Cyber Web Spider Blog – News

Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update

Posted on November 27, 2025 by CWS

Nov 27, 2025Ravie LakshmananWeb Safety / Zero Belief
Microsoft has introduced plans to enhance the safety of Entra ID authentication by blocking unauthorized script injection assaults beginning a yr from now.
The replace to its Content material Safety Coverage (CSP) goals to boost the Entra ID sign-in expertise at “login.microsoftonline[.]com” by solely letting scripts from trusted Microsoft domains run.
“This replace strengthens safety and provides an additional layer of safety by permitting solely scripts from trusted Microsoft domains to run throughout authentication, blocking unauthorized or injected code from executing through the sign-in expertise,” the Home windows maker stated.
Particularly, it solely permits script downloads from Microsoft trusted CDN domains and inline script execution from a Microsoft trusted supply. The up to date coverage is restricted to browser-based sign-in experiences for URLs starting with login.microsoftonline.com. Microsoft Entra Exterior ID won’t be affected.

The change, which has been described as a proactive measure, is part of Microsoft's Secure Future Initiative (SFI) and is designed to safeguard users against cross-site scripting (XSS) attacks that make it possible to inject malicious code into websites. It's expected to be rolled out globally starting mid-to-late October 2026.
Microsoft is urging organizations to test their sign-in flows thoroughly ahead of time to ensure that there are no issues and the sign-in experience has no friction.
It's also advising customers to refrain from using browser extensions or tools that inject code or script into the Microsoft Entra sign-in experience. Those that follow this approach are recommended to switch to alternative tools that don't inject code.
To identify any CSP violations, users can go through a sign-in flow with the dev console open and access the browser's Console tool within the developer tools to check for errors that say "Refused to load the script" for violating the "script-src" and "nonce" directives.
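To see how a script-src policy of this kind decides what runs, here is an added example in JavaScript, written for this page and not Microsoft's code or policy: a small evaluator that applies a constructed CSP to a list of scripts observed on a sign-in page and reports the ones the browser would refuse, which is the kind of pre-rollout check Microsoft is asking organizations to perform. It goes a little beyond the article by handling 'self', scheme sources and wildcard hosts as well as nonces. The policy text, the nonce value and the host names ending in .invalid are placeholders; the article does not list Microsoft's actual trusted CDN domains.

```javascript
// Added example (not Microsoft's code): a minimal evaluator for a CSP script-src
// directive, used to predict which scripts a sign-in page would refuse. The host
// names and nonce below are constructed placeholders, not Microsoft's real policy.

// Parse the script-src directive out of a policy string into its source expressions.
function parseScriptSrc(policy) {
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens[0] && tokens[0].toLowerCase() === 'script-src') return tokens.slice(1);
  }
  return null; // no script-src: a real browser falls back to default-src (not modelled)
}

// Does a host-source expression ("cdn.example.invalid", "*.example.invalid",
// optionally with a scheme prefix) match the URL of an external script?
function hostSourceMatches(source, url) {
  let expr = source;
  let scheme = null;
  const m = expr.match(/^([a-z][a-z0-9+.-]*):\/\//i);
  if (m) { scheme = m[1].toLowerCase(); expr = expr.slice(m[0].length); }
  if (scheme && scheme !== url.protocol.replace(':', '')) return false;
  const host = expr.split('/')[0].toLowerCase(); // ignore any path part
  const target = url.hostname.toLowerCase();
  if (host.startsWith('*.')) {
    const suffix = host.slice(1); // ".example.invalid"
    return target.endsWith(suffix) && target.length > suffix.length;
  }
  return host === target;
}

// Decide whether one script would be allowed. `script` is {src: "https://..."} for an
// external script or {inline: true, nonce: "..."} for inline code; `pageOrigin` backs 'self'.
function isScriptAllowed(policy, script, pageOrigin) {
  const sources = parseScriptSrc(policy);
  if (!sources) return true; // nothing for this directive to enforce
  const hasNonceMatch = Boolean(script.nonce) && sources.includes(`'nonce-${script.nonce}'`);
  if (script.inline) {
    // Inline code needs a matching nonce or 'unsafe-inline' (hash sources not modelled).
    return hasNonceMatch || sources.includes("'unsafe-inline'");
  }
  if (hasNonceMatch) return true; // a nonce on a <script src> element also admits it
  const url = new URL(script.src);
  const origin = new URL(pageOrigin).origin;
  for (const source of sources) {
    if (source === "'self'") {
      if (url.origin === origin) return true;
      continue;
    }
    if (source.startsWith("'")) continue; // other keyword sources: not modelled
    if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) { // scheme source such as "https:"
      if (url.protocol.toLowerCase() === source.toLowerCase()) return true;
      continue;
    }
    if (hostSourceMatches(source, url)) return true;
  }
  return false;
}

// Given the scripts a test harness observed on the page (e.g. collected from
// document.scripts), return the ones the policy would refuse, phrased like the
// console message the article tells readers to look for.
function findRefusedScripts(policy, scripts, pageOrigin) {
  return scripts
    .filter((s) => !isScriptAllowed(policy, s, pageOrigin))
    .map((s) => `Refused to load the script ${s.inline ? '(inline, no valid nonce)' : s.src} because it violates script-src`);
}

// Constructed sample policy: the page's own origin, a placeholder CDN wildcard,
// and inline code carrying a per-request nonce.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0mN0nc3' *.cdn-placeholder.invalid; object-src 'none'";
const PAGE_ORIGIN = 'https://login.microsoftonline.com';

// Constructed list of what a harness might see during a sign-in flow.
const OBSERVED_SCRIPTS = [
  { src: 'https://login.microsoftonline.com/static/signin.js' },      // first-party script
  { src: 'https://assets.cdn-placeholder.invalid/lib.js' },          // trusted CDN (placeholder)
  { inline: true, nonce: 'r4nd0mN0nc3' },                            // inline code with the page's nonce
  { src: 'https://helper.extension-placeholder.invalid/inject.js' }, // script added by an extension
  { inline: true },                                                  // inline code with no nonce
];

for (const line of findRefusedScripts(SAMPLE_POLICY, OBSERVED_SCRIPTS, PAGE_ORIGIN)) {
  console.log(line); // the two refused entries: the extension script and the nonce-less inline code
}
```

In a real browser the same information arrives as `securitypolicyviolation` events on `document` (fields such as `blockedURI` and `violatedDirective`), so a test harness can record them instead of reading the console by eye; the evaluator above is useful beforehand, to predict which of an organization's extensions or injected helpers will start failing once the policy is enforced.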

Microsoft's SFI is a multi-year effort that seeks to put security above all else when designing new products and better prepare for the growing sophistication of cyber threats.
It was first launched in November 2023 and expanded in May 2024 following a report from the U.S. Cyber Safety Review Board (CSRB), which concluded that the company's "security culture was inadequate and requires an overhaul."
In its third progress report published this month, the tech giant said it has deployed over 50 new detections in its infrastructure to target high-priority tactics, techniques, and procedures, and that the adoption of phishing-resistant multi-factor authentication (MFA) for users and devices has hit 99.6%.

Other notable changes enacted by Microsoft are as follows:

  • Enforced mandatory MFA across all services, including for all Azure service users
  • Introduced automated recovery capabilities via Quick Machine Recovery, expanded passkey and Windows Hello support, and improved memory safety in UEFI firmware and drivers by using Rust
  • Migrated 95% of Microsoft Entra ID signing VMs to Azure Confidential Compute and moved 94.3% of Microsoft Entra ID security token validation to its standard identity Software Development Kit (SDK)
  • Discontinued the use of Active Directory Federation Services (ADFS) in our productivity environment
  • Decommissioned 560,000 additional unused and aged tenants and 83,000 unused Microsoft Entra ID apps across Microsoft production and productivity environments
  • Advanced threat hunting by centrally monitoring 98% of production infrastructure
  • Achieved full network device inventory and mature asset lifecycle management
  • Almost entirely locked code signing to production identities
  • Published 1,096 CVEs, including 53 no-action cloud CVEs, and paid out $17 million in bounties

"To align with Zero Trust principles, organizations should automate vulnerability detection, response, and remediation using integrated security tools and threat intelligence," Microsoft said. "Maintaining real-time visibility into security incidents across hybrid and cloud environments enables faster containment and recovery."

The Hacker News | Tags: Block, CSP, Entra, Logins, Microsoft, Scripts, Unauthorized, Update