Microsoft to Block External Scripts in Entra ID Logins to Enhance Protections

Microsoft has announced a significant security upgrade to its Microsoft Entra ID authentication process, as part of the company’s broader Secure Future Initiative.

Microsoft is updating the Content Security Policy (CSP) served with its sign-in pages to block the execution of scripts that do not come from Microsoft's own domains during user sign-ins.

This proactive measure is designed to shield organizations from evolving threats, specifically cross-site scripting (XSS) attacks, in which an attacker injects malicious script into a legitimate website so that it runs in the victim's browser with the page's privileges.

What Is Changing?

Currently, some browser extensions or tools may inject scripts into the sign-in page to modify its behavior or appearance. Starting in mid-to-late October 2026, Microsoft will enforce a stricter policy on login.microsoftonline.com.

Under this new rule, only scripts served from trusted Microsoft domains will be allowed to run. Any other code that tries to load or execute during the login process will be blocked by the browser, which enforces the policy the page declares.

This keeps the sign-in page a closed environment: script that is not on Microsoft's allowlist cannot run there, whether it arrives through an injection flaw, a browser extension, or a compromised third-party source.

Note that this update applies only to browser-based sign-ins on the specific Microsoft login URL; Microsoft Entra External ID will not be affected.

Microsoft advises organizations to stop using any browser extensions or custom tools that modify the Entra ID sign-in page via script injection.

While the login process itself will continue to function for users, any tools relying on injecting code will stop working once the update is enforced.

To get ready, IT administrators should test their sign-in flows ahead of the 2026 deadline. You can identify potential issues now by opening the browser's developer console while signing in.

If your organization uses tools that violate the new policy, the browser reports each blocked script as a CSP violation error in red text in the console; in Chromium-based browsers the message begins "Refused to load the script" and names the script URL and the directive it violated.
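The following is an added example, not code from Microsoft or from this article. It models the allowlist behaviour described above (a CSP `script-src` directive that admits only first-party and explicitly listed origins) and the check administrators are asked to perform (capturing the violations the browser reports). The policy string, the `trusted.example` host and the event-handling helper are constructed placeholders; Microsoft's real header is not shown here.

```javascript
// Added example, not Microsoft's code. Models how a CSP script-src allowlist
// decides which script origins may run on a sign-in page, and how to capture
// the violations the browser reports. The policy and the trusted.example host
// are constructed placeholders, not Microsoft's real header.

const PAGE_ORIGIN = "https://login.microsoftonline.com";

// Constructed policy: first-party scripts plus one placeholder CDN, nothing else.
const EXAMPLE_CSP =
  "default-src 'self'; script-src 'self' https://*.trusted.example; object-src 'none'";

// Split "name src src; name src" into a Map of directive name -> source list.
// Per the CSP spec, a directive repeated later in the header is ignored.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one source expression ('self', a scheme like https:, or a host-source
// such as https://*.example.com:443/path) match the script URL?
function sourceMatches(source, scriptUrl, pageOrigin) {
  const url = new URL(scriptUrl);
  const page = new URL(pageOrigin);

  if (source === "'self'") {
    return url.protocol === page.protocol && url.host === page.host;
  }
  // 'none', 'unsafe-inline', nonces and hashes never match a fetched URL here.
  if (source.startsWith("'")) return false;
  // scheme-source, e.g. "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return url.protocol.toLowerCase() === source.toLowerCase();
  }
  // host-source: [scheme://]host[:port][/path]; host may be * or *.domain
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^/:*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;

  if (scheme) {
    if (url.protocol.toLowerCase() !== scheme.toLowerCase() + ":") return false;
  } else if (url.protocol !== page.protocol && url.protocol !== "https:") {
    return false; // no scheme given: the page's scheme, or https as an upgrade
  }

  const hostname = url.hostname.toLowerCase();
  const want = host.toLowerCase();
  if (want.startsWith("*.")) {
    // "*.example.com" matches sub.example.com but not example.com itself
    if (!hostname.endsWith(want.slice(1))) return false;
  } else if (want !== "*" && hostname !== want) {
    return false;
  }

  if (port && port !== "*") {
    const actual = url.port || (url.protocol === "https:" ? "443" : "80");
    if (actual !== port) return false;
  }
  if (path) {
    // A trailing slash means prefix match; otherwise the path must be exact.
    if (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Would the browser let this external script run under the policy?
function isScriptAllowed(header, scriptUrl, pageOrigin = PAGE_ORIGIN) {
  const directives = parseCsp(header);
  // script-src governs scripts; default-src is the fallback when it is absent.
  const sources = directives.get("script-src") ?? directives.get("default-src") ?? [];
  if (sources.includes("'none'")) return false;
  return sources.some((s) => sourceMatches(s, scriptUrl, pageOrigin));
}

// Turn a SecurityPolicyViolationEvent (or a plain object shaped like one)
// into the one line an admin would want to record while testing sign-in.
function describeViolation(ev) {
  const where = ev.sourceFile ? ` from ${ev.sourceFile}:${ev.lineNumber}` : "";
  return `CSP blocked ${ev.blockedURI} (violated ${ev.violatedDirective})${where}`;
}

// In a browser, paste this into the console before signing in to log every block.
if (typeof document !== "undefined") {
  document.addEventListener("securitypolicyviolation", (ev) => console.error(describeViolation(ev)));
}
```

Run in Node, `isScriptAllowed` shows why an extension-injected `https://evil.example/inject.js` is refused while a first-party script and a listed CDN subdomain are admitted, and why the wildcard entry does not cover the apex domain or a plain-http copy of the same URL. In a browser, the `securitypolicyviolation` listener produces the same information as the red console errors, in a form that can be collected across a full sign-in flow.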

Megna Kokkalera, Product Manager II at Microsoft, emphasized that this update adds a critical layer of defense for user identities.

By eliminating the risk of unverified scripts, Microsoft ensures that organizations stay ahead of emerging security threats while maintaining a seamless, secure sign-in experience.

Administrators are encouraged to assess their environments early to ensure a smooth transition when the policy goes into effect globally next year.
