
Microsoft Entra protects against script injection attacks


Microsoft will introduce a new Content Security Policy (CSP) for Microsoft Entra ID in October 2026. The policy is intended to prevent cross-site scripting in the sign-in experience.

Microsoft advises organizations not to use browser extensions or tools that inject code into the Entra ID sign-in experience. If you already follow this recommendation, you don't need to do anything; the sign-in experience remains unchanged.

If you do use tools that inject code into the sign-in page, you will need to move to alternatives: code and script injection will no longer be supported. Those tools will stop working, although users will still be able to sign in.

To gauge the impact in advance, administrators can walk through their sign-in flows with the browser's developer console open; CSP violations then appear as errors (shown in red) in the console. Microsoft stresses that the teams or individuals who own a flow should test it themselves, because violations are only visible in the tester's own sign-in attempts.

Stronger protection against attacks

During sign-in, the browser will only be allowed to execute scripts from trusted Microsoft domains. Unauthorized or injected code will not run.

The new policy is intended to protect users against cross-site scripting (XSS). In an XSS attack, an attacker injects malicious script into a web page so that it runs in the victim's browser with the page's privileges, in this case inside the sign-in session. By restricting script sources to Microsoft's own domains, injected scripts are blocked and this risk is greatly reduced.
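To make concrete both the console test described above and the "only trusted domains" rule, here is an added example (not code from the article or from Microsoft) of how a browser evaluates a `script-src` directive. The policy string, the page origin and the sample script loads are constructed for illustration; Microsoft's actual header is not published in the article, so none of these hostnames are the real ones. The matcher implements the core of the CSP source-expression algorithm: `'self'`, `'none'`, scheme sources, host sources with a leading `*.` wildcard, and the rule that inline script only runs when `'unsafe-inline'` is present (nonces and hashes are left out for brevity).

```javascript
// Added example: simplified Content-Security-Policy script-src evaluation.
// ASSUMED policy and origin, illustrating the shape "scripts only from trusted
// first-party domains"; not Microsoft's real header or hostnames.
const ASSUMED_POLICY =
  "default-src 'none'; script-src 'self' https://*.trusted-idp.example; report-uri /csp-report";
const PAGE_ORIGIN = "https://login.trusted-idp.example";

// Parse a CSP header into Map<directive name, source expressions[]>.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Scripts are governed by script-src, falling back to default-src.
function scriptSources(directives) {
  return directives.get("script-src") ?? directives.get("default-src") ?? null;
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// Does a single source expression match the URL of a <script src>?
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin; // same scheme, host and port
  if (source.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes: not host matching
  if (source === "*") return true; // simplification: spec restricts '*' to network schemes
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase(); // "https:"
  // host-source: [scheme://][*.]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  const urlHost = url.hostname.toLowerCase();
  const srcHost = host.toLowerCase();
  // "*.example" matches "a.example" but, per the spec, not "example" itself.
  if (wildcard ? !urlHost.endsWith("." + srcHost) : urlHost !== srcHost) return false;
  if (port && port !== "*" && (url.port || defaultPort(url.protocol)) !== port) return false;
  if (path && !url.pathname.startsWith(path)) return false; // simplified path matching
  return true;
}

// Decide whether one script load runs. `load` is { kind: "inline" } for an
// injected <script>...</script> or inline handler, or { kind: "external", url }.
function scriptAllowed(policy, load, pageOrigin = PAGE_ORIGIN) {
  const sources = scriptSources(parsePolicy(policy));
  if (sources === null) return true; // no governing directive: the browser allows everything
  if (load.kind === "inline") return sources.includes("'unsafe-inline'");
  const url = new URL(load.url);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed sample loads: what a sign-in page might attempt with a
// code-injecting extension active. Labels and URLs are ours.
const SAMPLE_LOADS = [
  { label: "page's own bundle",          kind: "external", url: "https://login.trusted-idp.example/app.js" },
  { label: "first-party CDN script",     kind: "external", url: "https://cdn.trusted-idp.example/lib.js" },
  { label: "extension-injected inline",  kind: "inline" },
  { label: "extension-injected remote",  kind: "external", url: "https://helper-tool.example/inject.js" },
  { label: "http downgrade of own host", kind: "external", url: "http://login.trusted-idp.example/app.js" },
];

function evaluateLoads(policy = ASSUMED_POLICY, loads = SAMPLE_LOADS) {
  return loads.map((l) => ({ label: l.label, allowed: scriptAllowed(policy, l) }));
}

// One line per load, in the spirit of the console errors an administrator
// would look for while walking through the sign-in flow.
function formatReport(results) {
  return results.map((r) => `${r.allowed ? "ok     " : "BLOCKED"}  ${r.label}`).join("\n");
}

console.log(formatReport(evaluateLoads()));
```

Two points worth keeping in mind when you run the real test against login.microsoftonline.com: an extension's own content script executes in the extension's isolated world under the extension's policy, so what the page CSP actually blocks is the `<script>` element, inline handler or remote script the extension inserts into the document, which is exactly the injection this change targets; and each violation is reported only in the browser that attempted the load, which is why Microsoft asks the owners of each flow to test it themselves rather than rely on a central check.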

The change applies specifically to login.microsoftonline.com and only affects browser-based sign-in experiences. Microsoft Entra External ID is not affected by the new policy.
