Microsoft Roadmap, messagecenter and blogs updates from 10-12-2025

Updated December 8, 2025: We have updated the timeline. Thank you for your patience.

 What and Why

We’re introducing a new capability that allows users with a Microsoft 365 Copilot license to scope and control Copilot Chat responses by selecting specific content sources. This enhancement is designed to improve the relevance and accuracy of Copilot responses by limiting them to user-selected sources, aligning with customer feedback for more transparent and customizable AI interactions.

This message is associated with Microsoft 365 Roadmap ID 496596

Rollout Schedule

General Availability (Worldwide): Rollout will begin in January2026 (previously mid-December 2025) and is expected to complete by end of January 2026 (previously late December 2025).

Impact on Your Organization

• Who is affected:
  • Users with a Microsoft 365 Copilot license.
• What will happen:
  • Users will see a new option to select content sources when using Copilot Chat.
  • Copilot responses will be scoped only to the selected sources, improving control and precision.
  • This feature will follow a standard rollout and is enabled by default.
  • There is no impact to admin settings or policies.
  • No changes to existing Copilot behavior unless users actively select sources.

Action Required/Recommendations

• No admin action is required.
• This feature does not impact admin controls or require configuration.
• We recommend:
  • Informing helpdesk staff of this new user-facing capability.
  • Updating internal documentation if you provide guidance on Copilot usage.

Compliance Considerations

No compliance considerations identified, review as appropriate for your organization.

Updated December 9, 2025: We are updating this post as a reminder. Thank you for your patience. 

[Introduction:]

As part of the Microsoft Secure Future Initiative (SFI) and in alignment with the “Secure by Default” principle, we’re retiring the legacy IDCRL (Identity Client Run Time Library) authentication protocol in SharePoint Online and OneDrive for Business. This change helps strengthen your organization’s security posture by enforcing modern authentication standards—OpenID Connect and OAuth—which reduce exposure to outdated and vulnerable authentication methods.

[When this will happen:]

• Starting January 31, 2026: Legacy client authentication will be blocked by default. Organizations may temporarily re-enable it using PowerShell until April 30, 2026.
• Starting May 1, 2026: Legacy client authentication will be permanently blocked and cannot be re-enabled.

[How this affects your organization:]

Who is affected:

• Organizations using clients, scripts, or applications that rely on the legacy IDCRL authentication protocol to access SharePoint Online or OneDrive for Business.

• Legacy authentication calls using IDCRL will be blocked by default starting January 31, 2026.
• Temporary re-enablement is possible via PowerShell until April 30, 2026.
• After May 1, 2026, IDCRL authentication will be permanently retired and cannot be re-enabled.
• Applications using IDCRL will fail to authenticate unless updated to use modern protocols.

[What you can do to prepare:]

We recommend migrating from legacy authentication protocols to modern authentication as soon as possible. 

To prepare for this retirement:

• Migrate all clients, scripts, and applications to use OpenID Connect or OAuth protocols. 
• Review current configurations for IDCRL authentication.
• Notify IT admins, app owners, and security teams about the upcoming retirement.
• Update internal documentation to reflect the new authentication defaults.
• Use telemetry to identify usage of legacy authentication protocols and monitor migration progress.
• Use PowerShell to manage legacy authentication settings if needed:
  • Set AllowLegacyAuthProtocolsEnabledSetting and LegacyAuthProtocolsEnabled to TRUE to temporarily allow legacy authentication until April 30, 2026.
• Learn more:
  • Migrating from IDCRL authentication to modern authentication in SharePoint | Microsoft 365 Developer Blog | Microsoft Dev Blogs
  • Set-SPOTenant (Microsoft.Online.SharePoint.PowerShell) | Microsoft Learn

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

[Introduction]

We’re introducing significant enhancements to the Meeting Troubleshooting experience in Teams admin center. These updates make it easier and faster for administrators to identify issues during meetings and calls, understand root causes, and take action with confidence.

This message is associated with Microsoft 365 Roadmap ID 526784.

