Microsoft will upgrade the Entra ID authentication system in October 2026 to prevent external script injection attacks. The update will enforce a stricter Content Security Policy, allowing scripts only from trusted Microsoft domains, thus enhancing protection against cross-site scripting threats. Organizations should prepare by reviewing sign-in flows and discontinuing unsupported code-injection tools.

Microsoft is rolling out a passwordless sign-in option for its services, utilizing passkeys as the default authentication method. This move aims to enhance security and simplify the login process for users by eliminating traditional passwords. The transition is part of a broader industry trend toward more secure and user-friendly authentication methods.