June 2026 brings a dense wave of Microsoft 365 changes across identity, security, licensing, and AI, several of which require MSP action before deadlines hit.
Intune
Hotpatching Enabled by Default Starting May 2026 Security Update
Windows Autopatch now enables hotpatch updates by default for all eligible devices, reducing the number of restarts required during patch deployment. If your clients aren’t ready for hotpatching, you need to opt out at the tenant or policy level proactively; waiting means it activates automatically across all eligible managed devices.
Windows 11 25H2 Security Baseline Now Available
The updated security baseline for Windows 11 version 25H2 is available in Intune, bringing new settings, updated defaults, and retired settings. Existing baseline profiles do not auto-update, so you must manually create or migrate profiles to the new baseline and review every setting change before pushing to client devices.
Microsoft Edge v139 Security Baseline Released
An updated Edge security baseline with new settings and revised defaults is now available in Intune. Like the Windows baseline, existing Edge profiles require a manual update — test in a pilot group before broad deployment to avoid breaking browser configurations across client tenants.
Platform SSO During macOS ADE Now Supported
macOS devices enrolled via Automated Device Enrollment can now complete Platform SSO registration during the setup flow, giving users immediate Entra ID resource access at first desktop login. This requires specific prerequisites: a settings catalog policy, Company Portal 5.2604.0 or later, a configured ADE policy, and macOS 26 or later. MSPs deploying new Mac fleets should update enrollment profiles now to take advantage of this.
Intune RBAC Roles Now Inherit Copilot in Intune Access Automatically
All built-in and custom Intune RBAC roles now automatically receive Security Copilot contributor access when Intune is enabled as a Copilot data source, no separate role assignments needed. MSPs should review whether this expanded access aligns with the least-privilege model in place for client tenants, since it applies to custom roles as well.
Entra ID
Microsoft Entra Connect Sync to Cloud Sync Migration Announced — Phased Starting July 2026
Microsoft will begin notifying customers via M365 Message Center and Entra Connect Health of their transition timelines from Connect Sync to Cloud Sync starting July 2026. MSPs managing hybrid identity environments need to assess client readiness now, identify configurations not yet supported by Cloud Sync, and start migration planning before assigned transition windows arrive.
Hard Match Blocked for Users with Entra Roles — Effective June 1, 2026
Entra Connect Sync and Cloud Sync can no longer hard-match a new AD object to an existing cloud user that holds Entra ID roles, effective June 1. This is a breaking change for any migration or re-sync scenario involving privileged cloud accounts. Audit hybrid environments for affected users immediately and use the new Graph API recovery path if hard-match errors occur.
Entra Backup and Recovery Now in Public Preview
Built-in daily snapshots of critical directory objects (users, groups, apps, Conditional Access policies, and more) are now available in public preview with 5-day retention and admin-initiated restore capability. This gives MSPs a native safety net for accidental tenant configuration changes; familiarize yourself with the restore workflow and add it to your incident response runbooks.
SAP SuccessFactors Provisioning Must Migrate from Basic Auth by November 2026
Workload identity-based authentication for SAP SuccessFactors provisioning is now in public preview, with basic auth deprecation set for November 2026. MSPs managing SuccessFactors provisioning integrations need to plan and execute migration to workload identity auth before the deadline to avoid provisioning failures.
Sensitivity Labels Now Supported on Entra Security Groups (Preview)
Microsoft Purview sensitivity labels can now be applied to Entra cloud security groups to govern settings like guest access. MSPs managing group-based access controls should evaluate whether existing label policies need updating to cover this new scope.
Defender
Local AI Agent Discovery and Runtime Protection on Windows Endpoints (Preview)
Defender now automatically discovers local AI agents — coding agents, IDE extensions, desktop AI assistants — on onboarded Windows devices and can block risky activity in the agent loop at runtime. Before broad enforcement, MSPs should assess whether any legitimate local AI tools used by client employees will generate alerts and tune accordingly.
