Microsoft 365 Services Getting Root Certificate Authority Switch in 2025
Microsoft gave notice this week that currently used Transport Layer Security (TLS) certificates associated with Microsoft 365 services and Azure Communication Services "will expire in May 2025."
In place of these expiring certificates, Microsoft is updating its services to use "TLS certificates from a different set of Root Certificate Authorities" (CAs). The announcement specifically named "DigiCert Global Root G2" as one of the new root CAs. It's said to be "widely trusted by operating systems including Windows, macOS, Android, and iOS and by browsers such as Microsoft Edge, Chrome, Safari, and Firefox."
The switchover to these alternative Root CAs for Microsoft 365 services is an ongoing process that began "in January 2022 and will continue through October 2022," Microsoft indicated.
Meanwhile, Microsoft wants application builders, as well as application users, to ensure that they can handle the certificate switch as it rolls out, and in any case before the current certificates expire in May 2025.
The switch is not expected to pose issues for most organizations. The exception is applications whose developers used a so-called "certificate pinning" approach, in which the application is built with a fixed list of acceptable CAs (or specific certificates) and rejects any connection whose certificate chains to a CA outside that list. Such an application can hit "certificate validation errors" as soon as a Microsoft 365 service it talks to presents a certificate issued under one of the new Root CAs, and will certainly do so after the May 2025 date.
These validation errors "may impact the availability or function of your application," Microsoft explained, in this document on the topic.
Microsoft's advisory message was mostly aimed at developers who integrate their applications with Microsoft 365 services and who used certificate pinning. However, Microsoft offered some general advice to organizations using those apps, suggesting that they prod their software vendor.
"If you use an application that integrates with Microsoft Teams, Skype, Skype for Business Online, or Microsoft Dynamics APIs and you are unsure if it uses certificate pinning, check with the application vendor," the document advised.
Application developers can prepare for the coming change by updating their source code to "add the properties of the new CAs," the document added.
Microsoft noted that being able to add or replace CAs on short notice is a best practice in general, not just for this switch. Some industry regulations may require the ability to replace CAs "within seven days in some circumstances," it added.
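The following is an added example, not code from Microsoft or from the article, showing what a pinning check looks like and why a pinned application breaks when a service moves to a new root CA. It models the check a pinning client performs after ordinary TLS chain validation: does any certificate in the verified chain match a pinned SHA-256 fingerprint? The pin set is loaded from a small JSON config (a format assumed here for illustration) rather than hard-coded, and it allows a "backup" pin for the incoming CA, which is what lets a client survive the switch described above and satisfy the short-notice replacement requirement. The certificate byte strings are constructed placeholders standing in for DER-encoded certificates; the fingerprint logic is the same for real DER bytes.

```python
"""Root-CA pinning with an updatable pin set (added example, not Microsoft's code)."""
import hashlib
import json

# Constructed stand-ins for DER-encoded certificates. These are NOT real
# certificates; real pins are computed from the actual DER bytes.
LEAF_DER = b"constructed: service leaf certificate"
OLD_INTERMEDIATE_DER = b"constructed: intermediate issued by the old root"
OLD_ROOT_DER = b"constructed: old root CA (the one expiring in May 2025)"
NEW_INTERMEDIATE_DER = b"constructed: intermediate issued by the new root"
NEW_ROOT_DER = b"constructed: DigiCert Global Root G2 stand-in"

# Chains as a TLS client sees them after verification: leaf first, root last.
OLD_CHAIN = [LEAF_DER, OLD_INTERMEDIATE_DER, OLD_ROOT_DER]
NEW_CHAIN = [LEAF_DER, NEW_INTERMEDIATE_DER, NEW_ROOT_DER]


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the usual form of a certificate pin.
    For a real root on disk, the same value comes from:
        openssl x509 -in root.pem -outform DER | sha256sum
    """
    return hashlib.sha256(der).hexdigest()


def load_pins(config_text: str) -> set[str]:
    """Read pins from config (assumed JSON layout: {"pins": [...], "backup_pins": [...]}).

    Keeping pins in config rather than source lets them be rotated without a
    new build. `backup_pins` holds the fingerprint of the CA that is about to
    replace the current one, so both chains validate during the transition.
    """
    cfg = json.loads(config_text)
    return set(cfg.get("pins", [])) | set(cfg.get("backup_pins", []))


def chain_is_pinned(chain: list[bytes], pins: set[str]) -> bool:
    """Pinning is layered on top of normal chain validation, never a replacement
    for it: call this only with a chain the TLS stack has already verified.
    A pinned certificate anywhere in the chain (leaf, intermediate or root)
    satisfies the check. An empty pin set is treated as a configuration error
    rather than silently accepting everything.
    """
    if not pins:
        raise ValueError("empty pin set would disable pinning silently")
    return any(fingerprint(cert) in pins for cert in chain)


def rotation_outcome(config_text: str) -> dict[str, bool]:
    """Which service chains a client running with this config will accept."""
    pins = load_pins(config_text)
    return {
        "old_chain": chain_is_pinned(OLD_CHAIN, pins),
        "new_chain": chain_is_pinned(NEW_CHAIN, pins),
    }


# One config per stage of the switch.
CONFIG_OLD_ROOT_ONLY = json.dumps({"pins": [fingerprint(OLD_ROOT_DER)]})
CONFIG_TRANSITION = json.dumps({"pins": [fingerprint(OLD_ROOT_DER)],
                                "backup_pins": [fingerprint(NEW_ROOT_DER)]})
CONFIG_AFTER_SWITCH = json.dumps({"pins": [fingerprint(NEW_ROOT_DER)]})

if __name__ == "__main__":
    for name, cfg in [("pinned to old root only", CONFIG_OLD_ROOT_ONLY),
                      ("transition (old + backup)", CONFIG_TRANSITION),
                      ("after switch", CONFIG_AFTER_SWITCH)]:
        print(f"{name}: {rotation_outcome(cfg)}")
```

The first config is the failure mode the advisory warns about: the client keeps accepting the old chain but rejects a service that has already moved to the new root, which surfaces as a certificate validation error. The transition config accepts both, and the old pin can be dropped once every service has switched. To feed real chains into `chain_is_pinned`, use the DER list returned by `ssl.SSLSocket.get_verified_chain()` (available in Python 3.13 and later); earlier versions expose only the leaf certificate through `getpeercert(binary_form=True)`, so a root or intermediate pin cannot be checked from the standard library alone.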
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.