← Back
(Update)Action Required: Trust DigiCert Global Root G2 Certificate Authority for using Entra services by January 7, 2026
MC1193408 · build prod-20251231-200323
Category
planForChange
Severity
normal
Major change
True
Last modified
2025-12-12 17:18:57
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
2026-01-07 08:00:00
Action by (AI)
Services
Microsoft Entra
Tags
Updated message, Admin impact
Master tags
Admin, Security
Roadmap IDs

One-line summary

Microsoft Entra will migrate DigiCert certificates from G1 to G2 root CA on Jan 7, 2026; clients not trusting G2 may face authentication failures.

Similar updates

More like this

Details

Summary
By January 7, 2026, Microsoft Entra will switch from DigiCert Global Root G1 to G2 certificates. Organizations must trust the DigiCert G2 root CA to avoid authentication failures with Entra services. Remove any pinning to G1 and update trust settings to prevent service disruption.

Body (from Message Center)

Updated December 12, 2025: We have updated the content. Thank you for your patience. 

Action Required: Trust the new DigiCert Certificate Authorities (CAs) for Microsoft Entra

Starting January 7, 2026, Microsoft Entra will migrate its DigiCert certificates from the G1 root CA to the G2 root CA. Clients that pin to the DigiCert G1 root or do not trust the DigiCert G2 root may experience authentication failures.

What are G1 and G2 root CAs?

Certificate Authorities (CAs) issue digital certificates that establish trust for secure communications. A root CA is the top-level certificate in a trust chain. DigiCert Global Root G1 is the current root CA used by Microsoft Entra services. DigiCert Global Root G2 is the newer root CA that Microsoft is migrating to for improved security and compliance. If your systems do not trust the G2 root, authentication and secure connections to Microsoft Entra services will fail.

Why you’re receiving this message:

Our reporting indicates that one or more users in your organization may be using Microsoft Entra ID.

When this will happen:

January 7, 2026.

How this affects your organization:
  • Who is affected: Organizations using Microsoft Entra ID services.
  • What will happen:
    • If DigiCert G2 certificates are not trusted, authentication failures will occur when accessing Microsoft Entra services.
    • Impacted domains include:
      • login.live.com
      • login.windows.net
      • autologon.microsoftazuread-sso.com
      • graph.windows.net
      • Note: The login.microsoftonline.com domain has already been migrated to the DigiCert G2 root in Feb 2025. Customers using this domain will not be impacted, as their client systems already trust DigiCert G2.
What you can do to prepare:
  • Trust all Root and Subordinate CAs listed in the Azure Certificate Authority details documentation.
  • Ensure you trust the “DigiCert Global Root G2” root and its subordinate CAs (documented since September 2025).
  • Remove any client-side pinning to the DigiCert Global Root CA root certificate.
  • Update your settings now to avoid service disruption.
Help and support: Compliance considerations:

No compliance considerations identified, review as appropriate for your organization.

Raw JSON (for debugging)

Expand/collapse the full payload below.
Show/hide raw
{
  "snapshot_item": {
    "action_required_by": "2026-01-07T08:00:00Z",
    "ai_action_required_by": null,
    "ai_actions": [
      "Trust DigiCert Global Root G2 and subordinates",
      "Remove pinning to DigiCert G1",
      "Update certificate trust settings"
    ],
    "ai_master_tags": [
      "Admin",
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "Microsoft Entra will migrate DigiCert certificates from G1 to G2 root CA on Jan 7, 2026; clients not trusting G2 may face authentication failures.",
    "ai_topics": [
      "Entra"
    ],
    "category": "planForChange",
    "details_map": {
      "Summary": "By January 7, 2026, Microsoft Entra will switch from DigiCert Global Root G1 to G2 certificates. Organizations must trust the DigiCert G2 root CA to avoid authentication failures with Entra services. Remove any pinning to G1 and update trust settings to prevent service disruption."
    },
    "id": "MC1193408",
    "importance": 5,
    "is_major_change": true,
    "last_modified": "2025-12-12T17:18:57Z",
    "ms_products": [
      "Entra"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Microsoft Entra"
    ],
    "severity": "normal",
    "tags": [
      "Updated message",
      "Admin impact"
    ],
    "title": "(Update)Action Required: Trust DigiCert Global Root G2 Certificate Authority for using Entra services by January 7, 2026"
  }
}