Microsoft has confirmed that a stricter Content Security Policy will be enforced on login.microsoftonline.com beginning in mid-to-late October 2026. The change is platform-level: only scripts served from a defined set of trusted Microsoft domains will be allowed to execute during authentication. Anything else — including injected scripts, third-party browser extensions that run during sign-in, or man-in-the-browser tooling — will be blocked at the policy boundary.
Why a CSP change is meaningful
The Microsoft sign-in page is, by volume, one of the most-targeted authentication endpoints on the internet. Adversaries have spent years researching ways to inject scripts into the sign-in flow — via compromised browser extensions, malicious user scripts, look-alike phishing pages embedding the real sign-in form, and similar techniques — precisely because the payoff for landing arbitrary JavaScript at the moment of authentication is enormous. A strict Content Security Policy directly raises the cost of every one of those attack patterns by ensuring the browser refuses to execute non-Microsoft scripts on the sign-in origin.
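To make the allowlist mechanism concrete, here is an added example (not Microsoft's code, and the policy string is a constructed placeholder rather than the real login.microsoftonline.com policy) that evaluates whether a given script URL would be permitted by a strict `script-src` directive; host names such as `login.example.test` and the extension URL are assumptions for the demonstration.

```javascript
// Constructed placeholder policy: a strict script-src allowlist of the kind the
// article describes. Real tenants should read the live header, not this string.
const EXAMPLE_CSP =
  "default-src 'self'; script-src 'self' https://*.example-msft-cdn.test https://login.example.test";

// Return the source list for script-src, falling back to default-src as CSP does.
function parseScriptSrc(csp) {
  const dirs = csp.split(";").map((d) => d.trim().split(/\s+/)).filter((d) => d[0]);
  const find = (name) => dirs.find((d) => d[0].toLowerCase() === name);
  const d = find("script-src") || find("default-src");
  return d ? d.slice(1) : [];
}

// Host-source matching: "*.example.test" matches subdomains only, never the bare apex.
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.test"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit this URL? Nonce/hash sources need the script
// body, so for a URL-only check they are treated as non-matching (assumption).
function sourceAllowed(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'none', 'nonce-...', 'sha256-...', etc.
  const [scheme, rest] = source.includes("://") ? source.split("://") : [null, source];
  if (scheme && scheme + ":" !== url.protocol) return false; // scheme mismatch blocks
  const hostPart = rest.split("/")[0].split(":")[0]; // ports are ignored here (simplification)
  return hostMatches(hostPart.toLowerCase(), url.hostname.toLowerCase());
}

// True only if at least one listed source permits the script; anything else is blocked.
function isScriptAllowed(csp, scriptUrl, pageOrigin) {
  const u = new URL(scriptUrl);
  return parseScriptSrc(csp).some((s) => sourceAllowed(s, u, pageOrigin));
}

// Sample checks against constructed URLs: first-party and CDN scripts pass,
// a third-party host and an extension-injected script do not.
const PAGE = "https://login.example.test";
console.log(isScriptAllowed(EXAMPLE_CSP, PAGE + "/app.js", PAGE));                                   // true
console.log(isScriptAllowed(EXAMPLE_CSP, "https://static.example-msft-cdn.test/auth.js", PAGE));     // true
console.log(isScriptAllowed(EXAMPLE_CSP, "https://third-party.test/overlay.js", PAGE));              // false
console.log(isScriptAllowed(EXAMPLE_CSP, "chrome-extension://abcdef/content.js", PAGE));             // false
```

Running the same function over the script URLs your vendor tooling or extensions load during sign-in is a quick way to predict which ones the stricter policy will refuse before the enforcement date.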
What you should check before October
Most organizations will see no operational impact from this change because they do not rely on third-party scripts running on the Microsoft sign-in page. A few will. Organizations that have customized the sign-in branding or behavior with vendor JavaScript — for example, certain identity-monitoring tools, accessibility overlays, or older single-sign-on shims — should test their flows in the preview window Microsoft is providing. Browser extensions that interact with sign-in (password managers, password-rotation agents, secure-browser extensions) also deserve a once-over, although mainstream commercial tools are already aligned with stricter sign-in policies.
Direction of travel
This change is consistent with the broader 2026 hardening pattern across Entra ID: jailbreak/root detection in Authenticator, the Entra Connect Sync hard-match block, the migration to DigiCert Global Root G2, and now stricter sign-in script policies. Each is small in isolation; together they shift the assumed baseline of what a healthy Microsoft identity tenant looks like. If your identity model is still grounded in 2022 assumptions, the gap continues to widen.
How Lorexus engages
Our practice maps your tenant against the shipping platform changes — sign-in policy, Authenticator integrity, Conditional Access — and prioritizes the controls that reduce blast radius the most for the least operational disruption.