Microsoft to Block Unauthorized Scripts in Entra ID

Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update

Source: thehackernews.com/2025/11/m…

Microsoft plans to tighten security for Entra ID authentication by blocking unauthorized script injections beginning in 2026. The change centres on an update to the platform’s Content Security Policy (CSP), which governs which scripts can run during the sign-in process at login.microsoftonline.com.

Under the revised policy, only scripts sourced from trusted Microsoft domains will be permitted to execute. The goal is to prevent malicious or injected code from running during browser-based authentication flows. Microsoft stated that the update “strengthens security and adds an extra layer of protection by allowing only scripts from trusted Microsoft domains to run during authentication.”

The change restricts script downloads to Microsoft-trusted CDN domains and allows inline script execution only when sourced from Microsoft. The update applies exclusively to browser-based sign-ins at login.microsoftonline.com. Microsoft Entra External ID will not be impacted.

Edward Kiledjian @ekiledjian
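
How a `script-src` allowlist of the kind described above decides which scripts run, as an added JavaScript example that is not from the post or from Microsoft. The policy string, the CDN host `cdn.trusted.example` and the nonce value are constructed placeholders, and using a nonce to mark trusted inline scripts is an assumption based on how CSP works in general, not a detail stated in the post.

```javascript
// Constructed policy: the CDN host and nonce are placeholders, not Microsoft's real values.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.trusted.example 'nonce-R4nd0mPerResponse'";
const PAGE = "https://login.microsoftonline.com/"; // sign-in origin named in the post

// Parse a CSP header value into a Map of directive name -> source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Match one scheme or host source against a script URL (ports and paths are not modelled).
function sourceMatches(source, url, page) {
  if (source === "'self'") return url.origin === page.origin;
  if (source.startsWith("'")) return false; // other keywords, nonces and hashes never match a URL
  if (source === "*") return /^https?:$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/i.exec(source);
  if (!m) return false;
  // Simplification: a host source without a scheme is held to the page's own scheme.
  const scheme = m[1] ? m[1].toLowerCase() + ":" : page.protocol;
  const host = m[3].toLowerCase();
  if (url.protocol !== scheme) return false;
  return m[2] ? url.hostname.endsWith("." + host) : url.hostname === host;
}

// script is { src } for an external file or { inline: true }, each with an optional nonce.
function scriptAllowed(header, pageUrl, script) {
  const d = parseCsp(header);
  const sources = d.get("script-src") ?? d.get("default-src");
  if (!sources) return true; // no governing directive, so nothing is restricted
  const nonces = sources.filter(s => /^'nonce-.+'$/.test(s)).map(s => s.slice(7, -1));
  if (script.nonce && nonces.includes(script.nonce)) return true;
  if (script.inline) {
    // 'unsafe-inline' is ignored once any nonce or hash source is listed (hashes not modelled).
    const strict = sources.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
    return !strict && sources.includes("'unsafe-inline'");
  }
  const page = new URL(pageUrl);
  return sources.some(s => sourceMatches(s, new URL(script.src, page), page));
}
```

Under this policy a script tag added to the sign-in page by anything other than the server (for example a browser extension) is refused unless its URL is on the allowlist or it carries the per-response nonce.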