Microsoft to Block External Script Injection in Entra ID Sign-In for Stronger Security
Will roll out globally starting mid-to-late October 2026
Microsoft has announced a security update for Entra ID that will block externally injected scripts during authentication. As part of its Secure Future Initiative, the company is tightening the Content Security Policy (CSP) that the sign-in page sends to the browser, so that only scripts served from trusted Microsoft domains are permitted to run.
The change mitigates cross-site scripting (XSS), in which an attacker gets the browser to execute script they control inside a page the user trusts, such as a login flow. With a strict script allowlist, the browser refuses to run any script whose origin is not on the list, regardless of how it was injected, so Microsoft says organizations get a stronger and more reliable layer of protection during authentication. Note that the policy governs which scripts execute on the genuine sign-in page; it does not stop a user from being lured to a lookalike sign-in page on another domain.
In the announcement blog post, Microsoft noted that the new CSP rules will roll out globally starting mid-to-late October 2026, and that it’ll send periodic reminders before enforcement. “Note that the updated Content Security Policy will only apply to browser-based sign-in experiences, only for URLs that start with login.microsoftonline.com,” Microsoft added. “Microsoft Entra External ID will see no impact.”
For most organizations, nothing will change unless they rely on tools or browser extensions that inject code into the sign-in experience. Microsoft warns that such tools will stop working once the new CSP is enforced; sign-in itself will continue to work normally.
If you're an admin, you can test ahead of the rollout by running through a sign-in flow with the browser's developer console open. Scripts the policy rejects show up as CSP violation errors (in Chromium-based browsers, of the form "Refused to load the script … because it violates the following Content Security Policy directive"), which identifies the extensions or scripts that will break after enforcement.
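As an added example (not Microsoft's code, and not Microsoft's actual policy, which the text above does not reproduce), the following Node-runnable JavaScript implements the CSP `script-src` matching rules a browser applies, so an admin can pre-check which script URLs a given policy would refuse before enforcement. The header string, the trusted CDN hostname `*.trusted-cdn.example`, the page URL and the script URLs are all constructed for illustration.

```javascript
// Added example (not Microsoft's code): a minimal evaluator for the CSP
// script-src matching rules a browser applies, used to pre-check which
// external script URLs a policy would block. Run with: node csp-check.js

// Constructed sample header in the shape the article describes: only the page's
// own origin plus one hypothetical trusted CDN may supply scripts.
// This is NOT Microsoft's actual policy; the CDN hostname is a placeholder.
const SAMPLE_CSP =
  "default-src 'self'; script-src 'self' https://*.trusted-cdn.example; img-src *";

// Constructed inputs: the sign-in page and scripts an extension or tool might inject.
const SAMPLE_PAGE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
const SAMPLE_SCRIPTS = [
  "https://login.microsoftonline.com/app.js",   // same origin -> 'self'
  "/static/bundle.js",                           // relative, same origin -> 'self'
  "https://cdn.trusted-cdn.example/lib.js",      // matches the *. wildcard
  "https://trusted-cdn.example/lib.js",          // bare domain: *. requires a subdomain
  "https://evil.example.net/inject.js",          // not allowlisted
  "chrome-extension://abcdefgh/injected.js",     // scheme not allowlisted
];

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Parse a Content-Security-Policy header into { directive: [source, ...] }.
// Per the spec, the first occurrence of a directive wins; repeats are ignored.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in directives)) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function effectivePort(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || "";
}

// Does one host-source expression ("[scheme://]host[:port][/path]", where host may be
// "*" or "*.example") match url when loaded from a page at pageOrigin?
function hostSourceMatches(expr, url, pageOrigin) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^:/*]+)(?::(\*|\d+))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;

  // Scheme: an explicit scheme must match; an absent scheme means the page's scheme,
  // and an http page may still load https scripts (CSP's scheme-upgrade rule).
  const wantScheme = scheme ? scheme.toLowerCase() + ":" : pageOrigin.protocol;
  if (url.protocol !== wantScheme && !(wantScheme === "http:" && url.protocol === "https:")) return false;

  // Host: "*" matches any host; "*.example.com" matches subdomains only, never the bare domain.
  const urlHost = url.hostname.toLowerCase();
  const h = host.toLowerCase();
  if (h !== "*") {
    if (h.startsWith("*.")) {
      const suffix = h.slice(1); // ".example.com"
      if (!urlHost.endsWith(suffix) || urlHost.length <= suffix.length) return false;
    } else if (urlHost !== h) {
      return false;
    }
  }

  // Port: no port in the expression means the URL must use its scheme's default port
  // (WHATWG URL leaves .port empty in that case); "*" matches any port.
  if (!port) {
    if (url.port !== "") return false;
  } else if (port !== "*" && effectivePort(url) !== port) {
    return false;
  }

  // Path: a path ending in "/" is a prefix match; anything else must match exactly.
  if (path && (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

// Does url match any source expression in the list? 'none' entries never match.
function sourceListAllows(sources, url, pageOrigin) {
  const active = sources.filter((s) => s.toLowerCase() !== "'none'");
  if (active.length === 0) return false;
  return active.some((src) => {
    const s = src.toLowerCase();
    if (s === "'self'") {
      return url.protocol === pageOrigin.protocol &&
        url.hostname.toLowerCase() === pageOrigin.hostname.toLowerCase() &&
        effectivePort(url) === effectivePort(pageOrigin);
    }
    if (s.startsWith("'")) return false;                          // 'unsafe-inline', 'nonce-…', 'sha256-…' never match a URL
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source such as "https:"
    return hostSourceMatches(src, url, pageOrigin);
  });
}

// Return the script URLs (absolute or page-relative) the policy would refuse to load on
// pageUrl. script-src governs scripts; default-src applies when script-src is absent;
// with neither present, CSP places no restriction on scripts.
function blockedScripts(cspHeader, pageUrl, scriptUrls) {
  const directives = parseCsp(cspHeader);
  const sources = directives["script-src"] ?? directives["default-src"];
  if (sources === undefined) return [];
  const pageOrigin = new URL(pageUrl);
  return scriptUrls
    .map((s) => new URL(s, pageUrl))
    .filter((u) => !sourceListAllows(sources, u, pageOrigin))
    .map((u) => u.href);
}

console.log("Blocked by sample policy:", blockedScripts(SAMPLE_CSP, SAMPLE_PAGE, SAMPLE_SCRIPTS));
```

Against the constructed policy, the same-origin and `cdn.trusted-cdn.example` scripts load, while the bare `trusted-cdn.example` host, the unrelated domain and the `chrome-extension:` URL are blocked: a `*.` wildcard never covers the apex domain, and a scheme that is not allowlisted fails regardless of host. In a real browser the same decisions surface as console errors, and a page can also observe them programmatically through the `securitypolicyviolation` DOM event (`blockedURI`, `violatedDirective`). One nuance worth knowing when triaging extensions: a `<script>` element an extension inserts into the page is subject to the page's CSP, whereas an extension's own content script running in its isolated world is not, so only tools that inject script tags or inline handlers will be affected.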

Microsoft says this proactive step adds another meaningful layer of defense against modern security threats and encourages IT teams to validate their sign-in flows ahead of the rollout to ensure everything continues to work smoothly.