
Microsoft to Enhance Protections by Blocking External Scripts in Entra ID Logins

Microsoft is set to introduce a crucial security change to its Entra ID sign-in experience by blocking all external scripts during user logins.

This update aims to protect users from unauthorized code and is part of Microsoft’s Secure Future Initiative to strengthen its cloud identity platform.

Microsoft will enforce a stricter Content Security Policy (CSP) on Entra ID login pages. This means only scripts hosted on trusted Microsoft domains will run.

Any scripts from third-party tools or browser extensions, or scripts injected by compromised web content, will be blocked.

The goal is to prevent attacks such as cross-site scripting (XSS), in which hackers inject malicious code into web pages.

By blocking external scripts, Microsoft aims to reduce risks such as credential theft, session hijacking, and other threats to authentication.

Microsoft has announced that the global rollout of the new CSP will start in mid-to-late October 2026. Customers will receive regular communications from Microsoft before the change happens, allowing time to prepare, review, and test their environments.

The updated policy will affect browser-based sign-in flows at URLs that begin with login.microsoftonline.com.

The change will not affect Microsoft Entra External ID or non-browser-based logins.

Most users and organizations will not need to do anything; sign-in will continue to work as usual if no code-injecting browser extensions or tools are involved.

However, organizations that use tools, extensions, or plugins that inject or modify scripts on the sign-in page will be affected. Such tools will stop functioning, although users can still log in.

Microsoft suggests that IT admins test their login flows in advance. Administrators can open their browser’s developer console while logging in and look for CSP violations, which are shown as red messages.

It is essential to test all relevant sign-in scenarios to spot possible issues.

If tools that inject scripts are detected, organizations should switch to alternatives that do not modify the authentication flow.
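One way to triage violations gathered during such a test, as an added example (not Microsoft's tooling and not part of the original article): it assumes the violations were saved as records with the field names of the browser's `securitypolicyviolation` event, and the function names, hosts and sample records are constructed for illustration.

```javascript
// Added example: triage CSP violation records captured while testing sign-in.
// Field names follow the browser's SecurityPolicyViolationEvent.
const SIGN_IN_HOST = "login.microsoftonline.com"; // scope named in the article
const EXTENSION_SCHEMES = ["chrome-extension", "moz-extension", "safari-web-extension"];

// Exact host match, so look-alike hosts that merely start with the name are ignored.
function isSignInPage(documentURI) {
  try { return new URL(documentURI).host === SIGN_IN_HOST; } catch { return false; }
}

// Decide what kind of script source was blocked.
function classifySource(blockedURI, sourceFile) {
  for (const value of [blockedURI, sourceFile].filter(Boolean)) {
    const scheme = value.split(":")[0].toLowerCase();
    if (EXTENSION_SCHEMES.includes(scheme)) return { kind: "browser-extension", origin: scheme };
  }
  if (blockedURI === "inline" || blockedURI === "eval") {
    return { kind: "injected-" + blockedURI, origin: blockedURI };
  }
  try {
    return { kind: "external-host", origin: new URL(blockedURI).host };
  } catch {
    return { kind: "unknown", origin: String(blockedURI) };
  }
}

// Group script violations on the sign-in page by source, most frequent first.
function triage(violations) {
  const findings = new Map();
  for (const v of violations) {
    if (!isSignInPage(v.documentURI)) continue;                    // other pages are out of scope
    if (!/^script-src/.test(v.effectiveDirective || "")) continue; // only blocked scripts
    const { kind, origin } = classifySource(v.blockedURI, v.sourceFile);
    const key = kind + "|" + origin;
    const entry = findings.get(key) || { kind, origin, count: 0 };
    entry.count += 1;
    findings.set(key, entry);
  }
  return [...findings.values()].sort((a, b) => b.count - a.count);
}

// Constructed sample records; hosts and the extension id are placeholders.
const PAGE = "https://login.microsoftonline.com/";
const SAMPLE_VIOLATIONS = [
  { documentURI: PAGE, effectiveDirective: "script-src-elem", blockedURI: "https://cdn.example.test/helper.js", sourceFile: "" },
  { documentURI: PAGE, effectiveDirective: "script-src-elem", blockedURI: "https://cdn.example.test/helper.js", sourceFile: "" },
  { documentURI: PAGE, effectiveDirective: "script-src-elem", blockedURI: "inline", sourceFile: "chrome-extension://placeholder-id/content.js" },
  { documentURI: PAGE, effectiveDirective: "script-src-elem", blockedURI: "inline", sourceFile: PAGE },
  { documentURI: "https://portal.example.test/", effectiveDirective: "script-src-elem", blockedURI: "https://cdn.example.test/helper.js", sourceFile: "" },
  { documentURI: PAGE, effectiveDirective: "img-src", blockedURI: "https://img.example.test/logo.png", sourceFile: "" },
];
console.table(triage(SAMPLE_VIOLATIONS));
```

Each row in the output names a source that would stop working under enforcement, which gives a list of tools or extensions to review.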

This new policy will help protect accounts and provide a more secure login experience. By taking early action and preparing for CSP enforcement, organizations can ensure a smooth transition when the update goes live in 2026.

Microsoft advises teams to review their sign-in environments now to avoid disruptions and keep user accounts safe as online threats evolve.


The post Microsoft to Enhance Protections by Blocking External Scripts in Entra ID Logins appeared first on Cyber Security News.
