(Update) Action Required: Trust DigiCert Global Root G2 Certificate Authority for using Entra services by January 7, 2026
MC1193408
Category: planForChange
Severity: normal
Major change: True
Last modified: 2025-12-12 17:18:57
Summary source: Azure OpenAI (gpt-4.1)
Action by (Graph): 2026-01-07 08:00:00
Action by (AI): none
Services: Microsoft Entra
Tags: Updated message, Admin impact
Master tags: Security
Roadmap IDs: none

One-line summary

Microsoft Entra will migrate DigiCert certificates from G1 to G2 root CA on Jan 7, 2026; clients not trusting G2 may face authentication failures.

Details

Summary
By January 7, 2026, Microsoft Entra will switch from DigiCert Global Root G1 to G2 certificates. Organizations must trust the DigiCert G2 root CA to avoid authentication failures with Entra services. Remove any pinning to G1 and update trust settings to prevent service disruption.

Body (from Message Center)

Updated December 12, 2025: We have updated the content. Thank you for your patience. 

Action Required: Trust the new DigiCert Certificate Authorities (CAs) for Microsoft Entra

Starting January 7, 2026, Microsoft Entra will migrate its DigiCert certificates from the G1 root CA to the G2 root CA. Clients that pin to the DigiCert G1 root or do not trust the DigiCert G2 root may experience authentication failures.

What are G1 and G2 root CAs?

Certificate Authorities (CAs) issue digital certificates that establish trust for secure communications. A root CA is the top-level certificate in a trust chain. DigiCert Global Root G1 is the current root CA used by Microsoft Entra services. DigiCert Global Root G2 is the newer root CA that Microsoft is migrating to for improved security and compliance. If your systems do not trust the G2 root, authentication and secure connections to Microsoft Entra services will fail.

Why you’re receiving this message:

Our reporting indicates that one or more users in your organization may be using Microsoft Entra ID.

When this will happen:

January 7, 2026.

How this affects your organization:
  • Who is affected: Organizations using Microsoft Entra ID services.
  • What will happen:
    • If DigiCert G2 certificates are not trusted, authentication failures will occur when accessing Microsoft Entra services.
    • Impacted domains include:
      • login.live.com
      • login.windows.net
      • autologon.microsoftazuread-sso.com
      • graph.windows.net
    • Note: The login.microsoftonline.com domain has already been migrated to the DigiCert G2 root in Feb 2025. Customers using this domain will not be impacted, as their client systems already trust DigiCert G2.
What you can do to prepare:
  • Trust all Root and Subordinate CAs listed in the Azure Certificate Authority details documentation.
  • Ensure you trust the “DigiCert Global Root G2” root and its subordinate CAs (documented since September 2025).
  • Remove any client-side pinning to the DigiCert Global Root CA root certificate.
  • Update your settings now to avoid service disruption.
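
To check a client ahead of the cutover, the script below (an added example, not part of the Message Center text) looks for the G2 root by name in the trust store used by Python's ssl module, then performs a verified TLS handshake against each impacted domain listed above. The function names are illustrative.

```python
import socket
import ssl

G2_CN = "DigiCert Global Root G2"  # root CA named in the advisory
IMPACTED_HOSTS = [                  # impacted domains listed in the advisory
    "login.live.com", "login.windows.net",
    "autologon.microsoftazuread-sso.com", "graph.windows.net",
]

def common_name(name):
    """Return the commonName from an ssl-module subject/issuer tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def store_trusts(ca_certs, cn=G2_CN):
    """True if a CA with this commonName is in a get_ca_certs() listing.
    Presence check by name only; confirm the fingerprint against the
    Azure Certificate Authority details documentation."""
    return any(common_name(c.get("subject", ())) == cn for c in ca_certs)

def load_store(cafile=None):
    """List loaded CAs. get_ca_certs() omits certificates that sit in a
    hashed capath directory until they are used, so pass the bundle file
    explicitly on systems that rely on capath."""
    return ssl.create_default_context(cafile=cafile).get_ca_certs()

def probe(host, ctx, timeout=5):
    """Handshake with full verification; report status and detail."""
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", common_name(tls.getpeercert()["issuer"])
    except ssl.SSLCertVerificationError as exc:
        return "untrusted", exc.verify_message
    except OSError as exc:
        return "unreachable", str(exc)

if __name__ == "__main__":
    print("G2 in trust store:", store_trusts(load_store()))
    ctx = ssl.create_default_context()
    for host in IMPACTED_HOSTS:
        print(host, *probe(host, ctx))
```

This inspects only the trust store that Python's ssl module loads; applications that ship their own store (for example a Java keystore) or pin certificates in code need to be checked separately.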
Help and support:

Compliance considerations:

No compliance considerations identified; review as appropriate for your organization.
