Introduction
Microsoft 365 doesn't stop changing. Every month brings new features, deprecations, security enforcement deadlines, and licensing shifts that directly affect how you manage your tenant. Miss one critical update and you're firefighting. Miss several and you're accumulating risk.
That's why we publish this monthly roundup. February 2026 was a particularly dense month: over 25 significant changes landed across security, identity, compliance, collaboration, and administration. The dominant themes were MFA enforcement going fully live, the EWS retirement timeline becoming concrete, expanded Copilot integrations across the suite, and a continued push toward legacy protocol retirement.
This article is structured for busy admins and IT leads. Each section includes a summary table with impact ratings and required actions so you can triage quickly. If you only have five minutes, read the executive summary below and the prioritized action list at the end.
Top 5 Most Impactful Changes
Executive Summary: February 2026
- MFA enforcement is now live for M365 Admin Center. Admin accounts without MFA registered are blocked. If you have shared, orphaned, or break-glass admin accounts without MFA — they can no longer sign in. (BleepingComputer)
- EWS retirement timeline confirmed. Exchange Web Services will be permanently removed April 1, 2027. Phased disablement begins October 2026. If your organization has apps using EWS, migration planning starts now. (Office 365 IT Pros)
- SharePoint CSP enforcement coming in March. February activated report-only mode. Next month, strict Content Security Policy enforcement will block untrusted scripts. Audit your custom SharePoint solutions immediately.
- Entra ID app deactivation is GA. You can now reversibly disable app registrations without deleting them — essential for security investigations and tenant hygiene. (Microsoft Learn)
- Exchange ActiveSync versions below 16.1 blocked March 1. Devices on older EAS versions lose mail/calendar sync. Identify affected devices before the cutoff.
Security & Defender
February's biggest security story is the MFA enforcement that went live on February 9. This was long anticipated but still caught some organizations off guard — particularly SMBs with shared admin accounts and automation scripts using user identities.
| Change | Impact | Action Required |
|---|---|---|
| MFA enforced for M365 Admin Center — All accounts signing into admin portals must have MFA registered. Blocked otherwise. Microsoft Learn | Critical | Verify all admin accounts have MFA. Check break-glass accounts (FIDO2/certificate-based auth). Migrate scripts using user identities to service principals. |
| Defender XDR: Built-in alert tuning rules — Automatic suppression of high-volume, low-fidelity alerts to reduce noise. r/msp | Medium | Review alert volume baselines. Verify critical alerts are not inadvertently suppressed. Custom rules still override built-in ones. |
| Block external Teams users from Defender — Security teams can now block external Teams users via the Tenant Allow/Block List in the Defender portal. r/msp | Medium | Update SOC playbooks to include Defender as a blocking surface for malicious external Teams users. |
| Defender for O365 Plan 1: Teams message user reporting — End-user reporting of suspicious Teams messages now available in Plan 1 (previously Plan 2 only). Planet Technologies | Medium | Enable the Teams message reporting feature in the Defender portal if you have Plan 1. |
MFA Enforcement: What You Need to Know
This is Phase 1 of Microsoft's mandatory MFA rollout. As of February 9, 2026, every account accessing the Microsoft 365 admin center must have at least one MFA method registered. No exceptions, no grace period.
- Shared admin accounts — These need to be eliminated or converted to named accounts with MFA.
- Break-glass (emergency access) accounts — Configure FIDO2 passkeys or certificate-based authentication to satisfy the MFA requirement.
- Service accounts using user identities — Scripts using ROPC (Resource Owner Password Credential) flow are incompatible with MFA. Migrate to service principals or managed identities.
- Phase 2 (Azure CLI, PowerShell, SDK, REST APIs) — began October 1, 2025. If you postponed it, you can request an extension until July 1, 2026.
