Admins may need to update trust stores and certificate pinning ahead of the January 2026 transition.
Key Takeaways:
Microsoft is preparing a certificate change on its Entra identity platform that could quietly break authentication for organizations that are not ready: Entra services will move from DigiCert’s legacy G1 root certificate to the newer G2 root later this month.
DigiCert Global Root G1 and G2 are root certificates issued by DigiCert that anchor trust for TLS connections. The “G1” root, whose actual subject name is “DigiCert Global Root CA”, is the older root and has been in trust stores for many years. The G2 root, “DigiCert Global Root G2”, is a newer generation built to meet current industry requirements; for example, it is self-signed with SHA-256 rather than the SHA-1 signature on the older root. Both roots ship in operating-system and browser trust stores, where they are used to validate server certificates and so give TLS connections their encryption and authentication. Note that a root is trusted by virtue of being in the trust store, not because of its own signature, so the practical question for this transition is simply whether the G2 root is present wherever a client validates Entra’s certificates.
Starting on January 7, 2026, Microsoft Entra services will migrate from DigiCert Global Root G1 to DigiCert Global Root G2. Clients that pin to the G1 root, or that do not have the G2 root in their trust store, will start to see TLS or authentication failures. The change affects several domains, including login.live.com, login.windows.net, autologon.microsoftazuread-sso.com, and graph.windows.net.
Microsoft already migrated the login.microsoftonline.com domain to the DigiCert G2 root in February 2025. Clients that authenticate successfully through that domain today have therefore already demonstrated that they trust the G2 root, and the same clients should be unaffected when the remaining domains follow.
Microsoft recommends that administrators trust all root and subordinate CAs listed under the Azure Certificate Authority details in their enterprise environments, and in particular ensure that systems trust the “DigiCert Global Root G2” root and its subordinate CAs.
Additionally, Microsoft advises removing any client-side pinning to the DigiCert Global Root CA certificate (the G1 root). This includes reviewing and updating certificate pinning configurations in custom applications, SDK or library configurations, and network devices that enforce CA pinning for outbound TLS connections.
IT administrators should then test connectivity by making TLS calls (with curl, PowerShell’s Invoke‑WebRequest, or a browser) to the affected Microsoft Entra endpoints. Java keystores need separate attention because Java uses its own cacerts store rather than the operating system’s: the G2 root should be imported with the Java keytool utility.
Special attention should be given to older or custom environments, particularly embedded systems that may not include the DigiCert G2 root. The same applies to identity-related components such as federation servers, VPNs, and reverse proxies that rely on Microsoft Entra for authentication. To confirm compatibility after the certificate change, administrators should perform comprehensive end-to-end testing, including sign-in flows and token acquisition.
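The following script is an added example, not Microsoft’s or DigiCert’s tooling, that automates the checks described above: it connects to each affected endpoint, reports which DigiCert root anchors the served chain and whether the local trust store verified it, and checks or imports the G2 root into a Java cacerts store. The endpoint list is taken from the announcement; the keystore path, the default “changeit” store password, the alias name and the file name DigiCertGlobalRootG2.crt are assumptions, and the chain output used in the test is a constructed sample rather than a capture from a live endpoint.

```shell
#!/usr/bin/env bash
# Added example (not Microsoft's code): check which DigiCert root anchors the TLS
# chain served by Microsoft Entra endpoints, and whether the local store trusts it.
set -u

# Endpoints named in the announcement; login.microsoftonline.com is included as the
# already-migrated reference point (assumed to be a useful control, not required).
ENTRA_HOSTS="login.live.com login.windows.net autologon.microsoftazuread-sso.com graph.windows.net login.microsoftonline.com"

# Classify a distinguished-name line by the DigiCert root CN it names. Substring
# match so it works on both OpenSSL 1.0 ("/CN=...") and 1.1+/3.x ("CN = ...") output.
classify_root() {
    case "$1" in
        *"DigiCert Global Root G2"*) echo G2 ;;
        *"DigiCert Global Root CA"*) echo G1 ;;   # the legacy root the article calls "G1"
        *)                           echo other ;;
    esac
}

# Read `openssl s_client` output on stdin and print the issuer DN of the last
# certificate the server sent. Servers normally send leaf + intermediates only, so
# that issuer is the root the client is expected to have in its trust store.
chain_root_issuer() {
    grep -E '^ *i:' | tail -n 1 | sed -E 's/^ *i://'
}

# One line per endpoint: which root the chain expects, and whether OpenSSL's
# default trust store on this machine accepted the chain ("Verify return code: 0").
check_endpoint() {
    local host=$1 out root cls verify
    out=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null) || true
    root=$(printf '%s\n' "$out" | chain_root_issuer)
    cls=$(classify_root "$root")
    if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        verify=trusted
    else
        verify=NOT-trusted
    fi
    printf '%-40s root=%-5s local-store=%s\n' "$host" "$cls" "$verify"
}

# Java keeps its own cacerts store. Confirm the G2 root is present under the assumed
# alias, importing it from DigiCertGlobalRootG2.crt (assumed already downloaded from
# DigiCert) if it is missing. "changeit" is the JDK's default cacerts password.
ensure_java_g2_root() {
    local store=${1:-"${JAVA_HOME:?set JAVA_HOME or pass the keystore path}/lib/security/cacerts"}
    local pem=${2:-DigiCertGlobalRootG2.crt}
    if keytool -list -keystore "$store" -storepass changeit -alias digicertglobalrootg2 >/dev/null 2>&1; then
        echo "G2 root already present in $store"
    else
        keytool -importcert -trustcacerts -noprompt -alias digicertglobalrootg2 \
            -file "$pem" -keystore "$store" -storepass changeit
    fi
}

# Usage: `bash entra_root_check.sh run`  or  `bash entra_root_check.sh java [store] [pem]`
case "${1:-}" in
    run)  for h in $ENTRA_HOSTS; do check_endpoint "$h"; done ;;
    java) ensure_java_g2_root "${2:-}" "${3:-}" ;;
esac
```

Run the `run` mode from every network position a client actually uses, not just an administrator’s workstation: a reverse proxy or TLS-inspecting firewall presents its own chain to clients behind it, so the root and trust result seen from inside that path are what matter. A result of `root=G1` after the cut-over date, or `local-store=NOT-trusted` with `root=G2`, points to exactly the pinning or missing-root problems described above.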