Microsoft Entra ID & Exchange/SharePoint: Multiple Critical Vulnerabilities (CVE-2026-55008, CVE-2026-56164, CVE-2026-55040)


This text was generated using artificial intelligence (AI).On July 13, 2026, Microsoft announced a strategic change to its identity and access management system, Microsoft Entra ID. Starting September 1, 2026, passkeys will be phased in as the default method for multi-factor authentication (MFA). The goal of this measure is to strengthen account security through phishing-resistant login methods while phasing out vulnerable methods such as SMS and voice calls.

The transition affects all organizations using Microsoft Entra ID in the public cloud. Separate timelines will be announced for other cloud environments. The official Microsoft announcement is available in the Microsoft 365 Message Center at MC1426371 available.

Update July 14, 2026: In addition, several critical vulnerabilities in Microsoft Exchange Server, SharePoint Server, and Active Directory Federation Services have been disclosed. CVE-2026-55008 (CVSS 9.6) affects Exchange Server and allows remote code execution. CVE-2026-56164 and CVE-2026-56155 are actively exploited zero-day vulnerabilities in SharePoint and AD FS. CVE-2026-55040 (CVSS 9.1) allows for authentication bypass via JWT token forgery in AD FS. See below for details.