Identity & Entra ID
Entra ID received several notable updates in February, including a new app deactivation capability, simplified session revocation, hybrid join improvements, and stronger Authenticator protections.
| Change | Impact | Action Required |
|---|---|---|
| "Revoke sessions" replaces "Revoke MFA sessions" — New button invalidates all active user sessions (not just per-user MFA sessions). Microsoft Learn | High | Update incident response runbooks. The behavioral change is more comprehensive — all sessions are revoked. |
| Entra app deactivation — GA — Reversibly deactivate app registrations without deleting them. New token requests denied; existing tokens valid until expiry. Microsoft Learn | High | Use for suspicious app investigations and tenant hygiene. Deactivate before deleting to confirm no dependencies break. |
| Hybrid Join via Entra Kerberos — Public Preview — Hybrid Azure AD Join without AD FS or Entra Connect Sync. CloudCapsule | Medium | Evaluate if this simplifies your hybrid join deployment, especially if reducing AD FS dependency. |
| Azure subscription required for guest governance — Entra ID Governance features for guest users now require a linked Azure subscription. Microsoft Learn | High | Link a valid Azure subscription. Without it, new guest governance configurations fail. |
| Authenticator: Jailbreak/root detection — Rolling out warning, blocking, then wipe modes for Entra credentials on jailbroken/rooted devices. Microsoft Learn | Medium | Notify end users in advance. No admin config needed — secure by default. |
| Soft deletion for cloud security groups — Deleted groups enter a 30-day retention window. Restorable with all memberships and properties. r/msp | Low | Update runbooks for group deletion procedures. Leverage restore before contacting Microsoft support. |
Entra App Deactivation: Why This Matters
The new app deactivation feature fills a gap that has existed since the early days of Azure AD. Previously, investigating a suspicious application meant either leaving it active (risky) or deleting it (destructive). Now you can set "isDisabled": true via the Entra admin center or Microsoft Graph API, which immediately blocks new token requests while preserving all configuration, permissions, and metadata for forensic review.
PATCH https://graph.microsoft.com/beta/applications/{applicationObjectId}
{ "isDisabled": true }Compliance & Purview
Microsoft Purview received updates across posture reporting, sensitive information type detection, role management, and eDiscovery workflows.
| Change | Impact | Action Required |
|---|---|---|
| Purview Posture Reports — GA — Executive-ready dashboards for data protection posture across Information Protection and DLP. Near-real-time insights. Microsoft Learn | Medium | Access via Microsoft Purview portal. No configuration needed. Use for board-level compliance reporting. |
| Sensitive information type (SIT) detection improvement — OOB SITs now use strict proximity matching. Fewer false positives, but alert volumes may change. CloudCapsule | High | Review DLP alert volumes. Some previously-triggered alerts may stop; some previously-missed content may now trigger. Adjust policies if needed. |
| Purview high-privileged roles mapped to Entra roles — Purview Content Reader, Writer, and Administrator roles now align with Entra roles. r/sysadmin | Medium | Audit current Purview role assignments. Verify no unintended privilege escalation. |
| eDiscovery: Secure temporary containers for exports — Exports expire after 14 days. Review sets and case-level data sources deprecated in Content cases. r/msp | High | Ensure legal teams know exports must be retrieved within 14 days. Update eDiscovery workflow documentation. |
| eDiscovery: Tenant-level process report — Monitor all eDiscovery processes across the tenant in a single view. r/msp | Low | Use as a central dashboard for eDiscovery operations auditing. |
Microsoft Teams
Teams received a wave of updates focused on external collaboration controls, meeting intelligence, and phone system improvements.
| Change | Impact | Action Required |
|---|---|---|
| Trust indicators for external collaborators — Visual badges: External-Familiar, External-Unfamiliar, Guest, Email Verified, Unverified. Microsoft Tech Community | High | Review trusted domain list in External Access settings. Communicate badge meanings to users. |
| Customizable meeting recap templates — Speaker Summary, Executive Summary, or custom prompt-based templates for AI-generated post-meeting recaps. Microsoft Tech Community | Low | No admin action. Communicate to power users and managers. Requires M365 Copilot license. |
| External Collaboration Administrator RBAC role — New dedicated role for managing external access policies without broader admin privileges. r/msp | Medium | Assign this role to staff managing external access instead of full Teams Service Administrator. |
| Simplified external collaboration settings — Three predefined modes: Open, Controlled, Custom. r/msp | Medium | Evaluate which mode matches your current configuration. Verify backward compatibility after rollout. |
| Simplified meeting URLs — Shorter, cleaner join links. r/msp | Medium | Audit automated workflows and calendar integrations that parse Teams meeting URLs. Regex-based parsing may break. |
| Queues app: Shared call history & 45-day reporting — Unified call/voicemail history for queue members; reporting extended from 30 to 45 days. Microsoft Tech Community | Low | Configure access permissions for shared history. |
| Multi-message forwarding — Select up to 5 messages and forward them together. Microsoft Tech Community | Low | No action required. |
| Designer bot & Designer banners retired — Removed February 27, 2026. r/sysadmin | Low | Direct users to designer.microsoft.com or Copilot Create. |
SharePoint & OneDrive
The standout SharePoint change this month is the Content Security Policy (CSP) in report-only mode. This is a warning shot: strict CSP enforcement arrives in March 2026, and any custom SharePoint solutions using inline scripts or third-party embeds will break if not remediated now.
