Skip to main content

M365 Roundup, March 2026: E7 Arrives and Entra Gets an Undo Button

Nick Ross8 min read

TL;DR

  • Microsoft 365 E7 and Microsoft Agent 365 become generally available on May 1, 2026.
  • Microsoft Entra Backup and Recovery enters public preview, restoring users, groups, applications, Conditional Access policies, and other core directory objects from daily backups.
  • External MFA in Entra ID is now generally available and replaces Custom Controls, which are deprecated on September 30, 2026.
  • SharePoint One-Time Passcode authentication retires starting July 2026, with new external sharing moving to Entra B2B from May 2026.
  • Entra registration campaigns will start nudging MFA-capable users toward passkeys automatically in Microsoft-managed tenants from early April 2026.

May 1, 2026 is the date to circle this month: Microsoft 365 E7 and Agent 365 both go GA, Microsoft's clearest signal yet that agents are becoming a licensed product line. The identity side is just as busy, with Entra gaining a Microsoft-managed backup and restore capability, external MFA reaching general availability, and passkey nudges going automatic. Everything that matters from March, by product.

A note on how we compile this: CloudCapsule is purpose built for MSPs scaling a security practice on Microsoft 365. Tenant scans average 60 seconds and collect over 200 data points, and remediation and policy management now ship in the portal, so you can deploy fixes right where you find the gaps.

CloudCapsule automated security assessments and policy management
Microsoft Entra ID logo

Microsoft Entra

Entra Backup and Recovery enters public preview

Microsoft Entra Backup and Recovery builds identity resilience into daily operations with an always-on, Microsoft-managed solution that restores critical identity objects to a known-good state. It provides automatic backups, point-in-time visibility into configuration changes, and a built-in safeguard that prevents the backups themselves from being disabled, deleted, or altered.

The public preview restores core directory objects from one backup a day within the last 5 days, covering users, groups, applications, service principals, Conditional Access policies, authentication method policy, authorization policy, and named locations.

Microsoft Entra Backup and Recovery restoring directory objects

Details: Strengthen identity resilience with Microsoft Entra Backup and Recovery (opens in new tab)

External MFA is generally available

External multifactor authentication (previously known as external authentication methods) has reached GA, letting you integrate trusted third-party MFA providers while keeping Entra ID as the central identity control plane. External MFA replaces Custom Controls, which will be deprecated on September 30, 2026, so plan the migration now.

External MFA configuration in Microsoft Entra ID

Details: External MFA in Microsoft Entra ID is now generally available (opens in new tab)

Registration campaigns start pushing passkeys automatically

Microsoft Registration Campaigns will support passkeys (FIDO2), nudging users toward phishing-resistant credentials during sign-in. Eligible tenants can opt users into passkey registration prompts, and tenants in the Microsoft-managed state will be switched automatically.

Your tenant is affected in the Microsoft-managed state when all of the following are true: the passkeys (FIDO2) authentication method policy is enabled, self-service setup is allowed, no AAGUID restrictions are configured (Target specific AAGUIDs is not selected), and the Authentication Methods Registration Campaign state is set to Microsoft-managed. When those conditions are met, these settings change automatically:

  • The targeted authentication method changes from Microsoft Authenticator to passkeys (FIDO2).
  • Days allowed to snooze drops from three days to one day, and is no longer configurable.
  • Limit number of snoozes is disabled, and is no longer configurable.
  • Targeting expands to all MFA-capable users, and is no longer configurable; default user targeting changes from voice call or text message users to all MFA-capable users.

Affected users will see passkey registration nudges at sign-in after completing MFA. Rolling out early April 2026, complete in late May 2026.

Entra Tenant Governance enters public preview

Mergers, acquisitions, and shadow IT leave organizations with a fragmented tenant landscape. Microsoft Entra Tenant Governance provides a centralized, risk-informed way to discover, govern, and continuously secure all related tenants.

Microsoft Entra Tenant Governance multi-tenant view

Details: Microsoft Entra Tenant Governance: secure and manage multi-tenant environments (opens in new tab)

Microsoft Admin logo

Admin and licensing

Microsoft 365 E7 is coming May 1

Built for what Microsoft calls the agentic moment, Microsoft 365 E7 and Microsoft Agent 365 will be generally available as of May 1, 2026. A new top-tier suite is also a new licensing conversation with every enterprise client.

