Modern Work Weekly — Week of 2026-06-09
Teams Live Events dies June 30 — migrate now. Exchange Server OWA has an active XSS CVE. Meanwhile, Purview ships posture reporting, Copilot Studio goes fully agentic with computer-use GA, and Entra tackles shadow tenant sprawl.
Top 5 This Week
CVE-2026-42897 — Exchange Server OWA XSS (Active Vulnerability): All on-prem Exchange 2016, 2019, and SE versions are affected by an XSS flaw exploitable via a crafted email opened in OWA. Exchange Online is unaffected. Patch or mitigate immediately — no excuse to wait on this one.
Teams Live Events retirement — June 30, 2026: Scheduling closes in three weeks. Any live events already on the calendar will run through February 28, 2027, but nothing new can be created after the deadline. If you have recurring large-format event workflows or Graph API integrations built on live events, migration to Town Hall is urgent, not optional.
Computer-Using Agents in Copilot Studio now GA: Agents can now drive UI in vendor portals, legacy line-of-business apps, and internal web tools without APIs or brittle RPA scripts. This materially expands the automation surface — and the governance surface. Review your Copilot Studio data loss prevention and connector policies before agents start clicking through apps that hold sensitive data.
Entra Tenant Governance — Shadow Tenant Discovery GA: If your org has grown through acquisitions, dev projects, or regional expansion, there are almost certainly tenants outside your visibility. This feature surfaces them via B2B, multitenant app, and billing signals. Run discovery before your next security review.
Purview Data Security Posture Reports GA + Custom Workspaces in Preview: You can now produce executive-ready evidence that sensitivity labels and DLP policies are actually reducing risk at scale — not just that policies exist. The custom workspace/charts feature is in preview. Both are worth enabling now if you’re heading into an audit cycle.
Identity
Retiring Teams Live Events [GA] — Deadline: June 30, 2026. No new live events can be scheduled after this date; existing bookings run until February 28, 2027. Audit your Graph API integrations and scheduled events now, and migrate recurring large-scale event workflows to Town Hall before the cutoff.
Find Shadow Tenants with Microsoft Entra Tenant Governance [GA] — Unmanaged tenants from acquisitions, dev projects, and partner engagements represent a real blind spot in most enterprise identity postures. Tenant Governance now discovers related tenants via B2B collaboration signals, multitenant app registrations, and shared billing relationships. Run discovery and get those orphaned tenants into your governance model.
Account Discovery in Entra ID Governance [GA] — When you connect a SaaS or on-premises app to Entra, pre-existing accounts created outside modern governance workflows remain invisible to access reviews and lifecycle policies. Account Discovery surfaces those accounts from day one, letting you bring them into joiner-mover-leaver workflows immediately rather than accumulating orphan accounts.
Microsoft’s Perspective on Agentic Identity Standards [GA] — Microsoft has published its position on emerging IAM standards for agentic workloads, where software agents exhibit less predictable behavior than traditional service principals. This is directional guidance for IAM architects planning identity governance models for AI agents — read it before you finalize your non-human identity strategy.
Adaptive Context-Based Redirections in Windows 365 — Public Preview [Preview] — Windows App now supports granular device and resource redirection controls driven by compliance posture, device management state, group membership, and network conditions. This is the BYOD story for Cloud PCs: users on unmanaged or contractor-managed devices get contextually scoped access rather than blanket block-or-allow. Evaluate for your unmanaged device population.
Secure External Attachments with Purview Encryption — CA and Guest Account Interactions [GA] — If you’re using Purview Information Protection to encrypt email attachments sent externally, the recipient experience forks sharply based on whether guest accounts are provisioned: guest recipients get seamless access, but that path can generate thousands of new guest objects; non-guest recipients hit friction. Review your Conditional Access (CA) policies and guest account settings before rolling out Purview-encrypted external sharing at scale.
Reducing NTLM Dependency: IAKerb and LocalKDC in Windows Insider Preview [Preview] — IAKerb and LocalKDC extend Kerberos to workgroup and local authentication scenarios that have historically required NTLM fallback. Currently Canary Channel only, but this is the foundational work for eventually blocking NTLM at the OS level. Start tracking this if NTLM deprecation is on your roadmap.