| Change | Impact | Action Required |
|---|---|---|
| SharePoint CSP in report-only mode — CSP headers report untrusted scripts and inline JavaScript. Strict enforcement (blocking) comes in March 2026. r/msp | Critical | Use report-only mode NOW to identify custom solutions that will break. Remediate non-compliant scripts before March enforcement. |
| Centralized site branding via PowerShell — Manage SharePoint site branding programmatically at scale. r/msp | Low | Review PowerShell commands. Useful for MSPs and organizations with many sites. |
| SharePoint Admin Center: Dark mode default — Follows OS-level dark mode preference. LinkedIn | Low | No action required. |
| Purview Data Risk Assessments: SharePoint item-level investigation — Deeper analysis of specific files within SharePoint sites. r/msp | Medium | Use to investigate specific flagged items rather than site-level summaries. |
| OneDrive: Custom sync folder name — April 2026 — Set a custom name for the OneDrive sync root folder to avoid path length issues. Planet Technologies | Medium | Plan a shorter folder name. Set via Group Policy or Intune. Rolling out April 2026. |
Exchange Online
February was a pivotal month for Exchange Online. The EWS retirement timeline is now official and non-negotiable, and the Exchange ActiveSync version block goes live March 1. Both require immediate action.
| Change | Impact | Action Required |
|---|---|---|
| EWS retirement timeline confirmed — October 2026: phased disablement. April 2027: permanent removal. No extensions. Office 365 IT Pros | Critical | Check EWS usage in Admin Center reports. Identify all apps using EWS. Begin migration to Microsoft Graph. Configure AppID AllowList by August 2026 if still needed. |
| Block EAS versions below 16.1 — March 1, 2026 — Older Exchange ActiveSync versions lose mail/calendar sync. r/msp | Critical | Run Get-MobileDevice to identify affected devices. Upgrade or block before March 1. |
| Actionable Messages for moderation approvals — Moderation approve/reject now works from any Outlook client. r/msp | Low | No action needed. Improved workflow for moderators. |
| PowerShell database property string format change — Certain database properties in Exchange Online cmdlets are changing format. r/msp | Medium | Audit scripts that parse database property strings. Test before the format change takes effect. |
EWS Retirement: The Full Timeline
Exchange Web Services has been the backbone of mail, calendar, and contact integrations for nearly 20 years. Microsoft Graph now provides near-complete API parity, and the retirement timeline is final.
| Date | Milestone |
|---|---|
| Before August 2026 | Configure AppID AllowList and set EWSEnabled=True if you still need EWS access |
| October 1, 2026 | Phased EWS disablement begins — blocked by default unless explicitly configured |
| April 1, 2027 | Full and permanent EWS retirement — no extensions, no exceptions |
| May 2027 | Expected complete removal across all servers |
Your immediate steps should be to check EWS usage in the Microsoft 365 Admin Center → Reports → Usage → Exchange → EWS usage, identify every application and vendor relying on EWS, and begin migration planning to Microsoft Graph. According to UpTech Media, many third-party vendors have already migrated, but custom-built integrations and legacy line-of-business applications are the most common stragglers. The relevant Message Center notification is MC1227454.
If your organization uses EWS for anything — calendar sync, room booking, contact management, archive tools — this is the single most important action item from February's changes. The April 2027 deadline is absolute.
