{"id":14111,"date":"2025-12-04T07:01:01","date_gmt":"2025-12-03T22:01:01","guid":{"rendered":"https:\/\/m365jp.net\/?p=14111"},"modified":"2025-12-04T07:02:01","modified_gmt":"2025-12-03T22:02:01","slug":"mc1191924-microsoft-entra-id-enhance-protection-of-the-authentication-experience-by-blocking-external-script-injection","status":"publish","type":"post","link":"https:\/\/m365jp.net\/index.php\/2025-12-04-mc1191924-microsoft-entra-id-enhance-protection-of-the-authentication-experience-by-blocking-external-script-injection","title":{"rendered":"MC1191924 | Microsoft Entra ID: Enhance protection of the authentication experience by blocking external script injection"},"content":{"rendered":"<div class=\"postie-post\">\n<div>\n<hr>\n<table id=\"section\">\n<tbody>\n<tr>\n<th width=\"95%\">MC1191924 | Microsoft Entra ID: Enhance protection of the authentication experience by blocking external script injection<\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr>\n<table id=\"data\">\n<tbody>\n<tr>\n<th>Classification<\/th>\n<td>stayInformed<\/td>\n<\/tr>\n<tr>\n<th>Last Updated<\/th>\n<td>12\/03\/2025 21:44:55<\/td>\n<\/tr>\n<tr>\n<th>Start Time<\/th>\n<td>12\/03\/2025 21:44:46<\/td>\n<\/tr>\n<tr>\n<th>End Time<\/th>\n<td>11\/25\/2026 08:00:00<\/td>\n<\/tr>\n<tr>\n<th>Message Content<\/th>\n<td>\n<p><b>Introduction<\/b><\/p>\n<p>As part of Microsoft\u2019s <a href=\"https:\/\/www.microsoft.com\/trust-center\/security\/secure-future-initiative?msockid=22346ecb805f631739b27a6e81726266\" target=\"_blank\">Secure Future Initiative<\/a>, we\u2019re updating our <a href=\"http:\/\/aka.ms\/entracontentsecuritypolicy\" target=\"_blank\">Content Security Policy for the Microsoft Entra ID sign-in experience<\/a>. This change adds an extra layer of protection by allowing only scripts from trusted Microsoft domains to run during authentication, blocking unauthorized or injected external code. 
This proactive measure helps safeguard users against threats like <a href=\"https:\/\/www.microsoft.com\/msrc\/blog\/2025\/09\/why-xss-still-matters-msrcs-perspective-on-a-25-year-old-threat\" target=\"_blank\">cross-site scripting (XSS)<\/a>, further strengthening security for your organization.<\/p>\n<p><b>When this will happen<\/b><\/p>\n<p>General Availability (Production\/Worldwide only):<\/p>\n<ul>\n<li>Rollout begins mid-October 2026<\/li>\n<li>Expected completion by late October 2026<\/li>\n<\/ul>\n<p>Periodic communications will be sent closer to release.<\/p>\n<p><b>How this affects your organization<\/b><\/p>\n<p><i>Who is affected:<\/i><\/p>\n<ul>\n<li>Organizations using browser-based sign-in experiences on URLs starting with <b>login.microsoftonline.com<\/b>.<\/li>\n<li><b>No impact to Microsoft Entra External ID tenants.<\/b><\/li>\n<\/ul>\n<p><i>What will happen:<\/i><\/p>\n<ul>\n<li>A new Content Security Policy header will be added to Microsoft Entra sign-in pages.<\/li>\n<li>Scripts will only be allowed from Microsoft trusted CDN domains.<\/li>\n<li>Inline script execution will only be allowed from trusted Microsoft sources.<\/li>\n<li>Browser extensions or tools that inject code into the sign-in page will stop working, though users can still sign in.<\/li>\n<\/ul>\n<p><b>What you can do to prepare<\/b><\/p>\n<ul>\n<li>If you do not use tools or extensions that inject code into the sign-in experience, no action is required.<\/li>\n<li>If you do use such tools, switch to alternatives that don\u2019t inject code.<\/li>\n<li>Test your sign-in flows thoroughly before rollout to identify and resolve any issues early. 
