REDMOND, WA – Microsoft has announced a significant security update for its Microsoft Entra ID platform, scheduled for the first half of 2026. The company will implement a stricter Content Security Policy (CSP) on its login pages to block the execution of unauthorized scripts.
This security measure is designed to protect users and organizations from identity-centric attacks, including cross-site scripting (XSS) and other script and data injection vulnerabilities. By sending a stricter Content-Security-Policy response header with its login pages, Microsoft aims to have the browser refuse to execute any script that is not on the page's allow-list, closing off injected code that could otherwise be used to steal credentials or access tokens.
Details of the Content Security Policy Update
The new Content Security Policy will explicitly control which resources, such as scripts and stylesheets, are allowed to load on the Microsoft Entra ID login pages. The policy instructs browsers to refuse to load or execute resources from origins that are not on the allow-list, so injected script from an unapproved domain is blocked before it runs. This change directly targets malicious script injection, a common vector for credential theft and account takeover attacks.
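To make concrete how a script-src allow-list decides what a browser will execute, the following is a small, simplified CSP evaluator added here as an illustration. It is not Microsoft's code, and the policies, hostnames and page origin it uses are constructed for the example; they are not Entra ID's actual policy. It implements the default-src fallback, the 'self', scheme-source and wildcard host-source forms, and the rule that a nonce or hash in the source list disables 'unsafe-inline'. It ignores path matching, 'strict-dynamic' and report-only mode, so it is a teaching model, not a replacement for the browser's full algorithm.

```python
"""Simplified Content-Security-Policy evaluator (illustrative, not a browser)."""
from urllib.parse import urlsplit

# Constructed sample policies and page origin; not Microsoft's real values.
PAGE_ORIGIN = "https://login.example.com"
LAX_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
STRICT_POLICY = (
    "default-src 'none'; "
    "script-src 'self' https://cdn.example.net 'nonce-abc123'; "
    "style-src 'self' https://cdn.example.net; "
    "img-src 'self' https://*.branding.example.net data:"
)


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.

    Duplicate directives are ignored (the first occurrence wins), as in the spec.
    """
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy, directive):
    """Return the source list that governs `directive`, falling back to
    default-src; None means the policy does not restrict it at all."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def origin_of(url):
    u = urlsplit(url)
    port = f":{u.port}" if u.port else ""
    return f"{u.scheme}://{(u.hostname or '').lower()}{port}"


def host_source_allows(expr, url):
    """Match a host-source such as https://cdn.example.net or *.example.net."""
    u = urlsplit(url)
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
        if u.scheme != scheme:            # scheme given in the expression must match
            return False
    else:
        rest = expr
    host, _, port = rest.split("/", 1)[0].partition(":")
    if port:
        default = 443 if u.scheme == "https" else 80
        if str(u.port or default) != port:
            return False
    url_host = (u.hostname or "").lower()
    if host.startswith("*."):             # wildcard matches subdomains only
        return url_host.endswith(host[1:])
    return url_host == host


def source_allows(expr, url, page_origin):
    e = expr.lower()
    if e == "'none'":
        return False
    if e == "*":                          # '*' matches any network scheme
        return True
    if e == "'self'":
        return origin_of(url) == page_origin.lower()
    if e.startswith("'"):                 # nonces, hashes, 'unsafe-*' never match a URL
        return False
    if e.endswith(":") and "://" not in e:  # scheme-source, e.g. https:
        return urlsplit(url).scheme == e[:-1]
    return host_source_allows(e, url)


def script_url_allowed(header, url, page_origin=PAGE_ORIGIN):
    """Would a <script src=url> be executed under this policy?"""
    sources = effective_sources(parse_csp(header), "script-src")
    if sources is None:                   # neither script-src nor default-src present
        return True
    return any(source_allows(s, url, page_origin) for s in sources)


def inline_script_allowed(header, nonce=None):
    """Would an inline <script> block (optionally carrying `nonce`) run?"""
    sources = effective_sources(parse_csp(header), "script-src")
    if sources is None:
        return True
    if nonce and f"'nonce-{nonce}'" in sources:   # nonces are case-sensitive
        return True
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    # A nonce or hash in the list makes browsers ignore 'unsafe-inline'.
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


if __name__ == "__main__":
    injected = "https://attacker.example.org/steal.js"
    for name, pol in (("lax", LAX_POLICY), ("strict", STRICT_POLICY)):
        print(f"{name}: remote script {script_url_allowed(pol, injected)}, "
              f"inline script {inline_script_allowed(pol)}")
```

Run stand-alone, the lax policy lets both the attacker-hosted script (via the bare `https:` scheme-source) and any injected inline script run, while the strict policy blocks both: the remote host is not on the list, and the nonce in the list means the only inline script that executes is one the server stamped with that nonce. That difference is exactly what an injected-script attack on a login page relies on, and what a tightened script-src removes.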
Microsoft stated that this move is part of its commitment to advancing the security of its identity platform and making its security posture explicit. The update also closes a gap in which custom branding had been applied to the login pages through unsupported methods, leaving room for script the platform did not control.
Impact on Customizations and Required Actions
The stricter CSP will impact organizations that have implemented customizations on their Entra ID login pages using unsupported methods. Any custom HTML, CSS, or JavaScript that is not configured through the official Company Branding feature within the Microsoft Entra admin center will cease to function once the policy is enforced.
Microsoft has confirmed that all supported customization capabilities, such as configuring logos, background images, and certain text elements through the designated admin tools, will continue to work without issue. Administrators are advised to review their existing login page configurations and remove any unsupported code. Organizations must migrate any necessary customizations to supported methods before enforcement begins in the first half of 2026 to ensure a seamless login experience for their users.