CISA KEV: Microsoft AD FS CVE-2026-56155 Update Checklist

CISA added Microsoft AD FS CVE-2026-56155 to KEV. Confirm identity-service ownership, follow Microsoft guidance, protect recovery, and verify authorized sign-ins after maintenance.
Windows workstations and servers protected with endpoint security updates for Microsoft Defender CVE-2026-33825

Update priority: CISA added Microsoft Active Directory Federation Services CVE-2026-56155 to the Known Exploited Vulnerabilities Catalog on July 14, 2026. Treat this as a high-priority identity-service maintenance item: confirm the service owner, follow Microsoft’s current remediation guidance through an approved change, and verify that authorized sign-ins and connected services remain normal afterward.

What CISA added

CISA identifies CVE-2026-56155 as an insufficient granularity of access control issue affecting Microsoft Active Directory Federation Services. CISA assigns July 28, 2026 as the remediation due date for federal civilian executive branch agencies. That date is not a private-sector legal conclusion, but it is a strong reason for every AD FS owner to prioritize a documented maintenance plan.

Who should own the response

Assign the work to the team responsible for AD FS, directory services, identity governance, connected applications, monitoring, and recovery. If a managed provider operates any part of the service, request a written status that identifies the service owner, Microsoft-guidance review, planned remediation, validation owner, and expected completion time.

Use a protected identity-service maintenance plan

  1. Confirm the AD FS inventory, service owner, business dependencies, and current support status against Microsoft’s security guidance.
  2. Record the approved change window, recovery owner, communication contact, and validation criteria before changing a production identity service.
  3. Verify that current backups, recovery material, and authorized administrator access are protected and available to the people who may need them during maintenance.
  4. Apply the Microsoft-supported remediation through the organization’s normal identity-service maintenance process.
  5. After the change, confirm approved user sign-in, critical application integration, monitoring, and business workflows are operating normally.
  6. Review normal identity and service monitoring for unexpected access or reliability errors, then record the completed result and remaining exceptions in the change record.

Keep temporary controls broad and safe

Do not weaken authentication, directory safeguards, monitoring, or recovery protections while maintenance is underway. If the required remediation cannot be completed promptly, escalate the business risk to the identity-service owner and use a documented, high-level exposure-reduction plan until the service can be brought to a supported state. Any temporary control needs to preserve authorized federation activity and critical business access.

What to tell users and customers

Keep the message short and accurate: identity-service maintenance is being prioritized because of a publicly reported security issue; the team has an approved remediation and validation plan; and affected users will receive a maintenance-window notice if their work could be interrupted. Do not state that an incident occurred unless the organization has confirmed one.

Keep the next review easy

Retain the Microsoft-guidance review, completed change record, recovery confirmation, validation notes, and an owner for every remaining exception. For broader security maintenance guidance, visit the FixItPhill Security hub.

Official sources

Picture of admin

admin

Leave a Reply

Sign up for our Newsletter

Get the latest information on what is going on in the I.T. World.