What’s New in M365 for MSPs — May 2026

May 2026 is packed with Microsoft 365 updates hitting identity, device management, security, licensing, and AI, and some of them come with hard deadlines you really can’t ignore.

This isn’t an exhaustive list of everything Microsoft shipped this month. Instead, we’ve pulled out the changes that actually matter for how you manage tenants, keep clients protected, control costs, and stay ahead of what’s coming.

Intune

Higher-Frequency Windows App Inventory Updates

App inventory now refreshes most active Windows devices multiple times per day, replacing the previous 7-day cycle. The expanded data includes install paths, uninstall commands, architecture, and per-user install scope. This capability requires a new device configuration policy targeting Entra-enrolled Windows 11 devices; it does not activate automatically. Deploy the policy to start benefiting from near-real-time software asset visibility for compliance and vulnerability management.

Modernized SSO for Linux via Microsoft Identity Broker

A new C++ identity broker replaces the legacy Java broker for Linux endpoints, enabling phishing-resistant MFA (CBA, smart cards, PIV keys), full Entra ID device join, and Conditional Access enforcement. The Java runtime dependency is removed, which reduces the attack surface and simplifies deployment. MSPs managing Linux fleets can now enforce the same Zero Trust controls already in place for Windows and macOS.

visionOS and tvOS Automated Device Enrollment (Including Government Cloud)

Userless Automated Device Enrollment for Apple TV and Vision Pro devices is now available in Intune Plan 2, including GCC High and DoD environments, with remote management actions and custom profile support. This enables MSPs to manage shared-use Apple devices — conference rooms, kiosks, training headsets — in regulated environments. Confirm Intune Plan 2 licensing is in place before attempting deployment.

Managed Apple Account Restriction to Org-Owned Devices

Intune now allows organizations to restrict Managed Apple Accounts to organization-owned devices only, blocking personal Apple IDs on corporate hardware. This is a critical control for regulated clients in financial services, healthcare, and other sectors where corporate identity data must not reside on unmanaged personal devices.

Entra ID

Entra Connect Sync to Cloud Sync Migration — Plan for Change

Starting July 2026, Microsoft will begin phased notifications to customers to migrate from Entra Connect Sync to cloud-native Entra Cloud Sync, with initial waves targeting tenants with straightforward configurations. MSPs managing hybrid identity environments need to start assessing client readiness now. Review the feature comparison guide, identify which tenants are likely in early waves, and build migration runbooks before notifications arrive.

Hard Match Blocked for Users with Entra Roles (Effective June 1, 2026)

Effective June 1, 2026, Entra Connect Sync and Cloud Sync will block hard-matching new AD objects to existing cloud users that hold Entra roles. This change prevents account takeover via AD attribute manipulation. MSPs must audit any sync configurations that rely on hard-matching privileged accounts before June 1. Review audit logs for recent OnPremisesObjectIdentifier changes on role-assigned users to identify exposure.
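One way to run the audit-log review described above, as an added example that is not from the original article or from Microsoft. It assumes audit records were exported as JSON in the Microsoft Graph directoryAudit shape and that the set of role-assigned user IDs (`PRIVILEGED_IDS`) was compiled separately; the sample records, the `_rec` helper and every ID and name in them are constructed.

```python
import json
from datetime import datetime, timezone

WATCHED = "onpremisesobjectidentifier"  # property named in the article, matched case-insensitively

def _rec(when, target_id, upn, prop, old, new, actor):
    """Build one constructed record in the directoryAudit shape (hypothetical helper)."""
    return {"activityDateTime": when, "activityDisplayName": "Update user", "result": "success",
            "initiatedBy": actor,
            "targetResources": [{"id": target_id, "type": "User", "userPrincipalName": upn,
                                 "modifiedProperties": [{"displayName": prop,
                                                         "oldValue": old, "newValue": new}]}]}

SYNC = {"app": {"displayName": "Example Sync Service"}}
SAMPLE_AUDITS = [  # constructed sample data, not real tenant logs
    _rec("2026-05-20T09:14:03Z", "id-admin-1", "ga@contoso.example",
         "OnPremisesObjectIdentifier", "[]", '["guid-A"]', SYNC),
    _rec("2026-05-21T11:02:40Z", "id-user-7", "staff@contoso.example",
         "OnPremisesObjectIdentifier", "[]", '["guid-B"]', SYNC),   # holds no role: ignored
    _rec("2026-05-22T08:30:00Z", "id-admin-1", "ga@contoso.example",
         "DisplayName", '["GA"]', '["Global Admin"]', SYNC),        # unrelated property
    _rec("2026-03-02T10:00:00Z", "id-admin-2", "secadmin@contoso.example",
         "OnPremisesObjectIdentifier", "[]", '["guid-C"]', SYNC),   # outside the review window
    _rec("2026-05-25T16:45:10Z", "id-admin-2", "secadmin@contoso.example",
         "onPremisesObjectIdentifier", '["guid-C"]', '["guid-D"]',
         {"user": {"userPrincipalName": "helpdesk@contoso.example"}}),
]
PRIVILEGED_IDS = {"id-admin-1", "id-admin-2"}  # assumed: object IDs of users holding Entra roles
SINCE = datetime(2026, 5, 1, tzinfo=timezone.utc)  # start of the review window

def _unwrap(raw):
    """Audit values are JSON-encoded strings such as '["x"]'; return the bare value."""
    try:
        value = json.loads(raw) if raw else ""
    except (TypeError, ValueError):
        return str(raw)
    if isinstance(value, list):
        value = value[0] if value else ""
    return "" if value is None else str(value)

def find_anchor_changes(audits, privileged_ids, since):
    """Return on-premises anchor changes made to role-assigned users since `since`."""
    findings = []
    for record in audits:
        when = datetime.fromisoformat(record["activityDateTime"].replace("Z", "+00:00"))
        if when < since:
            continue
        actor = record.get("initiatedBy") or {}
        actor_name = ((actor.get("user") or {}).get("userPrincipalName")
                      or (actor.get("app") or {}).get("displayName") or "unknown")
        for target in record.get("targetResources") or []:
            if target.get("type") != "User" or target.get("id") not in privileged_ids:
                continue
            for prop in target.get("modifiedProperties") or []:
                if (prop.get("displayName") or "").lower() != WATCHED:
                    continue
                old, new = _unwrap(prop.get("oldValue")), _unwrap(prop.get("newValue"))
                kind = "anchor_set_on_cloud_account" if not old else "anchor_replaced"
                findings.append({"when": record["activityDateTime"], "actor": actor_name,
                                 "user": target.get("userPrincipalName"),
                                 "kind": kind, "old": old, "new": new})
    return findings

if __name__ == "__main__":
    for finding in find_anchor_changes(SAMPLE_AUDITS, PRIVILEGED_IDS, SINCE):
        print(finding)
```

A finding of kind `anchor_set_on_cloud_account` marks a privileged account that previously had no on-premises anchor, which is the case the June 1 block targets.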

SCIM Provisioning Apps Moving to Modern Authentication — Plan for Change

Provisioning jobs using OAuth 2.0 Authorization Code grant will need to be updated to OAuth 2.0 Client Credentials or workload identity federation; timing varies by application. Some gallery apps that cannot support modern auth may be retired entirely. MSPs managing SaaS provisioning integrations should inventory affected apps now and plan reconfiguration ahead of the relevant deadlines.

SAP SuccessFactors Provisioning Moving to Workload Identity Auth (Basic Auth Deprecated November 2026)

A new workload identity-based authentication option for SAP SuccessFactors provisioning is available from May 2026. SAP is deprecating basic auth by November 2026, and no automatic migration will occur. MSPs managing SuccessFactors integrations must migrate provisioning jobs before that deadline to avoid integration failures.

Entra Backup and Recovery (Public Preview)

Entra Backup and Recovery is now in public preview, providing a built-in daily backup of critical directory objects (users, groups, apps, Conditional Access policies, and more) with 5-day retention for P1/P2 tenants, plus difference reports and recovery jobs. This gives MSPs a native safety net for accidental or malicious tenant changes. Evaluate it as a complement to or replacement for third-party backup tooling for Entra objects.

Defender

Custom Data Collection Now Generally Available

Custom telemetry collection rules are now GA, with the per-rule event limit increased from 25,000 to 75,000 events per device per 24-hour window. MSPs running advanced threat hunting or specialized monitoring for clients can now deploy custom collection rules in production with confidence and higher event thresholds.

Secure Boot 2023 Certificate Recommendation in Microsoft Secure Score

A new Secure Score recommendation identifies devices not yet transitioned to Secure Boot 2023 certificates, ahead of the June 2026 expiration of older certificates. Devices remaining on expired Secure Boot certificates will lose early-boot security protections. MSPs must identify and remediate affected devices across client fleets before June 2026.

Selective Response Actions for High-Value Assets (Preview)

Admins can now restrict which response actions — isolation, containment, and others — can be applied to designated Tier-0 and high-value devices during security operations. This prevents accidental isolation of critical infrastructure during incident response. MSPs should define high-value asset policies for clients with sensitive operational systems before this feature reaches GA.

Linux Offline Security Intelligence Update Configuration via Defender and Intune Portals

Offline security intelligence update settings for Linux endpoints can now be configured directly from the Defender or Intune portal, eliminating the need for manual endpoint configuration. MSPs supporting clients with offline or air-gapped Linux fleets should migrate to portal-based configuration to simplify ongoing management.

Licensing

Microsoft 365 Commercial Price Increase Effective July 1, 2026

Prices increase July 1, 2026 for Office 365 E3/E5, Microsoft 365 E3/E5, Business, Frontline, EMS, Windows, Entra P1/P2, and per-device SKUs. Existing customers on multi-year agreements are protected until their next renewal after July 1. MSPs must review all client renewal dates immediately; customers renewing before July 1 can lock in current pricing, while those renewing after will pay the new rates.

New Capabilities Bundled into Existing SKUs (Rolling Out CY26 Q3, Complete by August 1, 2026)

Microsoft 365 E3/E5 and EMS E3 will gain Intune Remote Help, Advanced Analytics, Intune Plan 2, Privilege Management, Microsoft Cloud PKI, Intune Application Management, and Defender for Office 365 Plan 1 at no additional cost, completing rollout by August 1, 2026. Clients currently paying for standalone Intune Suite add-ons or Defender for Office P1 may be able to reduce licensing costs. Audit client add-on subscriptions against the new bundle inclusions before August 2026.

Microsoft 365 E5 Now Includes Security Copilot (400 SCUs per 1,000 Licenses/Month)

E5 customers will receive Security Copilot capacity automatically — 400 SCUs per month per 1,000 seats, up to a maximum of 10,000 SCUs per month — with 30-day advance notice sent before activation. MSPs managing E5 tenants must prepare for this activation: review deployment documentation, ensure proper role assignments, and communicate the change to clients before their activation window opens.

Microsoft 365 E7 Pricing Unchanged but Receives E5 Packaging Changes

E7 pricing is not affected by the July 2026 increase, but all new capabilities added to E5 will also apply to E7. Clients on E7 should be informed they will receive the same new feature inclusions as E5 customers — relevant context for clients evaluating whether to upgrade or remain on E7.

Purview

Data Security Posture Management (DSPM) Now Generally Available

The new unified DSPM is GA, combining the previous DSPM and DSPM for AI (classic) versions into a single experience with guided workflows, posture reports, AI observability, and item-level oversharing remediation for SharePoint. MSPs advising clients on data security strategy now have a GA tool for proactive risk management and AI governance. Evaluate it for clients with Copilot deployments or active data compliance requirements.

Data Security and Compliance Protections for Microsoft Agent 365 (GA)

Purview now provides GA-level data security and compliance coverage for Agent 365, including sensitivity label enforcement and compliance policy application to agent interactions. As clients deploy AI agents, MSPs must ensure Purview policies extend to agent activity. Include these controls in Copilot and agent deployment checklists going forward.

Sensitivity Label Auto-Labeling Policy Enhancement — Override Lower-Priority Labels (GA)

Auto-labeling policies for SharePoint and OneDrive files can now be configured to always override existing lower-priority labels, including manually applied ones. This strengthens automated data classification enforcement for clients. MSPs should review existing auto-labeling policies to determine whether enabling override behavior aligns with each client’s data governance requirements.

eDiscovery Review Set Limit Increased to 100

The maximum number of review sets per eDiscovery case has increased from 20 to 100 for cases with premium feature support. No action is required, but this removes a common bottleneck for clients with large or complex legal matters; worth communicating to clients with active eDiscovery workflows.

DLP Unsaved File Protection (Preview)

DLP Unsaved File Protection extends just-in-time DLP protection to files that have not yet been saved, including new files and files with unsaved modifications on endpoints. This closes a gap where sensitive data could be exfiltrated before a file was written to disk. MSPs managing clients with strict DLP requirements should evaluate this preview for early adoption.

Teams

Sensitivity Label Inheritance for Meeting Recordings and Loop Notes

Meeting recordings and Loop meeting notes now automatically inherit the sensitivity label applied to the meeting when label inheritance is enabled in policy. This closes a compliance gap where recorded content could escape the meeting’s data handling controls. MSPs managing regulated clients should verify that label inheritance policies are correctly configured.

External Domains Anomalies Report

A new report in Teams Admin Center detects unusual spikes, new domains, or abnormal engagement patterns with external organizations, updated daily. This provides proactive visibility into potential data exfiltration or shadow collaboration risks across client tenants without requiring custom alerting infrastructure.

User Reported Security Signals in Teams Admin Center

End-user security reports from Teams messages are now visible and downloadable in TAC Protection reports. This surfaces user-identified threats directly in the admin console, enabling MSPs to identify policy gaps and respond to emerging threats without relying solely on automated detection.

Teams Phone User Multi-Line (Up to 10 Numbers per User)

Admins can now assign up to 10 phone numbers to a single Teams user via Teams Admin Center, supported on desktop and Teams phone devices. This eliminates workarounds for clients with multi-role or multi-region calling requirements. MSPs should evaluate existing routing configurations that may be replaceable with this native capability.

Copilot Call Delegation (Frontier Program)

Copilot Call Delegation allows Copilot to answer incoming Teams calls on a user’s behalf, gather caller context, and schedule follow-up appointments via Microsoft Bookings. A Microsoft 365 Copilot license is required. MSPs should identify users who would benefit, confirm Bookings is configured, and communicate the license dependency to clients before enabling.

Copilot

Prepaid Capacity Pack Credits as Sole Billing Method

Admins can now create capacity pack policies that force Copilot pay-as-you-go usage to draw exclusively from prepaid credits, preventing unexpected overage charges. This enables predictable spend management for clients using consumption-based Copilot scenarios — a meaningful control for MSPs managing budgets across multiple tenants.

Power Users Insights in Copilot Dashboard

The Adoption tab in the Copilot Dashboard now classifies users as power, habitual, novice, or non-Copilot users based on usage frequency, rolling out in May. This gives MSPs data-driven segmentation to focus Copilot enablement efforts and justify license assignments or reassignments to clients.

Copilot Dashboard Export by Day (Public Preview)

Admins can now download de-identified Copilot usage metrics aggregated by user and day for the most recent 28 days. This supports faster, evidence-based decisions on license optimization and adoption interventions across client tenants.

Agent Store Submission via Agent Builder

Users can now submit custom agents for admin review and approval before publication to the organization’s Agent Store. MSPs need to establish an approval workflow for client tenants to prevent ungoverned agent proliferation; this feature provides the control mechanism to do so.

Organizational Messages Now Support Email Delivery and User Segments

Admins can send organizational messages via email in addition to Windows surfaces, and can target dynamic usage-based audiences rather than only static groups. This enables more effective Copilot adoption campaigns and change communications at scale without requiring separate tooling or manual list management.

Outlook

Copilot Chat Available in Pop-Out Windows

Copilot chat is now accessible in popped-out message windows, allowing users to use Copilot while reading or composing detached emails (May 8, 2026). No admin action is required, but this confirms Copilot license entitlement is being surfaced across more Outlook surfaces — relevant context for client communications about Copilot rollout scope.

Background Email Sync When Outlook is Closed

New Outlook now syncs email in the background even when the app is closed; users can disable this in Settings > General > Offline. MSPs should verify this behavior aligns with client security and data residency requirements, and communicate the new setting location to end users where relevant.

DLP Warn Dialog Now Includes Justification and False Positive Reporting Fields

The DLP warn dialog in new Outlook now matches classic Outlook behavior, including justification, false positive reporting, and acknowledgement fields (March 6, 2026). This closes a feature parity gap that may have been blocking some clients from migrating to new Outlook. MSPs managing DLP-sensitive clients should revalidate new Outlook readiness in light of this change.

OneDrive

Custom OneDrive Folder Name via Group Policy

Admins can now set a custom name for the local OneDrive sync folder, replacing the default “OneDrive – {organization name}” convention to increase available path length. This directly addresses path-length errors in deeply nested file structures. MSPs deploying OneDrive at scale should evaluate this policy for clients with complex folder hierarchies.

Deferred Ring Update Targeting May 29, 2026 (v26.040)

The Deferred ring is receiving Improved First Run Experience, Custom Folder Name, Mark of the Web for Outlook attachments, and macOS login item management via command line, with a target date of May 29, 2026. MSPs using the Deferred ring for controlled rollouts should validate these features in test environments ahead of that date.

Mark of the Web for Outlook Attachments

Email attachments saved to OneDrive from Outlook now include the Mark of the Web security tag, ensuring Windows Protected View applies when files are opened. No admin action is required, but this is worth communicating to clients as a meaningful security improvement for users saving email attachments to OneDrive.

OneDrive Sync Health Dashboard Now Supports Government Clouds

GCC, GCC High, and DoD environments can now use the Sync Health Dashboard to monitor sync status and identify issues. MSPs serving government cloud clients can now proactively monitor OneDrive sync health with the same tooling available in commercial tenants.

SharePoint

May 2026 Security Updates for SharePoint Server

Security patches released May 12, 2026 cover SharePoint Server Subscription Edition, 2019, and 2016, including language packs and Office Online Server. Any MSP managing on-premises SharePoint deployments must apply these patches promptly to address security vulnerabilities across all supported versions.

Admin Center

No updates this month.


May 2026 comes down to two things: deadlines you can’t miss — the June 1 hard match block, the June 2026 Secure Boot certificate expiration, and the July 1 price increase — and a bunch of features that just went from preview to production across Purview, Defender, and Intune. These are the updates that’ll actually impact your clients, your billing calls, and your security setup this month. Getting ahead of these deadlines is what’ll set you apart from MSPs who are always playing catch-up.

Author
Gavin Garbutt
Co-Founder & Chairman of Augmentt
