M365 Roundup, March 2026: E7 Arrives and Entra Gets an Undo Button
TL;DR
- Microsoft 365 E7 and Microsoft Agent 365 become generally available on May 1, 2026.
- Microsoft Entra Backup and Recovery enters public preview, restoring users, groups, applications, Conditional Access policies, and other core directory objects from daily backups.
- External MFA in Entra ID is now generally available and replaces Custom Controls, which are deprecated on September 30, 2026.
- SharePoint One-Time Passcode authentication retires starting July 2026, with new external sharing moving to Entra B2B from May 2026.
- Entra registration campaigns will start nudging MFA-capable users toward passkeys automatically in Microsoft-managed tenants from early April 2026.
May 1, 2026 is the date to circle this month: Microsoft 365 E7 and Agent 365 both go GA, Microsoft's clearest signal yet that agents are becoming a licensed product line. The identity side is just as busy, with Entra gaining a Microsoft-managed backup and restore capability, external MFA reaching general availability, and passkey nudges going automatic. Everything that matters from March, by product.
A note on how we compile this: CloudCapsule is purpose built for MSPs scaling a security practice on Microsoft 365. Tenant scans average 60 seconds and collect over 200 data points, and remediation and policy management now ship in the portal, so you can deploy fixes right where you find the gaps.


Microsoft Entra
Entra Backup and Recovery enters public preview
Microsoft Entra Backup and Recovery builds identity resilience into daily operations with an always-on, Microsoft-managed solution that restores critical identity objects to a known-good state. It provides automatic backups, point-in-time visibility into configuration changes, and a built-in safeguard that prevents the backups themselves from being disabled, deleted, or altered.
The public preview restores core directory objects from one backup a day within the last 5 days, covering users, groups, applications, service principals, Conditional Access policies, authentication method policy, authorization policy, and named locations.

Details: Strengthen identity resilience with Microsoft Entra Backup and Recovery (opens in new tab)
External MFA is generally available
External multifactor authentication (previously known as external authentication methods) has reached GA, letting you integrate trusted third-party MFA providers while keeping Entra ID as the central identity control plane. External MFA replaces Custom Controls, which will be deprecated on September 30, 2026, so plan the migration now.

Details: External MFA in Microsoft Entra ID is now generally available (opens in new tab)
Registration campaigns start pushing passkeys automatically
Microsoft Registration Campaigns will support passkeys (FIDO2), nudging users toward phishing-resistant credentials during sign-in. Eligible tenants can opt users into passkey registration prompts, and tenants in the Microsoft-managed state will be switched automatically.
Your tenant is affected in the Microsoft-managed state when all of the following are true: the passkeys (FIDO2) authentication method policy is enabled, self-service setup is allowed, no AAGUID restrictions are configured (Target specific AAGUIDs is not selected), and the Authentication Methods Registration Campaign state is set to Microsoft-managed. When those conditions are met, these settings change automatically:
- The targeted authentication method changes from Microsoft Authenticator to passkeys (FIDO2).
- Days allowed to snooze drops from three days to one day, and is no longer configurable.
- Limit number of snoozes is disabled, and is no longer configurable.
- Targeting expands to all MFA-capable users, and is no longer configurable; default user targeting changes from voice call or text message users to all MFA-capable users.
Affected users will see passkey registration nudges at sign-in after completing MFA. Rolling out early April 2026, complete in late May 2026.
Entra Tenant Governance enters public preview
Mergers, acquisitions, and shadow IT leave organizations with a fragmented tenant landscape. Microsoft Entra Tenant Governance provides a centralized, risk-informed way to discover, govern, and continuously secure all related tenants.

Details: Microsoft Entra Tenant Governance: secure and manage multi-tenant environments (opens in new tab)

Admin and licensing
Microsoft 365 E7 is coming May 1
Built for what Microsoft calls the agentic moment, Microsoft 365 E7 and Microsoft Agent 365 will be generally available as of May 1, 2026. A new top-tier suite is also a new licensing conversation with every enterprise client.