Microsoft 365 E7 announcement

Details: March 2026 Partner Center announcements (opens in new tab)

Microsoft 365 Apps logo

Microsoft 365 Apps, SharePoint, and OneDrive

SPO one-time passcodes retire in favor of Entra B2B

SharePoint One-Time Passcode (SPO OTP) authentication in OneDrive and SharePoint starts retiring in July 2026, and new external sharing begins using Microsoft Entra B2B instead from May 2026:

  • May 2026: Invitation and authentication for new external sharing begins transitioning to Microsoft Entra B2B. Users who previously authenticated via SPO OTP keep access to specific people links even without a B2B guest account yet.
  • July 2026: Retirement of SPO OTP authentication begins. External users without a guest account get access denied on previously shared specific people links. Restoring access requires creating a guest account in Entra B2B, or having an allowed user share or re-share at least one file, folder, or site.

Retirement is expected to complete by August 31, 2026. If your clients lean on specific-people links with external recipients, this is the external sharing change to plan for now.

To reduce unintended long-term access to internal content, admins can automatically expire "People in your organization" sharing links in SharePoint and OneDrive after a defined period, cutting exposure from stale links. Rolling out mid-March 2026, complete by late June 2026.

Targeted restores in Microsoft 365 Backup

Microsoft 365 Backup gains granular restore: admins can browse, search, and restore individual files or folders from restore points for protected SharePoint sites and OneDrive accounts, instead of restoring whole sites. Rolling out late April 2026, complete by early May 2026.

Granular file and folder restore in Microsoft 365 Backup

Markdown editing lands in OneDrive and SharePoint

OneDrive and SharePoint now support viewing and editing Markdown (.md) files directly in the browser, no downloads or third-party tools needed. Rolling out mid-April 2026, complete by late May 2026.

Markdown file editing in OneDrive and SharePoint

Custom names for the OneDrive sync folder

IT admins can set a custom name for the local OneDrive sync root folder on Windows devices using the policy Set a custom name for the OneDrive sync folder (String ID CustomSyncRootFolderName). The default "OneDrive - (organization name)" folder name contributes to Windows path length problems in deeply nested structures; now you can shorten it. Rolled out mid-March 2026, complete March 18, 2026 (previously early April).

Custom OneDrive sync folder name policy

A cleaner OneDrive Activity Center on macOS

The OneDrive Activity Center on macOS is getting a refresh: a cleaner, more intuitive way to check sync status, manage files, and resolve issues from the desktop. Rolling out early April 2026, complete by late May 2026.

Redesigned OneDrive Activity Center on macOS
Microsoft Purview logo

Microsoft Purview

Item-level oversharing remediation in DSPM

Data Risk Assessments in Data Security Posture Management now support item-level investigation and remediation of SharePoint. New item-level insights such as sensitivity label status and sharing link details make it easier to pinpoint overshared content, and admins can act directly on selected items: resolving findings, notifying owners, applying sensitivity labels, or removing sharing links. Requires E5 or the Purview Suite add-on. Rolling out early March 2026, complete by mid-March 2026.

Item-level investigation in Purview Data Risk Assessments

Credential scanning in the Data Security Posture Agent

The Data Security Posture Agent gains credential scanning to discover exposed credentials across scoped locations. The agent analyzes selected data locations to detect sensitive credential types, including Microsoft Entra user credentials, private keys, and API tokens, and provides risk scores, AI-generated insights, confidence ratings, and credential categories in a single task board view for review and action. Requires the Agent add-on. Rolling out late June 2026, complete by early July 2026.

Credential scanning in the Purview Data Security Posture Agent

AI triage summaries for DLP alerts in Defender XDR

Security analysts get AI-generated summaries and categorizations from the Purview Data Security Triage Agent surfaced on DLP alerts in Microsoft Defender XDR, speeding up triage. Rolling out mid-August 2026, complete by late August 2026.

Data Security Triage Agent summaries on DLP alerts in Defender XDR

Hard delete with a priority cleanup workflow

Data Lifecycle Management adds a priority cleanup workflow that lets administrators permanently delete (hard delete) specific OneDrive and SharePoint content types, even when retention policies or holds are in place. Rolling out late May 2026, complete by mid-June 2026.