Intune & Endpoint Manager
Intune received reporting accuracy improvements and a new Secure Boot status report that's especially time-sensitive due to expiring certificates in June 2026.
| Change | Impact | Action Required |
|---|---|---|
| Reporting accuracy: Inactive devices excluded — Devices inactive for 12+ months are excluded from compliance/management reports. CloudCapsule | Medium | Expect improved compliance percentages. Consider running a stale device cleanup. |
| Secure Boot status report in Windows Autopatch — Shows Secure Boot status across all managed Windows devices. Critical due to 2011 certificates expiring June 2026. Microsoft Learn | High | Run the report now. Identify devices with Secure Boot enabled. Deploy certificate renewal updates before June 2026. |
| Windows: First Sign-In Restore Experience — Users can restore their environment if they missed the restore option during OOBE setup. Microsoft Tech Community | Low | Communicate the restore option to users. Reduces helpdesk calls after new device provisioning. |
Admin & Licensing
The most significant licensing change is the end of the free grace period for expired subscriptions, replaced by a paid Extended Service Term starting May 2026.
| Change | Impact | Action Required |
|---|---|---|
| Paid Extended Service Terms (EST) replacing grace period — After subscription expiry: renew, cancel, or pay a 3% monthly premium to maintain service. Production controls available Feb 16; enforcement begins May 4, 2026. Microsoft Learn | High | Review all subscriptions with AutoRenew=Off. Set end-of-term preferences before expiration. MSPs: communicate loss of free grace periods to clients. |
Notable Retirements in February 2026
Several features reached end-of-life this month. Source: r/sysadmin.
| Feature Retired | Replacement |
|---|---|
| Planner legacy task comments | Planner task chat |
| Whiteboard tab for Planner premium plans | Whiteboard app |
| Planner components in Loop pages | Loop native tasks |
| Planner integration with Viva Goals | N/A (Viva Goals also sunset) |
| iCalendar feed for Planner tasks | Outlook calendar sync |
| Endpoint-sensitive data alerts in Defender portal | Microsoft Purview DLP |
| Entra voice call authentication greeting | Standard Entra MFA (Feb 28) |
| Designer bot & Designer banners in Teams | designer.microsoft.com / Copilot Create (Feb 27) |
Copilot Quick Update
February was a big month for Microsoft 365 Copilot as well. Highlights include unified Copilot Chat experience in Teams meetings, customizable meeting recap templates with visual references from screen shares, SharePoint Lists/Sites grounding in Copilot Chat, meeting time analytics, scheduling from email threads, and brand kits in Copilot Create. All AI features require a Copilot license.
What to Do This Month
Here's a prioritized action list based on impact and urgency. Work through it top to bottom.
Priority 1 — Do This Week
- Verify all admin accounts have MFA. Check for shared, orphaned, and break-glass accounts. Configure FIDO2 or certificate-based auth for emergency access accounts. (Microsoft Learn)
- Identify devices on EAS versions below 16.1 before the March 1 block. Run
Get-MobileDeviceand upgrade or retire affected devices. - Audit SharePoint custom solutions for CSP compliance. Review report-only CSP logs to identify scripts that will break when strict enforcement arrives in March.
- Start EWS migration planning. Check Admin Center EWS usage reports. Inventory all applications and vendors using EWS. Begin scoping Microsoft Graph migration.
Priority 2 — Do This Month
- Update incident response runbooks to use the new "Revoke sessions" (not "Revoke MFA sessions") in Entra ID.
- Link an Azure subscription to Entra ID Governance if you use guest governance features.
- Review DLP alert volumes after the Purview SIT detection change. Adjust policies if needed.
- Run the Secure Boot status report in Windows Autopatch. Plan certificate renewal updates before June 2026.
- Review subscription renewal settings for the upcoming EST billing change. Set end-of-term preferences.
Priority 3 — Plan for Next Month
- Review Teams external collaboration settings and evaluate the new Open/Controlled/Custom modes.
- Assign the new Teams External Collaboration Administrator role to appropriate staff.
- Explore Purview Posture Reports for compliance reporting to leadership.
- Test Entra app deactivation as part of your app lifecycle management process.
- Communicate Copilot updates (meeting recaps, scheduling, brand kits) to power users.
February 2026 packed a significant punch. The MFA enforcement and EWS retirement announcements alone justify a thorough tenant review. The good news: most of these changes either improve your security posture or give you better tools to manage your environment. The key is staying ahead of the enforcement deadlines rather than reacting to them.
We'll be back next month with the March 2026 roundup. If you want these delivered directly to your inbox, subscribe below — or if you'd prefer a hands-on review of how these changes affect your specific environment, book a free assessment.
Need Help Navigating These Changes?
Book a free 30-minute assessment to review how February's updates affect your tenant — and get a prioritized action plan tailored to your environment.
Book Your Free Assessment