Microsoft will upgrade the Entra ID authentication system in October 2026 to prevent external script injection attacks. The update will enforce a stricter Content Security Policy, allowing scripts only from trusted Microsoft domains, thus enhancing protection against cross-site scripting threats. Organizations should prepare by reviewing sign-in flows and discontinuing unsupported code-injection tools.

Microsoft is rolling out a passwordless sign-in option for its services, utilizing passkeys as the default authentication method. This move aims to enhance security and simplify the login process for users by eliminating traditional passwords. The transition is part of a broader industry trend toward more secure and user-friendly authentication methods.

Microsoft is introducing a new default background image for Microsoft Entra and consumer authentication flows, set to roll out in August and September 2025. This visual update aims to modernize the user experience by providing a cleaner, consistent look across all sign-in screens without affecting functionality or requiring user action. The change is part of a broader effort to enhance authentication experiences based on customer feedback.

Amazon has taken action to block an APT29 campaign that was targeting Microsoft device code authentication. This intervention is part of ongoing efforts to thwart sophisticated cyber threats and protect user data against malicious actors exploiting vulnerabilities.

Microsoft is investigating authentication issues affecting Microsoft 365 users, particularly with multi-factor authentication (MFA) and password resets, following numerous customer reports. The problems stem from a recent change intended to enhance MFA functionality, and Microsoft is implementing configuration updates to mitigate the impact while working on a permanent solution. The incident primarily affects users in regions such as Europe, the Middle East, Africa, and Asia Pacific.