Microsoft Fortifies Entra ID Against Script Injection Attacks

Summary
– Microsoft will enhance Entra ID security starting October 2026 by implementing a stricter Content Security Policy to block unauthorized scripts during sign-ins.
– The update protects against cross-site scripting attacks by allowing only scripts from trusted Microsoft domains to run on login.microsoftonline.com pages.
– Organizations must test sign-in scenarios before the deadline and stop using browser extensions that inject code, as these will no longer function.
– IT administrators can identify potential issues by checking browser developer consoles for policy violations shown in red text.
– This change is part of Microsoft’s Secure Future Initiative, which also includes blocking legacy authentication protocols and disabling ActiveX controls in recent Office versions.
Microsoft is preparing to significantly enhance the security of its Entra ID authentication system by introducing a reinforced Content Security Policy. This update, scheduled for mid-to-late October 2026, is designed to defend against external script injection attacks by restricting script downloads exclusively to Microsoft-trusted content delivery network domains. Additionally, inline script execution will be permitted only from verified Microsoft sources during user sign-ins.
Once implemented, this security reinforcement will shield users from a range of threats, including cross-site scripting attacks where malicious actors insert harmful code into websites to steal login credentials or take control of systems. The new policy will specifically apply to browser-based sign-in sessions at URLs starting with login.microsoftonline.com. It is important to note that Microsoft Entra External ID remains unaffected by this change.
Megna Kokkalera, product manager for Microsoft Identity and Authentication Experiences, explained that the update introduces an additional layer of protection by ensuring only scripts from trusted Microsoft domains can execute during the authentication process. This effectively prevents unauthorized or injected code from running while users sign in, strengthening overall security.
Microsoft is encouraging organizations to proactively test their sign-in workflows ahead of the October 2026 deadline. This will help identify and resolve any dependencies on code-injection tools that could disrupt user access. IT administrators can assess potential impacts by examining sign-in flows within the browser developer console; any violations will appear highlighted in red, accompanied by detailed information about the blocked scripts.
Enterprise customers have also been advised to discontinue the use of browser extensions and other tools that inject code or scripts into sign-in pages before the update takes effect. Although such tools will no longer be supported and will cease to function, users will retain the ability to sign in without them.
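What such a policy does can be modelled in a few lines. The following is an added example, not Microsoft's code and not the real Entra ID policy: the page origin, CDN hosts and nonce are constructed placeholders. It evaluates a CSP script-src directive the way a browser would and reports which scripts on a sample sign-in page load and which are blocked, including one injected by a browser extension, much as the developer console check described above would surface them.

```javascript
// Added example, not Microsoft's code: evaluates a CSP "script-src" directive the way a
// browser does. External scripts load only from allowlisted hosts; inline scripts run only
// with a server-issued nonce. Hosts, origin and nonce are constructed placeholders.
const PAGE_ORIGIN = "https://login.example.test";
const POLICY =
  "default-src 'none'; script-src 'self' https://cdn.trusted.test https://*.cdn.trusted.test 'nonce-abc123'";

// Pull the source list out of the script-src directive.
function parseScriptSrc(policy) {
  const directive = policy.split(";").map((d) => d.trim().split(/\s+/)).find((d) => d[0] === "script-src");
  const sources = directive ? directive.slice(1) : [];
  return {
    self: sources.includes("'self'"),
    nonces: sources.filter((s) => s.startsWith("'nonce-")).map((s) => s.slice(7, -1)),
    hosts: sources.filter((s) => !s.startsWith("'")),
  };
}

// Host-source matching: exact host, or "*.host" for any subdomain (never the bare host).
function hostSourceMatches(source, url) {
  const [scheme, hostPattern] = source.includes("://") ? source.split("://") : [null, source];
  if (scheme && `${scheme}:` !== url.protocol) return false;
  return hostPattern.startsWith("*.") ? url.hostname.endsWith(hostPattern.slice(1)) : url.hostname === hostPattern;
}

// Decide whether one script would run; the violation text mimics what a browser console reports.
function checkScript(policy, pageOrigin, script) {
  const { self, nonces, hosts } = parseScriptSrc(policy);
  if (script.inline) {
    if (script.nonce && nonces.includes(script.nonce)) return { allowed: true };
    return { allowed: false, violation: "Refused to execute inline script: no matching nonce in script-src" };
  }
  const url = new URL(script.src);
  if ((self && url.origin === pageOrigin) || hosts.some((h) => hostSourceMatches(h, url))) return { allowed: true };
  return { allowed: false, violation: `Refused to load the script '${script.src}': host not allowed by script-src` };
}

// Constructed sample sign-in page: CDN bundle, regional CDN asset, nonced inline bootstrap,
// an inline block without a nonce, and a script a browser extension injected.
const SAMPLE_SCRIPTS = [
  { src: "https://cdn.trusted.test/auth.js" },
  { src: "https://eu.cdn.trusted.test/locale.js" },
  { inline: true, nonce: "abc123" },
  { inline: true, nonce: null },
  { src: "https://extension-helper.example.invalid/inject.js" },
];

function auditScripts(policy = POLICY, pageOrigin = PAGE_ORIGIN, scripts = SAMPLE_SCRIPTS) {
  return scripts.map((s) => checkScript(policy, pageOrigin, s));
}
```

Running `auditScripts()` returns one verdict per script; the two blocked entries are the ones an administrator would see flagged in the console during a pre-deadline test.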
Kokkalera emphasized that the revised Content Security Policy helps safeguard organizations by blocking unauthorized scripts, thereby offering improved defense against evolving cybersecurity threats.
This initiative forms part of Microsoft’s broader Secure Future Initiative, a company-wide security enhancement program launched in November 2023. The effort was prompted by a report from the U.S. Department of Homeland Security’s Cyber Safety Review Board, which concluded that Microsoft’s security culture was inadequate and required comprehensive reform.
Under the same initiative, Microsoft has already updated Microsoft 365 security defaults to block access to SharePoint, OneDrive, and Office files via outdated authentication protocols. The company has also disabled all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 applications.
Earlier this month, Microsoft began rolling out a new Teams feature, originally announced in May, which is designed to prevent screen capture attempts during online meetings.
(Source: Bleeping Computer)


