Microsoft to block unauthorized scripts in Entra ID logins with 2026 CSP update

Microsoft has announced a major update to strengthen the security of Entra ID authentication. Starting in October 2026, the company will apply a tightened Content Security Policy (CSP) to its login platform so that unauthorized or injected scripts are refused by the browser instead of executing during sign-in.

Enhanced Security for Entra ID Sign-Ins

The CSP update covers the sign-in experience at login.microsoftonline.com and allows only scripts from trusted Microsoft domains to run there. Microsoft emphasized that the change stops unauthorized or injected code from executing during authentication, an additional layer of protection for users on top of the existing sign-in controls.

The new policy restricts external script loads to Microsoft's trusted CDN domains and permits inline script only when it is emitted by verified Microsoft sources, enforced through the script-src directive and per-response nonces. Browser-based sign-ins that start at login.microsoftonline.com are in scope; Microsoft Entra External ID is not affected.

Proactive Measure Against XSS Attacks

This update is part of Microsoft's Secure Future Initiative (SFI) and is aimed at cross-site scripting (XSS) attacks, in which an attacker injects script into a web page that the victim's browser then executes with the page's privileges. The company is rolling out the change globally starting mid-to-late October 2026.

Organizations are advised to test their sign-in flows before the rollout to ensure they continue to work. Microsoft also recommends avoiding browser extensions or tools that inject scripts into the Entra sign-in pages, since those scripts will be blocked, and switching to alternatives that do not interfere with login security.

To detect potential CSP violations, open the browser's developer console while walking through the sign-in flow and look for errors that begin with "Refused to load the script" (an external script from a host the script-src directive does not allow) or "Refused to execute inline script" (inline code without a valid nonce). Each message names the policy directive that was violated, which makes it straightforward to tell a blocked extension or tool apart from a problem in the sign-in page itself.
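To make the mechanism concrete, here is an added example (not Microsoft's code, and not the policy Microsoft will deploy) that evaluates a simplified CSP Level 3 script-src directive the way a browser would, and produces the console messages a tester would look for. The policy string, the origin login.example.test and every script in the sample list are constructed for illustration; hash sources and 'strict-dynamic' are deliberately not modelled, and host matching ignores URL paths.

```javascript
// Added example (not Microsoft's code): a simplified CSP Level 3 evaluator for
// the script-src directive, showing why "trusted hosts + nonces" stops
// injected scripts on a sign-in page. Assumptions/simplifications: hash
// sources and 'strict-dynamic' are not modelled; host matching ignores paths.
// EXAMPLE_POLICY and EXAMPLE_ORIGIN are constructed and are NOT Microsoft's
// actual policy or domains.

const EXAMPLE_ORIGIN = 'https://login.example.test';
const EXAMPLE_POLICY =
  "default-src 'self'; " +
  "script-src 'self' https://cdn.example.test https://*.static.example.test " +
  "'nonce-r4nd0m' 'unsafe-inline'; " +
  "object-src 'none'";

// Return the script-src source list, or null if the policy has none.
function parseScriptSrc(policy) {
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens[0] === 'script-src') return tokens.slice(1);
  }
  return null;
}

function effectivePort(u) {
  return u.port || ({ 'https:': '443', 'http:': '80' }[u.protocol] || '');
}

// Does one host/scheme source expression ('self', https:, https://*.x.test:8443)
// match the script URL? Path matching is deliberately omitted.
function sourceMatches(expr, url, pageOrigin) {
  let u;
  try { u = new URL(url); } catch { return false; }
  const page = new URL(pageOrigin);
  if (expr === "'self'") return u.protocol === page.protocol && u.host === page.host;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol === expr.toLowerCase(); // scheme-only source
  const m = expr.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?/i);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Scheme: an explicit scheme must match; a scheme-less source inherits the
  // page scheme (an http page may still load https scripts).
  if (scheme) {
    if (u.protocol !== scheme.toLowerCase() + ':') return false;
  } else if (u.protocol !== page.protocol && !(page.protocol === 'http:' && u.protocol === 'https:')) {
    return false;
  }
  // Host: exact match, or any subdomain for a "*." wildcard (never the bare domain).
  const h = u.hostname.toLowerCase(), want = host.toLowerCase();
  if (wildcard ? !h.endsWith('.' + want) : h !== want) return false;
  // Port: an explicit port must match (or be '*'); otherwise the URL must use
  // the scheme's default port.
  if (port) return port === '*' || effectivePort(u) === port;
  return u.port === '';
}

// Decide whether a script ({src} external or {inline} inline, optionally with
// a nonce) may execute. The message mimics the browser console error.
function isScriptAllowed(policy, script, pageOrigin = EXAMPLE_ORIGIN) {
  const sources = parseScriptSrc(policy);
  if (!sources) return { allowed: true, reason: 'no script-src directive' };
  const directiveText = 'script-src ' + sources.join(' ');
  const nonces = sources.filter(s => /^'nonce-[^']+'$/.test(s)).map(s => s.slice(7, -1));
  // CSP3: once a nonce source is present, 'unsafe-inline' is ignored.
  const unsafeInline = nonces.length === 0 && sources.includes("'unsafe-inline'");

  if (script.nonce !== undefined && nonces.includes(script.nonce)) {
    return { allowed: true, reason: 'nonce matched' };
  }
  if (script.src !== undefined) {
    const hostSources = sources.filter(s => s === "'self'" || !s.startsWith("'"));
    if (hostSources.some(s => sourceMatches(s, script.src, pageOrigin))) {
      return { allowed: true, reason: 'host allowlist matched' };
    }
    return { allowed: false, reason: 'host not allowed',
      message: `Refused to load the script '${script.src}' because it violates the following Content Security Policy directive: "${directiveText}".` };
  }
  if (unsafeInline) return { allowed: true, reason: "'unsafe-inline' (no nonce in policy)" };
  return { allowed: false,
    reason: script.nonce === undefined ? 'inline script without nonce' : 'nonce mismatch',
    message: `Refused to execute inline script because it violates the following Content Security Policy directive: "${directiveText}". Either the 'unsafe-inline' keyword, a hash, or a nonce is required to enable inline execution.` };
}

// Run a batch of scripts through the policy and return the console messages a
// tester would see while walking the sign-in flow.
function collectViolations(policy, scripts, pageOrigin = EXAMPLE_ORIGIN) {
  return scripts.map(s => isScriptAllowed(policy, s, pageOrigin))
    .filter(r => !r.allowed).map(r => r.message);
}

// Constructed sample: legitimate page scripts plus what an injecting browser
// extension or a reflected-XSS payload would try to run.
const SAMPLE_SCRIPTS = [
  { src: 'https://login.example.test/app.js' },                        // 'self'
  { src: 'https://cdn.example.test/auth.js' },                         // allowed CDN host
  { src: 'https://eu.static.example.test/ui.js' },                     // wildcard subdomain
  { inline: 'initSignIn();', nonce: 'r4nd0m' },                        // server-issued nonce
  { src: 'http://cdn.example.test/auth.js' },                          // scheme downgrade: blocked
  { src: 'https://static.example.test/ui.js' },                        // bare domain, not *.static: blocked
  { src: 'https://evil.example.test/inject.js' },                      // untrusted host: blocked
  { inline: "document.forms[0].action='https://evil.example.test'" },  // injected, no nonce: blocked
  { inline: 'steal()', nonce: 'guess' },                               // guessed nonce: blocked
];

for (const msg of collectViolations(EXAMPLE_POLICY, SAMPLE_SCRIPTS)) console.log(msg);
```

Two points the run makes visible: the host allowlist alone never authorizes inline code, so an injected inline handler is refused even though the page's own CDN scripts load, and the 'unsafe-inline' keyword left in the policy for older browsers is ignored by any browser that understands nonces.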

Microsoft’s Multi-Year Security Effort

The Secure Future Initiative, launched in November 2023 and expanded in May 2024 after a U.S. Cyber Safety Review Board (CSRB) report, prioritizes security in Microsoft product design. Recent progress reports highlight:

  • Deployment of over 50 new detections targeting high-priority tactics, techniques, and procedures
  • Adoption of phishing-resistant multi-factor authentication (MFA) for 99.6% of users and devices
  • Mandatory MFA enforced across all services, including Azure users
  • Quick Machine Recovery, expanded Passkey and Windows Hello support, and improved memory safety in UEFI firmware using Rust
  • Migration of 95% of Entra ID signing VMs to Azure Confidential Compute and 94.3% of security token validation to standard SDKs
  • Discontinuation of Active Directory Federation Services (ADFS) in productivity environments
  • Decommissioning of 560,000 unused tenants and 83,000 Entra ID apps
  • Advanced threat hunting with 98% of production infrastructure monitored centrally
  • Complete network device inventory and mature asset lifecycle management
  • Code signing almost entirely restricted to production identities
  • Publication of 1,096 CVEs, including 53 cloud CVEs that required no customer action, with $17 million in bounty payments

Zero Trust Alignment

Microsoft advised organizations to align with Zero Trust principles by automating vulnerability detection, response, and remediation with integrated security tools and threat intelligence. Real-time visibility into hybrid and cloud security incidents shortens containment and recovery, which in turn keeps the Entra ID environment more secure.