Modern Work Weekly — Week of 2026-05-19
Dirty Frag is being actively exploited on Linux endpoints. Storm-2949 proves credentials alone are enough to wipe a cloud environment. Know what needs action now.
Top 5 This Week
Storm-2949 cloud breach anatomy — read this now. No malware, no novel exploits. Stolen credentials plus patient attacker plus trusted tooling equalled cloud-wide data exfiltration. Microsoft’s full TTP breakdown is required reading. Then go audit your Conditional Access policies, PIM assignments, OAuth app consents, and UEBA alerting.
Dirty Frag Linux LPE — actively exploited. Local privilege escalation in Linux kernel networking components (esp4, esp6, rxrpc) is seeing in-the-wild exploitation. Any Linux endpoint or server reachable via SSH, web shell, or low-priv account is at risk. Patch kernels now; Defender detects exploitation attempts but that is not your primary control.
SAP SuccessFactors basic auth deprecation — November 2026 hard deadline. SAP is pulling the plug on basic auth for SuccessFactors APIs. Entra provisioning is introducing workload identity–based auth as the replacement. If you have Entra → SuccessFactors inbound provisioning, migrate before November 2026 or provisioning breaks.
Entra Agent ID Platform — GA. Microsoft now has a first-class identity and authorization framework for AI agents using OAuth 2.0, MCP, and A2A. If you’re deploying Copilot Studio or custom agents, this is the governance model to build around. Start reviewing agent identity posture now.
Entra Connect Sync → Cloud Sync migration announced. Microsoft is formally beginning the transition away from on-premises Connect Sync to cloud-native Cloud Sync. No hard cutoff yet, but the direction is unambiguous. Start your inventory of Connect Sync dependencies — custom sync rules, writeback configs — and build a migration roadmap.
Identity
Microsoft Entra Agent ID Platform
GA — First-class identity framework for AI agents supporting OAuth 2.0, MCP, and A2A protocols. Developers can create and manage agent identities with enterprise-grade auth and governance. If you’re building or deploying agents anywhere in your tenant, this is your identity foundation.
Entra Connect Sync → Cloud Sync Migration
Plan for Change — Microsoft is formally transitioning away from on-premises Connect Sync to cloud-native Cloud Sync. No enforcement date announced yet but posture is clear. Begin auditing Connect Sync deployments, custom rules, and writeback dependencies now.
SAP SuccessFactors Provisioning: Basic Auth → Workload Identity
Plan for Change — Hard deadline: November 2026 (SAP deprecation date). Entra provisioning will authenticate using workload identities and short-lived tokens instead of static credentials. If you have Entra → SuccessFactors inbound provisioning, migrate before SAP pulls the plug.
SCIM Provisioning Apps: Modern Authentication Migration
Plan for Change — Basic auth is being deprecated across SCIM provisioning integrations over the coming months. Timelines vary per application and will be communicated via monthly What’s New articles and Message Center. Watch for your specific apps.
CBA on iOS + CBA as Second Factor
GA — Entra Certificate-Based Authentication is now GA on iOS, eliminating unnecessary password/MFA prompts in native iOS apps. CBA can now serve as a second factor and system-preferred MFA method. Review your auth policies if you’re using CBA.
Entra CBA Certificate Authority Scoping
GA — Tenant admins can now restrict specific CAs to defined user groups. Essential for environments with multiple PKI hierarchies — prevents over-broad certificate trust.
Entra CBA Issuer Hints
GA — Users on multi-certificate devices will only be prompted to select certificates trusted and valid for the tenant. Reduces sign-in errors with no behavior change for the certificates themselves.
Enforce CA Policies Including MFA on Every PIM Activation
GA — Reauthentication with Conditional Access is now GA for PIM role activations. Require MFA on every privileged role activation without workarounds. Implement this if you haven’t already.
Configurable Token Lifetime Policies
GA — Admins can customize access token, ID token, and SAML token lifetimes per application/service principal via policy. Use this to tighten token windows for sensitive apps or accommodate legacy systems that need longer lifetimes.
Purview Data Security Investigations: Personal Data Examination
GA — April CY2026 — DSI now identifies and extracts personal data (names, addresses, financial account numbers) from investigation items. Works alongside existing AI categorization and risk examination features. Update your breach response and compliance investigation runbooks.
Workday Connector: Termination Lookahead for APAC/ANZ
GA — Fixes termination processing delays for workers in APAC and ANZ regions. Admins can enable termination lookahead to prefetch data and tailor deprovisioning logic. If you have Workday provisioning and operate in those regions, enable this now.
Account Discovery for Connected Apps (Entra ID Governance)
Preview — Generates discovery reports to identify orphan accounts in connected applications that aren’t assigned to the enterprise app in Entra. Good for access hygiene audits.
Entra External ID Federation with Workforce Identities
Preview — Users can sign in to External ID (customer-facing) apps using their workforce Entra ID via standards-based federation. Reduces duplicate accounts for internal-facing consumer apps.
App-based Branding Themes
Preview — Assign different sign-in branding experiences to specific applications within a single tenant. Previously, branding was tenant-wide only.
License Usage Page in Entra Admin Center
GA — Visibility into Entra ID P1, P2, and Suite license consumption. Shows feature usage mapped to license type with 6-month trends. Useful for license right-sizing conversations.
GSA iOS Client
GA — Global Secure Access client on iOS/iPadOS leverages existing MDE deployment — no additional agent required. Routes traffic through Microsoft SSE for M365, internet access, and private access.
MIM 2016 Service Pack 3
GA — SP3 updates SQL Server, SharePoint, and Exchange compatibility and adds Azure SQL Database with managed identity auth support for the Synchronization Service. If you’re still running MIM, apply SP3.
