Microsoft Accelerates Post-Quantum Cryptography Migration to 2029
Microsoft has moved up its quantum-safe security roadmap, with Azure CTO Mark Russinovich announcing that the Microsoft Quantum Safe Program (QSP) will now target a full transition to post-quantum cryptography (PQC) by 2029, a significantly earlier timeline adopted as research suggests cryptographically relevant quantum computers could arrive sooner than expected. The company is folding PQC requirements directly into its Secure Future Initiative (SFI), with clear ownership, measurable milestones, and transparent progress reporting. "Advances in quantum research and development have shifted the risk horizon," Russinovich said, noting that the engineering work required to prepare is substantial enough that organizations must begin now.
Key focus areas include upgrading network cryptography to TLS 1.3, building crypto-agility into stored data systems so algorithms can be swapped without architectural redesigns, and transitioning trust chains—including code signing, certificate issuance, key protection, and update pipelines—to PQC algorithms. Security teams can audit their current transport-layer posture with a free SSL/TLS checker to identify legacy protocols (TLS 1.0, 1.1, and 1.2) that will need to be retired as part of any quantum-safe migration.
Microsoft stressed that crypto-agility requires either self-describing cryptographic metadata or versioned ciphertext formats, so implementations can read legacy data while writing with the newest approved algorithms. A well-designed crypto-agile system should support older formats long enough to enable full migration while defaulting to the latest approved configuration for new writes. Given the "harvest now, decrypt later" threat—where adversaries stockpile encrypted traffic today to decrypt once quantum capability matures—any organization holding long-lived sensitive data is exposed. A privacy checkup can help identify which communications, credentials, and stored records carry the longest exposure windows.
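The versioned ciphertext format described above, sketched as an added example (not Microsoft's code or format): every record carries an algorithm id in an authenticated header, reads accept any approved id, and writes always use the current default. The envelope layout, the ids, and all function names are assumptions, and the two keystream ciphers are standard-library stand-ins for real approved AEAD algorithms.

```python
import hashlib, hmac, os

# Assumed envelope layout (constructed for this example, not a Microsoft format):
#   b"CA" | alg_id (1 byte) | nonce (16 bytes) | ciphertext | HMAC-SHA256 tag (32 bytes)
MAGIC, NONCE_LEN, TAG_LEN = b"CA", 16, 32

def _legacy_stream(key, nonce, n):   # alg 1: stand-in for a cipher being retired
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _current_stream(key, nonce, n):  # alg 2: stand-in for the newest approved cipher
    return hashlib.shake_256(key + nonce).digest(n)

ALGS = {1: _legacy_stream, 2: _current_stream}  # everything still readable
WRITE_ALG = 2                                   # the only id used for new writes

def _subkeys(key, alg_id):
    # Separate encryption and MAC keys, bound to the algorithm id.
    return tuple(hmac.new(key, label + bytes([alg_id]), hashlib.sha256).digest()
                 for label in (b"enc", b"mac"))

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(key, plaintext, alg_id=WRITE_ALG):
    enc_key, mac_key = _subkeys(key, alg_id)
    nonce = os.urandom(NONCE_LEN)
    header = MAGIC + bytes([alg_id]) + nonce
    ct = _xor(plaintext, ALGS[alg_id](enc_key, nonce, len(plaintext)))
    # The tag covers the header, so the algorithm id cannot be swapped undetected.
    return header + ct + hmac.new(mac_key, header + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    if len(blob) < 3 + NONCE_LEN + TAG_LEN or blob[:2] != MAGIC:
        raise ValueError("not a versioned envelope")
    alg_id = blob[2]
    if alg_id not in ALGS:
        raise ValueError(f"algorithm id {alg_id} is not approved")
    enc_key, mac_key = _subkeys(key, alg_id)
    header, ct, tag = blob[:3 + NONCE_LEN], blob[3 + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, header + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _xor(ct, ALGS[alg_id](enc_key, header[3:], len(ct))), alg_id

def read_and_migrate(key, blob):
    # Read any approved format; rewrite legacy records with the current default.
    plaintext, alg_id = decrypt(key, blob)
    return plaintext, (blob if alg_id == WRITE_ALG else encrypt(key, plaintext))
```

Retiring a legacy algorithm once migration is complete means deleting its entry from `ALGS`, after which records still carrying that id are rejected rather than silently read.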
The announcement follows U.S. President Donald Trump's recent executive order imposing hard deadlines for federal agencies to migrate high-value assets and high-impact systems to PQC. Google committed in March to making Chrome's HTTPS connections quantum-safe and migrating its own infrastructure to PQC by 2029, with Cloudflare announcing parallel plans the same year. With Microsoft, Google, and Cloudflare all converging on 2029, the date is rapidly hardening into an industry-wide benchmark for post-quantum readiness.