Microsoft plans to enhance the security of the Entra ID authentication system against external script injection attacks starting in mid-to-late October 2026.
This update will implement a strengthened Content Security Policy that allows script downloads only from Microsoft-trusted content delivery network domains and inline script execution only from Microsoft-trusted sources during sign-ins.
After rollout, it will protect users against various security risks, including cross-site scripting attacks in which attackers inject malicious code into websites to steal credentials or compromise systems.
The update policy will apply only to browser-based sign-in experiences at URLs beginning with login.microsoftonline.com, and Microsoft Entra External ID will not be affected.
"This update strengthens security and adds an extra layer of protection by allowing only scripts from trusted Microsoft domains to run during authentication, blocking unauthorized or injected code from executing during the sign-in experience," said Megna Kokkalera, product manager for Microsoft Identity and Authentication Experiences.
Microsoft urged organizations to test sign-in scenarios before the October 2026 deadline to identify and address any dependencies on code-injection tools.
IT administrators can identify potential impact by reviewing sign-in flows in the browser developer console: violations will appear in red text with details about the blocked scripts.
CSP policy violation (Microsoft)
Microsoft also advised enterprise customers to stop using browser extensions and tools that inject code or scripts into sign-in pages before the change takes effect. These will no longer be supported and will stop working, although users will still be able to sign in.
"This update to our Content Security Policy adds an additional layer of protection by blocking unauthorized scripts, further helping safeguard your organization against evolving security threats," Kokkalera added.
... continue reading