
Microsoft has announced plans to harden Entra ID authentication against malicious script injection, with the change scheduled to take effect in October 2026.
The Content Security Policy (CSP) update tightens the Entra ID sign-in experience at login.microsoftonline.com so that only scripts served from trusted Microsoft domains are allowed to run.
“This update strengthens security and adds an additional layer of protection by allowing only scripts from trusted Microsoft domains to run during authentication and blocking the execution of unauthorized or injected code during the sign-in experience,” the Windows maker said.
“Specifically, we only allow script downloads from Microsoft’s trusted CDN domains and inline script execution from Microsoft’s trusted sources,” the company added. “The updated policy is limited to browser-based sign-in experiences for URLs that begin with login.microsoftonline.com. Microsoft Entra External ID is not affected.”
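The practical effect of such a policy is easiest to see by running candidate scripts through the script-src matching rules. The JavaScript below is an added example, not Microsoft's policy or code: the policy string, the nonce value and the CDN host names (cdn-a.example.net, *.cdn-b.example.net) are assumptions standing in for whatever Microsoft actually allow-lists. It implements host-source matching (scheme, wildcard subdomain, port, path prefix), nonce matching for inline scripts, and the CSP level 3 rule that 'unsafe-inline' is ignored once a nonce or hash source is present, so an extension-injected inline script without the page's nonce is refused while the page's own nonced script runs.

```javascript
// Added example (not Microsoft's code): evaluate the script-src part of a CSP.
// Policy, nonce and CDN host names below are constructed for illustration.
const EXAMPLE_POLICY =
  "script-src 'nonce-r4nd0mN0nc3' https://cdn-a.example.net https://*.cdn-b.example.net/static/; object-src 'none'";

// Parse a CSP header value into { directiveName: [sourceExpressions] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one host-source expression (e.g. https://*.cdn-b.example.net/static/)
// match a script URL? Covers scheme, wildcard subdomain, port and path prefix.
function hostSourceMatches(source, url) {
  const u = new URL(url);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && scheme.toLowerCase() + ':' !== u.protocol) return false;
  // Simplification: a scheme-less host source matches http or https only.
  if (!scheme && u.protocol !== 'https:' && u.protocol !== 'http:') return false;
  const hostLower = host.toLowerCase();
  if (hostLower === '*') {
    // bare '*' matches any host
  } else if (wildcard) {
    // '*.example' matches subdomains of example, never example itself
    if (!u.hostname.endsWith('.' + hostLower)) return false;
  } else if (u.hostname !== hostLower) {
    return false;
  }
  if (port && port !== '*') {
    const actualPort = u.port || (u.protocol === 'https:' ? '443' : '80');
    if (port !== actualPort) return false;
  }
  if (path) {
    // A path ending in '/' is a prefix; otherwise it must match exactly.
    if (path.endsWith('/') ? !u.pathname.startsWith(path) : u.pathname !== path) return false;
  }
  return true;
}

// Decide whether a script runs under the policy's script-src (falling back to
// default-src). script = { src: 'https://...' } for an external script, or
// { inline: true, nonce: '...' } for an inline one. pageOrigin is assumed.
function scriptAllowed(directives, script, pageOrigin = 'https://login.microsoftonline.com') {
  const sources = directives['script-src'] || directives['default-src'] || [];
  const keywords = sources.map(s => s.toLowerCase());
  if (keywords.includes("'none'")) return false;
  if (script.inline) {
    const hasNonceOrHash = sources.some(s => /^'(nonce|sha(256|384|512))-/i.test(s));
    if (keywords.includes("'unsafe-inline'") && !hasNonceOrHash) return true;
    // Nonces are case-sensitive and must match the policy exactly.
    return Boolean(script.nonce) && sources.includes(`'nonce-${script.nonce}'`);
  }
  return sources.some(s => {
    if (s.toLowerCase() === "'self'") return new URL(script.src).origin === pageOrigin;
    if (s.startsWith("'")) return false; // other keywords and hashes never match a URL
    return hostSourceMatches(s, script.src);
  });
}
```

Under EXAMPLE_POLICY, `scriptAllowed(parseCsp(EXAMPLE_POLICY), { inline: true })` is false (an injected inline script with no nonce), while `{ inline: true, nonce: 'r4nd0mN0nc3' }` and `{ src: 'https://cdn-a.example.net/login.js' }` are true; a script from a host outside the allow-list, or from the right host over plain http, is refused.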

The change is described as a precautionary measure and is part of Microsoft’s Secure Future Initiative (SFI). It is designed to protect users from cross-site scripting (XSS) attacks, in which malicious code is injected into a web page, and is scheduled to roll out worldwide in mid-to-late October 2026.
Microsoft recommends that organizations test their sign-in flows well in advance to confirm that nothing they depend on is blocked by the new policy and that users see no change in the sign-in experience.
“We also advise customers to refrain from using browser extensions or tools that inject code or script into the Microsoft Entra sign-in experience,” the company said. “Those following this approach are encouraged to switch to other tools that do not inject code.”
To identify CSP violations, run the sign-in flow with the browser’s developer tools open and watch the Console for refusal messages (in Chromium, for example, “Refused to load the script …” for an external script and “Refused to execute inline script …” for inline code). Each message names the script-src directive that was violated: an external script fails when its host is not in the directive’s allow-list, and an inline script fails when it does not carry the nonce the directive requires.
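Reading refusals off the console is fine for a handful of test logins; for a larger test run it helps to collect the violations as reports and sort them by cause. The JavaScript below is an added example, not Microsoft's tooling: it classifies CSP violation reports in the report-uri JSON shape (the "csp-report" object with blocked-uri, effective-directive, source-file and script-sample fields) into extension injections, inline scripts lacking a nonce, scripts from untrusted hosts, and scripts from hosts you expected to be allowed. The sample reports, the trusted-host list and the extension attribution via source-file are assumptions constructed for illustration; browsers differ in how they attribute extension-originated injections, so treat the classes as a starting point for triage rather than a verdict.

```javascript
// Added example (not Microsoft's code): triage CSP violation reports from a
// sign-in page. Trusted hosts and sample reports are constructed for
// illustration and are not Microsoft's real CDN domains.
const TRUSTED_SCRIPT_HOSTS = ['cdn-a.example.net', '.cdn-b.example.net']; // assumed allow-list
const EXTENSION_SCHEMES = ['chrome-extension:', 'moz-extension:', 'safari-web-extension:', 'ms-browser-extension:'];

function isExtensionUri(uri) {
  return typeof uri === 'string' && EXTENSION_SCHEMES.some(s => uri.startsWith(s));
}

// Leading '.' entries match any subdomain; others must match exactly.
function hostTrusted(hostname) {
  return TRUSTED_SCRIPT_HOSTS.some(h => (h.startsWith('.') ? hostname.endsWith(h) : hostname === h));
}

// Classify one report. kind is one of: 'extension-injection',
// 'inline-without-nonce', 'untrusted-host', 'trusted-host-blocked'
// (a host you expected the policy to allow was refused: check the path or
// scheme in the policy) or 'other' (not a script-src violation).
function classifyReport(report) {
  const r = report['csp-report'] || report;
  const directive = (r['effective-directive'] || r['violated-directive'] || '').split(/\s+/)[0];
  if (!['script-src', 'script-src-elem', 'script-src-attr'].includes(directive)) {
    return { kind: 'other', detail: `directive ${directive || '(none)'}` };
  }
  const blocked = r['blocked-uri'] || '';
  const sourceFile = r['source-file'] || '';
  // Assumption: an extension URL in blocked-uri or source-file marks an
  // extension-injected script.
  if (isExtensionUri(blocked) || isExtensionUri(sourceFile)) {
    return { kind: 'extension-injection', detail: blocked || sourceFile };
  }
  if (blocked === 'inline') {
    return { kind: 'inline-without-nonce', detail: (r['script-sample'] || '').slice(0, 40) };
  }
  let url;
  try {
    url = new URL(blocked);
  } catch {
    return { kind: 'other', detail: blocked };
  }
  return hostTrusted(url.hostname)
    ? { kind: 'trusted-host-blocked', detail: url.href }
    : { kind: 'untrusted-host', detail: url.href };
}

// Count reports per class so a batch of test sign-ins yields a short summary.
function summarize(reports) {
  const counts = {};
  for (const rep of reports) {
    const { kind } = classifyReport(rep);
    counts[kind] = (counts[kind] || 0) + 1;
  }
  return counts;
}

// Constructed sample reports in the report-uri JSON shape.
const DOC = 'https://login.microsoftonline.com/';
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': DOC, 'effective-directive': 'script-src', 'blocked-uri': 'inline',
      'source-file': 'chrome-extension://abcdefghijklmnop/content.js', 'script-sample': 'document.forms[0].addEventListener(' } },
  { 'csp-report': { 'document-uri': DOC, 'effective-directive': 'script-src-elem', 'blocked-uri': 'https://telemetry.example.org/collect.js' } },
  { 'csp-report': { 'document-uri': DOC, 'effective-directive': 'script-src', 'blocked-uri': 'inline', 'script-sample': 'window.__hook = true' } },
  { 'csp-report': { 'document-uri': DOC, 'effective-directive': 'script-src-elem', 'blocked-uri': 'https://assets.cdn-b.example.net/static/app.js' } },
  { 'csp-report': { 'document-uri': DOC, 'effective-directive': 'img-src', 'blocked-uri': 'https://tracker.example.org/p.gif' } },
];

console.log(SAMPLE_REPORTS.map(classifyReport));
console.log(summarize(SAMPLE_REPORTS));
```

In a real test run you would feed reports captured from a report-uri or report-to endpoint, or objects built from `securitypolicyviolation` events (whose blockedURI, effectiveDirective, sourceFile and sample properties map onto the same fields). Anything landing in 'extension-injection' or 'inline-without-nonce' is what Microsoft's advice above tells you to remove before the rollout; 'trusted-host-blocked' points at a mismatch between the policy and the host list rather than at an injection.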
Microsoft’s SFI is a multi-year effort to put security first when designing new products and to better prepare the company for increasingly sophisticated cyber threats.
SFI was first introduced in November 2023 and expanded in May 2024 following a report from the US Cyber Safety Review Board (CSRB) that concluded the company’s “security culture is inadequate and requires a complete overhaul.”
In its third progress report, released this month, Microsoft said it has deployed more than 50 new detections across its infrastructure targeting high-priority tactics, techniques and procedures, and has reached a 99.6% adoption rate of phishing-resistant multi-factor authentication (MFA) for users and devices.

Other notable changes enacted by Microsoft include:
- Enforced mandatory MFA across all services, including all Azure service users
- Introduced automatic recovery with Quick Machine Recovery, expanded passkey and Windows Hello support, and improved memory safety for UEFI firmware and drivers using Rust
- Migrated 95% of Microsoft Entra ID signing VMs to Azure Confidential Compute and migrated 94.3% of Microsoft Entra ID security token validation to the standard ID software development kit (SDK)
- Retired the use of Active Directory Federation Services (ADFS) in Microsoft’s productivity environments
- Retired an additional 560,000 unused and obsolete tenants and 83,000 unused Microsoft Entra ID apps across Microsoft production and productivity environments
- Advanced threat hunting with central tracking of 98% of production infrastructure
- Achieved a complete network device inventory and matured asset lifecycle management
- Almost completely locked down code signing for production identities
- Published 1,096 CVEs, including 53 no-action cloud CVEs, and paid $17 million in bounties
“To adhere to Zero Trust principles, organizations must use integrated security tools and threat intelligence to automate vulnerability detection, response, and remediation,” Microsoft said. “Maintaining real-time visibility into security incidents across hybrid and cloud environments enables faster containment and recovery.”
