check before: 2026-01-07
Product: Entra
Platform: Online, World tenant
Change type: Updated message, Admin impact
Summary:
By January 7, 2026, Microsoft Entra will switch from DigiCert Global Root G1 to G2 certificates. Organizations must trust the DigiCert G2 root CA to avoid authentication failures with Entra services. Remove any pinning to G1 and update trust settings to prevent service disruption.
Details:
Updated December 12, 2025: We have updated the content. Thank you for your patience.
Action Required: Trust the new DigiCert Certificate Authorities (CAs) for Microsoft Entra
Starting January 7, 2026, Microsoft Entra will migrate its DigiCert certificates from the G1 root CA to the G2 root CA. Clients that pin to the DigiCert G1 root or do not trust the DigiCert G2 root may experience authentication failures.
What are G1 and G2 root CAs?
Certificate Authorities (CAs) issue digital certificates that establish trust for secure communications. A root CA is the top-level certificate in a trust chain. DigiCert Global Root G1 is the current root CA used by Microsoft Entra services. DigiCert Global Root G2 is the newer root CA that Microsoft is migrating to for improved security and compliance. If your systems do not trust the G2 root, authentication and secure connections to Microsoft Entra services will fail.
Why you're receiving this message:
Our reporting indicates that one or more users in your organization may be using Microsoft Entra ID.
When this will happen:
January 7, 2026.
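The failure mode the notice describes (a client that lacks the G2 root, or pins to G1, stops authenticating once the served chain changes) can be checked ahead of the cut-over. The following Python is an added example, not code from Microsoft or from this page; the function names, the `pins` input and the sample stores are constructed for illustration, and roots are matched by subject common name only.

```python
import ssl

# Root names as written in the notice; "G1" is "DigiCert Global Root CA".
G1_CN = "DigiCert Global Root CA"
G2_CN = "DigiCert Global Root G2"


def root_names(ca_certs):
    """Subject commonNames from ssl.SSLContext.get_ca_certs() output."""
    return {
        value
        for cert in ca_certs
        for rdn in cert.get("subject", ())
        for key, value in rdn
        if key == "commonName"
    }


def load_roots(cafile=None):
    """List CA certificates in a PEM bundle, or in the default store if None.

    Certificates that exist only in an OpenSSL capath directory are not
    listed until used, so pass the bundle file explicitly on such hosts.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx.get_ca_certs()


def assess(trusted, pins=()):
    """Predict a client's result before and after the migration.

    trusted: root names in the client's trust store.
    pins:    root names the client pins to (hypothetical input; empty = none).
    Returns (ok_with_g1_chain, ok_with_g2_chain, actions).
    """
    trusted, pins = set(trusted), set(pins)

    def accepts(root):
        # A chain is accepted only if its root is trusted and, when the
        # client pins, the root is also in the pin set.
        return root in trusted and (not pins or root in pins)

    actions = []
    if G2_CN not in trusted:
        actions.append("trust-g2")
    if pins and G2_CN not in pins:
        actions.append("unpin")
    return accepts(G1_CN), accepts(G2_CN), actions


def _cert(cn):
    # Constructed entry shaped like one element of get_ca_certs().
    return {"subject": ((("organizationName", "DigiCert Inc"),),
                        (("commonName", cn),))}


SAMPLE_STORE_OLD = [_cert(G1_CN)]                 # constructed: G1 only
SAMPLE_STORE_NEW = [_cert(G1_CN), _cert(G2_CN)]   # constructed: both roots

if __name__ == "__main__":
    roots = load_roots()
    print(len(roots), "CA certificates loaded:", assess(root_names(roots)))
    print("G1-pinned client:", assess(root_names(SAMPLE_STORE_NEW), [G1_CN]))
```

A result of `(True, False, ...)` marks a client that works today and fails once the chain is rooted at G2, which is the case to find before January 7, 2026.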
Created: 2025-12-09
updated: 2025-12-18
Direct effects for Operations**
Authentication Failures
If the DigiCert G2 root CA is not trusted, users will experience authentication failures when accessing Microsoft Entra services, leading to service disruption.
- roles: IT Administrators, End Users
- references: https://knowledge.digicert.com/general-information/digicert-root-and-intermediate-ca-certificate-updates-2023, https://learn.microsoft.com/azure/security/fundamentals/azure-ca-details?tabs=root-and-subordinate-cas-list
Service Disruption
Failure to trust the new root CA may result in inability to access critical services such as login.live.com and graph.windows.net, impacting business operations.
- roles: IT Administrators, Business Users
- references: https://learn.microsoft.com/azure/security/fundamentals/azure-ca-details?tabs=certificate-authority-chains#certificate-pinning, https://learn.microsoft.com/answers/tags/133/azure
Increased Support Requests
Authentication issues may lead to a surge in support requests from users unable to access services, straining IT support resources.
- roles: Help Desk Staff, IT Support Managers
- references: https://learn.microsoft.com/azure/azure-portal/supportability/how-to-create-azure-support-request, https://learn.microsoft.com/answers/tags/133/azure
Compliance Risks
Organizations may face compliance risks if they fail to update their trust settings, potentially leading to data security issues.
- roles: Compliance Officers, IT Security Managers
- references: https://learn.microsoft.com/azure/security/fundamentals/azure-ca-details?tabs=root-and-subordinate-cas-list, https://knowledge.digicert.com/general-information/digicert-root-and-intermediate-ca-certificate-updates-2023
User Experience Degradation
Users may experience frustration and decreased productivity due to inability to log in or access services, impacting overall user satisfaction.
- roles: End Users, IT Administrators
- references: https://learn.microsoft.com/azure/security/fundamentals/azure-ca-details?tabs=certificate-authority-chains#certificate-pinning, https://learn.microsoft.com/answers/tags/133/azure
Opportunities**
Enhanced Security Protocols
Migrating to the DigiCert G2 root CA enhances security by using more robust encryption methods, reducing the risk of security breaches and ensuring compliance with modern security standards. This is crucial for roles in IT Security and Compliance.
- next-steps: Conduct a security audit to assess current trust settings and update them to include DigiCert G2. Provide training for IT Security staff on new protocols.
- roles: IT Security, Compliance Officer
- references: https://knowledge.digicert.com/general-information/digicert-root-and-intermediate-ca-certificate-updates-2023, https://learn.microsoft.com/azure/security/fundamentals/azure-ca-details?tabs=root-and-subordinate-cas-list
Streamlined IT Operations
Updating trust settings for the new root CA can streamline IT operations by reducing authentication failures and the need for reactive troubleshooting, leading to improved service availability and user experience. This benefits IT Operations and Help Desk roles.
- next-steps: Create a detailed plan for updating trust settings across all systems. Schedule a maintenance window to implement changes and monitor for any issues post-update.
- roles: IT Operations, Help Desk
- references: https://learn.microsoft.com/azure/security/fundamentals/azure-ca-details?tabs=certificate-authority-chains#certificate-pinning, https://learn.microsoft.com/azure/azure-portal/supportability/how-to-create-azure-support-request
User Experience Improvement
Ensuring that users trust the new DigiCert G2 root CA will prevent authentication issues, leading to a smoother user experience when accessing Entra services. This is particularly important for roles in User Support and Customer Experience.
- next-steps: Communicate with users about the upcoming changes and provide guidance on how to verify their systems are updated. Monitor user feedback post-implementation to identify any remaining issues.
- roles: User Support, Customer Experience
- references: https://learn.microsoft.com/answers/tags/133/azure, https://learn.microsoft.com/azure/security/fundamentals/azure-ca-details?tabs=root-and-subordinate-cas-list
explanation for non-techies**
Imagine you are the manager of a law firm, and your office building is switching from using a traditional lock system (G1) to a more advanced digital lock system (G2) for security reasons. To ensure everyone can still enter the building without any issues, you need to make sure that all employees have the new digital keys that work with the G2 locks. If someone tries to use an old key (G1), they won't be able to get in.
In the world of IT, Microsoft Entra is making a similar switch from an older security certificate (DigiCert Global Root G1) to a newer one (DigiCert Global Root G2). These certificates are like digital keys that ensure secure communication between your organization's systems and Microsoft Entra services. If your systems don't recognize or trust the new G2 certificate, it will be like trying to use an old key on a new lock, resulting in authentication failures.
To avoid any disruptions, you need to update your systems to trust the new G2 certificate. This involves checking your settings and ensuring that your systems are configured to accept the new digital keys. Just like you would update the locks and distribute new keys in your office, you'll need to update your IT systems to recognize and trust the new G2 certificate by January 7, 2026.
If you need assistance, there are resources available, much like how you might consult a locksmith for help with new locks. You can refer to the DigiCert documentation or reach out to community experts for guidance. By preparing now, you can ensure a smooth transition and continued access to Microsoft Entra services without any hiccups.
** AI generated content. This information must be reviewed before use.
change history
| Date | Property | old | new |
| --- | --- | --- | --- |
| 2025-12-18 | MC Messages | Updated December 9, 2025: We have updated the content. Thank you for your patience. Action Required: Trust the new DigiCert Certificate Authorities (CAs) for Microsoft Entra Starting January 7, 2026, Microsoft Entra will migrate its DigiCert certificates from the G1 root CA to the G2 root CA. Clients that pin to the DigiCert G1 root or do not trust the DigiCert G2 root may experience authentication failures. What are G1 and G2 root CAs? Certificate Authorities (CAs) issue digital certificates that establish trust for secure communications. A root CA is the top-level certificate in a trust chain. DigiCert Global Root G1 is the current root CA used by Microsoft Entra services. DigiCert Global Root G2 is the newer root CA that Microsoft is migrating to for improved security and compliance. If your systems do not trust the G2 root, authentication and secure connections to Microsoft Entra services will fail. Why you're receiving this message: Our reporting indicates that one or more users in your organization may be using Microsoft Entra ID. When this will happen: January 7, 2026. | Updated December 12, 2025: We have updated the content. Thank you for your patience. Action Required: Trust the new DigiCert Certificate Authorities (CAs) for Microsoft Entra Starting January 7, 2026, Microsoft Entra will migrate its DigiCert certificates from the G1 root CA to the G2 root CA. Clients that pin to the DigiCert G1 root or do not trust the DigiCert G2 root may experience authentication failures. What are G1 and G2 root CAs? Certificate Authorities (CAs) issue digital certificates that establish trust for secure communications. A root CA is the top-level certificate in a trust chain. DigiCert Global Root G1 is the current root CA used by Microsoft Entra services. DigiCert Global Root G2 is the newer root CA that Microsoft is migrating to for improved security and compliance. If your systems do not trust the G2 root, authentication and secure connections to Microsoft Entra services will fail. Why you're receiving this message: Our reporting indicates that one or more users in your organization may be using Microsoft Entra ID. When this will happen: January 7, 2026. |
| 2025-12-18 | MC How Affect | Who is affected: Organizations using Microsoft Entra ID services. What will happen: If DigiCert G2 certificates are not trusted, authentication failures will occur when accessing Microsoft Entra services. Impacted domains include: login.microsoftonline.com login.live.com login.windows.net autologon.microsoftazuread-sso.com graph.windows.net What you can do to prepare: Trust all Root and Subordinate CAs listed in the Azure Certificate Authority details documentation. Ensure you trust the "DigiCert Global Root G2" root and its subordinate CAs (documented since September 2025). Remove any client-side pinning to the DigiCert Global Root CA root certificate. Update your settings now to avoid service disruption. Help and support: For details about DigiCert certificates, refer to DigiCert documentation. For guidance on issuer/certificate pinning, see Azure documentation. Get answers from community experts in Microsoft Q&A. If you have a support plan and need technical help, create a support request. Compliance considerations: No compliance considerations identified, review as appropriate for your organization. | Who is affected: Organizations using Microsoft Entra ID services. What will happen: If DigiCert G2 certificates are not trusted, authentication failures will occur when accessing Microsoft Entra services. Impacted domains include: login.live.com login.windows.net autologon.microsoftazuread-sso.com graph.windows.net Note: The login.microsoftonline.com domain has already been migrated to the DigiCert G2 root in Feb 2025. Customers using this domain will not be impacted, as their client systems already trust DigiCert G2. What you can do to prepare: Trust all Root and Subordinate CAs listed in the Azure Certificate Authority details documentation. Ensure you trust the "DigiCert Global Root G2" root and its subordinate CAs (documented since September 2025). Remove any client-side pinning to the DigiCert Global Root CA root certificate. Update your settings now to avoid service disruption. Help and support: For details about DigiCert certificates, refer to DigiCert documentation. For guidance on issuer/certificate pinning, see Azure documentation. Get answers from community experts in Microsoft Q&A. If you have a support plan and need technical help, create a support request. Compliance considerations: No compliance considerations identified, review as appropriate for your organization. |
| 2025-12-18 | MC Last Updated | 12/09/2025 20:14:35 | 2025-12-12T18:18:57Z |
| 2025-12-18 | MC Summary | By January 7, 2026, Microsoft Entra will switch from DigiCert Global Root G1 to G2 certificates. Organizations must trust the DigiCert G2 root CA and remove pinning to G1 to avoid authentication failures with Entra services like login.microsoftonline.com. Update settings promptly to prevent disruption. | By January 7, 2026, Microsoft Entra will switch from DigiCert Global Root G1 to G2 certificates. Organizations must trust the DigiCert G2 root CA to avoid authentication failures with Entra services. Remove any pinning to G1 and update trust settings to prevent service disruption. |
| 2025-12-10 | MC prepare | https://knowledge.digicert.com/general-information/digicert-root-and-intermediate-ca-certificate-updates-2023 https://learn.microsoft.com/answers/tags/133/azure https://learn.microsoft.com/azure/azure-portal/supportability/how-to-create-azure-support-request https://learn.microsoft.com/azure/security/fundamentals/azure-ca-details?tabs=certificate-authority-chains#certificate-pinning https://learn.microsoft.com/azure/security/fundamentals/azure-ca-details?tabs=root-and-subordinate-cas-list mailto:aadgdev@microsoft.com | https://knowledge.digicert.com/general-information/digicert-root-and-intermediate-ca-certificate-updates-2023 https://learn.microsoft.com/answers/tags/133/azure https://learn.microsoft.com/azure/azure-portal/supportability/how-to-create-azure-support-request https://learn.microsoft.com/azure/security/fundamentals/azure-ca-details?tabs=certificate-authority-chains#certificate-pinning https://learn.microsoft.com/azure/security/fundamentals/azure-ca-details?tabs=root-and-subordinate-cas-list |
| 2025-12-10 | MC Summary | By January 7, 2026, Microsoft Entra will switch from DigiCert Global Root G1 to G2 certificates. Organizations must trust the DigiCert G2 root CA to avoid authentication failures with Entra services and remove any client-side pinning to the G1 root. Update settings to prevent disruption. | By January 7, 2026, Microsoft Entra will switch from DigiCert Global Root G1 to G2 certificates. Organizations must trust the DigiCert G2 root CA and remove pinning to G1 to avoid authentication failures with Entra services like login.microsoftonline.com. Update settings promptly to prevent disruption. |
| 2025-12-10 | MC Last Updated | 12/09/2025 01:13:30 | 2025-12-09T20:14:35Z |
| 2025-12-10 | MC Messages | Action Required: Trust the new DigiCert Certificate Authorities (CAs) for Microsoft Entra Starting January 7, 2026, Microsoft Entra will migrate its DigiCert certificates from the G1 root CA to the G2 root CA. Clients that pin to the DigiCert G1 root or do not trust the DigiCert G2 root may experience authentication failures. What are G1 and G2 root CAs? Certificate Authorities (CAs) issue digital certificates that establish trust for secure communications. A root CA is the top-level certificate in a trust chain. DigiCert Global Root G1 is the current root CA used by Microsoft Entra services. DigiCert Global Root G2 is the newer root CA that Microsoft is migrating to for improved security and compliance. If your systems do not trust the G2 root, authentication and secure connections to Microsoft Entra services will fail. Why you're receiving this message: Our reporting indicates that one or more users in your organization may be using Microsoft Entra ID. When this will happen: January 7, 2026. | Updated December 9, 2025: We have updated the content. Thank you for your patience. Action Required: Trust the new DigiCert Certificate Authorities (CAs) for Microsoft Entra Starting January 7, 2026, Microsoft Entra will migrate its DigiCert certificates from the G1 root CA to the G2 root CA. Clients that pin to the DigiCert G1 root or do not trust the DigiCert G2 root may experience authentication failures. What are G1 and G2 root CAs? Certificate Authorities (CAs) issue digital certificates that establish trust for secure communications. A root CA is the top-level certificate in a trust chain. DigiCert Global Root G1 is the current root CA used by Microsoft Entra services. DigiCert Global Root G2 is the newer root CA that Microsoft is migrating to for improved security and compliance. If your systems do not trust the G2 root, authentication and secure connections to Microsoft Entra services will fail. Why you're receiving this message: Our reporting indicates that one or more users in your organization may be using Microsoft Entra ID. When this will happen: January 7, 2026. |
| 2025-12-10 | MC Title | Action Required: Trust DigiCert Global Root G2 Certificate Authority for using Entra services by January 7, 2026 | (Update)Action Required: Trust DigiCert Global Root G2 Certificate Authority for using Entra services by January 7, 2026 |
| 2025-12-10 | MC How Affect | Who is affected: Organizations using Microsoft Entra ID services. What will happen: If DigiCert G2 certificates are not trusted, authentication failures will occur when accessing Microsoft Entra services. Impacted domains include: login.microsoftonline.com login.live.com login.windows.net autologon.microsoftazuread-sso.com graph.windows.net What you can do to prepare: Trust all Root and Subordinate CAs listed in the Azure Certificate Authority details documentation. Ensure you trust the "DigiCert Global Root G2" root and its subordinate CAs (documented since September 2025). Remove any client-side pinning to the DigiCert Global Root CA root certificate. Update your settings now to avoid service disruption. Help and support: For details about DigiCert certificates, refer to DigiCert documentation. For guidance on issuer/certificate pinning, see Azure documentation. Get answers from community experts in Microsoft Q&A. If you have a support plan and need technical help, create a support request or contact us at aadgdev@microsoft.com. Compliance considerations: No compliance considerations identified, review as appropriate for your organization. | Who is affected: Organizations using Microsoft Entra ID services. What will happen: If DigiCert G2 certificates are not trusted, authentication failures will occur when accessing Microsoft Entra services. Impacted domains include: login.microsoftonline.com login.live.com login.windows.net autologon.microsoftazuread-sso.com graph.windows.net What you can do to prepare: Trust all Root and Subordinate CAs listed in the Azure Certificate Authority details documentation. Ensure you trust the "DigiCert Global Root G2" root and its subordinate CAs (documented since September 2025). Remove any client-side pinning to the DigiCert Global Root CA root certificate. Update your settings now to avoid service disruption. Help and support: For details about DigiCert certificates, refer to DigiCert documentation. For guidance on issuer/certificate pinning, see Azure documentation. Get answers from community experts in Microsoft Q&A. If you have a support plan and need technical help, create a support request. Compliance considerations: No compliance considerations identified, review as appropriate for your organization. |
Last updated 1 month ago