Details: March 2026 Partner Center announcements (opens in new tab)

Microsoft 365 Apps, SharePoint, and OneDrive
SPO one-time passcodes retire in favor of Entra B2B
SharePoint One-Time Passcode (SPO OTP) authentication in OneDrive and SharePoint starts retiring in July 2026, and new external sharing begins using Microsoft Entra B2B instead from May 2026:
- May 2026: Invitation and authentication for new external sharing begins transitioning to Microsoft Entra B2B. Users who previously authenticated via SPO OTP keep access to specific people links even without a B2B guest account yet.
- July 2026: Retirement of SPO OTP authentication begins. External users without a guest account get access denied on previously shared specific people links. Restoring access requires creating a guest account in Entra B2B, or having an allowed user share or re-share at least one file, folder, or site.
Retirement is expected to complete by August 31, 2026. If your clients lean on specific-people links with external recipients, this is the external sharing change to plan for now.
Expiration policies for internal sharing links
To reduce unintended long-term access to internal content, admins can automatically expire "People in your organization" sharing links in SharePoint and OneDrive after a defined period, cutting exposure from stale links. Rolling out mid-March 2026, complete by late June 2026.
Targeted restores in Microsoft 365 Backup
Microsoft 365 Backup gains granular restore: admins can browse, search, and restore individual files or folders from restore points for protected SharePoint sites and OneDrive accounts, instead of restoring whole sites. Rolling out late April 2026, complete by early May 2026.

Markdown editing lands in OneDrive and SharePoint
OneDrive and SharePoint now support viewing and editing Markdown (.md) files directly in the browser, no downloads or third-party tools needed. Rolling out mid-April 2026, complete by late May 2026.

Custom names for the OneDrive sync folder
IT admins can set a custom name for the local OneDrive sync root folder on Windows devices using the policy Set a custom name for the OneDrive sync folder (String ID CustomSyncRootFolderName). The default "OneDrive - (organization name)" folder name contributes to Windows path length problems in deeply nested structures; now you can shorten it. Rolled out mid-March 2026, complete March 18, 2026 (previously early April).

A cleaner OneDrive Activity Center on macOS
The OneDrive Activity Center on macOS is getting a refresh: a cleaner, more intuitive way to check sync status, manage files, and resolve issues from the desktop. Rolling out early April 2026, complete by late May 2026.


Microsoft Purview
Item-level oversharing remediation in DSPM
Data Risk Assessments in Data Security Posture Management now support item-level investigation and remediation of SharePoint. New item-level insights such as sensitivity label status and sharing link details make it easier to pinpoint overshared content, and admins can act directly on selected items: resolving findings, notifying owners, applying sensitivity labels, or removing sharing links. Requires E5 or the Purview Suite add-on. Rolling out early March 2026, complete by mid-March 2026.

Credential scanning in the Data Security Posture Agent
The Data Security Posture Agent gains credential scanning to discover exposed credentials across scoped locations. The agent analyzes selected data locations to detect sensitive credential types, including Microsoft Entra user credentials, private keys, and API tokens, and provides risk scores, AI-generated insights, confidence ratings, and credential categories in a single task board view for review and action. Requires the Agent add-on. Rolling out late June 2026, complete by early July 2026.

AI triage summaries for DLP alerts in Defender XDR
Security analysts get AI-generated summaries and categorizations from the Purview Data Security Triage Agent surfaced on DLP alerts in Microsoft Defender XDR, speeding up triage. Rolling out mid-August 2026, complete by late August 2026.

Hard delete with a priority cleanup workflow
Data Lifecycle Management adds a priority cleanup workflow that lets administrators permanently delete (hard delete) specific OneDrive and SharePoint content types, even when retention policies or holds are in place. Rolling out late May 2026, complete by mid-June 2026.


