Microsoft said it will update the Content Security Policy for Entra ID sign-ins to block unauthorized script injection, allowing only scripts from trusted Microsoft domains to run during browser-based authentication at login.microsoftonline.com. The company said the change will apply only to browser-based sign-in experiences and will not affect Microsoft Entra External ID. The update is scheduled to roll out globally starting mid-to-late October 2026.
Microsoft described the change as a proactive measure under its Secure Future Initiative (SFI) to guard against cross-site scripting attacks that can inject malicious code into websites. The revised policy will permit script downloads only from Microsoft trusted CDN domains and will allow inline execution only from a Microsoft trusted source.
Organizations are being urged to test their sign-in flows in advance to confirm nothing breaks, and to avoid browser extensions or tools that inject code into the Entra sign-in experience; Microsoft recommends switching to tools that do not inject scripts. To detect policy violations during testing, run a sign-in with the browser developer console open and check the Console for errors beginning “Refused to load the script” that cite the script-src directive or a missing nonce.
Microsoft said the change is limited to URLs beginning with login.microsoftonline.com and will be rolled out globally starting mid-to-late October 2026; Microsoft Entra External ID will not be affected. The company framed the update as part of its effort to strengthen authentication and reduce the risk of injected or unauthorized code during sign-in.
The policy update is one element of a broader multi-year SFI effort; in a third progress report Microsoft said it has deployed more than 50 new detections, achieved 99.6% adoption of phishing-resistant multi-factor authentication, and made a series of infrastructure and platform changes including enforcing mandatory MFA, migrating Entra ID signing VMs to Azure Confidential Compute, decommissioning unused tenants and apps, expanding recovery and passkey support, increasing threat hunting coverage, tightening code-signing controls, publishing CVEs and paying $17 million in bounties.