Microsoft has announced a significant security change to the Microsoft Entra ID sign-in experience that will block external scripts from running during user logins.
The update is designed to stop unauthorized or injected code from executing on the login page. It is part of Microsoft’s broader Secure Future Initiative to harden its cloud identity platform.
The change enforces a stricter Content Security Policy (CSP) on Microsoft Entra ID sign-in pages.
Once this policy is in place, only scripts loaded from trusted Microsoft domains will be allowed to run during authentication. Any scripts injected by browser extensions, third-party tools, or compromised web content will be blocked from execution.
Microsoft says this is a proactive step to protect organizations from common web attacks, such as cross-site scripting (XSS), in which attackers inject malicious code into legitimate web pages.
By tightly controlling which scripts can run, Microsoft aims to reduce the risk of credential theft, session hijacking, and other authentication-related threats.
The new CSP enforcement will roll out globally starting in mid-to-late October 2026. Microsoft plans to send periodic communications to customers ahead of the change so organizations have time to prepare and test their environments.
The updated policy will apply only to browser-based sign-in flows using URLs that start with login.microsoftonline.com. It will not affect Microsoft Entra External ID.
On these login pages, the policy will allow external scripts to load only from Microsoft's trusted content delivery network (CDN) domains, and it will permit inline scripts only when they carry validation the policy recognizes, such as a CSP nonce issued with the page.
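As an added example, not code from Microsoft or from the original article, the following JavaScript models how a browser applies a script-src directive of this shape. The policy string, nonce and host names are invented for illustration and are not Microsoft's real policy, and the model deliberately ignores ports, 'self' and default-src. It shows why a script from an allow-listed CDN host and an inline script carrying the page's nonce are allowed, while an extension-injected inline script, a guessed nonce, an unlisted host and a look-alike host are all blocked.

```javascript
// Added example, not Microsoft's code: a simplified model of how a browser
// evaluates a CSP script-src directive. The policy string, nonce and host names
// are constructed for illustration and are NOT Microsoft's real policy.
// Simplifications: ports and 'self' are ignored, path matching is a plain
// prefix check, and only script-src (not default-src) is consulted.

const EXAMPLE_POLICY =
  "script-src 'nonce-r4nd0mV4lu3' https://cdn.example-trusted.net https://*.static-assets.example;";

// Return the source expressions of the script-src directive, or null if absent.
function parseScriptSrc(policy) {
  const directive = policy
    .split(';')
    .map((d) => d.trim())
    .find((d) => /^script-src(\s|$)/i.test(d));
  if (!directive) return null;
  return directive.replace(/^script-src\s*/i, '').split(/\s+/).filter(Boolean);
}

// Match a URL against a host-source expression such as https://cdn.example
// or https://*.cdn.example/path (scheme optional, "*." host wildcard supported).
function hostSourceMatches(expr, url) {
  let u;
  try { u = new URL(url); } catch { return false; }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::\d+)?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, path] = m;
  if (scheme && scheme.toLowerCase() + ':' !== u.protocol) return false;
  const want = host.toLowerCase();
  const got = u.hostname.toLowerCase();
  const hostOk = want.startsWith('*.')
    ? got.endsWith(want.slice(1)) && got !== want.slice(2) // *.x covers a.x but not x itself
    : got === want;
  return hostOk && (!path || u.pathname.startsWith(path));
}

// Decide whether a script executes under the policy.
//   external script: { src: 'https://...', nonce?: '...' }
//   inline script:   { inline: true, nonce?: '...' }
function scriptAllowed(policy, script) {
  const sources = parseScriptSrc(policy);
  if (!sources) return true; // no script-src directive: this model restricts nothing
  const nonces = sources
    .filter((s) => /^'nonce-[^']+'$/i.test(s))
    .map((s) => s.slice("'nonce-".length, -1));
  const nonceOk = script.nonce !== undefined && nonces.includes(script.nonce);
  if (script.inline) {
    // Per CSP3, 'unsafe-inline' is ignored once a nonce (or hash) is present, so an
    // injected inline script with no nonce, or a guessed one, is blocked.
    const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
    return nonceOk || (unsafeInline && nonces.length === 0);
  }
  return nonceOk || sources.some((s) => !s.startsWith("'") && hostSourceMatches(s, script.src));
}

// Constructed scenarios mirroring the article: allow-listed CDN scripts and
// nonced inline scripts run; anything injected does not.
function demo(policy = EXAMPLE_POLICY) {
  const cases = [
    ['script from allow-listed CDN', { src: 'https://cdn.example-trusted.net/login.js' }],
    ['script from wildcard CDN host', { src: 'https://eu.static-assets.example/ui.js' }],
    ['inline script carrying the page nonce', { inline: true, nonce: 'r4nd0mV4lu3' }],
    ['extension-injected inline script (no nonce)', { inline: true }],
    ['injected external script', { src: 'https://phish-helper.example/steal.js' }],
    ['inline script with a guessed nonce', { inline: true, nonce: 'guess' }],
    ['look-alike host, not in the list', { src: 'https://cdn.example-trusted.net.attacker.example/x.js' }],
  ];
  return cases.map(([label, script]) => ({ label, allowed: scriptAllowed(policy, script) }));
}

console.table(demo());
```

Run it with `node` to see the table. The point to take from the nonce branch is that a nonce is only useful because it changes on every response and is unknown to code injected from outside the page; a tool that tries to whitelist itself by copying a nonce it observed earlier fails just like the "guessed nonce" case.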
For most organizations, no action will be required, as long as they are not using browser extensions or tools that inject code into the Microsoft Entra sign-in experience.
Users will continue to sign in as usual, and the sign-in pages will function normally under the new policy.
However, organizations that rely on tools or plugins that modify or inject scripts into the login page will be affected.
Once the policy is enforced, the injected scripts will be blocked and those tools will stop working, although users will still be able to complete the sign-in process.
Microsoft recommends switching to alternative tools that do not inject code into the authentication flow.
To understand potential impact, Microsoft advises administrators to test their sign-in flows in advance.
They can do this by opening the browser's developer tools console before signing in and watching for CSP violation errors (shown in red) reported during the login flow.
Different teams or scenarios may surface different violations, so organizations are encouraged to test a variety of sign-in paths.
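To make that testing repeatable across teams, here is an added JavaScript helper, not Microsoft's tooling and not from the original article, that records every securitypolicyviolation event the browser fires during a sign-in and groups the results by blocked resource, so the output from different sign-in paths can be compared side by side. The sample violations, the extension identifier and the host names in it are constructed; attributing chrome-extension:// and moz-extension:// source files to browser extensions is an assumption about how those browsers populate sourceFile.

```javascript
// Added example, not Microsoft's code: collect CSP violations during a test
// sign-in and summarize them per blocked resource. In a browser, paste this into
// the developer console on the sign-in page before authenticating, then call
// report() after the login completes. SAMPLE_VIOLATIONS is constructed data.

const collected = [];

// Record every violation the browser reports; securitypolicyviolation fires once
// per blocked resource on the document that enforces the policy.
function installCspMonitor(target) {
  target.addEventListener('securitypolicyviolation', (e) => {
    collected.push({
      effectiveDirective: e.effectiveDirective, // e.g. script-src-elem
      blockedURI: e.blockedURI,                 // 'inline', 'eval' or the blocked URL
      sourceFile: e.sourceFile,                 // script that triggered the violation
      lineNumber: e.lineNumber,
      disposition: e.disposition,               // 'enforce' or 'report'
    });
  });
}

// Attribute a violation to its likely origin from the reporting script's URL.
// Assumption: extension content scripts appear under their own URL scheme in
// sourceFile in Chromium (chrome-extension://) and Firefox (moz-extension://).
function likelySource(v) {
  const f = v.sourceFile || '';
  return /^(chrome|moz)-extension:/.test(f) ? 'browser extension' : 'page or injected content';
}

// Group violations by directive and blocked resource, most frequent first.
function summarizeViolations(events) {
  const groups = new Map();
  for (const v of events) {
    const key = `${v.effectiveDirective} ${v.blockedURI}`;
    const g = groups.get(key) || {
      directive: v.effectiveDirective,
      blockedURI: v.blockedURI,
      count: 0,
      likelySource: likelySource(v),
      sourceFiles: new Set(),
    };
    g.count += 1;
    g.sourceFiles.add(`${v.sourceFile}:${v.lineNumber}`);
    groups.set(key, g);
  }
  return [...groups.values()]
    .map((g) => ({ ...g, sourceFiles: [...g.sourceFiles] }))
    .sort((a, b) => b.count - a.count);
}

function report() {
  return summarizeViolations(collected);
}

// Constructed sample: an extension injecting two inline scripts, and a page
// component loading a third-party agent the policy does not allow-list.
const SAMPLE_VIOLATIONS = [
  { effectiveDirective: 'script-src-elem', blockedURI: 'inline',
    sourceFile: 'chrome-extension://abcdefghijklmnopabcdefghijklmnop/content.js', lineNumber: 12, disposition: 'enforce' },
  { effectiveDirective: 'script-src-elem', blockedURI: 'inline',
    sourceFile: 'chrome-extension://abcdefghijklmnopabcdefghijklmnop/content.js', lineNumber: 40, disposition: 'enforce' },
  { effectiveDirective: 'script-src-elem', blockedURI: 'https://telemetry.vendor.example/agent.js',
    sourceFile: 'https://login.microsoftonline.com/', lineNumber: 1, disposition: 'enforce' },
];

if (typeof document !== 'undefined') {
  installCspMonitor(document); // browser: start capturing before you sign in
} else {
  console.table(summarizeViolations(SAMPLE_VIOLATIONS)); // offline: show the sample summary
}
```

In a real test run, a row whose likelySource is "browser extension" identifies the extension by the identifier in its sourceFile, which is what the administrator needs in order to decide whether to replace it; a row attributed to the page with a third-party host in blockedURI points at a component that will need a different integration once enforcement begins.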
Microsoft says this CSP update adds another layer of defense to help protect accounts and keep the sign-in experience secure and reliable as threats continue to evolve.
Organizations are urged to review their environments early to ensure a smooth transition before enforcement begins in 2026.