Microsoft Copilot
Copilot Cowork: describe the outcome, delegate the work
Cowork is a new way to delegate work to Copilot. Describe the outcome you want and Cowork grounds the work in your emails, meetings, messages, files, and data. Powered by Work IQ, it draws on signals across Outlook, Teams, Excel, and the rest of Microsoft 365 to act with the understanding you would bring yourself. Rolling out late March 2026.
Details: Copilot Cowork: a new way of getting work done (opens in new tab) and the full Wave 3 announcement roundup (opens in new tab).
Federated connectors bring MCP to Copilot
Federated Copilot connectors let users securely connect Copilot to third-party sources and retrieve data in real time using the Model Context Protocol (MCP). The connectors do not store or index customer data in Microsoft services; access happens in real time under the user's identity, while admins keep full governance through the Microsoft 365 admin center.
Microsoft-published federated connectors available at GA include Canva, HubSpot, Linear, Intercom, Google Calendar, Google Contacts, Notion, S&P Global, Moody's, and LSEG. Rolling out late April 2026, complete by late May 2026.

Claude Sonnet joins Copilot Chat
Anthropic's Claude Sonnet is available in Copilot Chat in Frontier, alongside the latest OpenAI models, giving users a choice of model per task. Rolling out gradually, expected complete late March 2026.

Copilot Notebooks features land in Frontier Public
Several new Copilot Notebooks features arrive in the Frontier Public environment to help users learn faster, create content more efficiently, and collaborate within their organization. Rolling out early April 2026 through early May 2026.

Full breakdown: Copilot Notebooks enhancements for creation, collaboration, and learning (opens in new tab)

Microsoft Teams
Teams will name the bots crashing your meetings
To protect meeting content and increase visibility into automated participants, Teams is introducing detection of external meeting assistant bots as they attempt to join meetings. Organizers get awareness and control, and administrators get clear controls for how detected bots are handled across the organization. Rolling out early June 2026, complete by mid-June 2026.

Video recap for meetings (Copilot required)
Teams is adding video-based meeting recaps: narrated video highlights from recorded meetings that combine key takeaways with short clips of the important moments, for catching up on missed meetings fast. Requires a Copilot license. Rolling out late April 2026, complete by early May 2026.

Up to 10 phone numbers on one Teams account
Teams Phone user multi-line lets administrators assign up to 10 telephone numbers to a single Teams Phone user, all within one account. Users make and receive calls from multiple business numbers across Teams desktop, mobile, and devices without switching accounts or hardware. Rolling out late April 2026, complete by mid-May 2026.
Catch up view on Teams mobile
A new consolidated view helps mobile users triage conversations that need attention across chats, meeting chats, and followed channels or threads. Rolling out and completing early May 2026.


Microsoft Outlook
Follow a meeting from Outlook mobile
Outlook mobile adds a follow option for meetings you cannot attend: organizers are prompted to record, and followers receive key updates and follow-up items. Rolling out mid-April 2026 (previously mid-March), complete by end of April 2026 (previously mid-April).


Microsoft Edge
Cross-tenant MAM for Edge work profiles
Organizations can apply Intune App Protection Policies to Edge work profiles even when the device is managed by another tenant. That protects corporate data in cross-tenant scenarios like contractors, partners, and mergers, without extra device enrollment or disruption to the user. Rolling out early April 2026, complete by mid-April 2026.
Details: Microsoft Edge cross-tenant support using Intune MAM (opens in new tab)

Microsoft Intune
Windows Autopatch update readiness
Update readiness surfaces risks and blockers before Windows updates deploy, helping IT teams prepare devices proactively and cut failures, downtime, and reactive troubleshooting. Capabilities light up in the Windows Autopatch blade of the Intune admin portal starting March 2, 2026.

Details: Windows Autopatch update readiness overview (opens in new tab)
Track the changes without living in message center
Half of this month's updates quietly move security settings in tenants you manage. CloudCapsule scans 250+ controls in about 60 seconds per tenant and now deploys fixes from the same portal, so what Microsoft changes, you can see and remediate.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