[When this will happen:]

General Availability (Worldwide, GCC): Rollout begins late January 2026 and is expected to complete by mid-February 2026.

[How this will affect your organization:]

Who is affected: Teams administrators managing meetings and calls.

What will happen:

• The list of In-progress and Completed meetings remains available for each user in Teams admin center > Manage users > {User} > Meetings and calls tab.

Screenshot 1: List of meetings for a user



• Existing functionalities are retained.
• New capabilities include:
  • Issues auto-identified and summarized: We surface likely root issues with your audio, video, and screen sharing experience (network, device, compute, etc.) and show how many people are affected, highlighted when you are viewing the meeting or the participant telemetry.

  Screenshot 2: Auto-identified issues

  

  • Easier drill-downs: Admins can navigate from the meeting view to a participant view with clearer device and network details and timeline‑based signal charts when real‑time data is available. Additionally, if the administrators are looking for more details, they can Export the participant telemetry for deeper analysis.

  Screenshot 3: Data for a meeting in progress

  

  Screenshot 4: A participant’s meeting details

  

  • Smarter search and filters: Search by meeting ID/code, filter by activity or issue type, and sort by key timestamps.
  • Integrated with M365 Copilot for Admins: Use Copilot in Teams admin center to troubleshoot meetings, analyze trends, find similar issues, or explain telemetry signals.

[What you can do to prepare:]

• No action is required.
• Changes will take effect automatically.
• Once rolled out, administrators can start using the new troubleshooting experience.
• We welcome your feedback.

Before rollout, we will update this post with new documentation.

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

Updated December 9, 2025: We have updated the content. Thank you for your patience. 

Action Required: Trust the new DigiCert Certificate Authorities (CAs) for Microsoft Entra

Starting January 7, 2026, Microsoft Entra will migrate its DigiCert certificates from the G1 root CA to the G2 root CA. Clients that pin to the DigiCert G1 root or do not trust the DigiCert G2 root may experience authentication failures.

Certificate Authorities (CAs) issue digital certificates that establish trust for secure communications. A root CA is the top-level certificate in a trust chain. DigiCert Global Root G1 is the current root CA used by Microsoft Entra services. DigiCert Global Root G2 is the newer root CA that Microsoft is migrating to for improved security and compliance. If your systems do not trust the G2 root, authentication and secure connections to Microsoft Entra services will fail.

Why you’re receiving this message:

Our reporting indicates that one or more users in your organization may be using Microsoft Entra ID.

January 7, 2026.

• Who is affected: Organizations using Microsoft Entra ID services.
• What will happen:
  • If DigiCert G2 certificates are not trusted, authentication failures will occur when accessing Microsoft Entra services.
  • Impacted domains include:
    • login.microsoftonline.com
    • login.live.com
    • login.windows.net
    • autologon.microsoftazuread-sso.com
    • graph.windows.net

• Trust all Root and Subordinate CAs listed in the Azure Certificate Authority details documentation.
• Ensure you trust the “DigiCert Global Root G2” root and its subordinate CAs (documented since September 2025).
• Remove any client-side pinning to the DigiCert Global Root CA root certificate.
• Update your settings now to avoid service disruption.

• For details about DigiCert certificates, refer to DigiCert documentation.
• For guidance on issuer/certificate pinning, see Azure documentation.
• Get answers from community experts in Microsoft Q&A.
• If you have a support plan and need technical help, create a support request.

No compliance considerations identified, review as appropriate for your organization.

[Introduction]

We’re introducing a new opt-in feature for automatic event-auditing configuration in Microsoft Defender for Identity unified sensors (v3.x). This enhancement simplifies deployment by automatically applying the required Windows event-auditing settings on sensors, reducing manual post-deployment steps and ensuring consistent policy enforcement across all onboarded sensors.

[When this will happen:]

• General Availability (Worldwide, GCC, GCCH, and DoD): The auditing opt-in feature will be available starting early January 2026, with rollout expected to complete by mid-January 2026. Until then, it will remain disabled in the portal.
• Related auditing health alerts will also roll out gradually starting early January 2026, completing by mid-January 2026.

