Top 5 This Week

  1. CVE-2026-42897 — Patch Exchange Server on-prem now. An XSS vulnerability in OWA allows arbitrary JavaScript execution when a user opens a crafted email. Exchange 2016, 2019, and SE are all affected. Exchange Online is not. If you’re still running on-prem Exchange, this is a drop-everything patch.

  2. Teams Live Events retires June 30, 2026. No new events can be scheduled after June 30. Events already on the calendar are honored through February 28, 2027. If you have workflows, Graph API integrations, or event templates built around Live Events, migration to Town Halls is not optional — the clock is 4 weeks out.

  3. Entra Tenant Configuration Management APIs hit GA. Multi-tenant governance at scale is now production-ready via API. If you’re managing a large tenant estate or running an MSP operation, this is the foundation for automating configuration drift detection and enforcement across tenants.

  4. Purview DLP for Microsoft 365 Copilot is GA. Sensitive data protection now extends into Copilot Chat prompts and responses. This is included for all M365 Copilot and Copilot Chat users — there’s no additional licensing gate. If you haven’t reviewed your DLP policies for Copilot coverage, now is the time.

  5. AI agent governance via Entra is here. The “agent sprawl” problem is real — agents appearing in admin portals without lifecycle management or access guardrails. Entra’s new agent governance capabilities provide the accountability and access control scaffolding. Evaluate this before your agent footprint grows further.


Identity

  • Find Shadow Tenants and Reduce Risk with Microsoft Entra Tenant Governance [GA] — Acquisition tenants, dev environments, partner collaboration tenants — they accumulate and fall out of central IT visibility fast. Entra Tenant Governance now surfaces these shadow tenants via B2B collaboration signals, multi-tenant app registrations, and shared billing relationships. Run discovery in your environment and assess what’s sitting outside your governance perimeter.

  • Get Ahead of Agent Sprawl: Manage and Govern AI Agents at Scale [GA] — AI agents are proliferating in customer tenants without accountability structures, lifecycle policies, or access guardrails — creating meaningful security exposure. Entra now provides centralized governance for AI agents covering identity assignment, access scoping, and lifecycle management. If you’re deploying Copilot Studio agents or third-party AI workloads, stand up governance before scale makes it unmanageable.

  • Closing the Identity Visibility Gap: Account Discovery in Entra ID Governance [GA] — When you connect a SaaS or on-prem app to Entra, existing accounts and permissions that were created outside modern governance workflows have been invisible until now. Account Discovery surfaces those pre-existing accounts and brings them into access review and entitlement management workflows. Run this against your recently connected apps to close orphaned-account risk gaps.

  • License Usage Insights in Microsoft Entra Now Generally Available [GA] — You can now see which identity protections are actually in use and where licensed controls are deployed but inactive. The redesigned experience in the Entra admin center gives IT teams transparency into protection coverage versus licensing spend. Use this to identify users missing MFA, SSPR, or Conditional Access coverage — and to build a defensible audit trail.

  • Microsoft’s Perspective on Agentic Identity Standards [GA] — Microsoft has published its position on emerging agentic identity standards, covering how non-human AI identities should be authenticated, authorized, and audited in enterprise environments. Not an immediate action item, but IAM architects should read this now — the standards shaping your future Conditional Access and PIM designs are being written today.

  • Retiring Teams Live Events: June 30, 2026 [GA] — After June 30, no new Teams Live Events can be scheduled, and the associated Graph APIs are being retired. Events already scheduled will run through February 28, 2027. Audit your Graph API integrations, scheduled events, and any automation built on Live Events and migrate to Town Halls — four weeks is not much runway.

  • Secure External Attachments with Purview Encryption [GA] — If you’re using Purview sensitivity labels with encryption on email attachments, how you’ve configured Guest Accounts and Conditional Access directly determines whether external recipients get a smooth experience or a dead end. Enabling guest accounts allows seamless access but can generate thousands of guest objects; disabling them limits external access entirely. Review your CA policies and guest settings against your external sharing use cases before users start reporting access failures.


Devices

  • Intune March Updates: Notifications, Compliance Visibility, Apple and Mobile App Management [GA] — More timely check-in notifications, improved compliance visibility, and enhanced Apple device and mobile app management are now shipping. Review the full changelog to identify any policy or workflow changes relevant to your Apple fleet or app protection posture. Nothing breaking, but several incremental improvements worth pulling into your environment.

  • Protect Browser-Based Work on Agency-Managed Windows PCs [GA] — When users work on Windows PCs enrolled and managed by a different organization (contractor home agencies, for example), full Intune enrollment isn’t viable. Intune now supports app protection policies targeting browser-based work on these third-party managed devices, extending data protection without requiring re-enrollment. If you have contractors or partner employees accessing corporate SaaS from their own managed devices, evaluate this as a policy layer.

  • Updated Secure Boot Status Report in Windows Autopatch [GA] — The Secure Boot status report in Autopatch now surfaces certificate status, trust configuration, and readiness for Secure Boot certificate updates at the device level with interactive certificate-level drill-down. If you’re in the middle of a Secure Boot certificate rollout or planning one, this report should be your first stop for targeting and validation.

