Microsoft Entra ID: Enhance protection of the authentication experience by blocking external script injection
MC1191924 · build prod-20251231-200323
Category: stayInformed
Severity: normal
Major change: False
Last modified: 2025-12-03 21:44:55
Summary source: Azure OpenAI (gpt-4.1)
Action by (Graph):
Action by (AI): 2026-10-15 00:00:00
Services: Microsoft Entra
Tags: Feature update, User impact, Admin impact
Master tags: Admin, Security
Roadmap IDs:
One-line summary

Microsoft Entra ID sign-in will enforce a stricter Content Security Policy, blocking non-Microsoft scripts and injected code, starting rollout in October 2026 to enhance security against XSS threats.

Details

Summary
Microsoft Entra ID will enhance authentication security by enforcing a Content Security Policy that blocks external script injection, allowing only trusted Microsoft scripts. This rollout begins mid-October 2026, affecting browser-based sign-ins on login.microsoftonline.com, with no impact on Entra External ID tenants.

Body (from Message Center)

Introduction

As part of Microsoft’s Secure Future Initiative, we’re updating our Content Security Policy for the Microsoft Entra ID sign-in experience. This change adds an extra layer of protection by allowing only scripts from trusted Microsoft domains to run during authentication, blocking unauthorized or injected external code. This proactive measure helps safeguard users against threats like cross-site scripting (XSS), further strengthening security for your organization.

When this will happen

General Availability (Production/Worldwide only):

  • Rollout begins mid-October 2026
  • Expected completion by late October 2026

Periodic communications will be sent closer to release.

How this affects your organization

Who is affected:

  • Organizations using browser-based sign-in experiences on URLs starting with login.microsoftonline.com.
  • No impact to Microsoft Entra External ID tenants.

What will happen:

  • A new Content Security Policy header will be added to Microsoft Entra sign-in pages.
  • Scripts will only be allowed from Microsoft trusted CDN domains.
  • Inline script execution will only be allowed from trusted Microsoft sources.
  • Browser extensions or tools that inject code into the sign-in page will stop working, though users can still sign in.
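The mechanism behind these bullets is the `script-src` directive: a script runs only if its origin is on the allowlist or, for inline code, if it carries the nonce the server issued for that response. The following evaluator is an added example, not Microsoft's code or the actual header Entra will send; the policy string and the `cdn.example-trusted.invalid` CDN host are constructed placeholders, and `login.microsoftonline.com` is used as the page origin because the notice names it.

```python
"""Toy CSP script-src evaluator (added example; the policy below is constructed)."""
from urllib.parse import urlparse

# Constructed illustration of a strict script-src policy. It is NOT the header
# Microsoft will ship; that header is not published in the notice above.
EXAMPLE_CSP = (
    "script-src 'self' https://cdn.example-trusted.invalid "
    "'nonce-r4nd0mNonceValue'; object-src 'none'"
)
PAGE_ORIGIN = "https://login.microsoftonline.com"  # origin named in the notice


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_allowed(policy: dict, page_origin: str, src=None, nonce=None) -> bool:
    """Decide whether a <script> would execute under the policy.

    src   -- URL of an external script, or None for an inline script.
    nonce -- value of the script tag's nonce attribute, if any.
    """
    sources = policy.get("script-src", policy.get("default-src", []))
    if src is None:
        # Inline code runs only with a matching nonce (or the weak 'unsafe-inline').
        if nonce:
            return f"'nonce-{nonce}'" in sources
        return "'unsafe-inline'" in sources
    parsed = urlparse(src)
    script_origin = f"{parsed.scheme}://{parsed.netloc}"
    for expr in sources:
        if expr == "'self'" and script_origin == page_origin:
            return True
        if expr.startswith(("https://", "http://")):
            host = urlparse(expr).netloc
            if host.startswith("*."):  # wildcard host-source, e.g. https://*.cdn.invalid
                if parsed.netloc.endswith(host[1:]):
                    return True
            elif script_origin == expr.rstrip("/"):
                return True
    return False  # anything injected from an unlisted origin is blocked
```

Under this policy a script from the listed CDN or from the page's own origin runs, while an inline script without the response nonce or a script loaded from any other host is refused, which is the behaviour the notice describes for code-injecting tools.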

What you can do to prepare

  • If you do not use tools or extensions that inject code into the sign-in experience, no action is required.
  • If you do use such tools, switch to alternatives that don’t inject code.
  • Test your sign-in flows thoroughly before rollout to identify and resolve any issues early. Testing instructions can be found on our CSP Guide for Microsoft Entra ID.

Learn more:

Compliance considerations

No compliance considerations identified; review as appropriate for your organization.