Testing instructions can be found in our <a href=\"http:\/\/aka.ms\/entracontentsecuritypolicy\" target=\"_blank\">CSP Guide for Microsoft Entra ID<\/a>.<\/li>\n<\/ul>\n<p><b>Learn more:<\/b><\/p>\n<ul>\n<li><a href=\"http:\/\/aka.ms\/entracontentsecuritypolicy\" target=\"_blank\">Content Security Policy Overview for Microsoft Entra ID<\/a><\/li>\n<li><a href=\"https:\/\/techcommunity.microsoft.com\/blog\/microsoft-entra-blog\/enhance-protection-of-microsoft-entra-id-authentication-by-blocking-external-scr\/4435200\" target=\"_blank\">Microsoft Entra ID Content Security Policy Public Blog Post on Techcommunity<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/trust-center\/security\/secure-future-initiative?msockid=22346ecb805f631739b27a6e81726266\" target=\"_blank\">Microsoft Secure Future Initiative<\/a><\/li>\n<li><a href=\"https:\/\/content-security-policy.com\/nonce\/\" target=\"_blank\">The CSP nonce guide | Content Security Policy (CSP) quick reference guide<\/a><\/li>\n<li><a href=\"https:\/\/content-security-policy.com\/script-src\/\" target=\"_blank\">The CSP script-src directive guide | Content Security Policy (CSP) quick reference guide<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/msrc\/blog\/2025\/09\/why-xss-still-matters-msrcs-perspective-on-a-25-year-old-threat\" target=\"_blank\">Why XSS still matters: MSRC\u2019s perspective on a 25-year-old threat | Microsoft Blog<\/a><\/li>\n<\/ul>\n<p><b>Compliance considerations<\/b><\/p>\n<p>No compliance considerations identified; review as appropriate for your organization.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<th>Machine Translation<\/th>\n<td>\n<p><b>Introduction<\/b><\/p>\n<p>As part of Microsoft's <a href=\"https:\/\/www.microsoft.com\/trust-center\/security\/secure-future-initiative?msockid=22346ecb805f631739b27a6e81726266\" target=\"_blank\">Secure Future Initiative<\/a>, we are updating the <a href=\"http:\/\/aka.ms\/entracontentsecuritypolicy\" target=\"_blank\">Content Security Policy for the Microsoft Entra ID sign-in experience<\/a>. This change adds an extra layer of protection: only scripts from trusted Microsoft domains can run during authentication, and unauthorized or injected external code is blocked. This proactive measure protects users from threats such as <a href=\"https:\/\/www.microsoft.com\/msrc\/blog\/2025\/09\/why-xss-still-matters-msrcs-perspective-on-a-25-year-old-threat\" target=\"_blank\">cross-site scripting (XSS)<\/a> and further strengthens your organization's security.<\/p>\n<p><b>When this will happen<\/b><\/p>\n<p>General Availability (Production\/Worldwide only):<\/p>\n<ul>\n<li>Rollout begins in mid-October 2026<\/li>\n<li>Expected to be completed by late October 2026<\/li>\n<\/ul>\n<p>Periodic communications will be sent before release.<\/p>\n<p><b>How this affects your organization<\/b><\/p>\n
<p><i>Who is affected:<\/i><\/p>\n<ul>\n<li>Organizations that use browser-based sign-in experiences on URLs starting with <b>login.microsoftonline.com<\/b>.<\/li>\n<li><b>There is no impact on Microsoft Entra External ID tenants.<\/b><\/li>\n<\/ul>\n<p><i>What will happen:<\/i><\/p>\n<ul>\n<li>A new Content Security Policy header will be added to Microsoft Entra sign-in pages.<\/li>\n<li>Scripts will only be allowed from Microsoft's trusted CDN domains.<\/li>\n<li>Inline script execution will only be allowed from trusted Microsoft sources.<\/li>\n<li>Browser extensions and tools that inject code into the sign-in page will stop working, but users will still be able to sign in.<\/li>\n<\/ul>\n<p><b>What you can do to prepare<\/b><\/p>\n<ul>\n
<li>If you do not use tools or extensions that inject code into the sign-in experience, no action is required.<\/li>\n<li>If you do use such tools, switch to alternatives that do not inject code.<\/li>\n<li>Test your sign-in flows thoroughly before rollout so that issues are identified and resolved early. Testing instructions are available in the <a href=\"http:\/\/aka.ms\/entracontentsecuritypolicy\" target=\"_blank\">CSP Guide for Microsoft Entra ID<\/a>.<\/li>\n<\/ul>\n<p><b>Learn more:<\/b><\/p>\n<ul>\n<li><a href=\"http:\/\/aka.ms\/entracontentsecuritypolicy\" target=\"_blank\">Content Security Policy Overview for Microsoft Entra ID<\/a><\/li>\n<li><a href=\"https:\/\/techcommunity.microsoft.com\/blog\/microsoft-entra-blog\/enhance-protection-of-microsoft-entra-id-authentication-by-blocking-external-scr\/4435200\" target=\"_blank\">Microsoft Entra ID Content Security Policy public blog post on Tech Community<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/trust-center\/security\/secure-future-initiative?msockid=22346ecb805f631739b27a6e81726266\" target=\"_blank\">Microsoft Secure Future Initiative<\/a><\/li>\n<li><a href=\"https:\/\/content-security-policy.com\/nonce\/\" 
target=\"_blank\">The CSP nonce guide | Content Security Policy (CSP) quick reference guide<\/a><\/li>\n<li><a href=\"https:\/\/content-security-policy.com\/script-src\/\" target=\"_blank\">The CSP script-src directive guide | Content Security Policy (CSP) quick reference guide<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/msrc\/blog\/2025\/09\/why-xss-still-matters-msrcs-perspective-on-a-25-year-old-threat\" target=\"_blank\">Why XSS still matters: MSRC's perspective on a 25-year-old threat | Microsoft Blog<\/a><\/li>\n<\/ul>\n<p><b>Compliance considerations<\/b><\/p>\n<p>No compliance considerations were identified. Review as appropriate for your organization.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>MC1191924 | Microsoft Entra ID: Enhance protection of the authentication experience by blocking external scrip 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14111","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/14111","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/comments?post=14111"}],"version-history":[{"count":0,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/14111\/revisions"}],"wp:attachment":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/media?parent=14111"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/categories?post=14111"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/tags?post=14111"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}