Automatic Attack Disruption Can Now Isolate Compromised Devices (Preview)
High-confidence incident analysis can now trigger automatic network isolation of devices identified as active attacker footholds, with time-limited scope and operator release capability. This is a significant operational change. MSPs must ensure clients understand that devices may be isolated without manual intervention, and SOC runbooks need to account for this response action.
Identity Security Dashboard and Risk Score Now in Preview
A new Identity Security dashboard surfaces identity provider coverage, non-human identities, and a 0–100 risk score per identity that can be used directly in Conditional Access policies. This gives MSPs a consolidated identity risk view across human and non-human identities; evaluate the risk score integration with Conditional Access for clients where risk-based policy enforcement makes sense.
AgentsInfo Table Replaces AIAgentsInfo in Advanced Hunting — Deadline July 1, 2026
The new unified AgentsInfo table covers all agent types; the AIAgentsInfo table retires July 1, 2026. Any custom detection rules, hunting queries, or automation referencing AIAgentsInfo must be updated before that date to avoid query failures.
Built-in Alert Tuning Rules Now Generally Available
Suppression rules for common benign activity in Defender for Endpoint and Defender for Office 365 are now GA, without affecting AIR investigations. MSPs managing high-alert-volume tenants should review which rules are active and confirm they align with client security posture before relying on suppression.
Licensing
Microsoft 365 Business Standard with Copilot and Business Premium with Copilot Become Permanent SKUs July 1, 2026
The promotional offers for M365 Business Standard with Copilot and Business Premium with Copilot transition to permanent subscriptions at $23.50 and $32 USD per user/month respectively, with new SKUs available July 1 and price list preview in Partner Center starting June 1. Update quoting tools, renewal motions, and SMB offer packaging now. Every Business Standard and Premium renewal is a built-in Copilot upsell opportunity with stable, predictable pricing.
Agent 365 Now Requires Microsoft 365 E5 as Licensing Prerequisite (Effective June 1)
New Agent 365 purchases now require M365 E5 for enterprise, F5-level Defender and Purview for frontline workers, and M365 Business Premium for SMB customers. Audit client licensing before positioning Agent 365. Clients without the prerequisite licenses will lack access to certain capabilities, which creates risk of failed deployments or uncomfortable upsell conversations mid-engagement.
Work IQ API Reaches GA June 16 with Consumption-Based Copilot Credits Billing
Work IQ API is generally available June 16; custom agents using Work IQ via Copilot Studio, Foundry, or third-party platforms are billed via Copilot Credits. Admins must enable consumptive billing before use. MSPs building or managing custom AI agents need to ensure client admins configure payment methods, access policies, and spend limits in the M365 Admin Center before June 16 to avoid service interruption or uncontrolled spend.
EEA Currency Pricing Precision Updates for Select M365/O365 SKUs Effective July 1
Minor cent-level price adjustments are coming to M365 and O365 SKUs in EUR, DKK, NOK, SEK, and CHF for EU settlement compliance, effective July 1. The amounts are small, but discrepancies in automated billing systems should be corrected proactively to avoid invoice inaccuracies for clients billed in EEA currencies.
Dynamics 365 Business Central Dual Use Rights License Keys Must Be Refreshed Every Six Months
Effective June 5, on-premises Business Central deployments via Dual Use Rights require license key download and replacement every six months. MSPs managing Business Central on-premises deployments must establish a recurring process to download and apply updated DUR license keys to prevent service interruption.
Purview
Data Security Posture Management (DSPM) New Version Now Generally Available
The updated DSPM with guided workflows for proactive risk management is now GA; partner solutions for non-Microsoft sources and the Data Security Posture Agent remain in preview. MSPs advising clients on data security governance should update deployment guidance and assess whether clients need the GA version’s administrative unit support for scoped administration.
