MC1191924: Enhance protection of the authentication experience by blocking external script injection

Summary:
Content Security Policy for Microsoft Entra ID sign-in is being updated to enhance security by allowing only scripts from trusted Microsoft domains.
Browser extensions or tools that inject code into the sign-in page will stop working, but sign-in will remain possible.
No action is needed if no tools or extensions that inject code are in use; where they are in use, users should switch to alternatives that do not inject code.
A new Content Security Policy header will restrict inline script execution to trusted Microsoft sources.

Admin Impact: Medium
User Impact: Low
Release Start: 15 Oct 2026
Release End: 31 Oct 2026

Services
Entra
Category: Stay informed
Tags
Feature Update
User Adoption
Admin Action
History
12/3/2025 - Item Added to Message Center
Microsoft Message
Introduction

As part of Microsoft’s Secure Future Initiative, we’re updating our Content Security Policy for the Microsoft Entra ID sign-in experience. This change adds an extra layer of protection by allowing only scripts from trusted Microsoft domains to run during authentication, blocking unauthorized or injected external code. This proactive measure helps safeguard users against threats like cross-site scripting (XSS), further strengthening security for your organization.

When this will happen

General Availability (Production/Worldwide only):

Rollout begins mid-October 2026
Expected completion by late October 2026
Periodic communications will be sent closer to release.

How this affects your organization

Who is affected:

Organizations using browser-based sign-in experiences on URLs starting with login.microsoftonline.com.
No impact to Microsoft Entra External ID tenants.
What will happen:

A new Content Security Policy header will be added to Microsoft Entra sign-in pages.
Scripts will only be allowed from Microsoft trusted CDN domains.
Inline script execution will only be allowed from trusted Microsoft sources.
Browser extensions or tools that inject code into the sign-in page will stop working, though users can still sign in.
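As an added illustration (not code from this Message Center post or from Microsoft), the Python below evaluates whether a given script would pass a script-src directive of the kind described above: external scripts only from listed hosts, inline scripts only when they carry a matching nonce. The policy string, the CDN hostname and the nonce value are constructed placeholders, not Microsoft's actual header.

```python
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed policy for illustration only; the real Entra header and its
# trusted CDN hostnames are not reproduced here.
EXAMPLE_CSP = (
    "script-src 'self' https://cdn.example-trusted.invalid 'nonce-r4nd0m'; "
    "object-src 'none'"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern: str, url: str) -> bool:
    """Match a host-source (scheme://host or bare host, '*.' wildcard allowed) to a URL."""
    parsed = urlparse(url)
    scheme, sep, host = pattern.partition("://")
    if not sep:                       # bare host pattern: any scheme
        scheme, host = "", pattern
    host = host.split("/")[0]         # path-part matching is out of scope here
    if scheme and scheme.lower() != parsed.scheme.lower():
        return False
    if host.startswith("*."):
        return bool(parsed.hostname) and parsed.hostname.endswith(host[1:])
    return parsed.hostname == host


def script_allowed(header: str, page_origin: str,
                   src: Optional[str] = None, nonce: Optional[str] = None) -> bool:
    """True if a script (external `src`, or inline when src is None) passes script-src.
    `nonce` is the value of the script tag's nonce attribute, if any."""
    sources = parse_csp(header).get("script-src", [])
    if nonce and f"'nonce-{nonce}'" in sources:
        return True                   # a matching nonce admits inline and external scripts
    if src is None:
        # 'unsafe-inline' is ignored once a nonce or hash source is present (CSP level 2+)
        strict = any(s.startswith(("'nonce-", "'sha")) for s in sources)
        return "'unsafe-inline'" in sources and not strict
    for source in sources:
        if source == "'self'" and _host_matches(page_origin, src):
            return True
        if not source.startswith("'") and _host_matches(source, src):
            return True
    return False
```

Running a page's script tags through a check like this against the published policy is one way to confirm, before rollout, which scripts in a customised sign-in flow would be blocked.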
What you can do to prepare

If you do not use tools or extensions that inject code into the sign-in experience, no action is required.
If you do use such tools, switch to alternatives that don’t inject code.
Test your sign-in flows thoroughly before rollout to identify and resolve any issues early. Testing instructions can be found on our CSP Guide for Microsoft Entra ID.
Learn more:

Content Security Policy Overview for Microsoft Entra ID
Microsoft Entra ID Content Security Policy Public Blog Post on Techcommunity
Microsoft Secure Future Initiative
The CSP nonce guide | Content Security Policy (CSP) quick reference guide
The CSP script-src directive guide | Content Security Policy (CSP) quick reference guide
Why XSS still matters: MSRC’s perspective on a 25-year-old threat | Microsoft Blog
Compliance considerations

No compliance considerations identified; review as appropriate for your organization.