[How this affects your organization:]

Who is affected: Admins managing Defender for Identity unified sensors (v3.x) in Microsoft 365 tenants.

What will happen:

• A new opt-in setting will be available in both the UI and via Graph API.
• In the UI, this option will appear under Defender for Identity Settings → Advanced features.
• Once enabled, the automatic configuration feature will:
  • For new sensor activations: Automatically apply all required Windows event-auditing settings during activation.
  • For existing onboarded sensors: Automatically apply Windows event-auditing settings only if misconfigured and dismiss related health issues.
• After enabling the toggle, the automatic configuration process may take up to 24 hours to apply across all applicable Identity Unified sensors (v3.x).
• This feature is not enabled by default and requires admin action. No changes will occur unless admins choose to enable the feature.

Relevant auditing configurations health issues covered:

• NTLM auditing is not enabled
• Directory Services Advanced Auditing is not enabled as required
• Directory Services Object Auditing is not enabled as required
• Auditing on the Configuration container is not enabled as required
• Auditing on the ADFS container is not enabled as required

[What you can do to prepare:]

No action is required unless you choose to enable the feature.

If you plan to opt in:

• Review your unified sensor deployment strategy.
• Enable the opt-in setting via the UI or Graph API.
• Communicate the change to relevant IT and security teams.
• Update internal documentation if you track auditing configurations.

Learn more:

• Auditing health alerts documentation
• Configure Windows event auditing
• Configure audit policies for Windows event logs

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

We will retire the Technology Experience score and its three sub-scores (Network Connectivity, M365 Apps Health, and Endpoint Analytics) from Adoption Score in Microsoft 365 Admin Center starting Jan 15, 2026, and ending Jan 30, 2026.

After this change is made, the all-up Adoption Score will be equal to the People Experiences sub-score. This sub-score captures end user progress towards deeply embedding M365 and Copilot in their day-to-day productivity workflows. The total Adoption Score will reduce from a maximum of 900 to a maximum of 600.

This change will happen automatically by the specified date. To prepare for the change, inform any admins or report readers that regularly use Adoption Score that they will see change to their total Adoption Score value on the date of the change. End users are not impacted by this change. 

We are introducing a dynamic filtering experience in Microsoft 365 Copilot search that empowers users to refine their results more precisely by leveraging data source-specific filters in the filter section. When a user selects a data source—such as Outlook, SharePoint, Teams, Azure DevOps (ADO), ServiceNow (SNOW), Google Drive, Jira, Confluence, GitHub, or Copilot Chats—the interface dynamically presents a tailored set of filters specific to that source. These refiners allow users to narrow down results based on attributes unique to the selected data source, such as item type, status, or semantic labels.

A Microsoft 365 Copilot license is required to access this feature.

This message is associated with Microsoft 365 Roadmap ID 506752.

• Targeted Release: Began in mid-November 2025 and is expected to complete by mid-December 2025.
• General Availability (Worldwide): Begins in early December 2025 and is expected to complete by early January 2026.

• Who is affected: All users of Microsoft 365 Copilot search across supported data sources.
• What will happen:
  • Users will see new filter options in the right rail when selecting a data source:

   

  • Filters will be dynamically tailored to the selected source (such as Outlook, SharePoint, Teams).
  • This feature will be enabled by default and will require no configuration.
  • No changes to existing admin policies or user workflows.

• No action is required.
• The feature will be enabled automatically.
• No additional data or risks are introduced.
• You may wish to inform helpdesk staff or update internal documentation to reflect the new filtering experience.

No compliance considerations identified, review as appropriate for your organization.

[Introduction:]

We’re introducing the ability to add public web links as references in Microsoft Copilot Notebooks. This enhancement allows users to ground Copilot responses on specific public web pages, expanding the types of content that can be used to inform and contextualize their work.

A Microsoft 365 Copilot license is required to use this feature.

This message is associated with Microsoft 365 Roadmap ID 516040.

[When this will happen:]

General Availability (Worldwide): Rollout began in mid-November 2025 and is expected to complete by mid-January 2026.

