Enhance protection of Microsoft Entra ID authentication by blocking external script injection

AnkurPatel

Microsoft

Nov 25, 2025

Microsoft is further enhancing security of the Microsoft Entra ID authentication experience by blocking external script injection. [Action may be required]

As part of Microsoft’s Secure Future Initiative, we’re making an important update to our Content Security Policy (CSP) that will enhance the security of the Microsoft Entra ID sign-in experience. Thi...

Updated Nov 19, 2025

Version 1.0

Microsoft

Joined October 11, 2019

View Profile

Microsoft Entra Blog

Stay informed on how to secure access for any identity to any resource, anywhere, with comprehensive identity and network access solutions powered by AI.

Visit the homepage

MOB_RMA

Copper Contributor

Dec 30, 2025

Would the error "refused to load script" already be present, if we test logins today? This looks smore like an error that will happen, "after" the CSP enforcement has been set. How can we find problematic logins in advance?

MegnaKokkalera

Microsoft

Jan 30, 2026

Hi MOB_RMA! Thanks for your question. The error will still show up in the dev console today, but the script identified in the error won't be blocked until global enforcement happens in mid-to-late Oct. The error in the console is just a way for you to identify what scripts will be blocked before enforcement happens.

We recommend you go through your regular sign-in flows with the dev console open to identify any errors that show up. This will help you find problematic logins in advance.
Hope this helps!

Blog Post

Enhance protection of Microsoft Entra ID authentication by blocking external script injection

Microsoft is further enhancing security of the Microsoft Entra ID authentication experience by blocking external script injection. [Action may be required]