Devices
Updated Secure Boot Status Report in Windows Autopatch [GA] — The Secure Boot report now surfaces certificate-level trust configuration, readiness for Secure Boot certificate updates, confidence levels, and alert timestamps — all directly integrated into the certificate rollout workflow. If you’re managing Secure Boot certificate transitions across a large fleet, this report replaces a lot of manual querying.
Admin Insights for Windows 365 — Public Preview [Preview] — A new insights surface in the Windows 365 admin experience that aggregates signals requiring attention across your Cloud PC estate into a single prioritized view. Enable it now in preview if you manage Cloud PCs at scale — early signal on what the GA dashboard will look like.
Browser-Based Work Protection on Agency-Managed Windows PCs [GA] — Intune now supports data protection policies for browser-based work on Windows PCs your org doesn’t own and can’t fully enroll — specifically targeting contractor devices already enrolled in another agency’s MDM. This closes a meaningful gap in the federal and contractor-heavy enterprise model without requiring dual enrollment.
What’s New in Microsoft Intune — March [GA] — March updates focus on faster check-in notifications (fixing delays from offline/low-battery states), improved compliance visibility, and expanded Apple device and mobile app management capabilities. Review the full changelog if you manage iOS/macOS fleets or rely on compliance-triggered Conditional Access.
Admin Tasks in Microsoft Intune Now GA [GA] — Admin Tasks aggregates high-impact approvals, privilege requests, security remediation actions, and configuration changes into a single workflow surface in the Intune console. This directly addresses audit readiness and reduces the sprawl of decision points across multiple consoles — worth configuring for your SOC/IT handoff workflows.
Intune Suite Capabilities Coming to Microsoft 365 — CY26 Q3 [GA] — Advanced Intune Suite capabilities will be bundled into Microsoft 365 plans beginning CY26 Q3, with 30-day Message Center notice before tenant rollout. If you’re licensing these capabilities standalone today, revisit your SKU strategy — this may change your cost model.
Intune Android Enterprise Support for Android XR [GA] — Intune now manages Samsung Galaxy XR headsets via standard Android Enterprise enrollment, policy, and app management workflows. If your org is evaluating XR hardware for field or frontline scenarios, the management story is now consistent with your existing Android Enterprise posture.
Three New Partners for Intune Multi-Tenant Management [GA] — Three new MSP-focused partners now integrate natively with Intune’s multi-tenant management APIs, reducing the need for custom tooling or non-Microsoft platforms. Relevant if you’re an MSP managing multiple customer tenants or evaluating outsourced endpoint management models.
Apps
CVE-2026-42897 — Exchange Server OWA XSS Vulnerability [GA] — Exchange 2016, 2019, and SE on-premises are all vulnerable to arbitrary JavaScript execution via a crafted email opened in OWA; Exchange Online is not affected. Patch immediately — the attack vector is email delivery, with no preconditions beyond a user opening the message in OWA.
Copilot in OneNote Now Understands Images, Tables, and Note Tags [GA] — Copilot’s grounding in OneNote now extends beyond typed text to include images, tables, and note tags, improving accuracy of summarization and extraction across rich-content notebooks. No admin action required, but worth communicating to users whose notebooks rely heavily on structured or visual content.
Microsoft 365 Copilot Achieves ISO 42001 Recertification [GA] — Copilot and Copilot Chat completed their second consecutive ISO/IEC 42001:2023 recertification with zero non-conformities. If you’re managing AI risk registers or responding to procurement questionnaires about AI system governance, this certification evidence is now available for year two.
Finance Agent in Microsoft 365 Copilot — Expanded Capabilities [GA] — The Finance Agent now covers a broader range of finance workflows including record-to-report, source-to-pay, and forecast-to-plan scenarios. If your finance team is on M365 Copilot, this is worth a pilot — but ensure your data residency and sensitivity label coverage over financial data is solid before broad rollout.
Copilot in PowerPoint Agent Mode — Style Reference from Existing Deck [Preview] — Delayed in development; rolling out mid-June 2026. When available, Copilot Agent Mode in PowerPoint will apply an attached deck’s theme and styles to newly generated presentations, reducing manual reformatting. Watch for Message Center confirmation before communicating GA to users.