[How this will affect your organization:]

Who is affected: All users of Microsoft Copilot Notebooks with a Microsoft 365 Copilot license.

What will happen:

• Users will be able to add public web links as references in their Copilot Notebooks.
• This expands current capabilities, which already support referencing Word, PowerPoint, Excel, and other file types.
• Users can now ground Copilot on public web content without needing to convert it to a file format (such as PDF).
• The feature will be enabled by default.

[What you can do to prepare:]

No specific preparation is required. However, we recommend:

• Informing users about the upcoming capability to enhance their productivity.
• Updating internal documentation if you provide guidance on using Copilot Notebooks.

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

With this release, users can discover and add SharePoint agents directly within Microsoft Teams chats on Desktop and Mac. Agents can be added via the Add Agents and Bots option in the chat roster dropdown, which opens the in-context store for discovery and selection. This enables users to quickly bring SharePoint agents into conversations to support collaboration.

Additionally, SharePoint agents are available in the Teams Store under the Agents category, making them easier to find and deploy across Teams experiences.

This message is associated with Microsoft 365 Roadmap ID 515465.

[When this will happen]

• Targeted Release: Rolling out in January 2026 and expected to complete in January 2026.
• General Availability: Rolling out in January 2026 and expected to complete in January 2026.

[How this affects your organization]

• Who is affected: All users of Microsoft Teams on Desktop and Mac.
• What will happen:
  • Users will be able to discover and add SharePoint agents from the in-context store in Teams chats.
  • SharePoint agents will be available in the Teams Store under the Agents category.
  • Agents can be added via the Add Agents and Bots option in the chat roster dropdown.
  • No admin action is required; the feature is enabled by default.
  • Existing policies are respected; no changes to admin controls are needed.

[What you can do to prepare]

• Ensure that intended users have E3 or E5 (with Teams) licensing, and one of the following options: 
  • Microsoft 365 Copilot license OR
  • Pay-as-you-go (PAYG) separately setup for SharePoint agents on MAC.

• Inform helpdesk staff in case users have questions about accessing or using SharePoint agents.
• Share this update with users to highlight new collaboration opportunities.
• Update internal documentation if you maintain guidance on Teams agents or bots.

Learn more: Share an agent from SharePoint in Teams | Microsoft Support

[Compliance considerations]

No compliance considerations identified, review as appropriate for your organization.

We’re improving SharePoint Online security via Content Security Policy (CSP) enforcement. Currently CSP is applied in reporting mode but as of March 1, 2026, the Content Security Policy will be enforced which will prevent the loading of script (e.g. JavaScript) from non-allowed sources. This message center post replaces MC1055557 (April 2024).

This change is associated with Microsoft 365 Roadmap ID: 485797

[When this will happen:]

This will be implemented starting March 1, 2026.

[How this will affect your organization:]

If your organization extended SharePoint Online using SPFx then the created custom SPFx solutions could potentially load scripts from locations which are not allowed. In most cases SPFx solutions use and load script from allowed locations, but that’s not always the case. Any script from a not allowed location will be blocked, the same applies for any inline script usage. SPFx solutions whose script is getting blocked will not function anymore as designed, impacting business scenarios depending on those solutions.

To prevent solutions from breaking there you need to:

1. Ensure all used script locations are trusted script sources. This can be done without updating the SPFx solution
2. Move all inline script to script files which can then be defined as trusted source. This will require updating the SPFx solution!

If you need more time to review your SPFx solutions, there’s an option to postpone CSP enforcement by 90 days via below SPO Management Shell PowerShell cmdlet.

Set-SPOTenant -DelayContentSecurityPolicyEnforcement $true

Note:

This option will be available in the SPO Management Shell version 16.0.26712.12000 (November 2025) or higher.

[What you need to do to prepare:]

In addition to the default CSP settings, SharePoint Online will add locations listed in the Trusted Script Sources area of the SharePoint Online Admin Center as valid locations for CSP, thus enabling script loading from those locations. To add an entry, in a browser, go to the Trusted Script Sources via SharePoint Online Admin Center > Advanced > Script sources.

