Saved February 14, 2026
Microsoft will upgrade the Entra ID authentication system in October 2026 to prevent external script injection attacks. The update will enforce a stricter Content Security Policy, allowing scripts only from trusted Microsoft domains, thus enhancing protection against cross-site scripting threats. Organizations should prepare by reviewing sign-in flows and discontinuing unsupported code-injection tools.
Microsoft is set to boost the security of its Entra ID authentication system against external script injection attacks starting around mid-to-late October 2026. The company will implement a stricter Content Security Policy that restricts script downloads and inline script execution to only Microsoft-trusted sources during sign-ins. This measure aims to defend against threats like cross-site scripting attacks, where malicious code is injected into websites to steal user credentials or compromise systems.
The new policy will apply specifically to browser-based sign-ins at URLs starting with login.microsoftonline.com, while Microsoft Entra External ID will remain unaffected. Megna Kokkalera, a product manager at Microsoft, highlighted that this update adds a vital layer of protection by preventing unauthorized scripts from executing during authentication. Organizations are encouraged to test their sign-in processes ahead of the 2026 deadline to pinpoint any dependencies on code-injection tools, as they will no longer be supported after the policy change. IT administrators can monitor sign-in flows for blocked scripts using the browser developer console.
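One way to triage what the console reports while testing a sign-in flow, as an added example that is not Microsoft's code: it groups blocked-script violations on `login.microsoftonline.com` by where the script came from. Field names follow the browser's `SecurityPolicyViolationEvent`; the helper names and the sample records are constructed for illustration.

```javascript
// Added example: summarize CSP script violations seen on the Entra ID sign-in host.
const SIGN_IN_HOST = "login.microsoftonline.com"; // scope named in the article

function hostOf(uri) {
  try { return new URL(uri).hostname; } catch { return ""; }
}

// "inline" and "eval" are reported literally; network scripts are reduced to their origin.
function blockedSource(v) {
  if (v.blockedURI === "inline" || v.blockedURI === "eval") return v.blockedURI;
  try { return new URL(v.blockedURI).origin; } catch { return v.blockedURI || "unknown"; }
}

// Count script-related violations per source, ignoring other pages and other directives.
function summarizeBlockedScripts(violations) {
  const counts = {};
  for (const v of violations) {
    // Exact host match, so look-alike hosts with the same prefix are not counted.
    if (hostOf(v.documentURI) !== SIGN_IN_HOST) continue;
    if (!/^script-src(-elem|-attr)?$/.test(v.effectiveDirective)) continue;
    const key = blockedSource(v);
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Browser hook: collect live violation events from a document into an array.
function startCapture(target, sink = []) {
  target.addEventListener("securitypolicyviolation", (e) => sink.push({
    documentURI: e.documentURI, effectiveDirective: e.effectiveDirective,
    blockedURI: e.blockedURI, sourceFile: e.sourceFile, lineNumber: e.lineNumber,
  }));
  return sink;
}

// Constructed sample records (not real telemetry).
const page = "https://login.microsoftonline.com/";
const SAMPLE = [
  { documentURI: page, effectiveDirective: "script-src-elem", blockedURI: "https://cdn.example.net/helper.js" },
  { documentURI: page, effectiveDirective: "script-src-elem", blockedURI: "https://cdn.example.net/other.js" },
  { documentURI: page, effectiveDirective: "script-src-attr", blockedURI: "inline" },
  { documentURI: page, effectiveDirective: "style-src-elem", blockedURI: "inline" },
  { documentURI: "https://login.microsoftonline.com.example.org/", effectiveDirective: "script-src", blockedURI: "inline" },
];
console.log(summarizeBlockedScripts(SAMPLE));
```

In a browser, `startCapture(document)` collects events for the current page, and its result can be passed to `summarizeBlockedScripts`.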
This initiative is part of Microsoft's Secure Future Initiative (SFI), launched in November 2023 after a report from the Cyber Safety Review Board criticized the company's security culture. Alongside the Entra ID updates, Microsoft has also made changes to Microsoft 365 security defaults to block access via outdated authentication protocols and disabled ActiveX controls in its Office apps. Recently, they began rolling out a new Teams feature aimed at preventing screen capture during meetings, further underscoring their commitment to enhancing security measures.