Week 5 · 7 min read
January 26 – February 2, 2026
Act by
- 16 Feb 2026 — CISA's deadline for U.S. federal (FCEB) agencies to patch CVE-2026-21509, an actively exploited Microsoft Office security-feature-bypass zero-day that Microsoft fixed in an out-of-band update on 26 January. It isn't a legal mandate for private orgs, but it's a useful forcing function: the flaw affects Microsoft 365 Apps and Office 2016 / 2019 / LTSC 2021 / LTSC 2024 and sits on CISA's Known Exploited Vulnerabilities list. Prioritize pushing the out-of-band Office update across your estate. (MSRC Security Update Guide)
- 15 Jun 2026 — Conditional Access enforcement for All resources policies that carry resource exclusions begins. Only tenants with such a policy are affected; if you own custom apps that request only OIDC or a limited set of directory scopes, confirm they can handle CA challenges (MFA / device compliance) before this date. (Microsoft Entra Blog)
- 31 Mar 2027 — Managing Microsoft Sentinel in the Azure portal is sunset (extended from 1 Jul 2026). Begin planning the move to the Defender portal now; new capabilities ship there only. (Microsoft Sentinel Blog)
What changed
Microsoft pushed the deadline for managing Microsoft Sentinel in the Azure portal from 1 July 2026 to 31 March 2027, citing feedback from customers running Sentinel at scale. The Azure portal experience still works until then, but capabilities like Security Copilot, the Sentinel data lake and graph, attack disruption over sources such as AWS and Proofpoint, and future SOAR/case-management work are Defender-portal only. For interns, this means the unified Defender portal is where net-new SOC tooling lands — treat Azure-portal Sentinel as legacy and get comfortable in the Defender portal. (Microsoft Sentinel Blog)
Microsoft announced a Conditional Access enforcement change for policies that target All resources and include one or more resource exclusions. Today, a sign-in from a client requesting only OIDC scopes or a limited set of directory scopes bypasses such a policy; after enforcement (now 15 June 2026), the policy applies regardless of the scopes requested. Most tenants see no change because most apps request broader scopes, but affected tenants get Microsoft 365 Message Center notices. It matters on shift because it closes a quiet CA bypass path — expect new MFA/compliance challenges on a narrow set of flows and be ready to explain the change if users report unexpected prompts. You can also opt in early or override the behavior per-policy while you test. (Microsoft Entra Blog)
Microsoft Purview Data Security Investigations (DSI) reached general availability on 27 January. DSI lets data-security teams scope investigation-relevant data across Microsoft 365 — emails, Teams messages, documents, and even Copilot prompts and responses — run AI-powered deep content analysis to surface sensitive data and risk, and act on it in one workflow, including a new purge mitigation action that deletes overshared or sensitive content without leaving the investigation. It targets scenarios a SOC increasingly inherits: data breach and leak investigations, credential exposure, insider fraud, and sensitive data exposed in Teams. GA also brings usage-based pricing — billed separately for investigation storage and for the compute consumed during AI analysis — and access flows through existing Microsoft Purview role groups, so treat it as a capability to reach for on a data-exposure incident rather than one to leave running blind. (Microsoft Security Blog)
Defender for Cloud reworked its Cloud Infrastructure Entitlement Management (CIEM) recommendation logic across Azure, AWS, and GCP (effective 2 February). Inactive-identity detection now evaluates unused role assignments instead of sign-in activity, the inactivity lookback extends from 45 to 90 days, identities under 90 days old are skipped, and the Permissions Creep Index (PCI) metric is deprecated. Onboarding no longer needs elevated high-risk permissions, and AWS SAML/SSO and GCP identities require CloudTrail / Cloud Logging ingestion in the Defender CSPM plan to be fully evaluated. Expect your inactive-identity and over-permissioned-role recommendation counts to shift after this change — don't read the movement as a real posture change without checking the new logic. (Microsoft Defender for Cloud release notes)
Defender for Cloud added threat protection for AI agents built with Azure AI Foundry (2 February), in preview as part of the Defender for AI Services plan. It covers agents from development through runtime and targets threats aligned to OWASP guidance for LLM and agentic AI systems. As organizations stand up Foundry-based agents, this extends Defender coverage to a new attack surface the SOC will increasingly see in alerts. (Microsoft Defender for Cloud release notes)
Defender for Office 365 extended sender-blocking to Microsoft Teams. Admins can now block malicious external domains and email addresses directly from the Defender portal's Tenant Allow/Block List, and those entries flow through to the Teams Admin Center blocked domains and users list. Blocking is near-real-time: new external chat messages, meeting invites, and channel communications from a flagged organization are halted and existing messages from those senders are removed. For a SOC this closes a response gap — when a Teams-based phishing or impersonation campaign is identified, you can shut down the abusing external org from the same console you triage email in instead of pivoting to Teams admin. It shipped in the January/early-February updates and rolls out to tenants from mid-February. (Defender for Office 365 what's new, Block domains and addresses in Teams)
Two Teams post-delivery protections that were previously reserved for Defender for Office 365 Plan 2 became available to Plan 1 by default: zero-hour auto purge (ZAP) for Teams, which retroactively removes messages found malicious after delivery, and admin management of quarantined Teams messages from the Defender portal. This brings a post-delivery safety net to Plan 1 tenants — malicious Teams messages that slip past initial filtering can be auto-purged or pulled from quarantine without a Plan 2 license. (Defender for Office 365 what's new)
Worth knowing
The Sentinel-to-Defender move is the piece to internalize this week. The 30 January extension to 31 March 2027 buys planning time, not a reprieve: net-new SIEM capability — Security Copilot, the data lake and graph, attack disruption across sources like AWS and Proofpoint, and future SOAR and case-management work — ships in the Defender portal only, and the Azure-portal experience is now legacy. Analytics rules, playbooks, workbooks, and the underlying Log Analytics workspace all carry forward, but the unified RBAC (URBAC) groundwork sits on the critical path, so the practical takeaway for interns is to get fluent in the Defender portal now rather than at cutover. (Microsoft Sentinel Blog)
Two identity-hardening changes bracket the window. Alongside the Conditional Access enforcement change above, Microsoft began rolling out jailbreak/root detection for Microsoft Entra credentials in the Microsoft Authenticator app from February 2026, progressing from warning mode to blocking mode — users on jailbroken or rooted devices will eventually be unable to use Entra accounts in Authenticator. Both changes raise the baseline for how much a compromised or tampered client can do, and both are worth flagging to users before the prompts and blocks appear. (Microsoft Entra what's new)
No scheduled Microsoft Patch Tuesday fell in this window — the January 2026 updates released on 13 January and February's land on 10 February — but the lull wasn't quiet. On 26 January Microsoft shipped an out-of-band emergency patch for CVE-2026-21509, an actively exploited Office security-feature-bypass zero-day (CVSS 7.8) that bypasses the OLE mitigations protecting users from vulnerable COM/OLE controls. Exploitation needs a user to open a specially crafted Office file — the Preview Pane isn't an attack vector — and it affects Microsoft 365 Apps and Office 2016 through LTSC 2024. CISA added it to the Known Exploited Vulnerabilities catalog with a 16 February federal patch deadline. Use the gap between cycles to confirm both January's fixes and this out-of-band Office update are fully deployed across the estate — Defender Vulnerability Management will show which devices are still exposed — and to stage patch-verification and hunting for the 10 February release. (MSRC Security Update Guide)