To understand which script location to add there are two options. First option is testing your SPFx solutions with the browser dev tools console open. As CSP is in reporting mode until March 1, 2026, there will be messages indicating script that will be blocked once CSP is enforced. These messages start with “Loading the script ‘<path to script>’ violates the following…” or “Executing inline script violates the following Content Security Policy directive…”.

Whenever the browser logs a CSP violation, that violation is also logged to Microsoft Purview. In the browser, navigate to the Audit solution in Microsoft Purview from the Microsoft 365 Admin Center. From the Search page, search for the Activity – friendly names value Violated Content Security Policy, or the Activity – operation names value ViolatedContentSecurityPolicy:

Selecting a search result opens the side panel with the audit details. Take note of the following properties:

• DocumentUrl: This indicates the page in the SharePoint Online site where the CSP violation occurred.
• BlockedUrl: This indicates the URL of the script that violated the CSP configuration or contains “inline” when the violation came from loading inline script

Important

In the case of inline script, the remediation requires updating the SPFx solution by moving inline script into a separate script file, which then can be added as a trusted source.

Learn more: Support for Content Security Policy (CSP) in SharePoint Online 

[Introduction]

In early 2026, a major update of Planner will begin rolling out. This update will introduce several new capabilities. In addition, several features will be retired from Microsoft Planner. These changes will begin rolling out between mid-January 2026 and mid-February 2026.

[When this will happen:]

Refer to the sections below for details on timing.

[How this affects your organization:]

Who is affected: All users of Microsoft Planner in your organization, including those using Planner components in Loop, integrations with Viva Goals, and premium Planner plans.

What will happen:

In early 2026, we will begin rolling out a new major update of the Planner app in Teams desktop and web as well as Planner on the web. This update will come with several new enhancements, and we will also be retiring several features at this time. See each section below for more detail on the timing.

New features in the upcoming Planner update:

• These changes will be available with the new update, which we expect to begin rolling out between mid-January 2026 and mid-February 2026.
• Tasks chats in basic plans will allow team members to collaborate directly on tasks using rich text formatting and @mentions, making it easier to discuss work and notify teammates about what needs attention.
• Custom templates will allow you to create reusable, pre-designed plan layouts tailored to your organization’s needs, ensuring consistency and saving time. They provide the ability to standardize content while allowing easy customization for specific scenarios.
• Project manager agent will now be available in all plans for M365 Copilot licensed users, including basic plans.

Features in Planner that will be retired:

• We expect this rollout to begin between mid-January 2026 and mid-February 2026.
• The following changes will take effect as this build rolls out to your organization:
• A new Task chat experience will replace the prior comments experience for basic plan tasks:
  • As noted above, the previous task comments experience will be replaced by a new task chat feature that supports messages about the task that can include @mentions and rich text formatting, in response to a longstanding top customer request. Due to customer feedback on our notifications experience, the new chat feature only sends an email/Teams notification to a colleague that’s been @mentioned in the message.
  • The task chat experience will be available on Planner in Teams web/desktop and the Planner web experience, and the old experience for viewing comments will no longer be directly visible on a task. Instead, the task details pane will show a link to open a page in Outlook where task comments can be seen.
  • Users can continue to use and see the previous task comments experience in the iOS Planner app, Android Planner app, and Planner in Teams mobile. New task chat messages will not be visible in the mobile experience at this time.
  • There are no changes to email notifications for the existing task comments experience, meaning that an email notification will be sent to all group members associated with the plan when a task comment is added.
  • There is no change to the premium plan conversations feature at this time.
• The whiteboard tab for premium plans will be retired.
  • This feature automatically created a whiteboard for premium plans in Planner and allowed users to create tasks in Planner from that whiteboard’s sticky notes.
  • The whiteboard tab will be unavailable on the premium plan after retirement of this feature.
  • Users will be unable to create tasks from a whiteboard as a result.
  • Any existing whiteboard content will remain available via the Whiteboard app.
  • There is no replacement for this feature at this time.