  • Admin Insights for Windows 365 Now in Public Preview [Preview] — Admin Insights provides a consolidated view of the most critical Cloud PC health and configuration issues requiring attention, surfaced directly in the Intune admin center. This is worth enabling in preview if you manage a Windows 365 estate — early signal on which Cloud PCs need remediation before users file tickets is worth the preview risk.

  • Microsoft 365 Adds Advanced Intune Suite Capabilities — Rolling Out CY26 Q3 [GA] — Advanced Intune Suite capabilities are being bundled into Microsoft 365 plans, with rollout starting CY26 Q3. Tenants will receive 30-day Message Center notice before the update activates. Watch your Message Center — this is a license and feature entitlement change that may affect your procurement and deployment planning.

  • Intune Announces Android Enterprise Management Support for Android XR [GA] — Intune now supports Android XR devices including the Samsung Galaxy XR headset via the Android Enterprise management framework. If your organization is evaluating or deploying XR hardware, existing enrollment, policy, and app management workflows apply — no new platform expertise required to get started.

  • Admin Tasks in Microsoft Intune Now Generally Available [GA] — Intune Admin Tasks aggregates high-impact approvals, privilege requests, and security remediation actions into a single pane rather than scattering them across multiple consoles. This directly reduces response latency for high-priority actions and simplifies audit readiness. Enable and review the task queue as part of your daily operations workflow.

  • New Windows 365 Monitoring and Reporting Platform in Public Preview [Preview] — The new unified reporting platform for Windows 365 consolidates Cloud PC health, performance, and configuration data from across Intune into integrated dashboards. Currently in public preview — enroll if you want early access to end-to-end Cloud PC visibility before GA, particularly useful if your current monitoring involves navigating multiple Intune blades.


Apps

  • Addressing Exchange Server May 2026 Vulnerability CVE-2026-42897 [GA] — This is an XSS vulnerability in Exchange OWA (all supported and SE versions) that allows arbitrary JavaScript execution when a user opens a specially crafted email. Exchange Online is not affected. If you’re running Exchange 2016, 2019, or SE on-premises, patch immediately — this is a socially engineered, email-delivered attack vector requiring no admin interaction to trigger.

  • What’s New in Microsoft Teams — March 2026 [GA] — The March Teams release includes an AI-powered Workflows app for Copilot-driven task automation without code, plus a range of productivity and connectivity improvements. Review the full changelog for features your users will encounter — particularly the Workflows app, which may surface shadow automation patterns you’ll want to govern via Power Platform policies.

  • Introducing New Agentic Building in SharePoint [GA] — SharePoint is getting native agentic building capabilities on top of its role as the primary grounding source for M365 Copilot. New tooling lets developers extend agents using SharePoint as a knowledge layer. If you’re building or governing Copilot agents, SharePoint content quality, governance, and access controls are now load-bearing — audit your SharePoint sprawl accordingly.

  • Copilot Call Delegation for Teams Phone [GA] — M365 Copilot can now answer incoming Teams Phone calls and schedule follow-up appointments on the user’s behalf, available via the Frontier program. This is a significant shift in what Copilot can act on autonomously — confirm your organization’s stance on AI call handling before users opt in, and review any compliance or recording obligations that apply to delegated calls.


Data

  • Purview DLP for Microsoft 365 Copilot Now Generally Available [GA] — DLP policies can now be scoped to Copilot Chat prompts and responses, preventing sensitive data from being surfaced or transmitted via Copilot interactions. This capability is included for all M365 Copilot and Copilot Chat users — no additional license required. Review your existing DLP policies and explicitly extend coverage to Copilot workloads if you haven’t already.

  • Data Security Posture Reports Now Generally Available [GA] — Purview Posture Reports provide an outcome-based view of whether sensitivity labels and DLP policies are consistently applied and enforced across M365 — answering the executive question “are our controls actually working?” rather than just generating alert volume. Use these reports to build your data protection audit narrative and identify control gaps before your next compliance review.

  • Data Security Posture Reports — Custom Workspaces and Charts in Public Preview [Preview] — Custom workspaces and chart configurations for Purview Posture Reports are now in public preview, enabling security and compliance teams to build executive-ready dashboards tailored to their specific data protection KPIs. If you’re already using the GA Posture Reports, enroll in preview to get ahead of custom reporting before it becomes a stakeholder ask.

  • Data Security Posture Management for AI — Holistic Overview [GA] — Purview DSPM for AI provides a unified monitoring surface covering Copilot, Azure AI Foundry agents, and third-party LLM-connected applications. This blog post is the clearest architectural overview of how DSPM for AI fits together with the broader Purview stack. If you’re standing up AI governance, this is your reference document for scoping what Purview covers versus what requires Defender or Entra controls.

  • Priority Cleanup V2: Faster, Simpler Data Purging for Exchange Online [GA] — Priority Cleanup V2 improves the hold-override deletion workflow for Exchange Online mailboxes — faster deletion speeds, a simplified approval process, and better operational review based on real-world feedback. If your organization deals with data spillage incidents or urgent litigation holds, test the V2 workflow against your IR playbook to validate timing assumptions.