Devices
macOS Platform SSO during Automated Device Enrollment
GA — PSSO now runs during ADE registration, giving users immediate Entra ID resource access at first desktop login. Requires pre-enrollment configuration. This is the baseline expected experience for ADE macOS deployments.
Enhanced App Inventory for Windows
GA — Improved data freshness, richer app metadata, and new controls to scope which devices contribute to inventory. Windows-first; additional platforms coming. Useful for identifying outdated or risky software at scale.
EPM Support-Approved Elevations for All Device Users
GA — Endpoint Privilege Management now accepts support-approved elevation requests from any user of a device, not just the primary/enrolling user. Fixes a real gap for shared device scenarios.
Android Enterprise Credential Manager Control (Android 14+)
GA — Admins can explicitly configure which apps act as credential providers (password autofill, passkey storage) on managed Android Enterprise devices. Navigate to Apps > Android > Configuration > Managed Devices. Note: Google Password Manager cannot act as credential provider on corporate-owned work profile devices.
Userless ADE for visionOS and tvOS
GA — Apple Vision Pro and Apple TV can now be enrolled through ABM/ASM without a user account. Manage alongside other Apple devices in the admin center.
Ubuntu 26.04 LTS Support Added; Ubuntu 22.04 End of Support August 2026
Preview — Ubuntu 26.04 LTS is now supported in Intune. Ubuntu 22.04 support ends August 2026 — enrolled devices stay enrolled but you need to notify users to upgrade. Filter by OS version in Devices > All Devices > Linux to find your exposure.
Autopatch Update Risk Visibility Report
GA — New report classifies devices as Current, Exposed, or Critical and surfaces which policies are contributing to risk. Extends the Security Update Status dashboard. Good for prioritizing remediation conversations with device owners.
Windows 11 25H2 Security Baseline
GA — New Windows 11 25H2 security baseline is available. Existing profiles do NOT auto-update. Admins must create a new profile or explicitly update existing ones to adopt new settings, defaults, and retired settings.
Edge 139 Security Baseline
GA — Latest Edge browser security baseline is now available in Intune. Review and deploy alongside your existing Edge baseline profiles.
Direct Android LOB App Management (COBO/COSU)
GA — Upload APK files directly to Intune and deploy to corporate-owned fully managed and dedicated devices without going through Managed Google Play. Streamlines workflows for apps that can’t or shouldn’t be published to the Play Store.
Android XR Device Management
GA — Android XR devices including Android-based XR headsets can now be enrolled via dedicated and fully managed modes. Deploy apps via Managed Google Play and apply compliance policies.
Apple DDM for Required LOB Apps (iOS/iPadOS 18+)
GA — Intune now supports Apple Declarative Device Management for required LOB apps on iOS/iPadOS 18 and later. Change management type to DDM in App information. Improves delivery efficiency and provides real-time app status.
macOS Recovery OS Password Policy
GA — Admins can configure and rotate a recovery OS password to prevent users from booting company-owned Macs into recovery mode and bypassing MDM. Password visible in per-setting status report with appropriate RBAC permission.
TeamViewer Connector Replacement
GA — New TeamViewer integration replaces the existing connector. If you’re on the old connector, you have 12 months to migrate before functionality breaks. Begin migration planning now.
Intune Data Warehouse Beta Connector v1 (Power BI) — Retired
Retirement — Reports created before November 2025 may still use the beta v1 connector. Transition to connector v2 or the OData Feed connector. Reports created after November 2025 already use v2.
Remote Help Connectivity Improvement + New IME Log
GA — New endpoint added for Launch Remote Help — update firewall rules accordingly. New NotificationInfra.log added to IME logs for tracking real-time communication channel notifications.
Apps
Microsoft Copilot in Word: Anthropic Model Selection
GA — May CY2026 — Users editing Word documents with Copilot can now select Anthropic models alongside OpenAI. Understand your org’s data handling posture with third-party model providers before this lands broadly — check your Copilot usage policies and communicate expectations to users.
Teams Facilitator Agent for In-Person Meetings (Teams Rooms on Windows)
GA — July CY2026 — AI-powered notes, decisions, and action items for in-person meetings in Teams Rooms on Windows. Invite with one console tap; notes appear on front-of-room display and are available in meeting recap if shared, auto-deleted if not. Requires Teams Rooms Pro.
Teams Facilitator Agent for In-Person Meetings (Teams Rooms on Android)
GA — July CY2026 — Same Facilitator capability extended
Sources
- https://www.microsoft.com/en-us/security/blog/2026/05/18/storm-2949-turned-compromised-identity-into-cloud-wide-breach/
- https://www.microsoft.com/en-us/security/blog/2026/05/18/how-to-better-protect-your-growing-business-in-an-ai-powered-world/
- https://www.microsoft.com/microsoft-365/roadmap?id=562343
- https://www.microsoft.com/microsoft-365/roadmap?id=562345
- https://www.microsoft.com/microsoft-365/roadmap?id=562050
- https://www.microsoft.com/microsoft-365/roadmap?id=561915
- https://www.microsoft.com/microsoft-365/roadmap?id=560700
- https://www.microsoft.com/microsoft-365/roadmap?id=559388
- https://www.microsoft.com/microsoft-365/roadmap?id=559018
- https://www.microsoft.com/microsoft-365/roadmap?id=558540
- https://www.microsoft.com/microsoft-365/roadmap?id=558442
- https://www.microsoft.com/microsoft-365/roadmap?id=558440
- https://www.microsoft.com/microsoft-365/roadmap?id=557167
- https://www.microsoft.com/microsoft-365/roadmap?id=554925
- https://www.microsoft.com/microsoft-365/roadmap?id=548648
- https://www.microsoft.com/microsoft-365/roadmap?id=548647
