The Week at a Glance

  • 🔴 High — Patch Exchange Server now. Microsoft released June 2026 security updates for Exchange Server (all supported versions) addressing publicly disclosed vulnerabilities, including CVE-2026-42897, a cross-site scripting flaw in Outlook Web Access. On-premises Exchange environments that are unpatched are exposed today.
  • 🔴 High — Legacy email authentication retirement is underway. Direct Exchange ActiveSync certificate-based authentication (CBA) to Exchange Online is being retired by end of 2026. New tenants are already blocked. Organizations still using this flow for mobile devices must migrate before access breaks.
  • 🟡 Medium — AI agents can now autonomously operate your systems. Microsoft has reached general availability of “computer-using agents” in Copilot Studio — AI that can interact with any application through its user interface, including legacy systems with no API. This dramatically raises the stakes for AI governance. Agent 365, the control plane for governing these agents, is also now generally available.
  • 🟢 Low — New Microsoft 365 Business with Copilot SKUs arrive July 1. Small and mid-sized business licensing is being restructured with Copilot built into base plans. No disruption to existing enterprise agreements, but SMB customers and MSPs should review commercial implications before the July 1 effective date.

Sources: June 2026 Exchange Server Security Updates · Retirement of Direct Exchange ActiveSync Certificate-Based Authentication · Computer-Using Agents in Microsoft Copilot Studio — GA · Microsoft Agent 365 — GA


Why This Week Matters

Two independent forces are converging this week. First, the traditional threat surface is demanding urgent attention: a disclosed Exchange Server vulnerability and the forced retirement of legacy authentication mean organizations that delay patching or migration face concrete, near-term breach risk. Second, the AI surface area is expanding faster than most governance frameworks have anticipated — autonomous agents can now operate enterprise software without APIs, and Microsoft has shipped the tools to govern them, but only organizations that actively configure those controls will benefit.

The one thing leadership must understand: the arrival of autonomous AI agents is not a future planning item — it is a present-tense governance question. Employees and developers can deploy agents today that operate payroll systems, HR portals, and line-of-business applications with minimal oversight. Without deliberate policy, you cannot know what those agents are accessing or doing on your behalf.

Sources: Microsoft Agent 365 — GA · Updating the Taxonomy of Failure Modes in Agentic AI Systems · Addressing Exchange Server May 2026 vulnerability CVE-2026-42897


Risk & Compliance

  • Change: June 2026 Exchange Server Security Updates
    Business risk: Unpatched Exchange Server (SE, 2019, 2016) is vulnerable to CVE-2026-42897, a cross-site scripting flaw that can execute malicious code in the browser when a user opens a crafted email in OWA. Active exploitation risk is real.
    Regulatory angle: HIPAA Security Rule, CMMC Level 2+, NIST CSF Respond/Recover, cyber insurance patch-currency requirements
    Act by: Immediately — patches are available now
  • Change: Retirement of Direct Exchange ActiveSync Certificate-Based Authentication
    Business risk: Mobile devices using EAS with client certificates sent directly to Exchange Online will lose access by end of 2026. New tenants are already blocked. Loss of email access for affected mobile users will be abrupt if not planned.
    Regulatory angle: NIST CSF Identity/Authentication controls; impacts CMMC and FedRAMP environments using device-based CBA
    Act by: Migration plan required before end of 2026; begin inventory now
  • Change: Entra ID Security Updates — Custom Controls & SSPR Changes
    Business risk: Microsoft is retiring Custom Controls in Conditional Access (replacing with External MFA), enforcing Conditional Access during credential registration, and requiring explicitly registered methods for self-service password reset. Existing configs continue working during transition, but unreviewed policies may create access gaps or helpdesk surges.
    Regulatory angle: SOC 2 (access control), CMMC Level 2 MFA requirements, NIST 800-63B, cyber insurance MFA attestation
    Act by: Begin migration planning within 30 days
  • Change: Computer-Using Agents Now Generally Available in Copilot Studio
    Business risk: AI agents can now autonomously operate any application through its user interface — including legacy systems, vendor portals, and internal web apps — without API integration. Without governance controls, agents may access, modify, or exfiltrate sensitive data with no human in the loop.
    Regulatory angle: HIPAA (access to PHI by automated processes), SOC 2 (logical access controls), GDPR (automated processing of personal data), NIST AI RMF
    Act by: Governance policy required before broad deployment — 30 days
  • Change: Deprecating Legacy TLS (1.0/1.1) for POP3 and IMAP4 in Exchange Online
    Business risk: Email clients or automation tools connecting to Exchange Online via POP3/IMAP4 using TLS 1.0 or 1.1 will fail after deprecation. Shared mailboxes used by line-of-business apps are a common exposure point that IT teams often overlook.
    Regulatory angle: PCI DSS 4.0 TLS requirements, CMMC encryption standards, NIST CSF Protect
    Act by: Audit connectivity within 30 days; timeline enforcement expected in coming months
  • Change: npm Supply Chain Attack — Red Hat Miasma Campaign
    Business risk: Over 90 versions of trusted @redhat-cloud-services npm packages were compromised, silently stealing credentials from CI/CD pipelines, GitHub, and cloud platforms. Organizations with development teams using these packages may have exposed credentials in their build environments.
    Regulatory angle: SOC 2 (vendor risk, change management), CMMC supply chain risk management (Level 2+), NIST CSF Supply Chain
    Act by: Immediate: audit development environments for affected packages

Sources: June 2026 Exchange Server Security Updates · Microsoft Threat Intelligence — npm Miasma Campaign · Entra ID Security Updates


What Your Employees Will Notice

  • Teams performance improvements — Microsoft has shipped a significant performance update to Teams, reducing load time and improving responsiveness in chat, calls, and meetings. Most users will notice the app feels faster and more reliable with no action required.
  • Copilot redesign — The Microsoft 365 Copilot app has a refreshed visual design. Users will see a cleaner interface when accessing Copilot across apps. Proactively communicate that this is intentional and not a security concern.
  • New AI models available in Copilot — GPT-5.5 Instant, Anthropic Claude Opus 4.8, and Claude Fable 5 (preview) are now available as model choices within Microsoft 365 Copilot. Users in organizations with Copilot licenses may see new model options in their experience.
  • Teams message reminders — Coming in July, users will be able to set private reminders on individual chat and channel messages. This is a personal productivity feature; no admin action is required and no messages are shared.
  • Teams call queue recording — Administrators at organizations using Teams Phone call queues can now enable automatic call recording. Agents answering queued calls should be informed if this is activated, as recordings may have consent notification obligations depending on jurisdiction.
  • Wi-Fi workplace check-in in Teams — Employees who opt in will have their workplace location automatically updated when they connect to a configured company network. This is opt-in only and does not enable tracking without user consent.
  • Copilot Notebooks expanded access — Copilot Notebooks is now available to users with Copilot Chat (not just full Microsoft 365 Copilot licenses), giving more employees a shared collaborative workspace grounded in company data.

Sources: Making Microsoft Teams More Responsive · What’s New in Microsoft 365 Copilot — May 2026 · Workplace Check-In via Wi-Fi


What Your Help Desk Should Expect

  • Exchange Server patch inquiries — IT teams managing on-premises Exchange should expect internal questions about the June update and whether servers have been patched. Ensure your Exchange administrators have confirmed deployment status and can communicate it up the chain.
  • Mobile email access issues — Organizations with employees using older mobile email clients (particularly those configured with certificate-based authentication to Exchange Online) may begin seeing access failures or authentication prompts as the EAS CBA retirement enforcement tightens. Volume will increase as enforcement broadens.
  • Copilot model selection questions — As new AI models appear in the Copilot interface, users will ask which model to use and whether switching models changes how their data is handled. Prepare a brief internal FAQ; the short answer is that all models in M365 Copilot operate under the same enterprise data protection terms.
  • Copilot design change confusion — The refreshed Copilot app interface may prompt tickets from users who believe something is wrong or that they received an update they didn’t authorize. Proactive internal communication ahead of the change reduces ticket volume.
  • Teams call recording notification questions — If your organization enables automatic call queue recording, agents will likely ask whether they are being recorded and what happens to recordings. Prepare a communication before enabling the feature.
  • Password reset and MFA method changes — As Entra ID enforces registered authentication methods for SSPR, users who have not registered modern MFA methods may find they cannot reset their own password and will call the help desk. Audit MFA registration completeness now to reduce this surge.
  • Secure Boot certificate readiness questions — Secure Boot certificates are beginning to expire in June 2026 on Windows devices. IT may receive questions about Windows Autopatch reports or device compliance warnings. The updated Autopatch Secure Boot status report helps identify affected devices.

Sources: Retirement of Direct Exchange ActiveSync CBA · Entra ID Security Updates · Updated Secure Boot Status Report in Windows Autopatch


Cost & Licensing

New Microsoft 365 Business with Copilot SKUs — effective July 1, 2026. Microsoft is introducing restructured small business plans with Copilot built into the base subscription. Organizations on current Microsoft 365 Business Basic, Standard, or Premium plans — and their managed service providers — should evaluate whether existing agreements are affected and what the transition path looks like. This is primarily relevant to SMB customers; enterprise EA agreements are not immediately impacted, but channel partners and IT resellers should brief their SMB clients before July 1.

Advanced Intune Solutions included in Microsoft 365 at scale — rollout beginning CY26 Q3. Microsoft is adding advanced Intune Suite capabilities to broader Microsoft 365 plans. Customers currently paying separately for Intune Suite add-ons should review whether these capabilities will be covered in their base plan after Q3. Tenants will receive 30-day advance notice in the Message Center before the change applies to their environment. This is a potential cost reduction, not an additional expense.

Teams Premium required for call queue recording. The newly generally available automatic recording and transcription for Teams call queues requires a Teams Premium license per queue. Organizations considering this feature for contact center or customer-facing teams should confirm licensing before enablement.

Exchange Server 2016/2019 Extended Security Update — Period 2 now available. For organizations still running Exchange 2016 or 2019 that did not complete migration before April 2026, Microsoft has opened a “Period 2” ESU program running through October 2026. This is a paid extension and is not a long-term solution; it buys time for migration to Exchange Server Subscription Edition. Organizations in this position should quantify the ESU cost against accelerating migration.

Sources: Microsoft 365 Business with Copilot — New SKUs · Microsoft 365 Adds Advanced Intune Solutions at Scale · Period 2 Exchange 2016/2019 ESU Program


Planning Horizon

  • Timeframe: Now
    Item: June 2026 Exchange Server Security Updates
    Decision required: Confirm patch deployment on all Exchange Server instances (SE, 2019, 2016)
    Owner: IT / Infrastructure
  • Timeframe: Now
    Item: npm Miasma Supply Chain Attack
    Decision required: Audit CI/CD pipelines and developer environments for affected @redhat-cloud-services packages; rotate any potentially exposed credentials
    Owner: Security / DevOps
  • Timeframe: 30 days
    Item: EAS Certificate-Based Authentication Retirement
    Decision required: Inventory all mobile devices and apps using EAS with direct CBA to Exchange Online; plan migration to Entra ID-based authentication
    Owner: IT / Identity / Mobile
  • Timeframe: 30 days
    Item: Entra ID Custom Controls & SSPR Changes
    Decision required: Review Conditional Access policies using Custom Controls; audit SSPR method registrations across the user base to prevent help desk surge
    Owner: Identity / Security
  • Timeframe: 30 days
    Item: AI Agent Governance — Copilot Studio Computer-Using Agents GA
    Decision required: Establish or update AI agent governance policy; configure Microsoft Agent 365 as the control plane; determine which business processes are in-scope for autonomous agent use
    Owner: CISO / IT / Legal / Compliance
  • Timeframe: 30 days
    Item: Legacy TLS Deprecation for POP3/IMAP4 in Exchange Online
    Decision required: Identify all POP3/IMAP4 connections to Exchange Online; confirm TLS version in use; update or replace any clients or automation using TLS 1.0/1.1
    Owner: IT / Application Owners
  • Timeframe: Before July 1
    Item: Microsoft 365 Business with Copilot SKU Launch
    Decision required: SMB customers and MSPs: review commercial impact of new plan structure; confirm existing customer agreements and renewal paths
    Owner: Finance / Procurement / MSP Partners
  • Timeframe: 60 days
    Item: Secure Boot Certificate Expiration
    Decision required: Use the updated Windows Autopatch Secure Boot status report to identify devices not ready for certificate rollover; plan remediation for non-compliant devices
    Owner: IT / Device Management
  • Timeframe: 90 days
    Item: Advanced Intune Solutions in Microsoft 365 — CY26 Q3 Rollout
    Decision required: Review current Intune Suite licensing; confirm whether Q3 inclusion changes your licensing cost structure; watch for 30-day Message Center notification
    Owner: IT / Finance / Procurement
  • Timeframe: Before end of 2026
    Item: Exchange 2016/2019 Migration Deadline
    Decision required: Organizations still on Exchange 2016/2019 must migrate to Exchange Server SE or Exchange Online; Period 2 ESU ends October 2026. Budget and project timeline approval required now.
    Owner: IT / Finance / Executive Sponsor

Sources: Entra What’s New — June 2026 · Administering and Governing Agents Whitepaper v3.2 · M365 Roadmap
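One way to start the npm Miasma audit called for in the Risk & Compliance and Planning Horizon entries above is to walk every package-lock.json in your repositories and CI caches and flag anything in the @redhat-cloud-services scope. This is an added example, not code from the newsletter or from Microsoft's advisory; the compromised-version list is a labelled placeholder because this briefing does not enumerate the affected versions, and the lockfile content is constructed.

```python
import json

# PLACEHOLDER: this briefing does not list the compromised versions. Replace with the
# version list from the Microsoft Threat Intelligence Miasma campaign advisory.
COMPROMISED_VERSIONS = {
    "@redhat-cloud-services/example-pkg": {"9.9.9"},  # hypothetical name and version
}
SCOPE = "@redhat-cloud-services/"

# Constructed sample lockfile (package-lock.json lockfileVersion 3 shape), not a real project's.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/@redhat-cloud-services/example-pkg": {"version": "9.9.9"},
        "node_modules/@redhat-cloud-services/other-pkg": {"version": "1.2.3"},
        "node_modules/left-pad": {"version": "1.3.0"},
        # nested copy: transitive dependencies must be checked too
        "node_modules/left-pad/node_modules/@redhat-cloud-services/example-pkg": {"version": "1.0.0"},
    },
})

def iter_packages(lock):
    """Yield (name, version) for every installed package; handles lockfile v1 and v2/v3."""
    if "packages" in lock:  # lockfileVersion 2 or 3: keys are node_modules paths
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            name = path.split("node_modules/")[-1]  # last segment is the package name
            yield name, meta.get("version", "")
    else:  # lockfileVersion 1: nested "dependencies" tree
        stack = list(lock.get("dependencies", {}).items())
        while stack:
            name, meta = stack.pop()
            yield name, meta.get("version", "")
            stack.extend(meta.get("dependencies", {}).items())

def audit_lockfile(lock_text):
    """Return sorted (name, version, verdict) tuples for packages in the affected scope."""
    findings = set()
    for name, version in iter_packages(json.loads(lock_text)):
        if not name.startswith(SCOPE):
            continue
        if version in COMPROMISED_VERSIONS.get(name, set()):
            verdict = "COMPROMISED: remove, rebuild, and rotate credentials reachable from this build"
        else:
            verdict = "REVIEW: scoped package present; confirm version against the advisory"
        findings.add((name, version, verdict))
    return sorted(findings)

if __name__ == "__main__":
    for name, version, verdict in audit_lockfile(SAMPLE_LOCK):
        print(f"{name}@{version}: {verdict}")
```

Run it over `package-lock.json` files found with `git grep`/`find` across repositories and build caches; a REVIEW verdict still needs a manual version check until the placeholder list is filled in from the advisory.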


If You Take No Action

Exchange Server remains unpatched — CVE-2026-42897. An attacker who can send email to a user at your organization can exploit this vulnerability by crafting a message that, when opened in Outlook Web Access, executes malicious JavaScript in the browser. This could be used to steal session tokens, redirect users to credential-harvesting pages, or pivot deeper into your environment. On-premises Exchange is a high-value target precisely because it is often the last layer of defense before an attacker reaches sensitive communications. Most cyber insurance policies now require documented patch management and timely application of critical updates — failure to patch a disclosed, publicly known vulnerability could affect your coverage position in the event of a claim.

Exchange ActiveSync CBA is not migrated before enforcement. Mobile devices configured with certificate-based authentication directly to Exchange Online will stop receiving email without warning when Microsoft enforces the retirement. There is no grace period for access once the block is applied to your tenant. In environments where executives, field staff, or operational teams rely on mobile email — including those using shared devices or bring-your-own devices — this will result in immediate productivity loss and a high-volume support event. The migration requires re-enrolling devices or updating authentication configuration, which typically requires vendor coordination and user communication. Starting that process today provides a manageable runway; starting it after an outage does not.

AI agents are deployed without governance controls. Computer-using agents in Copilot Studio are available to any licensed user or developer in your organization today. Without deliberate configuration of Microsoft Agent 365 — or equivalent governance policies — agents can be created and deployed that access sensitive applications, process personal data, and execute transactions without audit trail, oversight, or compliance controls. In regulated industries (healthcare, financial services, government), this creates direct exposure under HIPAA, GDPR, and relevant state privacy laws. Even in unregulated environments, the reputational and operational risk of an autonomous agent making incorrect or unauthorized changes to business systems is material. The mitigation is available today; it requires deliberate configuration, not additional cost.

Sources: June 2026 Exchange Server Security Updates · Retirement of Direct Exchange ActiveSync CBA · Microsoft Agent 365 — GA