Microsoft Plans Major Change To Entra ID Sign-Ins To Stop Account Takeover Risks

New content security controls are aimed at reducing cross-site scripting exposure across Microsoft’s cloud ecosystem.

Published on Nov 27, 2025
Microsoft Entra ID

Microsoft has announced new restrictions on script execution within its Entra ID login pages to reduce cross-site scripting (XSS) exposure and account takeover (ATO) attempts.

The change, scheduled to take effect globally in mid-to-late October 2026, follows ongoing investigations into how malicious script injection continues to undermine identity-based defenses across cloud environments.

The company said the update would modify the Content Security Policy (CSP) header on login.microsoftonline.com, permitting scripts only from trusted Microsoft domains and blocking all third-party or injected code. CSP is an HTTP response header, enforced by the browser, that declares which origins a page may load scripts and other resources from; script from any source the policy does not list, including inline or injected code, is refused, which is why CSP is widely used to mitigate code-injection attacks such as XSS.

Microsoft said the update is part of its broader Secure Future Initiative, which aims to harden cloud infrastructure after a series of nation-state intrusions highlighted weaknesses in identity security.

The company has previously reported a steady flow of XSS disclosures across both legacy and modern applications, highlighting how persistent these vulnerabilities remain even with secure-by-default development practices.

Why Script Controls Matter For Identity Security

Because injected scripts can tamper with login pages or siphon authentication tokens, identity providers remain a high-value target for threat actors. A script that runs inside the sign-in page's origin has the same access as the page itself: it can read credentials as they are typed, capture tokens the page handles, or alter where the user is sent after authenticating.

Microsoft emphasized that the new restrictions would apply only to browser-based Entra ID sign-ins and would not affect Entra External ID or non-browser authentication flows.

The company advised organizations to discontinue browser extensions that inject scripts into the sign-in experience.

“If you use tools or browser extensions that inject code or script into the Microsoft Entra sign-in page, switch to alternative tools that don’t inject code. Code and script injection will no longer be supported, and these tools will stop working, though users can still sign in,” Microsoft said.

Administrators were also encouraged to test sign-in flows early using the browser's developer tools, where each load the policy blocks appears as a CSP violation error in the console.

“To ensure a smooth rollout, please test your sign-in flows thoroughly ahead of time,” Microsoft advised. “This will help you catch and address any issues early, so your users stay protected, and your sign-in experience remains seamless.”
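An added example, not from Microsoft or the article, of what that developer-tools testing can look like: a snippet that listens for the browser's securitypolicyviolation events and groups them by whether the blocked script came from a browser extension, an inline injection, a third-party host, or the page's own origin. The sample events and the extension identifier in them are constructed; the extension-scheme detection is a heuristic, and which fields a browser fills in for an extension-injected script varies.

```javascript
// Added example, not Microsoft's code. A dev-tools console snippet for the
// pre-rollout testing described above: it records every CSP violation the
// sign-in page raises and groups them by who injected the blocked script.
// SAMPLE_EVENTS is a constructed stand-in for real SecurityPolicyViolationEvent
// objects so the triage logic also runs outside a browser.
const EXTENSION_SCHEME = /^(chrome|moz|safari-web)-extension:/;

// Heuristic classification of one violation. Browsers report an injected
// inline snippet as blockedURI 'inline'; the extension that injected it may
// show up only in sourceFile, which is why both fields are inspected.
function classifyViolation(ev, pageOrigin) {
  const blocked = ev.blockedURI || '';
  const source = ev.sourceFile || '';
  if (EXTENSION_SCHEME.test(blocked) || EXTENSION_SCHEME.test(source)) return 'extension';
  if (blocked === 'inline' || blocked === 'eval') return 'inline';
  try {
    return new URL(blocked).origin === pageOrigin ? 'first-party' : 'third-party';
  } catch (_) {
    return 'unknown';            // e.g. a bare 'data' or empty blockedURI
  }
}

// Group violations into {kind, directive, blockedURI, count} rows, most frequent first.
function summarizeViolations(events, pageOrigin) {
  const rows = new Map();
  for (const ev of events) {
    const kind = classifyViolation(ev, pageOrigin);
    const directive = ev.effectiveDirective || ev.violatedDirective || '?';
    const key = `${kind}|${directive}|${ev.blockedURI}`;
    const row = rows.get(key) || { kind, directive, blockedURI: ev.blockedURI, count: 0 };
    row.count += 1;
    rows.set(key, row);
  }
  return [...rows.values()].sort((a, b) => b.count - a.count);
}

// Constructed sample: what a tester might see with a script-injecting extension installed
// and one hostile third-party load on the page. Identifiers are made up.
const SAMPLE_EVENTS = [
  { effectiveDirective: 'script-src-elem', blockedURI: 'chrome-extension://abcdefghijklmnop/inject.js', sourceFile: '' },
  { effectiveDirective: 'script-src-elem', blockedURI: 'inline', sourceFile: 'chrome-extension://abcdefghijklmnop/content.js' },
  { effectiveDirective: 'script-src-elem', blockedURI: 'inline', sourceFile: 'chrome-extension://abcdefghijklmnop/content.js' },
  { effectiveDirective: 'script-src-elem', blockedURI: 'https://attacker.example/steal-tokens.js', sourceFile: '' },
];

if (typeof document !== 'undefined') {
  // In a browser: paste into the console, then drive the sign-in flow and watch the table.
  const recorded = [];
  document.addEventListener('securitypolicyviolation', (ev) => {
    recorded.push({ effectiveDirective: ev.effectiveDirective, blockedURI: ev.blockedURI, sourceFile: ev.sourceFile });
    console.table(summarizeViolations(recorded, location.origin));
  });
} else {
  console.table(summarizeViolations(SAMPLE_EVENTS, 'https://login.microsoftonline.com'));
}
```

Rows classed as extension point at tools that will stop working and should be replaced, as the advice above says; a first-party row would instead indicate that the page's own script is not covered by the policy and needs attention before rollout.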