High Volume Email (HVE) Now GA in Exchange Online [GA] — Exchange Online HVE is now generally available in the worldwide multi-tenant service. If you run transactional or notification email through Exchange Online at scale, review the HVE pricing model and documentation — this changes the recommended architecture for high-throughput sending scenarios.
Data
Purview Data Security Posture Reports — GA [GA] — Posture Reports deliver an outcome-based view of whether sensitivity labels and DLP policies are actually enforced consistently across M365 — not just whether they’re configured. This is the answer to “prove your controls are working” in audit and regulatory conversations. Enable and baseline now before your next compliance review.
Purview Data Security Posture Reports — Custom Workspaces and Charts in Preview [Preview] — Custom workspaces let you tailor posture report views and charts for specific audiences — executives, compliance teams, or business unit owners. Built on Audit log telemetry. Enable the preview alongside the GA posture reports to get ahead of the executive reporting ask.
Purview DSPM for AI — Deep Dive [GA] — A comprehensive walkthrough of how Purview DSPM for AI monitors data exposure across Microsoft Copilot, Azure AI Foundry agents, and third-party LLM-connected apps. If you haven’t scoped your DSPM for AI coverage yet, this post is the reference — it maps the full monitoring surface including agent-generated interactions.
Priority Cleanup V2 for Exchange Online — GA [GA] — V2 of Priority Cleanup improves approval workflows, deletion speed, and review processes for urgently purging mailbox content that’s under retention or eDiscovery hold. If you’ve hit data spillage scenarios where V1’s speed or approval friction was a problem, the V2 changes address those directly.
AI-Powered DLM Diagnostics MCP Server — Open Source Release [GA] — Microsoft has open-sourced a Model Context Protocol (MCP) server that enables AI-driven diagnosis of Data Lifecycle Management policy failures — retention not applying, archive mailboxes not expanding, inactive mailbox purge failures. This is a practical operational tool; worth deploying if your team regularly debugs DLM policy behavior.
Microsoft Purview Referential Architecture Diagrams [GA] — Updated reference architecture diagrams covering classification, sensitivity labeling, DLP, and Insider Risk signal flows across M365 workloads. Use these for design reviews, onboarding documentation, and communicating policy enforcement boundaries to stakeholders — they’re the clearest official representation of how Purview evaluation actually works.
Purview eDiscovery Premium Cases — Capability Overview [Preview] — Detailed breakdown of E5 eDiscovery Premium advantages over E3: 50,000 case limit vs. 10,000, 5 TB per search vs. 2 TB, and a preview tenant-wide holds/process report. If your legal team is hitting scale limits in E3 eDiscovery, this documents the upgrade case clearly.
Building a Curated Agent Store to Scale Agent Adoption [GA] — Guidance on creating governed, curated agent catalogs that prevent ungoverned agent sprawl while enabling business adoption. Directly relevant to orgs trying to balance “let teams build agents” with “don’t let agents exfiltrate data or accumulate permissions.”
Network
What’s New in Global Secure Access: Lock Down AI, Web, and Private Apps [GA] — Internet Access and Private Access updates address the specific threat surface of generative AI adoption: identifying unsanctioned AI tool usage, preventing sensitive data upload to uncontrolled AI services, and blocking prompt injection vectors. If you haven’t scoped GSA Internet Access policies to cover AI SaaS categories, this is your operational checklist.
The Gentlemen Ransomware — Storm-2697 Go-Based Self-Propagating Encryptor [GA] — Microsoft Threat Intelligence analysis of a Go-based ransomware using per-file ephemeral key encryption combined with simultaneous lateral movement techniques across target networks. Review the IOCs and lateral movement TTPs against your network segmentation and Defender for Endpoint detection rules — self-propagation at this level makes containment time-critical.
Visibility & Automation
Computer-Using Agents in Copilot Studio — Now GA [GA] — Agents can now directly interact with browser UIs, vendor portals, and legacy line-of-business systems without APIs or RPA tooling. This is a significant expansion of the automation attack surface: review your DLP, connector governance, and Conditional Access policies for Copilot Studio before agents start operating against sensitive internal systems.
