Validate per tenantAgent 365 licensing and prerequisites need tenant-by-tenant validation

Agent 365 is available through Microsoft 365 E7 and may also be available through standalone or add-on licensing depending on tenant eligibility, programme and commercial terms. Because packaging and prerequisites are evolving, do not assume coverage from a lower SKU or from a previous quote. Validate the current terms with Microsoft Product Terms, the customer's CSP / partner and the tenant's actual eligibility before designing the rollout.

Action: confirm the current Agent 365 quote line, prerequisites and eligible base licences with the CSP / partner before including Agent 365 in a project scope or budget.

Billing rollingMicrosoft 365 E7 commerce cycles reflect the 1 May GA

Microsoft 365 E7 went GA on 1 May and bundles Microsoft 365 E5-level productivity / security capabilities with Microsoft 365 Copilot, Agent 365 and advanced identity / security capabilities. June is one of the first practical commercial planning windows after the 1 May GA for customers comparing their existing E5 + Copilot + Agent 365 + Entra Suite stack against Microsoft 365 E7. If E7 is on the renewal radar, this is the right moment to map the existing stack against E7 list before the next renewal cycle locks in.

PreviewPower Platform inventory shows connector footprint per resource

A new connectors column rolls out across canvas apps, model-driven apps, cloud flows, agent flows and agents, letting admins see at a glance which connectors each resource calls. Public preview from 2 June. Pairs well with the Advanced Connector Policies GA later in the month for governance teams responsible for the maker estate.

KB5094126Windows 11 June cumulative update: desktop.ini hardening

The June Patch Tuesday update introduces security hardening for the processing of desktop.ini in content downloaded from remote locations. The side effect known so far: some users see missing custom folder icons or localised folder names. Test against your standard images before broad deployment, especially in environments that rely on branded folder icons or localised file shares.

Action: confirm pilot ring sees no regression in branded / localised folder rendering before broad ring opens. Link KB to the change ticket.

GAPower Platform Advanced Connector Policies (ACP) generally available

ACP is GA, giving admins finer control over which connectors and which connector operations can run in which environments. Material for tenants with a sizeable maker community across multiple environments; pairs with the new connectors-column inventory preview from 2 June. Worth a fresh look at existing DLP connector policies before rolling out the more granular ACP rules.

Action: inventory current connector DLP groupings; identify where ACP gives meaningful enforcement value over what DLP groups already cover.

Rolling outConditional Access improved enforcement for All-resources policies with exclusions

Microsoft Entra ID started rolling out improved enforcement for Conditional Access policies targeting All resources with resource exclusions from 13 May 2026, with rollout continuing through the June window. Tenants with policies that relied on the older exclusion behaviour may see previously masked blocks, MFA prompts or session controls.

Action: filter the Conditional Access tenant for any All-resources policy with exclusions, review sign-in logs / report-only impact, and confirm sign-ins to previously excluded scopes still behave as expected.

Retires 15 JunMicrosoft Sentinel Repositories REST API: older versions retired

Source Control actions using older Sentinel Repositories REST API versions stop working from 15 June. CI / CD pipelines and infrastructure-as-code wiring that pushes Sentinel content packs through Git must be on the current API surface. The break tends to surface during the next pipeline run rather than instantly.

Action: grep the IaC repo and Git-backed Sentinel content pipelines for old API versions; pin to current ones in the deployment definitions.

GAWork IQ API generally available, billing through Copilot Credits

Work IQ API GA. Custom agents and third-party AI platforms can ground on Microsoft 365 data with security and governance enforced at the API layer. Billing flows through Copilot Credits, meaning end-user use of grounded agents incurs charges back to the tenant. Important to surface to finance before makers start scaling third-party agents on top of Microsoft 365 content.

Action: align Copilot Credits monitoring with the makers' agent deployment plan; set a usage alert threshold in commerce.

Rolling outMicrosoft 365 Copilot app redesign

A streamlined, chat-centred experience with a simplified prompt and response layout and a refreshed navigation model. Visible to nearly all Copilot users in June. Update internal training screenshots and any embedded video walkthroughs the L&D team relies on.

GAAgentic capabilities in Word, Excel and PowerPoint

Copilot can plan, execute and refine multi-step work in-app: drafting a document end-to-end, running an analytical workflow across an Excel model, building a deck from a brief. Significant change-management impact on end-user training and on how the L&D and IT teams think about Copilot adoption metrics.

Rolling outCopilot Notebooks UI refresh with Teams meeting grounding

Notebooks now bring chats, output creations and references into a single UI, with the OneNote-side experience kept in sync. Notebooks can also ground on individual Teams meetings: transcripts, notes, chats and shared content as a single knowledge source per meeting. Useful for project reviews and incident retrospectives.

Rolling outCopilot Notebooks expanding to Copilot Chat tier

Notebooks is no longer Microsoft 365 Copilot licence-only. It is rolling out to broader Copilot Chat users in June. Watch for licensing-tier confusion among end users who may not realise the same Notebook can present a different feature set depending on the viewer's licence. A short FAQ in the internal Copilot hub avoids a wave of helpdesk tickets.

