stayInformed | We have a minor service update planned for your Microsoft Dataverse environment hosted in EUR.
This service update will occur within your region’s scheduled maintenance timeline, on the scheduled date listed for Microsoft Dataverse.
How does this affect me?
The version number for your Microsoft Dataverse environment will update to version 9.2.26051.00000 or higher.
There is no expected degradation to service performance or availability, however, during this maintenance window users may see short, intermittent impact such as transient SQL errors or a redirect to the login screen.
What action do I need to take?
This message is for awareness and no action is required. |
