Microsoft Schedules Certificate Transition for Entra Service, Urges IT Admins to Prepare

Tue 9th Dec, 2025

Microsoft has announced an upcoming change to its Entra identity and access management service, which will see the underlying digital certificates updated to enhance security and compliance. This transition is set to take place in early January 2026, and IT administrators are advised to review and update their systems to avoid potential authentication issues.

The Entra service currently relies on certificates issued under the DigiCert Global Root G1. Microsoft plans to migrate to certificates based on the DigiCert Global Root G2, a newer root certificate authority (CA) recognized for its improved security standards. This migration aims to strengthen trust and maintain compliance with evolving cybersecurity requirements.

According to Microsoft, the shift to the DigiCert Global Root G2 will affect all authentication and secure communication functions within the Entra service. Systems that either pin the DigiCert Global Root G1 certificate or lack trust in the new DigiCert Global Root G2 could experience authentication failures once the transition occurs. Affected domains include key endpoints such as login.microsoftonline.com, login.live.com, login.windows.net, autologon.microsoftazuread-sso.com, and graph.windows.net.

Digital certificates issued by certificate authorities form the backbone of secure communications, providing the trust framework necessary for encrypted data exchanges and identity verification. The root CA is the top tier in this hierarchy, and all subordinate certificates derive their trust from it. Updating the root CA to DigiCert Global Root G2 positions Microsoft to offer stronger security assurances for its Entra customers.

IT administrators are strongly encouraged to proactively assess their environments. Microsoft recommends that all root and subordinate CAs from the Azure Certificate Authority be classified as trusted within organizational IT systems. In particular, it is crucial to ensure that trust is established for the DigiCert Global Root G2 and its subordinate authorities. Any existing certificate pinning configurations referencing the DigiCert Global Root G1 should be updated or removed. Microsoft provides guidelines to assist with these changes, aiming to minimize service disruption during the transition.
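A way to triage a trust store for this change, as an added example that is not taken from Microsoft's guidance or from the original article: it classifies a store from the entries Python's `ssl.SSLContext.get_ca_certs()` returns. It assumes the root the article calls DigiCert Global Root G1 carries the subject common name "DigiCert Global Root CA"; the function names, status labels and sample entries are constructed for illustration.

```python
import ssl

# Assumption: the root the article calls "DigiCert Global Root G1" carries the
# subject common name "DigiCert Global Root CA"; the new root is named as on the page.
OLD_ROOT_CN = "DigiCert Global Root CA"
NEW_ROOT_CN = "DigiCert Global Root G2"

def common_name(cert):
    """Return the subject CN of a dict shaped like SSLContext.get_ca_certs() entries."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def assess_trust_store(ca_certs):
    """Classify a trust store's readiness for the G1 -> G2 root change."""
    names = {common_name(c) for c in ca_certs}
    has_old, has_new = OLD_ROOT_CN in names, NEW_ROOT_CN in names
    if has_new:
        status = "ready"
    elif has_old:
        status = "at-risk"        # only the old root is trusted (pinned or stale bundle)
    else:
        status = "inconclusive"   # neither root seen, e.g. lazily loaded capath store
    return {"old_root": has_old, "new_root": has_new, "status": status}

def load_store(cafile=None):
    """Load the system store, or only `cafile` when an application pins its own bundle."""
    return ssl.create_default_context(cafile=cafile).get_ca_certs()

def _entry(cn):
    # Constructed sample entry, not a real certificate.
    return {"subject": ((("organizationName", "DigiCert Inc"),), (("commonName", cn),))}

SAMPLE_PINNED = [_entry(OLD_ROOT_CN)]                        # constructed
SAMPLE_UPDATED = [_entry(OLD_ROOT_CN), _entry(NEW_ROOT_CN)]  # constructed

if __name__ == "__main__":
    print("pinned sample :", assess_trust_store(SAMPLE_PINNED))
    print("updated sample:", assess_trust_store(SAMPLE_UPDATED))
    print("this host     :", assess_trust_store(load_store()))
```

A name match is only a first pass: confirm the root against the fingerprint DigiCert publishes before relying on the result, and pass an application's own CA bundle path to `load_store` to audit a pinned store rather than the system one.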

Past updates to certificate infrastructure, such as the changes rolled out to Microsoft Teams Phone in late 2023, have led to operational difficulties when administrators were unprepared for the shift. Microsoft emphasizes the importance of timely preparation to prevent issues such as authentication failures or service interruptions that could result from outdated trust anchors.

Administrators are urged to review their organization's security and authentication frameworks, update trust settings as needed, and consult Microsoft's documentation for detailed instructions on managing certificate transitions and pinning configurations. Early action will help ensure a seamless migration and continued secure access to Entra services.

This certificate update is part of Microsoft's ongoing efforts to enhance the security posture of its cloud-based identity and access management solutions, reflecting the company's commitment to maintaining the integrity and reliability of its authentication services.