PreviewAgent 365 context mapping in Defender + Intune runtime blocking

New Agent 365 capabilities enter public preview in June. Defender surfaces asset and identity context maps per agent; Intune applies policy-based controls plus runtime blocking and alerts for OpenClaw, with the Shadow AI page in the Microsoft 365 admin centre exposing unmanaged agents touching tenant data. This is the month admins start seeing the full control plane Microsoft has been describing since May GA.

Action: open the Shadow AI page in the M365 admin centre and walk through the agent register. Record gaps in ownership / posture before scaling enforcement.

PreviewAgent 365 registry sync with AWS Bedrock and Google Cloud

Cross-platform agent observability. Admins can connect the Agent 365 registry to AWS Bedrock and Google Cloud connections to discover, inventory and (soon) lifecycle-manage agents across clouds. Relevant for organisations running AI workloads outside Azure and wanting a single agent register.

PreviewWindows 365 for Agents (US only)

A new class of Cloud PCs purpose-built for agentic workloads, managed in Intune, with the same identity, security and management controls used for employee Cloud PCs. Available only in the United States during preview. Worth a closer look for organisations piloting Agent 365 with a regulated data-residency workload.

GAViva Engage events experience

Events in Viva Engage now supports conversation before, during and after an event with publish-once cross-surface engagement spanning SharePoint, Teams and Engage. Useful for all-hands and large announcements where the discussion thread is as important as the live moment.

Rolling outViva Engage admin modernisation: sensitivity labels + new email domain

Viva Engage admin gets sensitivity-label support, a new Engage email domain, improved admin workflows and stronger governance options. Useful for tenants running a Purview information-protection programme that previously had a documented Engage gap. Mail-flow teams need the new domain on the radar for transport-rule design and SPF / DMARC alignment.

Rolling outTeams External Domains Anomalies Report

A new admin report surfaces unusual or risky external interactions: spikes, new domains, abnormal engagement patterns across Teams external communications. Pairs well with Defender for Office 365's Teams ZAP and admin domain blocking. Worth wiring into the monthly Teams admin review.

Rolling outTeams: Microsoft 365 Certified App management at tenant level

Admins can now allow only Microsoft 365 Certified SaaS apps through org-wide settings, providing a vetted middle path between "everything allowed" and explicit allowlists. Useful when the SaaS shadow IT footprint is large enough that an explicit allowlist is impractical but everything-on is not acceptable.

Default changeTeams Copilot / Facilitator transcription behaviour: default policy changes

Teams Copilot / Facilitator no longer automatically starts transcription where the default policy moves from EnabledWithTranscript to Enabled. This is not the same as a global removal of Teams recording or transcription. It affects the Copilot / Facilitator transcription-start behaviour and should be reviewed by tenants that rely on automatic transcription for eDiscovery, Communication Compliance, meeting summaries or internal meeting guidance.

Action: review Teams meeting policies, Copilot / Facilitator guidance, eDiscovery assumptions and Communication Compliance workflows that depend on automatic transcription.

GASentinel Data Lake tier ingestion for Defender XDR Advanced Hunting tables

Direct ingestion of specific Defender XDR Advanced Hunting tables into the Sentinel data lake without analytics-tier ingestion. Designed for long-retention, cost-effective storage and retrospective hunts at scale. SOC budget owners should re-look at the data-tiering plan now that the data lake takes more of the XDR surface natively.

Operational reminderDefender for Office 365 Plan 1: validate Teams ZAP + admin quarantine workflow

Teams ZAP and admin management of quarantined Teams messages are now important baseline checks for Defender for Office 365 Plan 1 tenants. Although rollout and default enablement started earlier in 2026, June is a good point to validate that the operational workflow is actually working: quarantine review, Teams blocked domains, admin actions and user communications. A real upgrade for SMB tenants where P2 was previously out of reach.

GAPurview Data Security Investigations: audit-search-driven content collection

Inside DSI, audit-log-driven content collection is GA: query by time, activities, users and keywords, and DSI pulls the associated content into the investigation. Reduces time-to-evidence for insider-risk and incident-response teams. Where available and licensed, useful as a complement to Activity Explorer in DLP validation runbooks.

Rolling outPurview DLP for Microsoft 365 Copilot: web-search controls worldwide

Purview DLP for Copilot and Copilot Chat now extends to web searches containing sensitive data, with real-time controls. Preview landed in March; worldwide rollout in June. Worth a fresh look at the DLP policies that govern Copilot prompts and groundings, especially in tenants with regulated SITs in scope.

GAPurview DLP devices dashboard: 30-minute sync confirmation

The Devices dashboard now confirms DLP policies are synced to devices within 30 minutes of application. Always-on diagnostics is GA on macOS in addition to Windows. Useful for SOC and DLP teams who previously had to wait longer or rely on Advanced Hunting to confirm a policy had landed.

GAIntune Linux support: Ubuntu 26.04 LTS in, Ubuntu 22.04 on the runway, RHEL to revalidate

Ubuntu 26.04 LTS is now supported in Intune for Linux. Ubuntu 22.04 LTS support is on the runway for retirement in August 2026, and RHEL 8 support should be validated against the current Microsoft Learn supported-distributions list before setting migration deadlines. The transition is not automatic; affected devices need an in-place upgrade or replacement before their distro support window closes.

Action: pull a Linux-by-distro Intune report; validate each distribution against the current Microsoft Learn support matrix; schedule Ubuntu 22.04 → 24.04 / 26.04 and any applicable RHEL migrations before the support window closes.