Microsoft is further enhancing security of the Microsoft Entra ID authentication experience by blocking external script injection. [Action may be required]
As part of Microsoft’s Secure Future Initiative, we’re making an important update to our Content Security Policy (CSP) that will enhance the security of the Microsoft Entra ID sign-in experience. This update strengthens security and adds an extra layer of protection by allowing only scripts from trusted Microsoft domains to run during authentication, blocking unauthorized or injected code from executing during the sign-in experience.
This is a proactive measure that further shields your users against current security risks, such as cross-site scripting (XSS), where attackers can insert malicious code into websites. As a result, you can be assured that your users receive stronger protection, and your organization remains ahead of new security challenges.
Megna Kokkalera, Product Manager II leading this effort, will walk us through this update.
When will you see this change?
Microsoft Entra ID will enforce CSP globally starting mid-to-late October 2026. Periodic communications will be sent prior to release.
How will this affect your organization?
We're adding a new Content Security Policy header to the Microsoft Entra sign-in experience to enhance security and harden against unauthorized script injection.
Here’s what we’re specifically changing on login.microsoftonline.com:
- Only allow script downloads from Microsoft-trusted CDN domains. See the CSP script src guide for examples and guidance.
- Only allow inline script execution from a Microsoft-trusted source (nonce-based). See the CSP nonce guide for information on inline script execution.
Note that the updated Content Security Policy applies only to browser-based sign-in experiences, and only for URLs that start with login.microsoftonline.com. Microsoft Entra External ID will see no impact.
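To see how the two rules above interact, here is a small evaluator for a CSP `script-src` directive, written as an added example for this post (it is not Microsoft's code, and the sample policy, nonce and hostnames are constructed, not the policy served on login.microsoftonline.com). It reports whether an external script URL, or an inline script carrying a given nonce, would be allowed, which is the same decision behind the violation messages the dev console shows.

```javascript
// CONSTRUCTED sample policy for illustration only; not Microsoft's real header.
const SAMPLE_CSP =
  "default-src 'self'; " +
  "script-src 'nonce-r4nd0mN0nc3' https://example-cdn.invalid https://*.example-static.invalid";

// Parse a CSP header into { directiveName: [sourceExpression, ...] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Match a host-source expression (scheme optional, leading "*." wildcard allowed)
// against a parsed script URL. Ports and paths are out of scope for this example.
function hostSourceMatches(source, url) {
  const m = source.match(/^(?:(https?):\/\/)?([^/:]+)$/i);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  const h = host.toLowerCase();
  if (h.startsWith("*.")) {
    const suffix = h.slice(1); // ".example-static.invalid"
    // A wildcard needs at least one label before the suffix.
    return url.hostname.endsWith(suffix) && url.hostname.length > suffix.length;
  }
  return url.hostname === h;
}

// script = { src: "https://..." } for an external script, or
//          { inline: true, nonce: "..." } for <script nonce="..."> inline code.
// pageOrigin is the origin of the document that carries the policy.
function scriptAllowed(header, script, pageOrigin) {
  const d = parseCsp(header);
  const sources = d["script-src"] || d["default-src"] || [];
  if (script.inline) {
    // Per CSP, a nonce or hash in the directive disables 'unsafe-inline'.
    const hasNonceOrHash = sources.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
    if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) return true;
    return Boolean(script.nonce) && sources.includes(`'nonce-${script.nonce}'`);
  }
  let url;
  try { url = new URL(script.src); } catch { return false; }
  return sources.some(s =>
    s === "'self'" ? url.origin === pageOrigin : !s.startsWith("'") && hostSourceMatches(s, url));
}
```

Run it against the scripts a browser extension or other tool adds to the sign-in page (their URLs, or their inline code without the page's nonce) to predict whether that tool will stop working once the policy is enforced.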
What do you need to do to prepare?
Microsoft recommends not using browser extensions or tools that inject code or script into the Microsoft Entra sign-in experience. If you follow this advice, your experience will remain unchanged, and no further action is needed.
If you use tools or browser extensions that inject code or script into the Microsoft Entra sign-in page, switch to alternative tools that don’t inject code. Code and script injection will no longer be supported, and these tools will stop working, though users can still sign in.
You can identify the exact impact in your tenant using the instructions below:
- Go through a sign-in flow with the dev console open to identify any violations.
- Information about the violation will be displayed in red. (If a specific team or person is causing the violation, it will only show up in their flows. Accordingly, it is recommended to thoroughly assess different sign-in scenarios within your organization.)
- Here is an example of how the violation would show up in the console:
This update to our Content Security Policy adds an additional layer of protection by blocking unauthorized scripts, further helping safeguard your organization against evolving security threats. To ensure a smooth rollout, please test your sign-in flows thoroughly ahead of time. This will help you catch and address any issues early, so your users stay protected, and your sign-in experience remains seamless.
Megna Kokkalera
Product Manager II
Microsoft Identity, Authentication Experiences
LinkedIn: Megna Kokkalera
Additional resources
- Content Security Policy overview for Microsoft Entra ID
- Microsoft Secure Future Initiative (SFI)
- CSP script src guide
- CSP nonce guide