Microsoft has announced a major security upgrade coming to Microsoft Entra ID sign-ins in 2026. The company will update its Content Security Policy (CSP) to block any unauthorized or harmful scripts from running during the login process. This update is designed to improve the safety of Entra ID authentication and protect organizations from rising browser-based cyberattacks.
Starting from mid-to-late October 2026, Microsoft will tighten script permissions for all sign-in experiences on login.microsoftonline.com. With this update, only scripts coming from trusted Microsoft domains will be allowed to run.
According to Microsoft, this is an important step to prevent malicious script injection attacks that could compromise user accounts. These attacks often happen through Cross-Site Scripting (XSS), where attackers inject harmful code into websites to steal data, session tokens, or login credentials.
Microsoft explains the update clearly: during authentication, only Microsoft-trusted CDN scripts and approved inline scripts can run. Any third-party tool, script, or extension trying to inject code into the login flow will be blocked by the new policy.
This new CSP rule will only apply to browser-based login experiences on Entra ID.
Importantly, Microsoft Entra External ID is not affected by this change.
This update is part of Microsoft's larger Secure Future Initiative (SFI). Launched in late 2023, the SFI aims to improve the company’s overall security culture and protect users from modern threats.
The shift comes after the U.S. Cyber Safety Review Board (CSRB) stated that Microsoft needed to overhaul its internal security approach. In response, Microsoft expanded SFI in 2024, making security a top priority across all product development.
By enforcing stronger CSP rules, Microsoft aims to:
- Block XSS-based script injections
- Prevent unauthorized scripts from tampering with login pages
- Reduce the risk of credential theft
- Improve trust in the Entra login experience
Microsoft says the new policy is a proactive security measure, not a reaction to any specific attack. However, cybersecurity experts agree that XSS attacks are increasingly common, especially against identity and authentication systems.
Microsoft is strongly urging organizations to test their existing sign-in flows before the new policy goes live. This is important to ensure that custom login experiences, branding, or internal tools do not break when the updated CSP rules are enforced.
Recommendations
1. Avoid Browser Extensions That Inject Code
Microsoft warns customers not to use browser extensions or tools that insert scripts into the Entra login page. These tools will stop working once the CSP update is active.
If organizations depend on such tools, they must switch to alternatives that do not rely on script injection.
2. Test for CSP Violations
Microsoft suggests testing sign-in flows using the browser’s developer tools.
If you see errors such as:
- “Refused to load the script”
- “Violation of script-src or nonce directives”
…it means your current setup will break in 2026.
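To make the policy behaviour described above concrete, here is an added example (not Microsoft's code, and not Microsoft's actual policy): a small evaluator for the `script-src` directive of a Content Security Policy. It takes a policy string, the page origin and a script (an external URL or an inline script with an optional nonce) and reports whether the script would run, producing a message in the style of the browser console errors mentioned in step 2. The sample policy, the page origin `login.placeholder.example` and the CDN domain `trusted-cdn.example` are constructed placeholders; hash sources and `'strict-dynamic'` are not handled.

```javascript
// Added example, not Microsoft's code and not Microsoft's real policy:
// a minimal evaluator for the script-src directive of a Content Security
// Policy, used to predict which scripts a login page would refuse to run.

// Parse "dir src src; dir src" into { dir: [src, ...] }.
function parseCsp(policyString) {
  const directives = {};
  for (const part of policyString.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Match one source expression (e.g. https://*.cdn.example/js/) against a parsed URL.
function hostSourceMatches(source, url, pageOrigin) {
  if (source === "*") return true;
  if (source === "'self'") return url.origin === new URL(pageOrigin).origin;
  if (source.startsWith("'")) return false;            // nonces/keywords never match URLs
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {            // scheme-only source such as https:
    return url.protocol === source.toLowerCase();
  }
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(\/[^?#]*)?$/i);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  const targetHost = url.hostname.toLowerCase();
  const sourceHost = host.toLowerCase();
  const hostOk = wildcard ? targetHost.endsWith("." + sourceHost) : targetHost === sourceHost;
  if (!hostOk) return false;
  const targetPort = url.port || (url.protocol === "https:" ? "443" : "80");
  if (port && port !== "*" && targetPort !== port) return false;
  // A trailing slash in the source path means prefix match; otherwise exact match.
  if (path) return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
  return true;
}

// Decide whether a script may run. script is { src: "https://..." } or
// { inline: true, nonce?: "..." }. Returns { allowed, reason }.
function evaluateScript(policyString, pageOrigin, script) {
  const csp = parseCsp(policyString);
  const sources = csp["script-src"] || csp["default-src"];
  if (!sources) return { allowed: true, reason: "no script-src or default-src directive" };
  const directiveText = (csp["script-src"] ? "script-src " : "default-src ") + sources.join(" ");
  if (script.inline) {
    const nonces = sources.filter(s => s.startsWith("'nonce-")).map(s => s.slice(7, -1));
    const hasNonceOrHash = sources.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
    // An approved inline script carries the per-response nonce; once nonces or
    // hashes are present, 'unsafe-inline' is ignored by browsers.
    if (script.nonce && nonces.includes(script.nonce)) return { allowed: true, reason: "nonce matched" };
    if (!hasNonceOrHash && sources.includes("'unsafe-inline'")) return { allowed: true, reason: "'unsafe-inline'" };
    return { allowed: false, reason: `Refused to execute inline script because it violates the following Content Security Policy directive: "${directiveText}"` };
  }
  const url = new URL(script.src);
  if (sources.some(s => hostSourceMatches(s, url, pageOrigin))) return { allowed: true, reason: "source matched" };
  return { allowed: false, reason: `Refused to load the script '${script.src}' because it violates the following Content Security Policy directive: "${directiveText}"` };
}

// Constructed policy in the spirit of what the article describes: approved inline
// scripts carry a nonce, external scripts must come from a trusted CDN. All
// domains are placeholders, not Microsoft's.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0mN0nce' https://*.trusted-cdn.example; object-src 'none'";
const PAGE_ORIGIN = "https://login.placeholder.example";

// The checks an integration owner would run before the cut-over.
function runChecks() {
  return [
    { src: "https://static.trusted-cdn.example/auth/login.js" },       // trusted CDN
    { src: "https://login.placeholder.example/js/branding.js" },       // same origin ('self')
    { inline: true, nonce: "r4nd0mN0nce" },                            // approved inline script
    { inline: true },                                                  // inline script without nonce
    { src: "https://helper-extension.example/inject.js" },             // third-party tool's script
  ].map(script => ({ script, ...evaluateScript(SAMPLE_POLICY, PAGE_ORIGIN, script) }));
}

for (const r of runChecks()) console.log(r.allowed ? "ALLOWED" : "BLOCKED", r.reason);
```

Running it prints the first three scripts as allowed and the last two as blocked, with the blocked entries carrying the "Refused to …" wording; any custom integration that would produce the latter under the stricter policy is the kind of dependency to remove before enforcement.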
3. Update Custom Integrations Early
Companies using customized login pages or identity flows within Entra should validate them soon to avoid disruptions.
Alongside the CSP announcement, Microsoft shared new updates about its progress under the Secure Future Initiative. The company says it has made “major improvements” in identity protection, threat detection, and secure engineering practices.
Some important security achievements include:
- Mandatory MFA enforced across all Microsoft services, including for Azure service users
- Quick Machine Recovery for fast incident response
- Expanded support for passkeys and Windows Hello
- Improved memory safety in UEFI firmware using Rust
- Migration of 95% of Entra ID signing VMs to Azure Confidential Compute
- Moving 94.3% of Entra ID token validation to a standard SDK
- Removal of Active Directory Federation Services (ADFS) from Microsoft’s environment
- Decommissioning of 560,000 old tenants and 83,000 unused Entra apps
- Centralized visibility across 98% of production infrastructure
- Achieving complete network device inventory
- Nearly 100% locking of code signing to production identities
- Publishing 1,096 CVEs and paying $17 million in bug bounties
Microsoft says this change is essential for organizations adopting Zero Trust security principles.
Zero Trust requires strict controls on:
- Who can access systems
- What actions are allowed
- Which scripts or tools can run during sensitive workflows
By limiting scripts to trusted sources, companies can better prevent unauthorized code execution during the login process, reducing the risk of account takeover or session hijacking.
Microsoft also encourages businesses to use integrated threat intelligence and automated security tools to detect and respond to vulnerabilities in real time.