Weekly Roundup

Microsoft Cloud News Roundup – 7–13 July 2026 | Modern Workplace Security

7 July – 13 July 2026 · modernworkplacesecurity.com

Microsoft 365 · Intune · Entra · Defender · Sentinel
By Anand · modernworkplacesecurity.com · Research Analyst View · Ranked by Business Impact
⚠ Editorial Note: This roundup covers developments that are confirmed published, announced, or entering enforcement during the week of 7–13 July 2026. Where a story was announced before this window but enters a critical enforcement phase or active rollout during this week, it is included because it requires immediate admin action right now. All sources are official Microsoft channels. No speculative or unconfirmed items are included.

Executive Summary

This is a landmark week for Microsoft 365 administrators. Three of the biggest Microsoft infrastructure changes of 2026 are either completing enforcement or entering active notification phases simultaneously: the Entra ID Conditional Access credential registration enforcement deadline lands on 13 July 2026; the Intune Suite bundling into M365 E3/E5 is actively rolling out with tenants receiving 30-day Message Center notices right now; and the Entra Connect Sync to Cloud Sync migration notifications began on 1 July. Add the Entra Custom Controls retirement countdown, SSPR enforcement planning, and the Sentinel Azure Portal migration deadline now extended to 31 March 2027 — and this is one of the most action-heavy weeks for IT and security teams all year.

Top Trending Updates

1. Entra ID Conditional Access Enforcement for Credential Registration Completes 13 July 2026
Entra · Critical
Summary
Starting July 6, 2026, Conditional Access policies scoped to the “Register security information” user action now apply during credential registration for Windows Hello for Business and macOS Platform SSO — meaning users must satisfy MFA, network restrictions, or device compliance before completing registration. Full enforcement across all eligible tenants completes by 13 July 2026. Organisations without a policy scoped to this action are unaffected, but MFA remains required by default for all passwordless credential registrations.
Why It Matters
This closes a meaningful Zero Trust gap: previously, users could register phishing-resistant credentials without being subject to your registration-time CA policies. From this week forward, registration is just as policy-governed as sign-in. Any tenant that has CA policies for “Register security information” should verify no users are being blocked unexpectedly. Test policies in Report-Only mode before this enforcement completes.
2. Intune Suite Capabilities Now Rolling Out to M365 E3 / E5 Tenants — Check Your Message Center Now
Intune · Microsoft 365 · Critical
Summary
The previously separate Intune Suite add-on is now being bundled into core M365 E3 and E5 licences as part of Microsoft’s July 2026 pricing update. Rollout began July 1 and completes by August 1, 2026. For E5 customers, the features being added include Intune Remote Help, Intune Advanced Analytics, Intune Plan 2, Endpoint Privilege Management (EPM), Microsoft Cloud PKI, and Intune Application Management. E3 customers receive Remote Help, Advanced Analytics, and Intune Plan 2. Tenants receive 30-day advance notice in Message Center before the features activate. New service plans are already appearing in some tenants as of early July.
Why It Matters
For any organisation already paying for the Intune Suite add-on (~$10/user/month), this eliminates the separate licence cost. More significantly, it means capabilities like EPM, Cloud PKI, and Advanced Analytics are now accessible to the majority of enterprise tenants at no incremental cost — which changes the strategic conversation around LAPS alternatives, helpdesk tooling, and third-party PKI. Admins should check licence service plans in their tenant now and review Message Center for their 30-day notice.
3. Entra Connect Sync → Cloud Sync Migration Notifications Begin: Is Your Tenant in Wave 1?
Entra · Critical
Summary
Starting July 1, 2026, Microsoft began notifying organisations via M365 Message Center, Entra Connect Health, and direct email about their individual migration windows from Entra Connect Sync to the cloud-native Entra Cloud Sync. Wave 1 targets simpler tenants where Cloud Sync already covers all synchronisation needs. Organisations with complex configurations (Exchange Hybrid, large directories, advanced features) are in later waves. Migration guidance and tooling are provided at notification time. Entra Connect Sync version 2.5.79.0 or later is also required for continued sync operation by September 30, 2026.
Why It Matters
This is the end of the on-premises Azure AD Connect era for many organisations. If you received a Message Center notification this week, you are in Wave 1 and should start your migration assessment immediately. Even if not yet notified, every hybrid identity team should run the Sync Tool Checker now to determine eligibility, check their Connect Sync version, and review which Cloud Sync feature gaps still apply to their environment.
4. Defender for Office 365 Plan 1 Now Included in M365 E3 / Office 365 E3 — Rollout Active
Defender · Microsoft 365 · High
Summary
As part of the July 2026 M365 packaging update, Microsoft Defender for Office 365 Plan 1 is now being included in Office 365 E3 and Microsoft 365 E3 subscriptions at no additional cost. This brings Safe Links, Safe Attachments, and anti-phishing capabilities to E3 tenants that previously required a separate MDO licence or upgrade to E5. URL checks are also being extended to Office 365 E1, Business Basic, and Business Standard. Rollout is active now and completes by August 1, 2026.
Why It Matters
Organisations on E3 that have been relying on Exchange Online Protection (EOP) alone now gain a significant uplift in email security posture without a licence change. Admins should verify the MDO Plan 1 service plan is activating in their tenant and review Safe Attachments and Safe Links policies — these will be off by default and require configuration to provide protection.
5. Entra ID Custom Controls Deprecation — September 30, 2026 Retirement Clock Is Running
Entra · High
Summary
Microsoft has confirmed that Conditional Access Custom Controls — used by many organisations to integrate third-party MFA providers — will be retired on September 30, 2026 and reach end of life in May 2027. Existing configurations continue working during the transition period, but migration to External Authentication Methods (External MFA) is required before retirement. With this week’s CA enforcement changes also landing, now is the time to audit any CA policies using Custom Controls.
Why It Matters
Organisations using Duo, Okta, or other third-party MFA via Custom Controls will experience broken authentication flows after September 30 if not migrated. The External MFA framework is the supported replacement. Start by identifying all CA policies that reference Custom Controls — a quick Entra admin center review or Graph API query will surface them. Budget 6–8 weeks for third-party vendor testing.
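
An added example (not from the original post or from Microsoft) covering both audits described above: the policies scoped to “Register security information” from item 1 and the policies referencing Custom Controls from item 5. It reads a Conditional Access policy export in the shape returned by the Microsoft Graph `identity/conditionalAccess/policies` endpoint; the embedded sample and the names `SAMPLE_EXPORT` and `audit_policies` are constructed for illustration.

```python
import json

# Constructed sample in the shape of a Graph response from
# GET /v1.0/identity/conditionalAccess/policies (not real tenant data).
SAMPLE_EXPORT = json.loads("""
{"value": [
 {"displayName": "Registration requires compliant device", "state": "enabled",
  "conditions": {"applications": {"includeUserActions": ["urn:user:registersecurityinfo"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"],
                    "customAuthenticationFactors": []}},
 {"displayName": "Registration from trusted network (pilot)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {"includeUserActions": ["urn:user:registersecurityinfo"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"],
                    "customAuthenticationFactors": []}},
 {"displayName": "Third-party MFA for all apps", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": [],
                    "customAuthenticationFactors": ["constructed-control-id"]}},
 {"displayName": "Sign-in frequency only", "state": "disabled",
  "conditions": {"applications": {"includeApplications": ["All"]}},
  "grantControls": null}
]}
""")

REGISTER_ACTION = "urn:user:registersecurityinfo"


def audit_policies(export):
    """Return policies affected by the two changes, keyed by finding type."""
    findings = {"registration_scoped": [], "custom_controls": []}
    for policy in export.get("value", []):
        apps = (policy.get("conditions") or {}).get("applications") or {}
        grant = policy.get("grantControls") or {}  # null on session-only policies
        actions = [a.lower() for a in (apps.get("includeUserActions") or [])]
        summary = {
            "name": policy.get("displayName"),
            "state": policy.get("state"),
            "controls": grant.get("builtInControls") or [],
        }
        # Policies scoped to "Register security information" now apply during
        # Windows Hello for Business / macOS Platform SSO registration.
        if REGISTER_ACTION in actions:
            findings["registration_scoped"].append(summary)
        # A non-empty customAuthenticationFactors list means the policy
        # references a Custom Control and needs migrating to External MFA.
        if grant.get("customAuthenticationFactors"):
            findings["custom_controls"].append(summary)
    return findings


if __name__ == "__main__":
    for kind, rows in audit_policies(SAMPLE_EXPORT).items():
        print(kind)
        for row in rows:
            print(f"  [{row['state']}] {row['name']} -> {row['controls']}")
```

The `state` column separates enforced policies from those still in report-only mode (`enabledForReportingButNotEnforced`), which is the distinction that matters when checking for unexpected registration blocks.
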
6. Entra SSPR Registration Campaign Launches — Enforcing Registered Methods from September 2026
Entra · High
Summary
Beginning July 6, 2026, Microsoft automatically launched a registration campaign prompting affected users to register authentication methods after sign-in. This is preparation for September 7, 2026, when SSPR will only accept explicitly registered methods — directory-sourced phone numbers and email addresses that were never formally registered will no longer be accepted. No admin action is required to enable the campaign, but admins should monitor registration progress and ensure users are prompted before enforcement.
Why It Matters
Organisations that relied on directory contact data (phone/email on the user object) as a backdoor for password reset without formal MFA registration will be directly impacted. Users without registered methods will face disruption during password reset after September 7. Use the Authentication Methods Activity report in Entra to identify users at risk now, while the 30-day campaign window is active.
7. Entra Security Operator Role Extended for SOC Identity Response in Defender RBAC
Entra · Defender · High
Summary
Microsoft has extended the Entra Security Operator role so SOC analysts can take identity response actions directly from the Microsoft Defender unified RBAC experience — without needing broad Entra admin roles. New actions include: disable users, revoke sessions, mark users as compromised, force password resets, and delete individual authentication methods. Permissions are scoped to non-admin users only, preserving least-privilege boundaries.
Why It Matters
This is a significant SOC workflow improvement. Previously, identity containment actions during an incident required Entra-privileged escalation — which breaks least-privilege and slows response. Analysts can now contain compromised identities directly from the same Defender portal they’re working incidents in, with full audit trail. SOC teams should review their Defender RBAC role assignments and map this capability into their incident response playbooks.
8. Phishing-Resistant MFA Now Available on Linux Desktops via Entra Identity Broker
Entra · High
Summary
Microsoft has extended phishing-resistant MFA support to Linux desktops through the Microsoft Identity Broker, closing a long-standing gap in cross-platform Zero Trust identity. Supported distributions include Ubuntu 24.04 and 26.04, and Red Hat Enterprise Linux (RHEL) 8, 9, and 10. The Intune app for Linux has also been updated to use the new Identity Broker (version 2.0.2+), enabling SSO using phish-resistant MFA, smart card authentication, and certificate-based authentication with Entra ID.
Why It Matters
For organisations managing developer workstations, engineering environments, or regulated infrastructure running Linux, this eliminates the “Linux exemption” that has been a persistent gap in phishing-resistant MFA coverage. Admins can now enforce consistent CA policies across Windows, macOS, and major Linux distributions — a significant step toward true cross-platform Zero Trust identity posture.
9. Microsoft Sentinel Azure Portal Experience: Extended Deadline Now March 31, 2027
Sentinel · High
Summary
Microsoft extended the deadline for transitioning Sentinel from the Azure portal to the Microsoft Defender portal from the original July 2026 target to March 31, 2027. The extension was granted in response to customer feedback, particularly from organisations managing Sentinel at scale. The Defender portal is now the strategic home for Sentinel — combining SIEM, XDR, SOAR, and threat intelligence in a unified experience — but customers now have more time to plan their migration.
Why It Matters
If you were racing to complete your Sentinel migration before July 2026, you now have until March 2027. However, the extension is not a reason to delay — the unified Defender portal provides genuine operational value including unified case management, cross-product correlation, and the Sentinel Data Lake for cost-effective long-term retention. Admins should still assess RBAC changes (Unified RBAC is required), Workspace Manager deprecation, and KQL entity mapping changes before migrating.
10. Microsoft Intune Now Supports Ubuntu 26.04 LTS — Ubuntu 22.04 Support Ends August 2026
Intune · Medium
Summary
Microsoft Intune has added support for Ubuntu 26.04 LTS. Alongside this, support for Ubuntu 22.04 LTS ends in August 2026 — devices already enrolled on 22.04 remain enrolled but will not receive new policy support. The Intune admin center allows filtering by OS version to identify affected devices. RHEL 8 LTS support also ends in July 2026, with RHEL 9 and 10 LTS now the supported versions.
Why It Matters
Linux device management in enterprise environments is growing rapidly. Admins managing Ubuntu fleets should identify users on 22.04 and tell them to upgrade before August. Use Devices > All Devices > filter by Linux > add OS version column to surface affected devices in your tenant today.
11. Sentinel Account Name Entity Mapping Change — Automation Rules Must Be Updated by July 1, 2026
Sentinel · Medium
Summary
Microsoft Sentinel updated how the Account Name value is populated for analytics rule alerts — it is now consistently the UPN prefix rather than a variable format. This improves consistency for downstream automation and Logic Apps playbooks. The call to action deadline was July 1, 2026, meaning automation rules that parse or trigger on Account Name format may now be broken if not updated. The change applies to analytics rule alerts and affects playbooks consuming that entity field.
Why It Matters
Any Sentinel Logic App playbook or automation rule that parses account entities for identity response actions needs to be reviewed immediately. If you missed the July 1 deadline, audit your active playbooks for Account Name handling now — incidents may be triggering automation with incorrect entity data until this is corrected.
12. Security Copilot Agents Now Rolling Out to All M365 E5 Customers
Defender · Microsoft 365 · Medium
Summary
As part of the July 2026 M365 E5 packaging update, Microsoft Security Copilot agents are now being provisioned to all Microsoft 365 E5 customers with advance notice. Over 70 Microsoft and partner-built agents are available across Defender, Entra, Intune, and Purview — covering workflows from phishing triage to identity investigation and endpoint remediation. E5 customers were previously required to purchase Security Copilot separately at consumption cost.
Why It Matters
This is a major change in value for E5 customers. Security operations teams that couldn’t justify Security Copilot’s standalone cost now have access to AI-powered triage and investigation workflows within their existing licence. Security leaders should evaluate which agents to enable first — the Phishing Triage Agent and the Identity Investigation Agent are typically the highest-ROI starting points for most SOC teams.
13. Entra Registration Campaigns Now Support Passkey (FIDO2) Nudging at Scale
Entra · Medium
Summary
Microsoft Entra Registration Campaigns now support Passkeys (FIDO2) as an authentication method for campaigns. Administrators can configure campaigns to nudge users to register passkeys during sign-in, enabling organisations to drive passkey adoption at scale. The first rollout experience targets users in a passkey profile without restrictions. This complements the redesigned My Account portal pages (Devices, Security Info, Organizations) that are now generally available.
Why It Matters
Passkey adoption has been the “last mile” challenge for passwordless — most organisations had the capability but not the mechanism to drive users to register. Registration Campaigns with FIDO2 support changes this, giving admins a non-disruptive, policy-driven way to nudge the entire user population toward phishing-resistant credentials over time. The redesigned My Account pages also reduce helpdesk load by making device and recovery information more self-serviceable.

Top 3 Updates Every Microsoft Admin Should Know

01. Check Your Tenant Licences Right Now

Intune Suite features and Defender for Office 365 Plan 1 are actively being added to M365 E3/E5 licences this week. New service plans may already be active in your tenant — check licence assignments and review Message Center for your 30-day notice. Features are enabled by default.

02. Entra Connect Sync Migration Notifications Are Live

If you received a Message Center notification this week, you are in Wave 1 of the Connect Sync → Cloud Sync migration. Even if not yet notified, verify your Connect Sync version (must be 2.5.79.0+ by September 30) and run the Sync Tool Checker to assess Cloud Sync eligibility.

03. Sentinel Azure Portal Deadline Extended to March 2027

The original July 2026 Sentinel migration deadline has been extended. However, plan the migration now — don’t wait. The Defender portal provides real operational value. Key prep items: Unified RBAC migration, Workspace Manager replacement, and KQL entity mapping review for automation rules.

Top 3 Security Updates of the Week

01. CA Credential Registration Enforcement Completes July 13

Conditional Access now governs credential registration for WHfB and macOS Platform SSO. Check for unintended policy blocks now. This closes a real Zero Trust gap that attackers could exploit to register credentials without meeting policy requirements.

02. Entra Security Operator Role — SOC Identity Response Without Escalation

SOC analysts can now disable users, revoke sessions, and force password resets directly from Defender RBAC without Entra admin escalation. Update your IR playbooks and assign this role to your T1/T2 analysts now. Huge least-privilege win for incident containment speed.

03. Custom Controls Retirement: September 30, 2026

Third-party MFA via CA Custom Controls retires in 84 days. If you use Duo, Okta MFA, or any third-party via Custom Controls in CA, you must migrate to External Authentication Methods now. Identify affected policies, engage your vendor, and test in report-only mode before the deadline.

Recommended Reading Links

Category | Article Title | URL
Entra | What’s New in Microsoft Entra: June 2026 | techcommunity.microsoft.com
Entra | Entra ID Security Updates: What Organizations Need to Do Now | techcommunity.microsoft.com
Entra | Microsoft Entra Releases and Announcements (What’s New) | learn.microsoft.com
Entra | Migrate from Entra Connect Sync to Cloud Sync FAQ | learn.microsoft.com
Intune | What’s New in Microsoft Intune | learn.microsoft.com
M365 | Advancing Microsoft 365: New Capabilities and Pricing Update | microsoft.com
Defender | Microsoft Defender Monthly News — May 2026 | techcommunity.microsoft.com
Sentinel | Updated Timeline: Transitioning Sentinel to Defender Portal | techcommunity.microsoft.com
Sentinel | Microsoft Sentinel in the Defender Portal (Learn Docs) | learn.microsoft.com
Defender | Microsoft Learn: Defender for Office 365 Overview | learn.microsoft.com
Entra | Microsoft Learn: Conditional Access Controls | learn.microsoft.com
M365 | Microsoft Learn: Security Copilot | learn.microsoft.com

That’s the roundup for 7–13 July 2026. The theme this week is enforcement meets rollout — several major Microsoft platform changes are completing their countdown while new licensing capabilities are landing at the same time. There’s a lot of action required, not just reading.

If something from this week is causing issues in your environment — especially around the CA credential registration change or the Intune Suite service plans — drop it in the comments. I’ll keep an eye on the community chatter and follow up next week if there are common issues worth calling out.

Anand
modernworkplacesecurity.com

Written by itanand21
Microsoft Security Consultant and IT EUC Engineer with 15+ years helping organisations modernise endpoint management and lock down Microsoft 365 using Zero Trust principles.