check before: 2026-01-07
Product:
Entra
Platform:
Online, World tenant
Status:
Change type:
Updated message, Admin impact
Links:
Details:
Summary:
By January 7, 2026, Microsoft Entra will switch from DigiCert Global Root G1 to G2 certificates. Organizations must trust the DigiCert G2 root CA to avoid authentication failures with Entra services. Remove any pinning to G1 and update trust settings to prevent service disruption.
Details:
Updated December 12, 2025: We have updated the content. Thank you for your patience.
Action Required: Trust the new DigiCert Certificate Authorities (CAs) for Microsoft Entra
Starting January 7, 2026, Microsoft Entra will migrate its DigiCert certificates from the G1 root CA to the G2 root CA. Clients that pin to the DigiCert G1 root or do not trust the DigiCert G2 root may experience authentication failures.
What are G1 and G2 root CAs?
Certificate Authorities (CAs) issue digital certificates that establish trust for secure communications. A root CA is the top-level certificate in a trust chain. DigiCert Global Root G1 is the current root CA used by Microsoft Entra services. DigiCert Global Root G2 is the newer root CA that Microsoft is migrating to for improved security and compliance. If your systems do not trust the G2 root, authentication and secure connections to Microsoft Entra services will fail.
Why you're receiving this message:
Our reporting indicates that one or more users in your organization may be using Microsoft Entra ID.
When this will happen:
January 7, 2026.
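Added example, not part of the Microsoft message or of this page's source: a Python readiness check for the two conditions the notice names, a trust store without the G2 root and a client pin set that still depends on G1. Assumptions: the function names and finding strings are hypothetical, roots are matched by subject common name rather than by fingerprint, and the sample stores and their dates are constructed.

```python
import ssl
import time

G2_CN = "DigiCert Global Root G2"  # new root named in the notice
G1_CN = "DigiCert Global Root CA"  # G1 root name used in the pinning guidance


def common_name(cert):
    """Subject commonName of a dict shaped like SSLContext.get_ca_certs() items."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def assess(ca_certs, pinned_roots=(), now=None):
    """Return findings; an empty list means the client is ready for the switch."""
    now = time.time() if now is None else now
    findings = []
    g2 = [c for c in ca_certs if common_name(c) == G2_CN]
    if not g2:
        findings.append("G2 root missing from trust store")
    elif all(ssl.cert_time_to_seconds(c["notAfter"]) <= now for c in g2):
        findings.append("G2 root present but expired")
    pins = set(pinned_roots)
    if pins and G2_CN not in pins:
        findings.append("pin set excludes G2")
    if G1_CN in pins:
        findings.append("pin set still references G1")
    return findings


def system_roots():
    # Assumption: roots come from a CA file or the Windows store; certificates
    # in an OpenSSL capath directory are loaded lazily and are not listed here.
    return ssl.create_default_context().get_ca_certs()


def _root(cn, not_after):  # builds a constructed trust-store entry
    return {"subject": ((("commonName", cn),),), "notAfter": not_after}


# Constructed sample stores and clock, not real certificate data.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan 07 00:00:00 2026 GMT")
SAMPLE_LEGACY = [_root(G1_CN, "Nov 10 00:00:00 2031 GMT")]
SAMPLE_READY = SAMPLE_LEGACY + [_root(G2_CN, "Jan 15 12:00:00 2038 GMT")]

if __name__ == "__main__":
    print(assess(system_roots()) or "ready: G2 root trusted")
```

Run stand-alone, it assesses the roots Python loads by default on the machine; pass an application's own pin list as `pinned_roots` to check pinning as well.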
Release Phase:
Created:
2025-12-09
updated:
2025-12-18
summary for non-techies**
Microsoft Entra is transitioning from the DigiCert Global Root G1 certificate to the DigiCert Global Root G2 certificate, requiring organizations to update their systems to trust the new G2 certificate by January 7, 2026, to avoid authentication failures.
Direct effects for Operations**
Authentication Failures
If the DigiCert G2 root CA is not trusted, users will experience authentication failures when accessing Microsoft Entra services, leading to service disruption.
- roles: IT Administrators, End Users
- references: https://knowledge.digicert.com/general-information/digicert-root-and-intermediate-ca-certificate-updates-2023, https://learn.microsoft.com/azure/security/fundamentals/azure-ca-details?tabs=root-and-subordinate-cas-list
Service Disruption
Failure to trust the new root CA may result in inability to access critical services such as login.live.com and graph.windows.net, impacting business operations.
- roles: IT Administrators, Business Users
- references: https://learn.microsoft.com/azure/security/fundamentals/azure-ca-details?tabs=certificate-authority-chains#certificate-pinning, https://learn.microsoft.com/answers/tags/133/azure
Increased Support Requests
Authentication issues may lead to a surge in support requests from users unable to access services, straining IT support resources.
- roles: Help Desk Staff, IT Support Managers
- references: https://learn.microsoft.com/azure/azure-portal/supportability/how-to-create-azure-support-request, https://learn.microsoft.com/answers/tags/133/azure
Compliance Risks
Organizations may face compliance risks if they fail to update their trust settings, potentially leading to data security issues.
- roles: Compliance Officers, IT Security Managers
- references: https://learn.microsoft.com/azure/security/fundamentals/azure-ca-details?tabs=root-and-subordinate-cas-list, https://knowledge.digicert.com/general-information/digicert-root-and-intermediate-ca-certificate-updates-2023
User Experience Degradation
Users may experience frustration and decreased productivity due to inability to log in or access services, impacting overall user satisfaction.
- roles: End Users, IT Administrators
- references: https://learn.microsoft.com/azure/security/fundamentals/azure-ca-details?tabs=certificate-authority-chains#certificate-pinning, https://learn.microsoft.com/answers/tags/133/azure
** AI generated content. This information must be reviewed before use.
change history
| Date | Property | old | new |
| 2025-12-18 | MC Messages | Updated December 9, 2025: We have updated the content. Thank you for your patience.
Action Required: Trust the new DigiCert Certificate Authorities (CAs) for Microsoft Entra Starting January 7, 2026, Microsoft Entra will migrate its DigiCert certificates from the G1 root CA to the G2 root CA. Clients that pin to the DigiCert G1 root or do not trust the DigiCert G2 root may experience authentication failures. What are G1 and G2 root CAs? Certificate Authorities (CAs) issue digital certificates that establish trust for secure communications. A root CA is the top-level certificate in a trust chain. DigiCert Global Root G1 is the current root CA used by Microsoft Entra services. DigiCert Global Root G2 is the newer root CA that Microsoft is migrating to for improved security and compliance. If your systems do not trust the G2 root, authentication and secure connections to Microsoft Entra services will fail. Why you're receiving this message: Our reporting indicates that one or more users in your organization may be using Microsoft Entra ID. When this will happen: January 7, 2026. | Updated December 12, 2025: We have updated the content. Thank you for your patience.
Action Required: Trust the new DigiCert Certificate Authorities (CAs) for Microsoft Entra Starting January 7, 2026, Microsoft Entra will migrate its DigiCert certificates from the G1 root CA to the G2 root CA. Clients that pin to the DigiCert G1 root or do not trust the DigiCert G2 root may experience authentication failures. What are G1 and G2 root CAs? Certificate Authorities (CAs) issue digital certificates that establish trust for secure communications. A root CA is the top-level certificate in a trust chain. DigiCert Global Root G1 is the current root CA used by Microsoft Entra services. DigiCert Global Root G2 is the newer root CA that Microsoft is migrating to for improved security and compliance. If your systems do not trust the G2 root, authentication and secure connections to Microsoft Entra services will fail. Why you're receiving this message: Our reporting indicates that one or more users in your organization may be using Microsoft Entra ID. When this will happen: January 7, 2026. |
| 2025-12-18 | MC How Affect | Who is affected: Organizations using Microsoft Entra ID services.
What will happen: If DigiCert G2 certificates are not trusted, authentication failures will occur when accessing Microsoft Entra services. Impacted domains include: login.microsoftonline.com login.live.com login.windows.net autologon.microsoftazuread-sso.com graph.windows.net What you can do to prepare: Trust all Root and Subordinate CAs listed in the Azure Certificate Authority details documentation. Ensure you trust the "DigiCert Global Root G2" root and its subordinate CAs (documented since September 2025). Remove any client-side pinning to the DigiCert Global Root CA root certificate. Update your settings now to avoid service disruption. Help and support: For details about DigiCert certificates, refer to DigiCert documentation. For guidance on issuer/certificate pinning, see Azure documentation. Get answers from community experts in Microsoft Q&A. If you have a support plan and need technical help, create a support request. Compliance considerations: No compliance considerations identified, review as appropriate for your organization. | Who is affected: Organizations using Microsoft Entra ID services.
What will happen: If DigiCert G2 certificates are not trusted, authentication failures will occur when accessing Microsoft Entra services. Impacted domains include: login.live.com login.windows.net autologon.microsoftazuread-sso.com graph.windows.net Note: The login.microsoftonline.com domain has already been migrated to the DigiCert G2 root in Feb 2025. Customers using this domain will not be impacted, as their client systems already trust DigiCert G2. What you can do to prepare: Trust all Root and Subordinate CAs listed in the Azure Certificate Authority details documentation. Ensure you trust the "DigiCert Global Root G2" root and its subordinate CAs (documented since September 2025). Remove any client-side pinning to the DigiCert Global Root CA root certificate. Update your settings now to avoid service disruption. Help and support: For details about DigiCert certificates, refer to DigiCert documentation. For guidance on issuer/certificate pinning, see Azure documentation. Get answers from community experts in Microsoft Q&A. If you have a support plan and need technical help, create a support request. Compliance considerations: No compliance considerations identified, review as appropriate for your organization. |
| 2025-12-18 | MC Last Updated | 12/09/2025 20:14:35 | 2025-12-12T18:18:57Z |
| 2025-12-18 | MC Summary | By January 7, 2026, Microsoft Entra will switch from DigiCert Global Root G1 to G2 certificates. Organizations must trust the DigiCert G2 root CA and remove pinning to G1 to avoid authentication failures with Entra services like login.microsoftonline.com. Update settings promptly to prevent disruption. | By January 7, 2026, Microsoft Entra will switch from DigiCert Global Root G1 to G2 certificates. Organizations must trust the DigiCert G2 root CA to avoid authentication failures with Entra services. Remove any pinning to G1 and update trust settings to prevent service disruption. |
| 2025-12-10 | MC prepare | https://knowledge.digicert.com/general-information/digicert-root-and-intermediate-ca-certificate-updates-2023
https://learn.microsoft.com/answers/tags/133/azure https://learn.microsoft.com/azure/azure-portal/supportability/how-to-create-azure-support-request https://learn.microsoft.com/azure/security/fundamentals/azure-ca-details?tabs=certificate-authority-chains#certificate-pinning https://learn.microsoft.com/azure/security/fundamentals/azure-ca-details?tabs=root-and-subordinate-cas-list mailto:aadgdev@microsoft.com | https://knowledge.digicert.com/general-information/digicert-root-and-intermediate-ca-certificate-updates-2023
https://learn.microsoft.com/answers/tags/133/azure https://learn.microsoft.com/azure/azure-portal/supportability/how-to-create-azure-support-request https://learn.microsoft.com/azure/security/fundamentals/azure-ca-details?tabs=certificate-authority-chains#certificate-pinning https://learn.microsoft.com/azure/security/fundamentals/azure-ca-details?tabs=root-and-subordinate-cas-list |
| 2025-12-10 | MC Summary | By January 7, 2026, Microsoft Entra will switch from DigiCert Global Root G1 to G2 certificates. Organizations must trust the DigiCert G2 root CA to avoid authentication failures with Entra services and remove any client-side pinning to the G1 root. Update settings to prevent disruption. | By January 7, 2026, Microsoft Entra will switch from DigiCert Global Root G1 to G2 certificates. Organizations must trust the DigiCert G2 root CA and remove pinning to G1 to avoid authentication failures with Entra services like login.microsoftonline.com. Update settings promptly to prevent disruption. |
| 2025-12-10 | MC Last Updated | 12/09/2025 01:13:30 | 2025-12-09T20:14:35Z |
| 2025-12-10 | MC Messages | Action Required: Trust the new DigiCert Certificate Authorities (CAs) for Microsoft Entra
Starting January 7, 2026, Microsoft Entra will migrate its DigiCert certificates from the G1 root CA to the G2 root CA. Clients that pin to the DigiCert G1 root or do not trust the DigiCert G2 root may experience authentication failures. What are G1 and G2 root CAs? Certificate Authorities (CAs) issue digital certificates that establish trust for secure communications. A root CA is the top-level certificate in a trust chain. DigiCert Global Root G1 is the current root CA used by Microsoft Entra services. DigiCert Global Root G2 is the newer root CA that Microsoft is migrating to for improved security and compliance. If your systems do not trust the G2 root, authentication and secure connections to Microsoft Entra services will fail. Why you're receiving this message: Our reporting indicates that one or more users in your organization may be using Microsoft Entra ID. When this will happen: January 7, 2026. | Updated December 9, 2025: We have updated the content. Thank you for your patience.
Action Required: Trust the new DigiCert Certificate Authorities (CAs) for Microsoft Entra Starting January 7, 2026, Microsoft Entra will migrate its DigiCert certificates from the G1 root CA to the G2 root CA. Clients that pin to the DigiCert G1 root or do not trust the DigiCert G2 root may experience authentication failures. What are G1 and G2 root CAs? Certificate Authorities (CAs) issue digital certificates that establish trust for secure communications. A root CA is the top-level certificate in a trust chain. DigiCert Global Root G1 is the current root CA used by Microsoft Entra services. DigiCert Global Root G2 is the newer root CA that Microsoft is migrating to for improved security and compliance. If your systems do not trust the G2 root, authentication and secure connections to Microsoft Entra services will fail. Why you're receiving this message: Our reporting indicates that one or more users in your organization may be using Microsoft Entra ID. When this will happen: January 7, 2026. |
| 2025-12-10 | MC Title | Action Required: Trust DigiCert Global Root G2 Certificate Authority for using Entra services by January 7, 2026 | (Update)Action Required: Trust DigiCert Global Root G2 Certificate Authority for using Entra services by January 7, 2026 |
| 2025-12-10 | MC How Affect | Who is affected: Organizations using Microsoft Entra ID services.
What will happen: If DigiCert G2 certificates are not trusted, authentication failures will occur when accessing Microsoft Entra services. Impacted domains include: login.microsoftonline.com login.live.com login.windows.net autologon.microsoftazuread-sso.com graph.windows.net What you can do to prepare: Trust all Root and Subordinate CAs listed in the Azure Certificate Authority details documentation. Ensure you trust the "DigiCert Global Root G2" root and its subordinate CAs (documented since September 2025). Remove any client-side pinning to the DigiCert Global Root CA root certificate. Update your settings now to avoid service disruption. Help and support: For details about DigiCert certificates, refer to DigiCert documentation. For guidance on issuer/certificate pinning, see Azure documentation. Get answers from community experts in Microsoft Q&A. If you have a support plan and need technical help, create a support request or contact us at aadgdev@microsoft.com. Compliance considerations: No compliance considerations identified, review as appropriate for your organization. | Who is affected: Organizations using Microsoft Entra ID services.
What will happen: If DigiCert G2 certificates are not trusted, authentication failures will occur when accessing Microsoft Entra services. Impacted domains include: login.microsoftonline.com login.live.com login.windows.net autologon.microsoftazuread-sso.com graph.windows.net What you can do to prepare: Trust all Root and Subordinate CAs listed in the Azure Certificate Authority details documentation. Ensure you trust the "DigiCert Global Root G2" root and its subordinate CAs (documented since September 2025). Remove any client-side pinning to the DigiCert Global Root CA root certificate. Update your settings now to avoid service disruption. Help and support: For details about DigiCert certificates, refer to DigiCert documentation. For guidance on issuer/certificate pinning, see Azure documentation. Get answers from community experts in Microsoft Q&A. If you have a support plan and need technical help, create a support request. Compliance considerations: No compliance considerations identified, review as appropriate for your organization. |
Last updated 2 weeks ago