  • The Advantages of Premium Cases in Purview eDiscovery [Preview] — E5 eDiscovery premium cases support up to 50,000 cases and 5 TB per search versus E3’s 10,000 cases and 2 TB — plus a preview of tenant-wide eDiscovery process and hold reports. If you’re running large-scale litigation or compliance investigations and hitting E3 limits, this is the capability delta that justifies the E5 licensing conversation with your legal team.


Network

  • What’s New in Global Secure Access: Lock Down AI, Web, and Private Apps [GA] — Global Secure Access Internet Access and Private Access have new controls targeting unsanctioned AI tool usage, sensitive data upload to external services, and prompt injection attack prevention — alongside continued improvements to private app access without VPN dependencies. If you haven’t deployed GSA Internet Access policies against AI service categories, this update is the right moment to evaluate that as a Shadow AI control layer.

Visibility & Automation

  • Tenant Configuration Management APIs Now Generally Available [GA] — The TCM APIs provide a programmatic foundation for enforcing configuration consistency and detecting drift across multi-tenant Entra environments. This is production-ready for MSPs and large enterprises managing multiple tenants — integrate these APIs into your IaC or CSPM tooling to automate governance at scale rather than relying on manual admin center reviews.

  • Securing AI Agents End-to-End: Purview DSPM, Agent 365, and the AI Security Dashboard [GA] — Security visibility for AI agents is fragmented across Purview DSPM, Agent 365, and the AI Security Dashboard, and most practitioners don’t have a clear picture of how they interlock. This post delivers the architectural blueprint connecting all three into a unified AI security posture management workflow. If you’re accountable for AI security in your org, this is required reading before your next architecture review.

  • Copilot Studio May 2026: Computer-Using Agents GA, New Workflows, Real-Time Voice [GA] — Computer-using agents (CUAs) — agents that can operate UI-based applications on behalf of users — are now generally available in Copilot Studio, alongside a redesigned workflows experience and real-time voice capabilities. CUAs represent a meaningful expansion of autonomous agent capability and attack surface; review your Copilot Studio governance policies and ensure agent scoping and permissions are appropriately restricted before broad deployment.

  • Exchange Server ESU Period 2 Announced: May 2026 Through April 2027 [GA] — If you missed the Exchange 2016/2019 migration window, Period 2 ESU extends security update coverage from May 2026 through April 2027. This is a lifeline for organizations still finalizing Exchange SE migrations — but it is not a migration substitute. Enroll if needed, set a hard migration deadline within the ESU window, and don’t let Period 2 become your new steady state.

  • High Volume Email Reaches GA in Exchange Online [GA] — Exchange Online High Volume Email (HVE) is now GA in the worldwide multi-tenant service, providing a supported mechanism for sending high-volume transactional and notification email directly from Exchange Online. If your organization is routing bulk email through third-party relay services for volume reasons, evaluate HVE as a consolidation opportunity — but review pricing before committing.

  • Updated Secure Boot Status Report in Windows Autopatch [GA] — Enhanced certificate-level visibility in the Autopatch Secure Boot report now surfaces readiness, trust configuration, and rollout confidence levels per device. If you’re managing Secure Boot certificate transitions across a heterogeneous Windows fleet, this report is now the right operational tool — use the confidence level and timestamp freshness indicators to prioritize remediation targeting.

  • Advancing Print Readiness Across Windows on Arm [GA] — Print driver and infrastructure readiness for Windows on Arm devices is improving, but remains a deployment blocker for some commercial environments. If you’re evaluating or rolling out Arm-based Windows hardware, validate your print infrastructure compatibility before broad deployment — especially for environments with legacy print servers or non-universal drivers.


Action Required

  • CVE-2026-42897 — Patch On-Prem Exchange Immediately [GA] — Patch now — disclosed May 14, 2026. An OWA XSS vulnerability affects Exchange Server 2016, 2019, and SE (all update levels). Exploitation requires a user to open a crafted email in OWA — no admin interaction needed. Exchange Online is not affected. Apply the fix immediately; this is an email-delivered attack vector with no viable compensating control short of disabling OWA.

  • Teams Live Events Retirement — June 30, 2026 Deadline [GA] — Hard deadline: June 30, 2026 — 4 weeks out. No new Live Events can be scheduled after this date. Graph APIs for creating Live Events are also being retired. Audit all scheduled Live Events, migrate recurring event templates to Town Halls, and update any Graph API integrations before the deadline. Events already on the calendar are honored through February 28, 2027 — do not rely on this as a migration buffer.

  • Purview DLP for Copilot — Review and Extend Your DLP Policies Now [GA] — Action within 30 days. DLP for M365 Copilot Chat is GA and included at no extra cost for all Copilot and Copilot Chat users. If your DLP policies were written before Copilot was in scope, they do not automatically extend to Copilot interactions. Review your DLP rule sets, explicitly add Copilot Chat as a workload target, and validate that sensitive information types are being evaluated against prompt and response content.