Microsoft is tightening its cloud platform’s login system to make it harder for hackers to hijack users’ accounts.
Beginning next October, Microsoft’s Entra ID cloud identity management platform will block scripts from running during the login process unless they originate from “trusted Microsoft domains,” the company said on Monday.
“This is a proactive measure that further shields your users against current security risks, such as cross-site scripting (XSS), where attackers can insert malicious code into websites,” Ankur Patel, an Entra ID product manager, wrote in a blog post.
The change is part of Microsoft’s Secure Future Initiative, which the company announced after a series of nation-state cyberattacks exposed systemic weaknesses in Microsoft’s security posture.
Microsoft said it would enforce the script restrictions through a modification to the Content Security Policy browser security header, a piece of code that tells web browsers how to handle content securely.
The update will not apply to Entra External ID, which handles authentication in applications other than web browsers.
Microsoft encouraged organizations to test their sign-in processes ahead of the change “to ensure a smooth rollout.”
Persistent flaw
Software developers have understood the risks of cross-site scripting attacks for decades, but these attacks remain a powerful tool for hackers because the underlying vulnerabilities remain widespread — even in modern applications developed with the latest tools.
“At Microsoft, we still receive a steady stream of XSS reports across our services, from legacy portals to newly deployed single-page apps,” the company said in a September blog post. The Microsoft Security Response Center mitigated nearly 1,000 XSS vulnerabilities between January 2024 and mid-2025, according to the post.
“Despite advancements in browser security, content security policies (CSP), and secure-by-default libraries,” Microsoft said, “XSS remains a persistent threat vector with real-world consequences.”
