Microsoft Entra ID to Tighten Sign-In Security to Block Script Injection Threats

New CSP rules will restrict unauthorized scripts and enhance protection across Entra ID sign-in flows.


Key Takeaways:

  • Microsoft is tightening browser-based sign-in security for Entra ID to counter script injection threats.
  • New Content Security Policy will restrict scripts to trusted sources only.
  • Organizations must update tools and integrations before the 2026 enforcement deadline.

Microsoft is strengthening identity security for Entra ID customers by enforcing stricter controls on browser-based sign-ins. This upcoming update aims to block unauthorized script injection attacks and protect authentication processes from malicious code.

External script injection is a class of attack in which malicious or unauthorized scripts are loaded into a web page from sources the page owner never intended. When such scripts run during a sensitive flow like authentication, they can read credentials as they are typed, hijack the resulting session, or alter what the page shows to the user. The attack works because, in the absence of a Content Security Policy, a browser executes any script a page ends up loading, regardless of where that script came from.

What will the new Content Security Policy enforce?

Microsoft is adding a Content Security Policy (CSP) header to browser-based sign-in pages served from login.microsoftonline.com. The policy will allow external scripts only from Microsoft-trusted CDN domains and inline scripts only when they come from Microsoft itself; any other script, including code injected by a browser extension or other third-party tooling, will be refused by the browser before it runs. This restricts script execution during authentication to known, trusted sources and provides proactive protection against cross-site scripting (XSS) attacks.

“This is a proactive measure that further shields your users against current security risks, such as cross-site scripting (XSS), where attackers can insert malicious code into websites. As a result, you can be assured that your users receive stronger protection, and your organization remains ahead of new security challenges,” explained Megna Kokkalera, Product Manager for Microsoft Identity and Authentication Experiences.

An example of a CSP violation reported in the browser console (Image Credit: Microsoft)

This update is part of Microsoft’s Secure Future Initiative (SFI) that launched in November 2023. It’s a multi-year, company-wide effort to embed top-tier cybersecurity across its products and operations under three guiding pillars: secure by design, secure by default, and secure operations. It emphasizes building security directly into product development, which enables robust protections without requiring additional user effort.

Microsoft plans to enforce the new security feature globally by mid-to-late October 2026. The company says organizations will receive regular reminders to ensure they are prepared for this upcoming change.

How to prepare for the upcoming changes?

Organizations should start by reviewing any tools, browser extensions, or custom scripts that interact with Microsoft Entra ID sign-in pages. If these solutions inject scripts into the authentication flow, they need to be replaced or reconfigured, because the upcoming Content Security Policy will block such behavior regardless of who injected the script. Administrators should also walk through their sign-in experiences with the browser's developer tools open: a script the policy refuses shows up in the console as a CSP violation naming the blocked URL and the directive that blocked it.
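To make the preparation step concrete, here is an added example (not Microsoft's code, and not Microsoft's actual policy) that evaluates a script-src directive the way a browser would and formats the violation events the console shows. The policy string, the trusted CDN host `cdn.trusted.example`, the attacker host, and the sample violation event are all constructed for illustration; the real header shipped on login.microsoftonline.com is not reproduced here.

```javascript
// Added example: a minimal evaluator for the script-src directive of a
// Content-Security-Policy header, plus a helper that summarises a
// SecurityPolicyViolationEvent for triage. The policy and hosts below are
// illustrative assumptions, not Microsoft's published policy.

// Parse "directive value value; directive value" into a Map of directive -> [values].
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    // Browsers honour the first occurrence of a directive and ignore later duplicates.
    if (!directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// Does a host or scheme source expression (https://cdn.example, *.example, https:) match a URL?
// Paths are ignored in this simplified matcher.
function sourceMatches(expr, url) {
  const target = new URL(url);
  if (expr === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return target.protocol === expr.toLowerCase(); // scheme-only
  let hostExpr = expr;
  let scheme = null;
  const m = expr.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/i);
  if (m) { scheme = m[1].toLowerCase() + ':'; hostExpr = m[2]; }
  if (scheme && target.protocol !== scheme) return false;
  hostExpr = hostExpr.replace(/\/.*$/, '').toLowerCase();
  if (hostExpr.startsWith('*.')) {
    const suffix = hostExpr.slice(1); // ".example.com"
    return target.hostname.endsWith(suffix) && target.hostname !== hostExpr.slice(2);
  }
  return target.hostname.toLowerCase() === hostExpr;
}

// Decide whether a script runs. `script` is { type: 'external', url, pageOrigin }
// or { type: 'inline', nonce?, hash? }. script-src falls back to default-src.
function scriptAllowed(policy, script) {
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (!sources) return true;                 // no policy for scripts at all
  if (sources.includes("'none'")) return false;
  if (script.type === 'external') {
    return sources.some((src) => {
      if (src === "'self'") return new URL(script.url).origin === script.pageOrigin;
      return !src.startsWith("'") && sourceMatches(src, script.url);
    });
  }
  // Inline: a nonce or hash in the policy disables 'unsafe-inline' (CSP level 2 and later),
  // so an injected inline script without the right nonce is refused.
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  if (!hasNonceOrHash && sources.includes("'unsafe-inline'")) return true;
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
  if (script.hash && sources.includes(`'${script.hash}'`)) return true;
  return false;
}

// Reduce the fields of a SecurityPolicyViolationEvent (the same data the devtools
// console prints) to one triage line: which directive blocked what, and from where.
function summarizeViolation(ev) {
  const where = ev.sourceFile ? `${ev.sourceFile}:${ev.lineNumber}` : 'unknown source';
  return `${ev.effectiveDirective} blocked ${ev.blockedURI} (from ${where})`;
}

// Constructed sample policy in the shape described in the article: trusted CDN host,
// same-origin scripts, and Microsoft-authorised inline scripts via a nonce.
const SAMPLE_POLICY = "script-src 'self' https://cdn.trusted.example 'nonce-r4nd0m'; default-src 'none'";
const PAGE_ORIGIN = 'https://login.microsoftonline.com';

// Run the evaluator over the cases an administrator would check during testing.
function demo() {
  const policy = parseCsp(SAMPLE_POLICY);
  return {
    trustedCdn: scriptAllowed(policy, { type: 'external', url: 'https://cdn.trusted.example/auth.js', pageOrigin: PAGE_ORIGIN }),
    sameOrigin: scriptAllowed(policy, { type: 'external', url: `${PAGE_ORIGIN}/common/login.js`, pageOrigin: PAGE_ORIGIN }),
    injectedExtension: scriptAllowed(policy, { type: 'external', url: 'https://attacker.example/steal.js', pageOrigin: PAGE_ORIGIN }),
    noncedInline: scriptAllowed(policy, { type: 'inline', nonce: 'r4nd0m' }),
    injectedInline: scriptAllowed(policy, { type: 'inline' }),
  };
}

// In a real browser session, the same summary can be logged live while testing sign-in.
if (typeof document !== 'undefined') {
  document.addEventListener('securitypolicyviolation', (ev) => console.log(summarizeViolation(ev)));
}

console.log(demo());
```

Running `demo()` shows the trusted CDN script, the same-origin script and the nonced inline script allowed, while the extension-injected script and the inline script without a nonce are refused. Pasting the `securitypolicyviolation` listener into the console on a sign-in page, during an internal test, gives the same one-line summary for every script the policy blocks, which is the list of integrations that must be fixed before enforcement.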

Additionally, companies should communicate these changes to internal stakeholders and third-party vendors to ensure that all integrations comply with Microsoft’s new security standards.