Top 5

  1. Entra Tenant Governance: Shadow Tenant Discovery GA — If your org has grown through acquisitions or has a history of ad-hoc tenant creation, this is the tool you’ve been waiting for. Entra Tenant Governance now discovers related tenants via B2B signals, multitenant app registrations, and shared billing, giving central IT visibility into shadow tenants that represent real but ungoverned attack surface. Start a discovery run and expect findings.

  2. Computer-Using Agents in Copilot Studio GA — Agents can now interact with web UIs, vendor portals, and legacy line-of-business apps without requiring an API — this is GA and it fundamentally changes the automation calculus for workflows that were previously RPA-only territory. Security and governance teams need to get ahead of the access scope and audit trail for these agents before business units deploy them at scale.

  3. Purview DSPM for AI GA — A unified monitoring plane for data exposure across Microsoft Copilot, Azure AI Foundry agents, and third-party LLM-backed apps is now generally available. If you don’t have a clear answer to “what sensitive data are our AI apps touching?”, DSPM for AI is where you start — it covers both first-party and cross-cloud AI workloads including AWS Bedrock.

  4. Exchange 2016/2019 ESU Period 2 Announced — Period 1 ESU ended April 2026; Period 2 runs May 2026 through April 2027 for orgs still migrating to Exchange SE. If you have on-premises Exchange 2016/2019, you need to be enrolled or you’re running unpatched. This is a hard deadline with a cost — plan your migration timeline now.

  5. IAKerb and LocalKDC Preview: NTLM Reduction in Windows — Windows Insider Canary channel is previewing IAKerb and LocalKDC, which extend Kerberos to scenarios that previously fell back to NTLM. This is a critical long-term dependency reduction for Zero Trust posture — watch the Canary channel closely and begin identifying NTLM-dependent workflows in your environment now while the feature matures.


Identity

  • Find Shadow Tenants and Reduce Risk Fast with Microsoft Entra Tenant Governance [GA] — Ungoverned tenants are a real and underappreciated attack surface — Entra Tenant Governance’s tenant discovery capability surfaces related tenants via B2B collaboration, multitenant app registrations, and billing relationships. Run a discovery scan, catalog what you find, and decide on a governance or decommission path for each shadow tenant. This is especially urgent post-acquisition.

  • Account Discovery for Entra ID Governance [GA] — When you connect a SaaS or on-prem app to Entra, existing accounts created outside governance workflows are now surfaced via account discovery, closing the visibility gap that’s made legacy app onboarding a governance blind spot. Use this to build accurate access reviews from day one rather than governing only net-new accounts.

  • Reducing NTLM Dependency: IAKerb and LocalKDC in Windows Insider Preview [Preview] — IAKerb and LocalKDC extend Kerberos to workgroup and direct-IP auth scenarios that previously required NTLM fallback, landing in Windows Insider Canary channel this month. Start auditing your NTLM usage now with Defender for Identity or event log tooling (Security event 4624 where AuthenticationPackageName is NTLM, and the Microsoft-Windows-NTLM/Operational log once the "Network security: Restrict NTLM" audit policies are enabled) so you have a baseline of NTLM-dependent hosts, accounts and processes before these capabilities move toward broad availability.

  • Secure External Attachments with Purview Encryption [GA] — Purview-encrypted attachments sent to external recipients behave very differently depending on whether guest accounts are provisioned — without guest accounts, external users hit access barriers, but enabling them can generate thousands of unexpected guest identities. Audit your CA policies and guest provisioning settings before broad deployment of Purview email encryption to avoid an uncontrolled B2B identity sprawl.

  • M365 Apps Cloud Update: Enhanced Rollout Waves [Preview] — Cloud Update for M365 Apps is moving out of the three-wave limit, adding support for more Entra ID group-based waves and configurable inter-wave delays. Preview is live in May, GA targets June — review your current wave configuration and plan to restructure phased deployments to take advantage of the additional granularity.

  • CVE-2026-54411: Linux-PAM Timing Side-Channel in pam_userdb [GA] — A timing discrepancy in pam_userdb’s plaintext comparison path allows a local or network-adjacent attacker to recover plaintext passwords when pam_userdb is configured with crypt=none or an unrecognized crypt method. If any Linux workloads in your environment use pam_userdb with plaintext credential storage, remediate the configuration immediately — this is exploitable by timing analysis alone.
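The NTLM baseline that the IAKerb/LocalKDC item above asks for can be pulled straight from the Windows event logs. The script below is an added example written for this digest, not tooling from Microsoft or from the original page. It assumes an elevated PowerShell session on a domain controller or member server with "Audit Logon" success auditing on (so 4624 events exist), and that the Microsoft-Windows-NTLM/Operational log is only populated if the "Network security: Restrict NTLM: Audit ..." policies have been set; the function names, the seven-day window and the grouping columns are this example's own choices.

```powershell
# Added example (not from the original page): inventory NTLM logons from the
# Security log and, where enabled, the NTLM operational audit log.
# Assumes: elevated session, 4624 auditing enabled, PowerShell 5.1 or 7.

function Get-NtlmLogonInventory {
    [CmdletBinding()]
    param(
        [int]$Days = 7,                               # look-back window (assumption)
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # 4624 carries its fields as <Data Name="...">value</Data> nodes in the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($node in $x.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        # Only keep logons that actually used NTLM (Kerberos logons say 'Kerberos').
        if ($d['AuthenticationPackageName'] -ne 'NTLM' -and $d['LmPackageName'] -notlike 'NTLM*') { continue }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Target      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType   = [int]$d['LogonType']        # 3 = network, 10 = RDP, etc.
            NtlmVersion = $d['LmPackageName']         # 'NTLM V1' or 'NTLM V2'
            Workstation = $d['WorkstationName']
            SourceIp    = $d['IpAddress']
            Process     = $d['ProcessName']
        }
    }
}

# Group the raw logons so the NTLM-dependent sources (and any NTLMv1) stand out.
function Get-NtlmSourceSummary {
    param([object[]]$Logons)
    $Logons |
        Group-Object Workstation, SourceIp, NtlmVersion |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Workstation = $first.Workstation
                SourceIp    = $first.SourceIp
                NtlmVersion = $first.NtlmVersion
                Logons      = $_.Count
                Accounts    = ($_.Group.Target | Sort-Object -Unique) -join ', '
                LastSeen    = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        } | Sort-Object Logons -Descending
}

# Event counts from the NTLM audit log (8001-8004: outgoing, incoming and
# domain-level NTLM audit events). Empty until the Restrict NTLM audit policies are set.
function Get-NtlmOperationalSummary {
    param([int]$Days = 7, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

# Usage: run once per server (or loop over your DCs) and keep the output as the baseline.
$logons = Get-NtlmLogonInventory -Days 7
Get-NtlmSourceSummary -Logons $logons | Format-Table -AutoSize
Get-NtlmOperationalSummary -Days 7 | Format-Table -AutoSize
```

Run it against every domain controller rather than one: 4624 is logged on the machine that accepted the logon, so a member server's NTLM traffic only shows up on that server or, for domain accounts, on the DC that validated it. Any row with NtlmVersion of NTLM V1 is the first thing to chase, since it will not survive an NTLM restriction policy regardless of what IAKerb and LocalKDC eventually cover.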


Devices

  • Updated Secure Boot Status Report in Windows Autopatch [GA] — The Secure Boot status report in Autopatch now surfaces certificate-level details including trust configuration, confidence level, and freshness timestamps — exactly what you need to plan and validate a Secure Boot certificate rollout. Use the new interactive device-level view to prioritize remediation and verify your rollout strategy before initiating cert updates.

  • Admin Insights for Windows 365 — Public Preview [Preview] — A new aggregated insights surface for Windows 365 is now in public preview, designed to surface the highest-priority environmental signals without requiring admins to hunt across multiple reports. Enable the preview in your tenant and validate that the signal prioritization aligns with your operational runbook — early feedback will shape GA behavior.

  • Protect Browser-Based Work on Agency-Managed Windows PCs [GA] — Intune now supports app protection policies scoped to browser-based work on Windows PCs that are already enrolled in a third-party MDM (e.g., a contractor’s agency MDM), without requiring full re-enrollment. This unblocks data protection for extended workforce scenarios that were previously a policy gap — evaluate your contractor onboarding workflows against this new capability.

  • Admin Tasks in Microsoft Intune GA [GA] — Intune now aggregates high-impact approval actions — privilege requests, security remediations, configuration changes — into a single admin tasks view rather than scattering them across multiple console blades. Wire this into your SOC/ops workflow and validate that the right admin roles are scoped to review and approve tasks promptly.

  • Microsoft Intune: Android Enterprise Management Support for Android XR [GA] — Intune now supports Android Enterprise enrollment, policy, and app management for Android XR devices including the Samsung Galaxy XR headset. If your org is evaluating XR hardware for field or productivity use cases, existing Android Enterprise profiles and compliance policies apply — no new management framework required.

  • Microsoft 365 Adds Advanced Intune Solutions at Scale [GA] — Advanced Intune Suite capabilities are being bundled into broader M365 plans rolling out in CY26 Q3 — 30-day Message Center notice will precede tenant enablement. Review your current Intune Suite licensing and determine whether the bundled capabilities change your procurement or deployment roadmap before Q3.

  • What’s New in Microsoft Intune — March [GA] — March’s Intune update focuses on compliance visibility improvements, timelier device check-in notifications, and expanded Apple device and mobile app management capabilities. Review the full changelog and map the Apple MDM enhancements against any open gaps in your macOS or iOS compliance policy coverage.

  • Three New Partners for Multi-Tenant Management with Intune [GA] — Microsoft has added three new ISV partners to the Intune multi-tenant management ecosystem, giving MSPs additional options for delivering managed Intune at scale without building custom tooling. MSPs managing M365 tenants at volume should evaluate the new partner offerings against their current toolchain for operational efficiency gains.


Apps

  • Computer-Using Agents in Microsoft Copilot Studio GA [GA] — Agents can now autonomously interact with web UIs, vendor portals, and legacy apps without API dependencies, going GA this week after filling the automation gap that RPA tools have struggled with at scale. Before business units deploy these broadly, establish governance policies covering agent identity, allowed app scope, audit logging, and data handling — the blast radius of a misconfigured computer-using agent is significant.

  • Agent Evaluation in Microsoft Copilot Studio GA [GA] — Structured evaluation with test sets and automated scoring is now GA in Copilot Studio, providing a repeatable quality gate for agents moving into production. Mandate evaluation runs as part of your agent deployment approval process — spot-checking is not sufficient at production interaction volumes.

  • Automate Agent Evaluation with the Evaluation APIs [GA] — The Evaluation APIs let you integrate Copilot Studio agent testing into CI/CD pipelines, making evaluation a continuous rather than one-time gate. If your team is building or managing agents in Copilot Studio, plug these APIs into your deployment pipeline now — regression testing for agent behavior is no longer optional in production.

  • What’s New in Microsoft 365 Copilot — April 2026 [GA] — April’s Copilot wave includes Copilot Notebooks updates, Plan mode and Python support in Excel, image editing and public website grounding in PowerPoint, and Claude model availability in Copilot Chat. Review the full changelog and update your end-user enablement materials — several features require user awareness to drive adoption and a few may warrant communication on data handling (e.g., public website grounding).

  • Microsoft 365 Copilot: ISO/IEC 42001 Recertification [GA] — M365 Copilot achieved back-to-back ISO 42001 AI management system recertification with zero non-conformities, providing independently validated assurance for compliance and procurement conversations. Use this as supporting evidence in your AI governance documentation and vendor risk assessments.

  • Teams Interpreter: Simultaneous Mode Enhancements [GA] — Teams Interpreter gains per-speaker distinct voice assignment, admin control to disable voice simulation via PowerShell, shimmer effects scoped to interpreter users only, and audio activation confirmations — GA targeting July 2026. Admins who have previously deployed Interpreter should review the new PowerShell controls to align with organizational policy on voice simulation.

  • Power Fx: User Defined Types Generally Available [GA] — User Defined Types are now on by default for new Power Apps as of Studio version 3.26044, with opt-in for existing apps via Settings > Updates > New. Review existing apps before enabling UDTs — test for behavioral changes in complex formulas before rolling out to production apps.

  • Finance Agent in Microsoft 365 Copilot [GA] — The Finance Agent extends Copilot into record-to-report, source-to-pay, and forecast-to-plan workflows, GA as part of M365 Copilot. Finance teams piloting this should work with compliance to confirm data residency and audit trail requirements are met before using it for reportable financial outputs.


Data

  • Data Security Posture Management for AI [GA] — Purview DSPM for AI provides a unified console to monitor sensitive data exposure across Microsoft Copilot, Azure AI Foundry, custom AI agents, and third-party LLM applications — this is the single pane you need to answer “what sensitive data are our AI systems accessing?” Start a discovery sweep against your AI app inventory and use the findings to prioritize labeling and DLP policy gaps.

  • Extend Microsoft Purview Data Protection to AWS Bedrock Agents [GA] — Purview can now act as the central policy engine for AI workloads running on AWS Bedrock, enabling consistent sensitivity label enforcement and DLP controls across cloud boundaries. If your org runs hybrid AI (M365 data + AWS inference), this closes the cross-cloud governance gap — map your Bedrock agent data flows and apply Purview policies now.

  • Purview Data Security Posture Reports GA [GA] — Posture Reports deliver an outcome-based view of sensitivity label and DLP policy effectiveness across M365 — answering “are controls consistently applied?” rather than just surfacing individual alerts. Use these reports to drive board-level and CISO-level security posture conversations and identify coverage gaps in your labeling taxonomy.

  • Data Security Posture Reports: Custom Workspace and Charts — Public Preview [Preview] — Custom workspaces and charts for Purview Posture Reports are now in public preview, enabling teams to build executive-ready dashboards from Audit telemetry without exporting raw data. Enable the preview and start building role-specific views — custom charts are particularly valuable for demonstrating DLP coverage to auditors.

  • Purview Data Security Investigations: Pre-Built Search Templates [GA] — Pre-configured search templates for common data security investigation scenarios are GA in June 2026, reducing investigation setup from manual query-building to a few clicks. Update your IR playbooks to reference the available templates — this meaningfully reduces mean time to scope for data security incidents.

  • Purview eDiscovery Premium Cases [Preview] — E5 eDiscovery Premium now supports up to 50,000 cases and 5 TB per search versus E3’s 10,000/2 TB limits, plus tenant-wide holds reporting in preview. If your legal team is hitting case or volume ceilings in eDiscovery, validate your license tier and evaluate whether E5 Premium cases are warranted given upcoming litigation or regulatory activity.

  • Bulk Deletion in Microsoft Dataverse [GA] — Native Dataverse bulk deletion capabilities have been expanded, giving admins better tools to manage storage consumption from accumulated data at scale. Audit your high-volume Dataverse environments for stale records and schedule bulk deletion jobs to reclaim storage before it affects capacity thresholds.


Network

  • Lock Down AI, Web, and Private Apps: What’s New in Internet Access and Private Access [GA] — Global Secure Access now includes controls specifically targeting unsanctioned AI service access, prompt injection protection, and private app security without backhauling traffic — all addressable from the Entra admin center. If you haven’t scoped an Internet Access profile that restricts unsanctioned AI tools, this week’s update gives you the controls to do it; Shadow AI is now a solvable network policy problem.

  • CVE-2026-12012: Chromium Use-After-Free in Edge [GA] — A Chromium use-after-free vulnerability affecting the network stack has been patched in the upstream Chromium release ingested by Microsoft Edge. Validate your Edge update rings are current — managed devices should be verified via Intune compliance or Defender for Endpoint’s software inventory within the next patch cycle.


Visibility & Automation

  • Exchange 2016/2019 ESU Period 2 Announced [GA] — Period 1 ESU ended April 2026; Period 2 covers May 2026 through April 2027 for orgs still running Exchange 2016 or 2019 on-premises. If you have not enrolled in Period 2 and are not yet on Exchange SE, you are currently running an unsupported, unpatched mail server — this is a hard security and compliance risk that requires immediate action or an accelerated migration commitment.

  • Computer-Using Agents in Copilot Studio — May 2026 Roundup [GA] — The May Copilot Studio update bundles computer-using agents GA, a redesigned workflows experience, and Work IQ extensibility into a single release. Review the redesigned workflows surface against any automation workflows you’ve previously built — structural changes in workflow UX can break existing configurations.

  • ASSERT: Open-Source Framework for Agent Evaluation [GA] — Microsoft’s ASSERT framework converts natural language behavioral specifications into executable evaluations for AI models and agents, published as open source. If your team is building agents, ASSERT gives you a structured, repeatable way to convert your behavioral requirements doc into automated test coverage — worth integrating alongside Copilot Studio’s native evaluation tooling.

  • Windows on Arm: Print Readiness Improvements [GA] — Print driver compatibility for Arm64 Windows has expanded, reducing one of the key blockers for commercial Arm device adoption. If printing gaps have held back Arm device pilots in your org, re-evaluate compatibility against the updated driver ecosystem before ruling out Arm hardware for new deployments.

  • Made for Developers and Agents — Windows 365 at Build 2026 [GA] — Build 2026 brings developer-focused Windows 365 enhancements including streamlined Cloud PC onboarding for dev scenarios and agent hosting capabilities backed by the same security posture as standard Cloud PCs. If your org is standing up AI agent infrastructure, Windows 365 as a managed agent execution environment is now a viable and auditable option.

  • Admin Insights for Windows 365 — Public Preview [Preview] — Admin Insights consolidates the highest-priority Cloud PC health and action signals into a single view, reducing the time admins spend correlating across multiple Windows 365 reports. Enroll in the preview and validate that the prioritization logic matches your operational priorities — your feedback directly influences the GA experience.


Action Required

  • Exchange 2016/2019 ESU Period 2 — Immediate Enrollment Required [GA] — Deadline: May 2026 start / April 2027 end for Period 2. If you are running Exchange 2016 or 2019 on-premises and Period 1 ESU has lapsed, you are currently unprotected. Enroll in Period 2 ESU immediately or commit to an accelerated migration to Exchange SE — running unpatched on-premises Exchange is not an acceptable security posture.

  • CVE-2026-12012: Patch Edge Now [GA] — Action within current patch cycle. A use-after-free vulnerability in the Chromium network stack affects Edge — verify all managed devices are running the latest Edge build via Intune compliance policy or Defender for Endpoint software inventory. Don’t rely on auto-update alone; confirm coverage across your managed fleet.

  • CVE-2026-54411: Audit pam_userdb Configurations on Linux Workloads [GA] — Action immediately if applicable. Linux-PAM through 1.7.2 with crypt=none or no crypt= argument leaks plaintext passwords via timing analysis. Audit all Linux systems in your environment for pam_userdb usage (lines in /etc/pam.d/* that load pam_userdb.so), set crypt=crypt so the module compares against a hashed value, or remove plaintext credential storage altogether, and update PAM packages when vendor patches are available.

  • Intune Advanced Suite Bundling — CY26 Q3 Rollout Incoming [GA] — 30-day Message Center notice precedes tenant enablement. Advanced Intune Suite capabilities are being added to broader M365 plans starting CY26 Q3. Review your licensing, determine whether newly bundled capabilities change your existing Intune Suite procurement, and plan for any configuration or policy changes triggered by new feature availability in your tenant.

  • Computer-Using Agents: Establish Governance Before Business Unit Deployment [GA] — 30-day governance window. Computer-using agents are GA and accessible to makers in Copilot Studio — without proactive governance, business units will deploy agents with broad UI access and no audit controls. Define and publish agent governance policy covering identity scope, data handling, audit logging requirements, and approval workflows before the first production agent goes live in your tenant.
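The pam_userdb audit called for above can be scripted against the PAM configuration files. The script below is an added example for this digest, not code from the advisory or from Linux-PAM. It assumes you either run PowerShell 7 (pwsh) on the Linux host or run it on an admin workstation against /etc/pam.d files collected from your fleet; the rule it applies follows the advisory text: only crypt=crypt is treated as safe, and crypt=none, a missing crypt= argument or any other crypt value is flagged as the plaintext comparison path. The function names and the sample PAM lines are this example's own and are constructed, not taken from a real host.

```powershell
# Added example (not from the original page): find pam_userdb lines that
# fall back to plaintext password comparison.
# Assumes: pwsh on the Linux host, or /etc/pam.d files copied locally.

function Test-PamUserdbLine {
    param([string]$Line, [string]$File = '<input>', [int]$LineNumber = 0)
    $trimmed = $Line.Trim()
    if ($trimmed -eq '' -or $trimmed.StartsWith('#')) { return $null }
    if ($trimmed -notmatch 'pam_userdb(\.so)?(\s|$)') { return $null }

    # PAM syntax: type  control  module-path  [module-arguments...]
    # The control field may contain spaces ([success=1 default=ignore]), so locate
    # the module token and treat everything after it as module arguments.
    $tokens = $trimmed -split '\s+'
    $idx = -1
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        if ($tokens[$i] -match 'pam_userdb(\.so)?$') { $idx = $i; break }
    }
    $modArgs = @()
    if ($idx -ge 0 -and $idx + 1 -lt $tokens.Count) { $modArgs = $tokens[($idx + 1)..($tokens.Count - 1)] }

    # Last occurrence wins, matching how repeated options are normally read.
    $cryptArg = $modArgs | Where-Object { $_ -like 'crypt=*' } | Select-Object -Last 1
    $dbArg    = $modArgs | Where-Object { $_ -like 'db=*' }    | Select-Object -Last 1
    $mode = if ($cryptArg) { ($cryptArg -split '=', 2)[1] } else { '(absent)' }

    [pscustomobject]@{
        File       = $File
        Line       = $LineNumber
        Db         = if ($dbArg) { ($dbArg -split '=', 2)[1] } else { '(absent)' }
        CryptMode  = $mode
        Vulnerable = ($mode -ne 'crypt')   # crypt=none, absent, or unrecognized value
        Text       = $trimmed
    }
}

function Get-PamUserdbFindings {
    param([string]$Path = '/etc/pam.d')
    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $file = $_.FullName
        $n = 0
        foreach ($line in Get-Content -Path $file) {
            $n++
            $r = Test-PamUserdbLine -Line $line -File $file -LineNumber $n
            if ($r) { $r }
        }
    }
}

# Constructed sample input (not from any real system) to show each outcome.
$sample = @'
# sample PAM stack
auth     required    pam_unix.so
auth     sufficient  pam_userdb.so db=/etc/vsftpd/login
auth     sufficient  pam_userdb.so db=/etc/vsftpd/login crypt=none
auth     sufficient  pam_userdb.so db=/etc/vsftpd/login crypt=crypt
account  [success=1 default=ignore] /lib/security/pam_userdb.so db=/etc/app/users crypt=md5
'@ -split "`r?`n"

$n = 0
$sample | ForEach-Object { $n++; Test-PamUserdbLine -Line $_ -File 'sample' -LineNumber $n } |
    Format-Table File, Line, Db, CryptMode, Vulnerable -AutoSize
# Expected: lines 3 (absent), 4 (none) and 6 (md5) flagged; line 5 (crypt) not flagged.

# Real run on a host or a collected config tree:
#   Get-PamUserdbFindings -Path /etc/pam.d | Where-Object Vulnerable | Format-Table -AutoSize
```

Treat every flagged row as a configuration to fix, not just the crypt=none ones: a missing crypt= argument is the default plaintext path the advisory names, and switching to crypt=crypt also requires the database values themselves to be stored as crypt(3) hashes (rebuild the db with hashed values before flipping the option, or logins will fail).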