Microsoft Entra ID Sign-In CSP Blocks Script Injection
Summary
Microsoft will enforce a stricter Content Security Policy on the Entra ID sign-in page at login.microsoftonline.com by mid-to-late October 2026, limiting script downloads to trusted Microsoft CDNs and allowing inline scripts only through Microsoft-controlled nonce-based patterns. This matters because it hardens one of the most targeted parts of the authentication flow against script injection attacks, though organizations using browser extensions or custom tools that interact with the sign-in page may need to review compatibility before rollout.
Introduction
Microsoft is hardening the Microsoft Entra ID sign-in experience as part of the Secure Future Initiative (SFI). The upcoming Content Security Policy (CSP) enforcement is designed to prevent external script injection during authentication—an area frequently targeted by attackers—by limiting what scripts can load and execute on the sign-in page.
What’s new
Microsoft will add and enforce a stricter CSP header for the Entra ID sign-in experience on login.microsoftonline.com. Key changes include:
- Script downloads restricted to trusted Microsoft CDN domains: only scripts sourced from Microsoft-approved content delivery networks will be allowed to load.
- Inline script execution restricted to trusted Microsoft sources (nonce-based): inline scripts will be governed via CSP nonce patterns, preventing arbitrary inline code from running.
- Scope limited to browser-based sign-ins on login.microsoftonline.com: this is specific to interactive sign-in pages in a browser.
- No impact to Microsoft Entra External ID: Microsoft states Entra External ID experiences are not affected by this update.
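As an added illustration of the two restrictions above (this is not Microsoft's policy or code), here is a small model of how a browser applies a `script-src` directive: the allowlisted CDN hosts and the per-page nonce decide what runs, while a script injected from any other origin, or inline code lacking the page's nonce, is refused. The hostnames and nonce are constructed placeholders.

```javascript
// Added example (not Microsoft's real policy): a minimal model of how a browser
// evaluates CSP script-src, showing why CDN-allowlisted and nonce-gated scripts
// load while a script from another origin or without a nonce does not.
// The hostnames and nonce below are constructed placeholders.
const EXAMPLE_CSP =
  "default-src 'self'; " +
  "script-src 'self' 'nonce-r4nd0mN0nc3' https://trusted-cdn.example https://*.static.example; " +
  "report-uri /csp-report";

// Parse "directive src src; directive ..." into a Map of directive -> [source expressions].
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Does a host-source expression (e.g. https://*.static.example) match a script URL?
function hostSourceMatches(source, url) {
  const target = new URL(url);
  const hasScheme = source.includes("://");
  const scheme = hasScheme ? source.split("://")[0].toLowerCase() + ":" : target.protocol;
  const hostPattern = source.replace(/^[a-z]+:\/\//i, "").split("/")[0].toLowerCase();
  if (scheme !== target.protocol) return false;
  if (hostPattern.startsWith("*.")) {
    return target.hostname.endsWith(hostPattern.slice(1)); // ".static.example" suffix
  }
  return target.hostname === hostPattern;
}

// Decide whether a script would execute. `script` is { src: "https://..." } for an
// external script or { inline: true, nonce: "..." } for an inline <script> block.
function scriptAllowed(header, script, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy.get("script-src") || policy.get("default-src") || [];
  if (script.inline) {
    // Inline code runs only with a nonce the policy lists (or the weak 'unsafe-inline').
    if (sources.includes("'unsafe-inline'")) return true;
    return Boolean(script.nonce) && sources.includes(`'nonce-${script.nonce}'`);
  }
  for (const source of sources) {
    if (source === "'self'") {
      if (new URL(script.src).origin === pageOrigin) return true;
    } else if (!source.startsWith("'") && hostSourceMatches(source, script.src)) {
      return true; // keyword and nonce sources never match a URL
    }
  }
  return false;
}
```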
Timeline
- Global enforcement: Microsoft Entra ID will enforce the updated CSP mid-to-late October 2026.
- Communications: Microsoft will send periodic updates ahead of rollout.
Impact on IT administrators and end users
For most organizations, this will be a “silent” security improvement. However, environments that use browser extensions, scripts, or third-party tools that inject code into the sign-in page should expect breakage of that injected functionality.
Important nuance: Microsoft indicates that even if injected tools stop working, users can still sign in—but any overlay, instrumentation, customization, or helper logic that depends on injection may fail.
Typical items to review include:
- Password managers or “security” extensions that modify login pages
- Helpdesk or SSO troubleshooting overlays
- Custom branding or UX modifications implemented via injection
- Monitoring or analytics tools that hook into sign-in UI via browser scripting
Recommended actions / next steps
- Inventory and reduce sign-in page injection dependencies: Microsoft explicitly recommends avoiding extensions or tools that inject code into the Entra sign-in experience.
- Test sign-in flows with Developer Tools open: run through your common sign-in scenarios (managed devices, unmanaged devices, different browsers, conditional access variations) with the browser developer console open and look for CSP violation errors (typically shown in red).
- Assess different user personas and flows: because violations may only appear for specific teams or user setups (due to extensions or local tooling), test with multiple user groups and device configurations.
- Replace impacted tools with non-injecting alternatives: if you find business-critical tooling that relies on script injection, begin evaluating alternatives now, since script injection into the sign-in page will no longer be supported once enforcement begins.
Why this matters
Authentication pages are high-value targets. Enforcing CSP at the sign-in boundary is a meaningful step to reduce the attack surface for injected or malicious scripts, improving resilience against modern web-based identity attacks while keeping the user sign-in experience intact for compliant configurations.