Is your organization prepared for the Microsoft Entra DigiCert G2 migration?
Microsoft has formally announced a mandatory change affecting all Microsoft Entra services. By January 7, 2026, the TLS certificates presented by Entra endpoints will chain to DigiCert Global Root G2 instead of DigiCert Global Root G1 (the root whose certificate carries the subject name "DigiCert Global Root CA").
This migration is not optional on the client side. Any system that does not hold the G2 root in its trust store, or that pins the G1 root, will fail the TLS handshake and lose connectivity to Entra. Current operating systems and browsers have shipped G2 in their trust stores for years, so the exposure is concentrated in applications that maintain their own trust lists or pins and in appliances with stale certificate stores. Administrators should verify those now rather than discover them through authentication outages.
Understanding the Change: G1 vs. G2
To establish a TLS session, a server presents a certificate chain: a leaf certificate for the host name, one or more intermediate CA certificates, and, at the top, a root Certification Authority (CA) certificate. The client accepts the leaf only if it can build a chain of valid signatures from the leaf up to a root that is already in its own trust store; the client's copy of the root is what anchors the chain, whether or not the server also sends it.
- Current State (G1): Microsoft Entra endpoints currently present chains that terminate at DigiCert Global Root G1, which has been the anchor for years.
- Future State (G2): Microsoft is moving to DigiCert Global Root G2. The G2 root (valid until 2038) is self-signed with SHA-256 rather than the SHA-1 used for G1's self-signature, and the major root programs have distributed it for over a decade, so it is already present on any up-to-date platform.
The Core Risk: Certificate Pinning
The primary risk is certificate pinning. Pinning is when an application is hard-coded to trust only a specific certificate or public key, identified by its thumbprint or key hash, rather than any chain the platform trust store would accept. A pin may target the leaf, an intermediate, or the root; the case at hand is a pin on the G1 root.
When Microsoft switches to G2, an application pinned to G1 will reject the new chain during the TLS handshake because nothing in that chain matches the pinned value. The connection never completes, so the application cannot sign in or fetch data, and the failure surfaces as a TLS or certificate error rather than an authentication error.
You are at risk if your applications:
- Ship their own trust list (a custom CA bundle, keystore, or explicit list of accepted CAs) instead of using the platform store, and that list omits G2.
- Run on hosts whose trust store lacks the DigiCert Global Root G2 certificate, such as appliances or long-unpatched servers.
- Pin the G1 root, or an intermediate issued under it, by thumbprint or public-key hash.
Impacted Domains
If your systems do not trust the new G2 root, connections to the following critical endpoints will fail:
- login.microsoftonline.com (Core Azure AD/Entra ID login)
- login.live.com (Microsoft Account authentication)
- login.windows.net (Legacy Azure AD endpoints)
- autologon.microsoftazuread-sso.com (Single Sign-On services)
- graph.windows.net (Azure AD Graph API)
Advisory Action Plan
Administrators must take specific steps to ensure business continuity. Complete the following before the January 2026 deadline:
- Audit Trust Stores: Verify that the DigiCert Global Root G2 certificate is present in the trust store of every server, load balancer, proxy, and client device that talks to Entra, including any application-specific CA bundles or keystores. Compare by fingerprint rather than by display name: the SHA-1 thumbprint DigiCert publishes for the G2 root is DF3C24F9BFD666761B268073FE06D1CC8D4F82A4, and the values in your stores should match those on DigiCert's root certificate page.
- Remove Dependencies: Identify applications that pin the DigiCert Global Root G1 (search code and configuration for its thumbprint, the subject name "DigiCert Global Root CA", or an embedded copy of the certificate). Remove the root pin and rely on the platform trust store; if pinning is a hard requirement, at minimum extend the pin set to include G2 and plan for future rotations.
- Trust the Chain: Ensure your systems trust the G2 root and the subordinate (intermediate) CAs that will issue the new endpoint certificates. Microsoft documented these subordinates in September 2025.
- Test Connectivity: In a staging environment, remove or block the G1 root so that any component still depending on it fails visibly, and confirm that the same components accept a chain terminating at G2.
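To make the failure modes in the risk list and the action plan concrete, here is an added example in Go using only the standard library's crypto/x509 chain verifier. It is not Microsoft's or DigiCert's code and is not part of the original advisory. It generates a toy hierarchy in memory: a stand-in "G1" root, a stand-in "G2" root, and a leaf for login.microsoftonline.com issued through an intermediate under the G2 root, which is the shape of the post-migration chain. All names, keys and fingerprints are constructed for the demonstration; the host name is the only value taken from the page. The chain is then evaluated against each client configuration the advisory describes: a trust store lacking G2, a store that holds G2, an application pinned to the G1 root's fingerprint, and the same application after its pin set is extended to G2.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Host the constructed leaf is issued for; the certificate is a local stand-in, not the real one.
const host = "login.microsoftonline.com"

type ca struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with parent, or self-signs it when parent is nil; every certificate here is generated in memory for the demonstration.
func issue(tmpl *x509.Certificate, parent *ca) *ca {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl.SerialNumber = must(rand.Int(rand.Reader, big.NewInt(1<<62)))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	signerCert, signerKey := tmpl, key // self-signed root
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey))
	return &ca{must(x509.ParseCertificate(der)), key}
}

func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

// Fixture is the toy hierarchy: a G1 root clients already trust, a G2 root, and the post-migration chain issued under G2.
type Fixture struct{ G1, G2, Inter, Leaf *x509.Certificate }

func NewFixture() Fixture {
	g1 := issue(caTemplate("Toy Global Root G1"), nil)
	g2 := issue(caTemplate("Toy Global Root G2"), nil)
	inter := issue(caTemplate("Toy Issuing CA under G2"), g2)
	leaf := issue(&x509.Certificate{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, inter)
	return Fixture{g1.cert, g2.cert, inter.cert, leaf.cert}
}

// Fingerprint is the SHA-256 of the DER encoding: the value to compare with what a CA publishes for its root.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Verify chains the presented leaf and intermediate to a root in store, as a TLS client does during the handshake.
func Verify(leaf, inter *x509.Certificate, store []*x509.Certificate) ([][]*x509.Certificate, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range store {
		roots.AddCert(c)
	}
	inters.AddCert(inter)
	return leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
}

// VerifyPinned is the pattern the advisory warns about: after normal validation the chain must also end at a pinned root.
func VerifyPinned(leaf, inter *x509.Certificate, store []*x509.Certificate, pins ...string) error {
	chains, err := Verify(leaf, inter, store)
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, pin := range pins {
			if Fingerprint(chain[len(chain)-1]) == pin {
				return nil
			}
		}
	}
	return fmt.Errorf("pin failure: no chain ends at a pinned root")
}

func main() {
	f := NewFixture()
	oldStore := []*x509.Certificate{f.G1}       // trust store that was never updated
	newStore := []*x509.Certificate{f.G1, f.G2} // trust store with G2 added
	_, errOld := Verify(f.Leaf, f.Inter, oldStore)
	_, errNew := Verify(f.Leaf, f.Inter, newStore)
	fmt.Println("store without G2:", errOld) // non-nil: no trusted root anchors the chain
	fmt.Println("store with G2:   ", errNew) // nil
	fmt.Println("pinned to G1:    ", VerifyPinned(f.Leaf, f.Inter, newStore, Fingerprint(f.G1)))
	fmt.Println("pinned to G1+G2: ", VerifyPinned(f.Leaf, f.Inter, newStore, Fingerprint(f.G1), Fingerprint(f.G2)))
}
```

Run it with `go run`. The Fingerprint function is the comparison behind the audit step: on a real host you hash the DER-encoded root found in the store and compare it with the value DigiCert publishes (on Windows, the Thumbprint property of objects in Cert:\LocalMachine\Root is the SHA-1 equivalent). The last case in main shows why extending a pin set to G2 is only a stopgap: every future root rotation repeats the outage, so the durable fix for Microsoft-operated endpoints is to drop the pin and rely on the platform trust store.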
Failure to act will result in service disruptions for every user or application that authenticates through Microsoft Entra from a system that does not trust the G2 root or still pins G1.