Week 20, 2026 — Signal Roundup
Entra ID begins enforcing Conditional Access for OIDC-only sign-ins; Windows Autopatch hotpatch goes on by default; Defender XDR alert tuning reaches GA; Purview adds dynamic-group label scoping; and Patch Tuesday fixes 120 vulnerabilities.

Entra ID now enforces Conditional Access for OIDC-only sign-in flows
Microsoft began enforcing Conditional Access policies for authentication requests that use only OIDC or limited directory scopes (openid, profile, User.Read) from 13 May, as part of a phased rollout completing in June. Previously, policies that targeted all resources and included resource exclusions did not apply in this scenario, allowing some sign-ins to bypass controls including MFA. Tenants should audit any CA policy with "target all resources + exclusions" configured and verify the enforcement change does not block legitimate application sign-ins before the rollout completes.
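The audit step above can be scripted against the policy objects Microsoft Graph returns from `GET /identity/conditionalAccess/policies`. The example below is added here and is not Microsoft's code or part of the roundup; it assumes the documented `conditionalAccessPolicy` shape (`conditions.applications.includeApplications` / `excludeApplications`, `state`), and the sample policies, names and GUIDs embedded in it are constructed so it runs offline. In a real tenant you would replace the embedded JSON with the response body from that endpoint.

```python
"""Flag Conditional Access policies that target all resources but carry resource
exclusions, the configuration whose enforcement behaviour is changing.
Added example; sample data below is constructed, not from any real tenant."""
import json

# Constructed sample in the envelope shape returned by Microsoft Graph
# (a "value" array of conditionalAccessPolicy objects). GUIDs are placeholders.
SAMPLE_POLICIES_JSON = """
{
  "value": [
    {
      "id": "00000000-0000-0000-0000-000000000001",
      "displayName": "Require MFA for all apps",
      "state": "enabled",
      "grantControls": {"builtInControls": ["mfa"]},
      "conditions": {"applications": {
        "includeApplications": ["All"],
        "excludeApplications": ["11111111-1111-1111-1111-111111111111"]}}
    },
    {
      "id": "00000000-0000-0000-0000-000000000002",
      "displayName": "Require compliant device everywhere",
      "state": "enabled",
      "grantControls": {"builtInControls": ["compliantDevice"]},
      "conditions": {"applications": {
        "includeApplications": ["All"],
        "excludeApplications": []}}
    },
    {
      "id": "00000000-0000-0000-0000-000000000003",
      "displayName": "Block legacy auth (report-only)",
      "state": "enabledForReportingButNotEnforced",
      "grantControls": {"builtInControls": ["block"]},
      "conditions": {"applications": {
        "includeApplications": ["All"],
        "excludeApplications": ["22222222-2222-2222-2222-222222222222",
                                "33333333-3333-3333-3333-333333333333"]}}
    },
    {
      "id": "00000000-0000-0000-0000-000000000004",
      "displayName": "Old pilot policy",
      "state": "disabled",
      "conditions": {"applications": {
        "includeApplications": ["All"],
        "excludeApplications": ["44444444-4444-4444-4444-444444444444"]}}
    }
  ]
}
"""


def load_policies(graph_response_text):
    """Parse a Graph list response and return the policy objects."""
    return json.loads(graph_response_text).get("value", [])


def flag_all_resources_with_exclusions(policies):
    """Return active (enabled or report-only) policies whose application scope is
    'All' with one or more excluded applications. Disabled policies are skipped
    because they are not evaluated at sign-in."""
    flagged = []
    for policy in policies:
        apps = (policy.get("conditions") or {}).get("applications") or {}
        include = apps.get("includeApplications") or []
        exclude = apps.get("excludeApplications") or []
        if policy.get("state") == "disabled":
            continue
        if "All" in include and exclude:
            flagged.append({
                "id": policy.get("id"),
                "displayName": policy.get("displayName"),
                "state": policy.get("state"),
                "excludedApplications": list(exclude),
            })
    return flagged


def audit_sample():
    """Run the check over the constructed sample; returns the flagged list."""
    return flag_all_resources_with_exclusions(load_policies(SAMPLE_POLICIES_JSON))


if __name__ == "__main__":
    for hit in audit_sample():
        print(f"{hit['state']:>34}  {hit['displayName']}  "
              f"excludes {len(hit['excludedApplications'])} app(s)")
```

Report-only policies are kept in the output deliberately: they are not enforced today, but a team that flips one to `enabled` after the rollout inherits the new behaviour, so they belong in the same review list.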

Windows Autopatch enables hotpatch updates by default from May 2026
The May 2026 Windows security update is the first month where hotpatch is on by default for all eligible Autopatch-managed devices (Windows 11 Enterprise 24H2, VBS enabled, April 2026 baseline taken). Hotpatch applies security fixes to running processes without requiring a restart, reducing the time devices spend exposed after Patch Tuesday. Admins who are not ready can opt out at tenant or group level in the Intune admin centre — the window to act before automatic deployment has already opened, so check eligibility and policy settings this week.
Source: Microsoft Windows IT Pro Blog

Defender XDR: alert tuning rules reach GA, identity security dashboard in preview
Microsoft's May Defender XDR update promotes built-in alert tuning rules to general availability, letting teams suppress alerts generated by common benign activity in Defender for Endpoint and Defender for Office 365 without affecting Automated Investigation and Response. A new Identity Security dashboard is also in public preview, consolidating risk signals for user accounts and non-human identities such as service principals and workload identities in one view. For SOC teams managing tenant-wide detection content, the GA of alert tuning rules reduces noise-driven escalation fatigue without requiring custom suppression queries.
Source: Microsoft Tech Community — Defender XDR Monthly News

Purview: sensitivity label policies can now target dynamic and non-mail-enabled groups
Extended scoping for sensitivity label policies is rolling out in May, with general availability expected by month end. Admins can now scope label policies to dynamic security groups and non-mail-enabled security groups — options that were previously unsupported, forcing reliance on static distribution groups. For organisations where group membership is driven by HR system sync, this removes the need for a parallel static group and allows label deployment to stay current with staff changes automatically.
Source: m365admin.handsontek.net

Patch Tuesday May 2026 — 120 vulnerabilities patched, no zero-days
Microsoft's May update addresses 120 vulnerabilities including 14 remote code execution flaws, with no actively exploited zero-days disclosed this month. Several fixes cover Microsoft Office components that can be triggered by opening a malicious document or via the preview pane, making client endpoint patching the standard priority this cycle. Worth noting alongside the regular update: Microsoft Secure Score now surfaces a recommendation for devices that have not yet transitioned to Secure Boot 2023 certificates, which expire in June 2026.
Source: BleepingComputer