Agent Governance at Scale with Microsoft Entra [GA] — As agents proliferate across admin portals without clear ownership or lifecycle management, Entra is positioning agent identity governance as a first-class capability. The post outlines accountability frameworks, lifecycle controls, and access guardrails for AI agents. If you’re seeing unowned agents in your tenant already, this is where to start.
Agent Evaluation in Copilot Studio — Now GA [GA] — Automated evaluation runs test sets against agents at scale to validate behavior, tool usage, and response correctness continuously — not just at build time. For production agents handling sensitive workflows, this is table stakes: configure evaluation pipelines before agents go live, not after incidents.
Automate Agent Evaluation with Evaluation APIs [GA] — The Evaluation APIs extend the GA Agent Evaluation capability to CI/CD pipelines, enabling automated regression testing as agents evolve. If your dev team is shipping agent updates on a cadence, integrate these APIs into your deployment gates now.
Exchange 2016/2019 ESU Period 2 — May 2026 Through October 2026 [GA] — Period 1 ESU ended April 2026; Period 2 runs May through October 2026 for orgs that couldn’t complete migration to Exchange SE. If you’re still running 2016/2019, enroll in Period 2 now — and given CVE-2026-42897, staying unpatched on expired support is an active risk, not just a compliance footnote.
Windows Autopatch Secure Boot Status Report — Updated [GA] — The updated report adds certificate-level detail, trust configuration visibility, and confidence scoring that fits directly into Secure Boot certificate rollout planning. Use this as your primary readiness assessment tool before executing Secure Boot certificate update campaigns.
Microsoft Edge Security Update Alerts in Edge Management Service [Preview] — Admins will be able to set a severity threshold and receive alerts when an Edge update contains security fixes at or above that level, including zero-days. GA targeted July 2026; preview available now. Enroll if you need tighter control over how the urgency of security-driven Edge updates is communicated.
Windows 365 at Build 2026 — Developer and Agent Workload Expansions [GA] — Build 2026 announcements position Windows 365 as compute infrastructure for both developers (streamlined onboarding, flexible SKUs) and autonomous agents (secure, governed execution environments). If your org is planning agent infrastructure at scale, Windows 365 is now a first-class option alongside Azure Container Instances.
Action Required
CVE-2026-42897 — Exchange Server OWA XSS — PATCH NOW [GA] — Immediate action required. All on-premises Exchange 2016, 2019, and SE installations are vulnerable to JavaScript injection via crafted email in OWA. Exchange Online is not affected. Apply the May 2026 security update to all on-prem Exchange servers now — the exploit requires only that a user open a malicious email in OWA, making this a low-barrier, high-impact risk.
Teams Live Events Retirement — Deadline June 30, 2026 [GA] — 21 days remaining. New live event scheduling closes permanently on June 30, 2026. Audit all scheduled live events, identify Graph API integrations that create or manage live events, and migrate event workflows to Town Hall before the deadline. Events already scheduled will run until February 28, 2027.
Exchange 2016/2019 ESU Period 2 Enrollment [GA] — Active now through October 2026. If you’re still running Exchange 2016 or 2019 and Period 1 ESU has lapsed, enroll in Period 2 immediately — both to receive security patches (including CVE-2026-42897 mitigations) and to maintain a supported posture while completing migration to Exchange SE. Running unpatched on these versions is now a critical risk.
Computer-Using Agents in Copilot Studio — Governance Review Required [GA] — Review within 30 days. With computer-use agents now GA, agents can interact with any web UI including internal systems holding sensitive data. Audit your Copilot Studio environment, Conditional Access policies, and DLP rules before agents are deployed against production systems. Establish agent identity governance policies aligned to the Entra guidance published this week.
Intune Suite Capabilities Rolling Into Microsoft 365 — CY26 Q3 [GA] — Plan within 30 days. Advanced Intune Suite features will begin appearing in M365 tenants in CY26 Q3 with 30-day Message Center notice. Review your current Intune Suite add-on licensing — if you’re paying for standalone Suite SKUs that will be included in your M365 plan, you’ll want to adjust renewal planning before overspending on the next cycle.
