Thursday, May 14, 2026

Microsoft To Block External Scripts In Entra ID Logins To Strengthen Security

Microsoft announced a significant security upgrade for Microsoft Entra ID authentication on November 25, 2025, via its Entra Blog.

The change blocks external script injection during sign-ins to help combat threats such as cross-site scripting (XSS).

This proactive step aligns with Microsoft’s Secure Future Initiative, which prioritizes hardening identity systems against evolving attacks.

The update modifies the Content Security Policy (CSP) header on login.microsoftonline.com pages.

CSP acts as a browser-enforced allowlist, dictating which scripts can load or execute.

Previously, external scripts from untrusted sources could run, opening the door to XSS exploits in which attackers inject malicious JavaScript to steal credentials or hijack sessions.

Key Technical Changes and Timeline

Starting mid-to-late October 2026, Entra ID will enforce stricter CSP rules globally. Scripts will load only from Microsoft-trusted CDN domains, specified via the script-src directive.

For example, allowed sources include Microsoft’s own CDNs (e.g., *.microsoftonline.com) and verified partners, while blocking arbitrary external URLs.

Inline scripts embedded directly in HTML gain protection through nonces. A nonce is a one-time, cryptographically random token generated per page load.

Browsers check whether inline <script> tags carry a matching nonce attribute, like <script nonce="randomValue123">code here</script>.

Without it, execution fails. This follows CSP best practices outlined in resources like content-security-policy.com/script-src and /nonce.

The policy applies solely to browser-based sign-ins on login.microsoftonline.com URLs. Microsoft Entra External ID remains unaffected, preserving custom tenant experiences.

Preparation Steps For Organizations

Organizations that use browser extensions or tools that inject scripts into Entra sign-in pages will experience disruptions once the change takes effect.

Common culprits include password managers, debugging tools, or custom automation scripts that dynamically append <script> tags.

To assess impact, admins should simulate sign-ins with browser developer consoles open (F12 in Chrome/Edge).

Violations appear as red console errors, such as "Refused to execute inline script because it violates the following Content Security Policy directive: 'script-src 'nonce-…' 'strict-dynamic' …'." Test across user roles and scenarios, as issues may vary per flow.

Microsoft advises switching to non-intrusive alternatives. Compliant tools use sidecar authentication or APIs without modifying the page; standard users need to take no action.

Product Manager II Megna Kokkalera emphasized thorough testing to ensure a seamless rollout.

This CSP hardening adds a critical defense layer, reducing XSS risks that persist despite being a 25-year-old threat, per Microsoft’s MSRC blog.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.