DLP Policy Device Scoping Now Available
Endpoint DLP policies can now be scoped to specific device groups (for example, enforcing a policy only on Windows devices for Finance users, not macOS) using dynamic Entra ID device groups. MSPs should review existing Endpoint DLP policies to determine whether device-scoped rules would reduce false positives or improve coverage for clients with mixed-OS environments.
Anthropic Claude Enterprise Now Supported in DSPM (Preview)
Claude interactions can now be monitored alongside Copilot, ChatGPT Enterprise, and other AI apps in DSPM activity explorer. MSPs should configure the Anthropic Claude connector for clients with Claude Enterprise deployments so AI interaction visibility and data security controls apply consistently.
eDiscovery Review Set Limit Increased from 20 to 100
The maximum number of review sets per eDiscovery case has been raised from 20 to 100. MSPs supporting legal or compliance teams running large investigations no longer need to work around the previous limit by managing case sprawl; update client guidance accordingly.
Sensitivity Label Auto-Labeling Can Now Override Manually Applied Labels (GA)
Auto-labeling policies for SharePoint and OneDrive can now be configured to always override lower-priority labels, even if manually applied, a capability previously limited to email. This is a behavior change that could override user-applied labels on files; MSPs must review auto-labeling policy configurations for clients to confirm the override option is intentionally set and that users are informed.
Teams
Copilot Call Delegation Rolling Out to Frontier in June
Copilot can now answer incoming Teams Phone calls on a user’s behalf, capture intent, and schedule follow-ups via Microsoft Bookings when the user is unavailable. This feature requires Teams Phone licensing and may trigger questions about call recording consent and data retention. Review client policies before enabling.
Scam and Impersonation Detection Now Live
Teams now detects when callers may be impersonating trusted brands (banks, IT admins) and warns users with options to decline, leave, or report. This is a default-on security control that requires no configuration; MSPs should communicate it to clients as a meaningful reduction in social engineering risk.
Video Recap for Recorded Meetings
AI-generated narrated highlight reels are now available for recorded Teams meetings, surfacing key moments without requiring full playback. This feature uses meeting recordings and transcripts, so MSPs should confirm clients have appropriate retention and compliance policies in place for AI-generated recap content.
Recap Deletion Now Available Without Admin Setup
Meeting organizers can now permanently delete recordings, transcripts, AI summaries, and notes from the recap page via a single menu action, no admin configuration required. This self-service deletion capability may conflict with client retention policies; MSPs should verify that retention labels or compliance holds are in place to prevent premature deletion.
Mobile Queues App Now Available
The Teams Queues app for collaborative call queue management is now available on Teams mobile for iOS and Android. MSPs should validate that mobile device policies permit the app and that queue agent permissions are correctly scoped before clients start using it in the field.
Copilot
ISO/IEC 42001 Certification Expanded Across Copilot Portfolio
Microsoft has extended ISO 42001 AI management certification to Copilot Studio, GitHub Copilot, Dragon Copilot, and Copilot Health, adding to existing certifications for M365 Copilot, Security Copilot, and Microsoft Foundry. Clients in regulated industries requiring AI governance documentation can now reference expanded third-party certification coverage. Update your compliance evidence packages accordingly.
Federated Copilot Connectors via MCP Now Available
Real-time enterprise data from SaaS systems (HubSpot, Notion, LSEG, Moody’s) can now be connected to Work IQ via Model Context Protocol, with native security controls maintained. Enabling these connectors requires admin configuration and access policy review; assess data exposure risk before activating third-party connectors for clients.
Teams Meeting Watermarks Reach DoD in June
Watermark overlay of attendee email addresses on shared meeting content is rolling out to DoD environments in June, following GA in March and GCC-High in May. MSPs supporting government cloud clients should validate this feature is enabled for clients handling sensitive meeting content, as it requires organizer-level configuration in Meeting options.
Learning Agent Rolling Out in June
A new in-flow learning agent powered by Work IQ delivers personalized Copilot and AI skill-building, assessments, and roleplay practice directly within user workflows. This agent will appear in licensed tenants automatically. MSPs should be prepared to field end-user questions and advise clients on whether to promote or restrict it via policy.
