
"The update to its Content Security Policy (CSP) aims to enhance the Entra ID sign-in experience at 'login.microsoftonline[.]com' by only letting scripts from trusted Microsoft domains run. 'This update strengthens security and adds an extra layer of protection by allowing only scripts from trusted Microsoft domains to run during authentication, blocking unauthorized or injected code from executing during the sign-in experience,'"
"Specifically, it only allows script downloads from Microsoft trusted CDN domains and inline script execution from a Microsoft trusted source. The updated policy is limited to browser-based sign-in experiences for URLs beginning with login.microsoftonline.com. Microsoft Entra External ID will not be affected. The change, which has been described as a proactive measure, is part of Microsoft's Secure Future Initiative (SFI) and is designed to safeguard users against cross-site scripting (XSS) attacks that make it possible to inject malicious code into websites."
"Microsoft is urging organizations to test their sign-in flows thoroughly ahead of time to ensure that there are no issues and the sign-in experience has no friction. It's also advising customers to refrain from using browser extensions or tools that inject code or script into the Microsoft Entra sign-in experience. Those who follow this approach are recommended to switch to other tools that don't inject code."
Entra ID authentication will enforce a stricter Content Security Policy that permits only scripts from Microsoft trusted CDN domains and inline execution from a Microsoft trusted source. The policy applies to browser-based sign-in flows at login.microsoftonline.com and excludes Microsoft Entra External ID. The change is part of the Secure Future Initiative and targets cross-site scripting (XSS) attacks by blocking injected or unauthorized scripts. The rollout is scheduled globally for mid-to-late October 2026. Organizations are advised to test sign-in flows ahead of time, avoid extensions that inject scripts, and use the browser dev console to check for CSP violations.
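To make concrete what "scripts only from trusted CDN domains plus inline execution from a trusted source" means in CSP terms, here is an added example (not code from the article or from Microsoft) that parses a `script-src` directive and decides, for a handful of candidate scripts, which ones the browser would run. The policy string, host names, origin and nonce are constructed placeholders and are not Microsoft's actual policy or domains; the decisions mirror the CSP rules a browser applies, including the rule that a nonce source overrides `'unsafe-inline'`, which is what blocks an extension-injected inline script.

```javascript
// Added example: a small evaluator for a CSP `script-src` directive, showing how an
// allowlist of CDN hosts plus a nonce for inline scripts decides which scripts may run.
// The policy string, host names and nonce below are constructed placeholders; they are
// not Microsoft's real policy or domains.

const SAMPLE_CSP =
  "default-src 'self'; " +
  "script-src 'self' https://cdn.example-trusted.test https://*.static-trusted.test 'nonce-r4nd0mN0nc3'; " +
  "object-src 'none'";

const PAGE_ORIGIN = 'https://login.example-idp.test'; // constructed sign-in origin

// Split "name value value; name value" into { name: [values] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

// Match a host-source expression such as https://cdn.example.test or *.example.test
// against a script URL. Scheme, host (with a leading wildcard label) and port are checked.
function hostSourceMatches(expr, url) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;
  // An https:// source never matches a plain-http load.
  if (scheme && scheme.toLowerCase() + ':' !== url.protocol) return false;
  const host = url.hostname;
  if (hostPattern.startsWith('*.')) {
    const suffix = hostPattern.slice(1); // ".static-trusted.test"
    if (!(host.endsWith(suffix) && host.length > suffix.length)) return false;
  } else if (hostPattern.toLowerCase() !== host) {
    return false;
  }
  if (port && port !== '*') {
    const effective = url.port || (url.protocol === 'https:' ? '443' : '80');
    if (port !== effective) return false;
  }
  return true;
}

// Decide whether one script (external {src} or inline {inline, nonce}) may execute.
// script-src falls back to default-src when absent, as the browser does.
function isScriptAllowed(directives, script, pageOrigin) {
  const sources = directives['script-src'] || directives['default-src'] || [];
  if (sources.includes("'none'")) return false;
  if (script.inline) {
    if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
    // CSP level 2 and later: 'unsafe-inline' is ignored once a nonce or hash source is
    // present, so an injected inline script that lacks the page nonce is blocked.
    const hasNonceOrHash = sources.some((s) => s.startsWith("'nonce-") || s.startsWith("'sha"));
    return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
  }
  const url = new URL(script.src);
  const page = new URL(pageOrigin);
  for (const expr of sources) {
    if (expr === "'self'") {
      if (url.origin === page.origin) return true;
    } else if (!expr.startsWith("'") && hostSourceMatches(expr, url)) {
      return true;
    }
  }
  return false;
}

// Evaluate a list of candidate scripts and report which ones the policy would block.
function evaluateScripts(cspHeader, pageOrigin, scripts) {
  const directives = parseCsp(cspHeader);
  return scripts.map((s) => ({ label: s.label, allowed: isScriptAllowed(directives, s, pageOrigin) }));
}

// Constructed candidates: the kinds of script a sign-in page might see, including the
// ones a code-injecting browser extension would add.
const SAMPLE_SCRIPTS = [
  { label: 'first-party bundle', src: 'https://login.example-idp.test/app.js' },
  { label: 'trusted CDN', src: 'https://cdn.example-trusted.test/lib.js' },
  { label: 'trusted CDN (wildcard subdomain)', src: 'https://eu.static-trusted.test/lib.js' },
  { label: 'plain-http copy of trusted CDN', src: 'http://cdn.example-trusted.test/lib.js' },
  { label: 'extension-injected remote script', src: 'https://not-allowlisted.test/inject.js' },
  { label: 'inline script carrying the page nonce', inline: true, nonce: 'r4nd0mN0nc3' },
  { label: 'injected inline script (no nonce)', inline: true },
];

for (const r of evaluateScripts(SAMPLE_CSP, PAGE_ORIGIN, SAMPLE_SCRIPTS)) {
  console.log(`${r.allowed ? 'ALLOW' : 'BLOCK'}  ${r.label}`);
}
```

In a real browser the same ALLOW/BLOCK decisions surface as violation messages in the dev console and as `securitypolicyviolation` events on the document, which is the check the article recommends for testing sign-in flows; a site rolling out such a policy can dry-run it first with the `Content-Security-Policy-Report-Only` header, which reports without blocking.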
Read at The Hacker News