Priority cleanup hard delete workflow in Purview
Microsoft Copilot logo

Microsoft Copilot

Copilot Cowork: describe the outcome, delegate the work

Cowork is a new way to delegate work to Copilot. Describe the outcome you want and Cowork grounds the work in your emails, meetings, messages, files, and data. Powered by Work IQ, it draws on signals across Outlook, Teams, Excel, and the rest of Microsoft 365 to act with the understanding you would bring yourself. Rolling out late March 2026.

Details: Copilot Cowork: a new way of getting work done (opens in new tab) and the full Wave 3 announcement roundup (opens in new tab).

Federated connectors bring MCP to Copilot

Federated Copilot connectors let users securely connect Copilot to third-party sources and retrieve data in real time using the Model Context Protocol (MCP). The connectors do not store or index customer data in Microsoft services; access happens in real time under the user's identity, while admins keep full governance through the Microsoft 365 admin center.

Microsoft-published federated connectors available at GA include Canva, HubSpot, Linear, Intercom, Google Calendar, Google Contacts, Notion, S&P Global, Moody's, and LSEG. Rolling out late April 2026, complete by late May 2026.

Federated Copilot connectors using the Model Context Protocol

Claude Sonnet joins Copilot Chat

Anthropic's Claude Sonnet is available in Copilot Chat in Frontier, alongside the latest OpenAI models, giving users a choice of model per task. Rolling out gradually, expected complete late March 2026.

Model selection including Claude Sonnet in Microsoft 365 Copilot

Copilot Notebooks features land in Frontier Public

Several new Copilot Notebooks features arrive in the Frontier Public environment to help users learn faster, create content more efficiently, and collaborate within their organization. Rolling out early April 2026 through early May 2026.

New Copilot Notebooks features in Frontier Public

Full breakdown: Copilot Notebooks enhancements for creation, collaboration, and learning (opens in new tab)

Microsoft Teams logo

Microsoft Teams

Teams will name the bots crashing your meetings

To protect meeting content and increase visibility into automated participants, Teams is introducing detection of external meeting assistant bots as they attempt to join meetings. Organizers get awareness and control, and administrators get clear controls for how detected bots are handled across the organization. Rolling out early June 2026, complete by mid-June 2026.

External bot detection joining a Teams meeting

Video recap for meetings (Copilot required)

Teams is adding video-based meeting recaps: narrated video highlights from recorded meetings that combine key takeaways with short clips of the important moments, for catching up on missed meetings fast. Requires a Copilot license. Rolling out late April 2026, complete by early May 2026.

Video recap for Microsoft Teams meetings

Up to 10 phone numbers on one Teams account

Teams Phone user multi-line lets administrators assign up to 10 telephone numbers to a single Teams Phone user, all within one account. Users make and receive calls from multiple business numbers across Teams desktop, mobile, and devices without switching accounts or hardware. Rolling out late April 2026, complete by mid-May 2026.

Catch up view on Teams mobile

A new consolidated view helps mobile users triage conversations that need attention across chats, meeting chats, and followed channels or threads. Rolling out and completing early May 2026.

Catch up view in Teams mobile
Microsoft Outlook logo

Microsoft Outlook

Follow a meeting from Outlook mobile

Outlook mobile adds a follow option for meetings you cannot attend: organizers are prompted to record, and followers receive key updates and follow-up items. Rolling out mid-April 2026 (previously mid-March), complete by end of April 2026 (previously mid-April).

Follow a meeting option in Outlook mobile
Microsoft Edge logo

Microsoft Edge

Cross-tenant MAM for Edge work profiles

Organizations can apply Intune App Protection Policies to Edge work profiles even when the device is managed by another tenant. That protects corporate data in cross-tenant scenarios like contractors, partners, and mergers, without extra device enrollment or disruption to the user. Rolling out early April 2026, complete by mid-April 2026.

Details: Microsoft Edge cross-tenant support using Intune MAM (opens in new tab)

Microsoft Intune logo

Microsoft Intune

Windows Autopatch update readiness

Update readiness surfaces risks and blockers before Windows updates deploy, helping IT teams prepare devices proactively and cut failures, downtime, and reactive troubleshooting. Capabilities light up in the Windows Autopatch blade of the Intune admin portal starting March 2, 2026.

Windows Autopatch update readiness in the Intune admin portal

Details: Windows Autopatch update readiness overview (opens in new tab)

Track the changes without living in message center

Half of this month's updates quietly move security settings in tenants you manage. CloudCapsule scans 250+ controls in about 60 seconds per tenant and now deploys fixes from the same portal, so what Microsoft changes, you can see and remediate.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading