Microsoft’s Entra service for identity and access management (IAM) currently relies on certificates that chain to DigiCert Global Root G1. Microsoft has now announced that on January 7, 2026, it will migrate the Entra service to certificates that chain to DigiCert Global Root G2. Admins may need to take action to prevent authentication errors.
Microsoft announced this in the Microsoft 365 Message Center (a publicly accessible copy is on merill.net). Starting January 7, 2026, Microsoft plans to migrate its DigiCert certificates from the G1 Root CA to the G2 Root CA, the company writes there. Clients that hard-pin the DigiCert G1 Root, or that do not trust the DigiCert G2 Root, may subsequently generate authentication errors.
New Trust Anchor
Certificate Authorities (CAs) issue the digital certificates on which trust for secure communication is based, Microsoft explains. The Root CA is the top of the certificate trust chain. Microsoft currently uses DigiCert Global Root G1 as the Root CA for Entra services. DigiCert Global Root G2 is a newer Root CA, and Microsoft is switching to it for improved security and compliance. If the systems in use do not trust the G2 Root, authentication and secure connections to Microsoft Entra services will fail.
Microsoft also provides a list of affected domains for admins:
- login.microsoftonline.com
- login.live.com
- login.windows.net
- autologon.microsoftazuread-sso.com
- graph.windows.net
Remedy
Microsoft recommends that IT managers trust all root and subordinate CAs listed in the Azure Certificate Authority details in their environment. In particular, systems must trust the "DigiCert Global Root G2" root and its subordinate certificate authorities. Admins should also remove any certificate pinning of the "DigiCert Global Root CA" root certificate (that is the G1 root; its subject name does not contain "G1"). Microsoft's guidance on certificate pinning is meant to help with this.
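The following script is an added example, not Microsoft's guidance or code from the original article. It checks two things a practitioner would want to know before the cutover: whether DigiCert Global Root G2 is present in (and not blocked from) the machine's trusted root store, and what root each of the affected endpoints currently chains to when the chain is rebuilt against the local trust store. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, read access to the LocalMachine certificate stores, and outbound TCP/443 to the listed hosts. The host list is taken from the article; the function names are the editor's own.

```powershell
# Added example for this article; not Microsoft's or the article's own code.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, with read access to the
# LocalMachine stores and outbound TCP/443 to the Entra endpoints named in the article.

$EntraHosts = @(
    'login.microsoftonline.com',
    'login.live.com',
    'login.windows.net',
    'autologon.microsoftazuread-sso.com',
    'graph.windows.net'
)

function Test-G2RootStore {
    # Part 1: is DigiCert Global Root G2 in the machine root store, and is it not explicitly distrusted?
    $g2 = Get-ChildItem Cert:\LocalMachine\Root |
          Where-Object { $_.Subject -like '*DigiCert Global Root G2*' } |
          Select-Object -First 1
    if (-not $g2) {
        Write-Warning 'DigiCert Global Root G2 is NOT in Cert:\LocalMachine\Root; Entra TLS will fail after the cutover.'
    } else {
        # Compare this thumbprint with the fingerprint DigiCert publishes for the G2 root before relying on it.
        Write-Output ('G2 root present: thumbprint {0}, valid until {1}' -f $g2.Thumbprint, $g2.NotAfter)
    }
    $blocked = Get-ChildItem Cert:\LocalMachine\Disallowed -ErrorAction SilentlyContinue |
               Where-Object { $_.Subject -like '*DigiCert Global Root G2*' }
    if ($blocked) {
        Write-Warning 'DigiCert Global Root G2 is listed in Cert:\LocalMachine\Disallowed and will be rejected.'
    }
}

function Get-ServedRoot {
    param([Parameter(Mandatory)][string]$HostName)
    # Part 2: open a TLS session, accept whatever the server presents (inspection only; never do
    # this in production code), then rebuild the chain against THIS machine's trust store so the
    # Trusted/Status fields reflect local trust rather than the server's view.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, 443)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        # Revocation is out of scope here; the question is only which root the chain ends in.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $trusted = $chain.Build($leaf)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            Host           = $HostName
            Leaf           = $leaf.Subject
            Root           = $root.Subject
            RootThumbprint = $root.Thumbprint
                            Trusted        = $trusted
            Status         = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

Test-G2RootStore
foreach ($h in $EntraHosts) {
    $r = Get-ServedRoot -HostName $h
    $r
    if ($r.Root -like '*DigiCert Global Root CA*') {
        # "DigiCert Global Root CA" is the G1 root; the endpoint has not been migrated yet.
        Write-Output "  $h still chains to the G1 root; re-run this check after the cutover."
    } elseif (-not $r.Trusted) {
        Write-Warning "  $h chain is NOT trusted on this machine: $($r.Status)"
    }
}
```

If the script reports the G2 root as present and trusted but an application still fails after the cutover, the application itself is pinning the G1 root (by thumbprint or public key) in its own code or configuration, and that pin has to be removed there; the machine store check cannot see it. Machines that receive Microsoft's automatic root updates will normally already have the G2 root; the ones worth checking are isolated hosts and environments where automatic root updates are disabled by policy.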
At the end of 2023, Microsoft replaced the certificates for Teams Phone. Despite having announced the change the year before, admins were not prepared for it, and a first test by Microsoft failed beforehand. IT managers should therefore not hesitate to act, to avoid potentially locking themselves out of their own IT.
(dmk)
This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.