Direct answer
Microsoft Teams Direct Routing certificate authority validation test June 30 2026 SBC TLS: what buyers need to know
Microsoft Learn says a validation test that transitions Teams Direct Routing SIP endpoints to certificates issued by a new Certificate Authority was planned for June 30, 2026 at 9:00 UTC. Microsoft says the staged test can continue over 2-4 days and that SBCs unable to establish outbound TLS connections or accepting inbound connections may have trust issues with the new certificate. VoIP buyers should treat this as a SIP certificate readiness proof test, not a routine admin notice.
This brief cites the source announcement and translates the event into a buyer framework. Verify current vendor terms before changing phone, messaging, or AI routing.
What happened
- Microsoft's Direct Routing update says traffic gradually moves to new certificates during the validation test, with periods where old and new certificates can both appear.
- Microsoft says that if SBCs cannot establish outbound TLS connections or start rejecting inbound connections during the test window, the behavior indicates possible trust issues with the new certificate.
- The same Microsoft Learn page describes a dedicated test endpoint for SIP OPTIONS ping messages only, not voice traffic, at sip.g1.pstnhub.microsoft.com on port 5061.
- Microsoft's guidance says SBCs lacking updated root CAs in accepted trust stores may experience certificate validation errors that affect service availability or functionality.
- Erik365 independently highlighted the Message Center-driven test for Teams Direct Routing admins and warned that SBC trust-store gaps could disrupt PSTN calling.
Why this is trending
- Direct Routing sits behind real business phone numbers, contact-center paths, receptionist flows, and emergency workflows, so certificate validation failures can become calling failures.
- The change is staged and partly invisible to business users: some connections can use old certificates while others use new ones, which makes intermittent failure harder to diagnose.
- Many organizations buy Teams Phone, managed SBCs, SIP trunks, or Operator Connect alternatives without keeping a current proof packet for TLS trust stores, vendor firmware, and fallback routes.
The VoIP Stack Index take
A VoIP buyer should not assume Teams Direct Routing readiness because calls completed last week. The buyer needs a SIP certificate readiness proof packet: root CA inventory, SBC trust-store screenshots, SIP OPTIONS test evidence, TLS failure monitoring, vendor firmware status, carrier and provider owner, fallback routing for priority numbers, and rollback notes after the validation window.
SIP Certificate Readiness Proof Packet
A buyer framework for validating Teams Direct Routing and managed voice providers across root CA inventory, SIP OPTIONS testing, TLS failures, vendor firmware, fallback routing, and rollback evidence.
What buyers should do next
Export every Teams Direct Routing SBC, trunk, TLS context, firmware version, and managed-provider owner.
Compare accepted root CAs against Microsoft's current Teams SIP interface CA list and preserve screenshot or export proof.
Run the SIP OPTIONS validation test from each relevant SBC path and record the TLS handshake result.
Monitor certificate-chain errors, rejected inbound sessions, failed outbound TLS connections, and intermittent call failures during staged rollout windows.
Document fallback routing for reception, support, sales, safety, after-hours, and executive numbers before the next certificate lifecycle change.
Buyer bridge
Do the routing audit before buying the buzz.
The winning AI phone stack is the one that preserves context, controls fallback, and lets humans take over without making the customer repeat the story.
Run the AI-ready VoIP audit