Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update

Microsoft is stepping up its security game for Entra ID authentication. They’ve announced plans to block unauthorized script injection attacks starting in late 2026, a move aimed at bolstering user protection.

This proactive measure involves updating their Content Security Policy (CSP) for the “login.microsoftonline.com” sign-in experience. It will only allow scripts from trusted Microsoft domains to execute, effectively blocking malicious or injected code.

This initiative is part of Microsoft’s broader Secure Future Initiative (SFI), a multi-year commitment to prioritizing security in product design and defending against evolving cyber threats. Learn more about SFI here: Microsoft Secure Future Initiative.

The updated CSP will specifically restrict script downloads to Microsoft’s trusted CDN domains and inline script execution to a Microsoft trusted source. This applies to browser-based sign-in flows, not Microsoft Entra External ID.

Microsoft is urging organizations to test their sign-in flows thoroughly ahead of the mid-to-late October 2026 rollout to ensure a smooth transition and no disruptions to the user experience.

They also advise customers to avoid using browser extensions or tools that inject code into the Microsoft Entra sign-in experience, recommending alternative tools if necessary.

To identify any CSP violations, users can check their browser’s developer console for “Refused to load the script” errors that mention the “script-src” directive and its “nonce” source expression. You can find more information on CSP here: Content-Security-Policy script-src and Content-Security-Policy nonce.
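To see how a script-src policy of the kind described above decides what runs, here is an added example (not Microsoft's policy or code): it parses a constructed CSP header with placeholder CDN hostnames and a placeholder nonce, then evaluates trusted, wildcard-subdomain, extension-injected and inline scripts against it, returning the same kind of "Refused to load" reason the browser console reports.

```javascript
// Placeholder policy shaped like the one the article describes: external
// scripts only from named CDN hosts, inline scripts only with a matching
// nonce. Hostnames and the nonce are constructed, not Microsoft's values.
const EXAMPLE_CSP = "default-src 'self'; script-src " +
  "https://cdn.example-trusted.net https://*.static.example-trusted.net 'nonce-abc123'";

// Parse a CSP header into { directiveName: [sourceExpressions] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Simplified host-source matching: scheme must match; host must equal the
// pattern or, for "*.example", be a proper subdomain. Ports/paths ignored.
function hostSourceMatches(source, scriptUrl) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)/i.exec(source);
  let url;
  try { url = new URL(scriptUrl); } catch { return false; }
  if (!m || m[1].toLowerCase() + ":" !== url.protocol) return false;
  const pattern = m[2].toLowerCase(), host = url.hostname.toLowerCase();
  return pattern.startsWith("*.") ? host.endsWith(pattern.slice(1)) : host === pattern;
}

// Decide whether a script would run under the policy. `script` is { src }
// for an external script or { inline: true, nonce } for an inline one. The
// reason strings mirror the console errors the article says to look for.
function evaluateScript(policy, script) {
  const sources = policy["script-src"] ?? policy["default-src"] ?? [];
  const nonces = sources.filter(s => /^'nonce-.+'$/.test(s)).map(s => s.slice(7, -1));
  if (script.nonce && nonces.includes(script.nonce)) return { allowed: true, reason: "nonce matched" };
  if (script.inline) {
    // CSP3 browsers ignore 'unsafe-inline' once a nonce source is present.
    const allowed = sources.includes("'unsafe-inline'") && nonces.length === 0;
    return { allowed, reason: allowed ? "'unsafe-inline'" : "Refused to execute inline script: no matching nonce" };
  }
  const allowed = sources.some(s => hostSourceMatches(s, script.src));
  return { allowed, reason: allowed ? "host-source matched" : `Refused to load the script '${script.src}': violates script-src` };
}
// Constructed checks: trusted CDN, wildcard subdomain, extension-injected
// third-party script, and inline scripts with and without the nonce.
const policy = parseCsp(EXAMPLE_CSP);
for (const s of [{ src: "https://cdn.example-trusted.net/login.js" },
                 { src: "https://a.static.example-trusted.net/ui.js" },
                 { src: "https://third-party.example/injected.js" },
                 { inline: true, nonce: "abc123" }, { inline: true }]) {
  console.log(evaluateScript(policy, s));
}
```

The third and fifth checks are the cases a code-injecting browser extension produces, and the reasons returned are what an admin testing a sign-in flow should expect to see in the console.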

The SFI, launched in November 2023 and expanded in May 2024, came after a US Cyber Safety Review Board report criticized Microsoft’s security culture. Read the TechCommunity blog for details: Microsoft Entra Blog.

In their November 2025 SFI progress report, Microsoft highlighted significant advancements, including deploying over 50 new detections and achieving 99.6% adoption of phishing-resistant multi-factor authentication. More on the progress can be found here: SFI Progress Report.

Other key changes include mandatory MFA across all services, automatic recovery capabilities, expanded passkey and Windows Hello support, and improved memory safety in UEFI firmware using Rust.

Microsoft has also migrated 95% of Entra ID signing VMs to Azure Confidential Compute, moved 94.3% of security token validation to its standard identity SDK, and decommissioned ADFS in their productivity environment.

They’ve also removed 560,000 unused tenants and 83,000 unused Entra ID apps, advanced threat hunting by tracking 98% of production infrastructure, and almost entirely locked code signing to production identities.

In 2025, Microsoft published 1,096 CVEs, including 53 no-action cloud CVEs, and paid out $17 million in bounties, demonstrating their commitment to security research and remediation.

The move to restrict unauthorized scripts in Entra ID logins is a direct response to the persistent efforts of sophisticated adversaries who continuously seek to compromise critical enterprise systems, including email platforms and authentication mechanisms.

This enhanced security posture follows past incidents where vulnerabilities in Microsoft Exchange servers allowed threat actors to access sensitive government accounts, prompting a wide-ranging Secure Future Initiative across the company. The company has been under scrutiny for past security failures.

Furthermore, these efforts extend to protecting foundational services like Active Directory, which remains a prime target for cyberattacks seeking to escalate privileges and disrupt critical infrastructure. Vulnerabilities in Active Directory continue to be exploited.

Indeed, the constant evolution of hacking tools, used by groups such as ToddyCat to steal Microsoft 365 access tokens and corporate emails, underscores the ongoing necessity for such robust security updates. Sophisticated threats demand a proactive defense.