Features in Planner that will be temporarily unavailable:

• We expect this rollout to begin between mid-January 2026 and mid-February 2026.
• Convert a basic plan to a premium plan will be temporarily unavailable.
• The ability to convert an existing basic plan to a premium plan will be unavailable.
• We plan to make similar functionality available again in the future.
• In the meantime, users will need to create a new premium plan and manually copy the tasks into the new plan.

Features outside of Planner that will be retired without replacement:

• Planner integration in Viva Goals.
  • Viva Goals will be retired on December 31, 2025, as previously announced. Refer to Viva Goals retirement for more information.
  • When Viva Goals is retired, the entry point in Viva Goals for use with Planner will no longer be available.
• iCalendar feed integration retirement.
  • This feature will be retired between mid-January 2026 and mid-February 2026.
  • This feature allowed users to subscribe to their Planner tasks as an iCalendar feed that could be viewed in iCalendar-compatible applications like Outlook.
  • After this feature is retired, users will not be able to create new iCalendar feeds for their tasks or plans, and they will stop seeing their tasks in the iCalendar feeds they previous created.
  • There is no replacement for this feature at this time.
• Planner component retirement in Loop pages.
  • This feature will be retired between mid-January 2026 and mid-February 2026.
  • Loop pages support various options for capturing task information.
  • This control, which could previously be inserted by typing /planner in a Loop workspace, was one of the available options.
  • We recommend the Task List Control in Loop to capture tasks.
  • After the retirement of this control, which is expected to begin in January 2026 and will roll out independent of the Planner update rollout, it will no longer be possible to add a new component of this type in a Loop workspace.
  • Workspaces where these components were already present will display the Planner plan URL where the component was previously located.
  • Tasks previously entered in these components will remain available in Planner.

[What you can do to prepare:]

• These changes will happen automatically by the specified dates.
• No admin action is required.
• Notify users about this change.
  • Update relevant documentation as appropriate.
  • Share the recommended alternate options where appropriate, as described above.

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

• One card shows your triggered custom alerts, helping you focus on priority resources.
• The other, “Triggered alerts for high-use items,” displays predefined alerts for high-use resources like high-use canvas apps. These Microsoft-created alerts are enabled by default and cannot be changed or deleted. Use custom alerts for more control.

• Data Request Success Rate
• Data Request Latency

• This security update includes improvements that were a part of update KB5070311 (released December 1, 2025).
• This update addresses security issues for your Windows operating system. 
• This update addresses an issue where Ask Copilot didn’t activate the Click to Do* window as expected. The window now appears in the foreground when you share data with Copilot.
• This update addresses an issue where File Explorer briefly flashes white when you navigate between pages. This issue might occur after you install KB5070311.
• This update fixes an issue where external virtual switches lose their physical network adapter (NIC) bindings after a host restart. 

• Windows 11, versions 25H2 and 24H2: KB5072033
• Windows 11, version 23H2: KB5071417
• Windows 11 Enterprise LTSC 2024: Hotpatch KB5072014
• Windows 10, versions 22H2 and 21H2: KB5071546
• Windows 10 Enterprise LTSC 2019 and Windows Server 2019: KB5071544
• Windows 10 LTSB 2016 and Windows Server 2016: KB5071543
• Windows Server 2025: KB5072033
• Windows Server 2025 Datacenter: Azure Edition: Hotpatch KB5072014
• Windows Server 2022: KB5071547
• Windows Server 2022 Datacenter: Azure Edition: Hotpatch KB5071413
• Windows Server 2012 R2: Monthly Rollup: KB5071503
• Windows Server 2012: Monthly Rollup: KB5071505
• Windows Server 2008 R2 Service Pack 1: Monthly Rollup: KB5071501 / Security Only: KB5071506
• Windows Server 2008 SP2: Monthly Rollup: KB5071504 / Security Only: KB5071507

• Windows 11, versions 24H2 and 25H2: KB5074204
• Windows Server 2025: KB5074204
• Windows Server 2022: KB5074353