Microsoft Fortifies Entra ID Authentication
Microsoft is taking a major defensive step to strengthen the security of its Entra ID (formerly Azure AD) sign-in process. The company has announced a significant update to the sign-in page's security policy that will block injected, unauthorized scripts from running during user authentication. The change is scheduled to take effect about a year from now, in October 2026.
The core of this security enhancement involves updating the Content Security Policy (CSP) for the “login.microsoftonline.com” sign-in page. The goal is to ensure that the Entra ID authentication experience is cleaner and more secure by only allowing scripts that originate from Microsoft’s own, trusted domains to execute.
Building a Wall Against Cross-Site Scripting (XSS)
This policy upgrade is designed to enhance overall security by adding a critical layer of defense. By strictly limiting which scripts can run, Microsoft aims to prevent any unauthorized or malicious code from executing during the sign-in sequence.
Specifically, the new policy will allow external scripts to load only from Microsoft's trusted Content Delivery Network (CDN) locations, and will allow inline scripts to execute only when they carry the per-response nonce that Microsoft's server issues with the page. An attacker or extension injecting code cannot know that nonce in advance, which is what makes the inline restriction effective.
This proactive measure is part of the ongoing Secure Future Initiative (SFI), which is a broad, multi-year commitment by Microsoft to prioritize security above all else in product design. The security push is intended to safeguard users from sophisticated attacks, particularly cross-site scripting (XSS) attacks, where hackers attempt to inject harmful code into legitimate websites.
The deployment of this updated security policy is planned to roll out globally in mid-to-late October 2026. It's important to note that this change specifically targets the browser-based sign-in pages for URLs starting with login.microsoftonline.com and will not affect the Microsoft Entra External ID service.
Prepare for the Change
Microsoft is urging all organizations to take action now to ensure a smooth transition. Organizations need to thoroughly test all their existing sign-in workflows well in advance of the 2026 launch date to identify and fix any compatibility issues that could disrupt the user experience.
Customers are also strongly advised to stop using any browser extensions or specialized tools that inject their own code or scripts into the Entra sign-in process. If such tools are currently in use, the recommendation is to immediately switch to alternatives that do not interfere with or inject code into the Microsoft Entra authentication experience.
To help organizations prepare, Microsoft suggests a simple diagnostic step: run a sign-in attempt while the browser's Developer Tools are open. By checking the Console tool within the developer view, testers can look for specific errors. Any message that says "Refused to load the script" and references the "script-src" and "nonce" directives flags a violation of the upcoming Content Security Policy. Note that an injected inline script (as opposed to one loaded from an external URL) is reported by Chromium-based browsers with the wording "Refused to execute inline script" instead, so check for both phrasings.
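The policy described above and the console check it implies, as an added example that is not Microsoft's code and not the actual policy served by login.microsoftonline.com: a simplified model of how a browser applies a nonce-based script-src directive to the scripts on a page. The CSP string, nonce value, hostnames and script list are all constructed for illustration. It shows why a legitimate CDN bundle and a nonced inline script run while an extension-injected script and an XSS payload do not, and it returns the console messages a tester with Developer Tools open would see.

```javascript
// Added example (not Microsoft's code): a simplified model of how a browser
// applies a nonce-based script-src directive to scripts on a sign-in page.
// Policy text, nonce value and hostnames below are constructed for illustration.

const EXAMPLE_NONCE = "d2FudGVkLW5vbmNl"; // constructed; a real nonce is fresh per response

// Constructed policy in the shape the article describes: external scripts only
// from a trusted CDN host, inline scripts only when they carry the server's nonce.
const EXAMPLE_CSP =
  `default-src 'self'; script-src 'nonce-${EXAMPLE_NONCE}' https://cdn.example-login.test`;

// Parse the script-src directive into the pieces the check needs.
function parseScriptSrc(cspHeader) {
  for (const directive of cspHeader.split(";")) {
    const [name, ...values] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== "script-src") continue;
    return {
      nonces: values
        .filter((v) => /^'nonce-[^']+'$/i.test(v))
        .map((v) => v.slice("'nonce-".length, -1)),
      // Only scheme+host origins are modelled; real CSP also supports
      // wildcards and path prefixes.
      origins: values
        .filter((v) => /^https?:\/\//i.test(v))
        .map((v) => new URL(v).origin),
      unsafeInline: values.some((v) => v.toLowerCase() === "'unsafe-inline'"),
    };
  }
  return null;
}

// Decide whether one <script> would run, and roughly what the browser console
// reports if not. `script` is { src } for an external script or { inline: true }
// for an inline one; either may carry a `nonce` attribute.
function evaluateScript(policy, script) {
  // A nonce matching the policy admits the script whether inline or external.
  if (script.nonce && policy.nonces.includes(script.nonce)) {
    return { allowed: true };
  }
  if (script.src) {
    let origin;
    try {
      origin = new URL(script.src).origin;
    } catch {
      return { allowed: false, console: `Refused to load the script '${script.src}': invalid URL` };
    }
    if (policy.origins.includes(origin)) return { allowed: true };
    return {
      allowed: false,
      console:
        `Refused to load the script '${script.src}' because it violates the ` +
        `following Content Security Policy directive: "script-src ...".`,
    };
  }
  // Inline script without a valid nonce. Once a nonce or hash is present in the
  // directive, browsers ignore 'unsafe-inline', so a stray 'unsafe-inline'
  // cannot rescue an injected script.
  if (policy.unsafeInline && policy.nonces.length === 0) return { allowed: true };
  return {
    allowed: false,
    console:
      `Refused to execute inline script because it violates the following ` +
      `Content Security Policy directive: "script-src ...". Either the ` +
      `'unsafe-inline' keyword, a hash, or a nonce is required to enable inline execution.`,
  };
}

// Run every script through the policy and return the console messages for the
// blocked ones, keyed by label: the view a tester gets with Developer Tools open.
function auditSignInPage(cspHeader, scripts) {
  const policy = parseScriptSrc(cspHeader);
  const blocked = {};
  for (const [label, script] of Object.entries(scripts)) {
    const result = evaluateScript(policy, script);
    if (!result.allowed) blocked[label] = result.console;
  }
  return blocked;
}

// Constructed scripts standing in for a sign-in page plus an injecting
// browser extension and an XSS attempt.
const EXAMPLE_SCRIPTS = {
  cdnBundle: { src: "https://cdn.example-login.test/signin.js" },          // legitimate
  pageInline: { inline: true, nonce: EXAMPLE_NONCE },                      // legitimate
  extensionInjected: { src: "https://ext-helper.example.test/inject.js" }, // blocked: host not listed
  xssPayload: { inline: true },                                            // blocked: no nonce
  guessedNonce: { inline: true, nonce: "guess" },                          // blocked: wrong nonce
};

console.log(auditSignInPage(EXAMPLE_CSP, EXAMPLE_SCRIPTS));
```

The console messages are approximations of Chromium's wording, not the exact strings; the point is that an external violation reports "Refused to load the script" while an inline one reports "Refused to execute inline script", and both name the script-src directive. Run it with `node` to see which of the constructed scripts a policy of this shape would block.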
The Bigger Picture: Microsoft’s Security Overhaul
This CSP update is just one part of Microsoft’s extensive Secure Future Initiative (SFI), which began in November 2023 and was expanded in May 2024. The initiative followed a critical report from the U.S. Cyber Safety Review Board (CSRB) that concluded the company’s security practices were “inadequate” and required a complete “overhaul.”
In its most recent update this month, Microsoft highlighted significant progress:
- Threat Detection: They have deployed over 50 new detection mechanisms across their infrastructure to actively hunt for high-priority attack tactics.
- Phishing-Resistant MFA: Adoption of phishing-resistant multi-factor authentication for users and devices is now nearly universal, hitting a high of 99.6%.
- Mandatory MFA: Microsoft has enforced Multi-Factor Authentication across all services, including for every user of Azure services.
- Infrastructure & Code: They have migrated the majority of their Entra ID signing virtual machines to Azure Confidential Compute, improved memory safety in critical drivers using the Rust programming language, and almost entirely restricted code signing to validated production identities.
- Legacy Systems: The company has also removed security risks by decommissioning hundreds of thousands of old, unused tenants and thousands of old Entra ID applications. They also stopped using Active Directory Federation Services (ADFS) in their own production environment.
Microsoft stressed the importance of aligning security strategies with Zero Trust principles. They advise organizations to automate the detection, response, and fixing of vulnerabilities using integrated security tools and threat intelligence. Maintaining constant visibility into security events across both cloud and on-premises environments is key to achieving faster containment and recovery after an incident.
