Microsoft to Block External Script Injection in Entra ID Sign-In

Microsoft is updating the Content Security Policy (CSP) served on Microsoft Entra ID sign-in pages. CSP is an HTTP response header that tells the browser which origins it may load scripts and other resources from, so anything not on the allowlist is refused before it runs. The update blocks externally injected scripts during authentication, mitigating cross-site scripting (XSS) and similar attacks against the login flow. Starting mid-to-late October 2026, only scripts served from trusted Microsoft domains will execute on the sign-in page; the browser will refuse to load any others.

The change is meant to harden the login flow against attacks that inject malicious code into it. Organizations that rely on tools or browser extensions which inject scripts into the sign-in page (for example, to customize the sign-in experience) should expect those scripts to stop running once the new CSP is enforced. Sign-in itself is unaffected: users still authenticate normally, only the injected scripts are blocked. Admins can test ahead of the rollout by running a sign-in flow with the browser developer console open; scripts the policy rejects are reported there as CSP violations, which lets teams identify which of their tools or extensions are affected.
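To make the allowlist behaviour concrete, the following is an added example (not Microsoft's code, and not Microsoft's actual policy): a small evaluator for the CSP `script-src` directive that predicts which script loads a policy of this kind would refuse. The policy string, the page origin `https://login.example.com`, the allowed host `*.trusted.example` and the list of observed script URLs are all constructed for illustration. It follows the host-source matching rules of CSP3 in outline (scheme, host with leading wildcard, port, path prefix) and falls back from `script-src` to `default-src` the way browsers do.

```javascript
// Added example: offline evaluator for a CSP script-src allowlist.
// Policy, origins and URLs below are constructed; they are not Microsoft's.

// Parse a CSP header into { directiveName: [sourceExpression, ...] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Default port for a URL scheme, used when a source expression names a port.
function defaultPort(protocol) {
  return { 'https:': '443', 'http:': '80' }[protocol] ?? '';
}

// Does one source expression ('self', https:, https://*.host[:port][/path], ...)
// match a script URL loaded by a page at pageOrigin?
function sourceMatches(expr, scriptUrl, pageOrigin) {
  const url = new URL(scriptUrl);
  const lower = expr.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return url.origin === pageOrigin;
  if (lower === '*') return url.protocol === 'https:' || url.protocol === 'http:';
  // Scheme-only source such as "https:".
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return url.protocol === lower;
  // Other keyword sources (nonces, hashes, 'unsafe-inline') never match URL loads.
  if (lower.startsWith("'")) return false;

  // Host source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/.exec(lower);
  if (!m) return false;
  const [, scheme, host, port, path] = m;

  if (scheme) {
    if (url.protocol !== scheme + ':') return false;
  } else {
    // No scheme in the expression: match the page's scheme, or allow an
    // https upgrade from an http page.
    const pageScheme = new URL(pageOrigin).protocol;
    if (url.protocol !== pageScheme && !(pageScheme === 'http:' && url.protocol === 'https:')) return false;
  }

  // "*.trusted.example" matches subdomains only, never the bare host.
  if (host.startsWith('*.')) {
    const suffix = host.slice(1);
    if (!url.hostname.endsWith(suffix) || url.hostname.length <= suffix.length) return false;
  } else if (url.hostname !== host) {
    return false;
  }

  // URL.port is '' for the scheme's default port; an expression without a
  // port only matches that default.
  if (port === undefined) {
    if (url.port !== '') return false;
  } else if (port !== '*' && (url.port || defaultPort(url.protocol)) !== port) {
    return false;
  }

  // A path ending in '/' is a prefix; anything else must match exactly.
  if (path) {
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Is a script URL allowed to execute under the parsed policy?
function scriptAllowed(csp, scriptUrl, pageOrigin) {
  const sources = csp['script-src'] ?? csp['default-src'];
  if (!sources) return true; // no applicable directive: nothing is restricted
  return sources.some((expr) => sourceMatches(expr, scriptUrl, pageOrigin));
}

// Offline stand-in for "run a sign-in flow with the console open": return the
// scripts the policy would refuse, i.e. the ones the console would report.
function findViolations(header, pageOrigin, scriptUrls) {
  const csp = parseCsp(header);
  return scriptUrls.filter((u) => !scriptAllowed(csp, u, pageOrigin));
}

// Constructed sample: own origin plus one trusted CDN, versus scripts that a
// browser extension or customization tool might try to inject.
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://*.trusted.example";
const PAGE_ORIGIN = 'https://login.example.com';
const OBSERVED_SCRIPTS = [
  'https://login.example.com/static/signin.js',     // allowed by 'self'
  'https://cdn.trusted.example/lib/auth.js',        // allowed by the wildcard host
  'https://extension-host.example/inject.js',       // refused: not allowlisted
  'http://cdn.trusted.example/lib/auth.js',         // refused: wrong scheme
];

const VIOLATIONS = findViolations(SAMPLE_POLICY, PAGE_ORIGIN, OBSERVED_SCRIPTS);
for (const v of VIOLATIONS) {
  console.log(`Refused to load ${v}: violates script-src`);
}
```

In a real browser the same decisions surface as "Refused to load the script ..." messages in the developer console and as `securitypolicyviolation` events on the document; this evaluator lets a team predict them from a list of script URLs their tooling injects, before the policy is enforced.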

The update adds a further layer of defence in depth to the sign-in flow. IT teams should validate their sign-in flows, including any customization tooling or extensions, before the rollout date so that nothing breaks once the policy is enforced.

Source: https://windowsreport.com/microsoft-to-block-external-script-injection-in-entra-id-sign-in-for-stronger-security