Microsoft to Block External Scripts\u00a0 in Entra ID Logins to Enhance Protections
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Microsoft has announced a significant security upgrade to its Microsoft Entra ID authentication process, as part of the company\u2019s broader Secure Future Initiative.<\/p>\n
Microsoft is updating its Content Security Policy (CSP) to block the execution of external scripts during user sign-ins.<\/p>\n
This proactive measure is designed to shield organizations from evolving cyber threats, specifically cross-site scripting<\/a> (XSS) attacks, where hackers attempt to inject malicious code into legitimate websites.<\/p>\n Currently, some browser extensions or tools may inject scripts into the sign-in page to modify its behavior or appearance. Starting in mid-to-late October 2026, Microsoft will enforce a stricter policy on\u00a0login.microsoftonline.com<\/em>.<\/p>\n Under this new rule, only scripts from trusted Microsoft domains will be allowed to run. Any unauthorized or external code attempting to execute during the login process will be automatically blocked.<\/p>\n This change ensures that the sign-in experience remains a closed, secure environment, preventing attackers from exploiting vulnerabilities in third-party scripts.<\/p>\n It is important to note that this update applies only to browser-based<\/a> sign-ins on the specific Microsoft login URL; Microsoft Entra External ID will not be affected.<\/p>\n Microsoft<\/a> advises organisations to stop using any browser extensions or custom tools that modify the Entra ID sign-in page via script injection.<\/p>\n While the login process itself will continue to function for users, any tools relying on injecting code will stop working once the update is enforced.<\/p>\n To get ready, IT administrators should test their sign-in flows ahead of the 2026 deadline. You can identify potential issues now by opening the developer console in your browser while signing in.<\/p>\n If your organization uses tools that violate the new policy, error messages will appear in red text in the console. <\/p>\n Megna Kokkalera, Product Manager II at Microsoft, emphasized that this update adds a critical layer of defense for user identities.<\/p>\n By eliminating the risk of unverified scripts, Microsoft ensures that organizations stay ahead of emerging security threats <\/a>while maintaining a seamless, secure sign-in experience.<\/p>\n Administrators are encouraged to assess their environments early to ensure a smooth transition when the policy goes into effect globally next year.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Microsoft to Block External Scripts\u00a0 in Entra ID Logins to Enhance Protections<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nWhat Is Changing?<\/strong><\/h2>\n