Skip to content
Teams Direct Routing

Microsoft Teams Direct Routing certificate changes in 2026

Updated June 2026 · 6 min read

Microsoft is replacing the certificate authority chain its servers use for Teams Direct Routing and Operator Connect. Every Session Border Controller connected to Teams has to trust the new root CAs, or, once Microsoft rotates its certificates, the mutual-TLS handshake fails and calls stop connecting. Full enforcement lands in June 2026.

What is actually changing

Direct Routing connects your SBC to Microsoft over mutual TLS. Both sides present certificates, and each side has to trust the other’s issuing authority. Microsoft is changing the root CAs behind its own server certificates, the ones your SBC must trust when Teams connects to it.

The driver is Google’s Chrome Root Program Policy (v1.6, February 2025), which deprecates the Client Authentication Extended Key Usage (EKU) in TLS server certificates. To stay compliant, Microsoft’s server certificates move to Server Authentication EKU only, issued from an updated set of root CAs. Microsoft’s guidance lists several root CAs that must all be present and trusted in your SBC’s TLS configuration.

Importantly, your SBC’s own certificate does not change. It still has to be issued by a CA on Microsoft’s approved SBC certificate issuer list. What changes is the trust store on your SBC: the list of Microsoft roots it accepts.

The timeline

Feb 2026

mTLS-enabled SBCs should have the new root CA certificates installed in their trust store.

Mar 2026

Every connected SBC should have its trust store fully updated with all of the new Microsoft root CAs.

Apr 2026

Microsoft begins rotating its server-side certificates. Un-updated SBCs start failing the TLS handshake.

Jun 2026

Full enforcement. Server Authentication EKU is required, and calls drop on any SBC that has not been updated.

Exact dates and the root CA list come from Microsoft’s advisories (for example Message Center post MC1213773) and Microsoft Learn. Confirm the current list against Microsoft Learn before you make changes.

What happens if you do nothing

Nothing, right up until Microsoft rotates its server-side certificates. At that point an SBC that still trusts only the old roots will reject Microsoft’s certificate, the mutual-TLS handshake will fail, and inbound and outbound Teams calls will stop connecting. Because the same connection underpins Operator Connect, that path is affected too.

What to do if you run your own SBC

  • Install Microsoft’s new root CA certificates into every SBC’s trusted root store, all of them, not just one.
  • Confirm your SBC’s own certificate is still issued by an approved Microsoft SBC certificate issuer, and renew early if it expires near the cutover.
  • Validate mutual TLS to Microsoft’s SIP proxies after updating, ideally in a maintenance window, before the rotation begins.
  • Repeat for every SBC in the cluster and every region. A missed node drops calls for the tenants it serves.
  • Track Microsoft’s Message Center and the certified-SBC firmware notes, since vendor updates may be required.

If you run on Spanvox, this is already handled

With Spanvox Direct Routing as a Service, the SBC, its trust store and the full certificate lifecycle are ours to run. The 2026 root CA update is part of the service: your customers’ Teams calls keep connecting, with nothing to schedule, patch or test on your side. It is the same reason ITSPs and PBX vendors hand Direct Routing to a managed provider in the first place.

Start free See how it works

FAQ

Is Microsoft Teams Direct Routing being deprecated?

No. Direct Routing remains fully supported. Microsoft is changing the certificate authority chain its servers use, which means every connected SBC must update its trust store. The feature itself is not going away.

Does my SBC certificate need to be reissued?

Your SBC’s own certificate (the one it presents to Teams) is not changing, as long as it is still issued by a CA on Microsoft’s approved SBC certificate issuer list. What changes is the set of Microsoft root CAs your SBC must trust for Microsoft’s server-side certificates.

What happens if I do nothing?

Once Microsoft rotates its server certificates, an SBC whose trust store has not been updated will fail the mutual-TLS handshake and calls will stop connecting. This affects Direct Routing and Operator Connect alike.

Does this also affect Operator Connect?

Yes. The root CA change applies to both Direct Routing and Operator Connect, because both rely on the same mutual-TLS connection to Microsoft’s SIP proxies.

How does Spanvox handle this?

If your Teams calling runs on Spanvox Direct Routing as a Service, we manage the SBC trust store and certificates for you. The root CA update and ongoing certificate lifecycle are part of the service, so your customers’ calls keep connecting with nothing to do on your side.