Microsoft Blocks External Scripts in Entra ID Logins to Boost Security

By Divya
Publication Date: 2025-11-28 05:33:00

Microsoft has announced a significant security change to the Microsoft Entra ID sign-in experience that will block external scripts from running during user logins.

The update is designed to stop unauthorized or injected code from executing on the login page. It is part of Microsoft’s broader Secure Future Initiative to harden its cloud identity platform.

The change enforces a stricter Content Security Policy (CSP) on Microsoft Entra ID sign-in pages.

Once this policy is in place, only scripts loaded from trusted Microsoft domains will be allowed to run during authentication. Any scripts injected by browser extensions, third-party tools, or compromised web content will be blocked from execution.
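To make the allowlist behaviour concrete, the following added example (not Microsoft's code and not its actual policy) evaluates a simplified `script-src` source list against script URLs and inline scripts. The policy string, page origin, hosts and nonce are constructed assumptions.

```javascript
// Added example: simplified CSP script-src matching (ignores paths, hashes, 'strict-dynamic').
// POLICY, PAGE_ORIGIN and every host below are constructed, not Microsoft's real values.
const POLICY = "default-src 'self'; script-src 'self' https://*.cdn.trusted.example 'nonce-r4nd0m'";
const PAGE_ORIGIN = 'https://login.idp.example';

// Return the source list that governs scripts: script-src, else default-src, else null.
function scriptSources(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), values);
  }
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

// "*.example.com" matches subdomains only, never the bare domain.
function hostMatches(pattern, host) {
  const p = pattern.toLowerCase();
  return p.startsWith('*.') ? host.endsWith(p.slice(1)) : p === host;
}

// Would a <script src=...> pointing at scriptUrl be allowed to load?
function externalScriptAllowed(sources, scriptUrl, pageOrigin) {
  if (sources === null) return true; // no directive restricts scripts
  const url = new URL(scriptUrl);
  const defaultPort = url.protocol === 'https:' ? '443' : '80';
  return sources.some((src) => {
    if (src === "'self'") return url.origin === pageOrigin;
    if (src.startsWith("'")) return false; // nonces and keywords never match by URL
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return src.toLowerCase() === url.protocol;
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/i.exec(src);
    if (!m) return false;
    const [, scheme = 'https', host, port] = m; // assumption: scheme-less source means https
    if (scheme.toLowerCase() + ':' !== url.protocol) return false;
    if (port !== '*' && (port ?? defaultPort) !== (url.port || defaultPort)) return false;
    return hostMatches(host, url.hostname);
  });
}

// Inline <script>: needs a matching nonce; 'unsafe-inline' is ignored once a nonce or hash is listed.
function inlineScriptAllowed(sources, nonce) {
  if (sources === null) return true;
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  const strict = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return sources.includes("'unsafe-inline'") && !strict;
}

const demo = ['https://a.cdn.trusted.example/lib.js', 'https://tracker.thirdparty.example/inject.js'];
for (const u of demo) console.log(u, externalScriptAllowed(scriptSources(POLICY), u, PAGE_ORIGIN));
```

A script tag injected without the page's nonce, or pointing at a host outside the list, fails both checks, which is the case the article describes for extensions and third-party tools.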

Microsoft says this is a proactive step to protect organizations from common web attacks, such as cross-site scripting (XSS), in which attackers inject malicious code into legitimate web pages.

By tightly controlling which scripts can run, Microsoft aims to reduce the…