Anthropic Claude Opus 4.8 and GPT-5.5 Instant Now Available in Copilot
Two new AI models are available for M365 Copilot licensed users: Claude Opus 4.8 for complex multi-step tasks and GPT-5.5 Instant for faster everyday responses. Expanded model choice increases the surface area for data handling considerations. Confirm clients understand which models are active and review any data residency or compliance implications.
Outlook
Copilot Chat Now Available in Pop-Out Windows
Copilot chat is now accessible in popped-out Outlook message windows, enabling use while reading or composing separate messages. No admin action is required, but MSPs should confirm clients with Copilot licenses have appropriate usage policies in place as this expands the Copilot surface area in Outlook.
Shared Calendars Assigned by Admin Now Appear Automatically
Calendars assigned to users by admins now populate automatically in the calendar list without any user action. This should reduce helpdesk tickets for shared calendar setup, but MSPs should verify that existing admin-assigned calendar configurations are correctly scoped to avoid unexpected calendar visibility for users.
DLP Warn Dialog Now Includes Justification and False Positive Fields
The DLP warning dialog in new Outlook for Windows now includes justification, false positive reporting, and acknowledgment fields, matching the behavior of classic Outlook. MSPs managing DLP policies should confirm that client configurations include appropriate justification options and that compliance teams are reviewing override and false positive reports.
Outlook Background Sync Now On by Default When App Is Closed
Outlook now syncs email in the background even when the app is closed; users can disable this in Settings > General > Offline. This may affect battery life and data usage on managed devices. Assess whether this behavior conflicts with client endpoint management policies or mobile device profiles.
OneDrive
Custom OneDrive Folder Name Now in Deferred Ring
Admins can now set a custom name for the local OneDrive sync folder via Group Policy, replacing the default “OneDrive – {org name}” convention. This reached the Deferred ring June 1, 2026. Shorter folder names increase available path length for nested files (relevant for clients with deep folder structures) so MSPs managing Deferred ring deployments should plan rollout and update GPO configurations.
Move Folders to OneDrive from File Explorer Now in Deferred Ring
A right-click context menu option to move local folders directly to OneDrive reached the Deferred ring June 1, 2026. This feature may prompt end users to inadvertently move large local folder structures to OneDrive; communicate expected behavior to clients and confirm storage quotas are adequate before this lands broadly.
Mark of the Web for Outlook Attachments Now in Deferred Ring
Email attachments saved to OneDrive from Outlook now include the Mark of the Web security tag, enabling Windows Protected View when opened. This reached the Deferred ring as of June 1. No admin action is required, but MSPs should be aware it may affect workflows where users rely on immediate full editing of downloaded attachments.
SharePoint
SharePoint Server Patch Released May 12, 2026
KB 5002863 (version 16.0.19725.20280) was released for SharePoint Server Subscription Edition; KB 5002870 and 5002872 for SharePoint Server 2019; KB 5002868 and 5002869 for SharePoint Server 2016. MSPs managing on-premises SharePoint farms must apply the May 2026 cumulative update to maintain security patch compliance. Schedule patching windows if you haven’t already.
Custom Skills for Copilot in SharePoint Now GA
Users can now create and save reusable, site-specific Copilot skills using natural language to automate repeatable multi-step workflows. Custom skills are user-created and site-scoped, so MSPs should assess whether clients need governance controls around skill creation to prevent unintended automation or data exposure.
June 2026 is a high-action month for MSPs, with hard deadlines around Entra hard-match changes, hotpatch opt-outs, Work IQ billing configuration, and the AgentsInfo table retirement all requiring attention before July 1. The broader theme is clear: AI capabilities are expanding rapidly across the Microsoft 365 stack, and the compliance, governance, and licensing structures around them are maturing just as fast. Staying current with these changes is the difference between managing client environments proactively and reacting to problems after they’ve already landed.
Featured image by Jonas Leupe on Unsplash
