SharePoint Online Content Security Policy will be enforced starting March 2026

In September, I explained why SharePoint admins should not ignore Content Security Policy (CSP) violations and why preparation is important, as Microsoft has already indicated it will enforce CSP later.

Microsoft has now announced that CSP enforcement will begin in March 2026, with an optional 90-day delay that can be configured via PowerShell.


Timeline
  • April 2025 to 28 February 2026: CSP in report-only mode (no blocking, only logging)
  • 1 March 2026: CSP enforcement begins (blocking non-compliant scripts)
  • Delay enforcement until 1 June 2026 using PowerShell (optional)


How does this affect your organisation?

As described by Mozilla:

Content Security Policy (CSP) is a feature that helps to prevent or minimize the risk of certain types of security threats. It consists of a series of instructions from a website to a browser, which instruct the browser to place restrictions on the things that the code comprising the site is allowed to do.

The primary use case for CSP is to control which resources, in particular JavaScript resources, a document is allowed to load. This is mainly used as a defense against cross-site scripting (XSS) attacks, in which an attacker is able to inject malicious code into the victim’s site.

A CSP can have other purposes as well, including defending against clickjacking and helping to ensure that a site’s pages will be loaded over HTTPS.

When a browser loads a script on a site with CSP enabled, it checks the script’s source against the CSP rules. If the source is allowed, the script loads normally. If the source is not permitted, the browser blocks the script and logs a CSP violation in the browser console (CTRL + Shift + I).

Content Security Policy violation

I already published a guide explaining how to track CSP violations in SharePoint Online using Purview Audit Logs and how to export them with PowerShell. You should read and follow my guide from September.

Read: Why SharePoint admins should not ignore Content Security Policy violations


SharePoint PowerShell: how to delay CSP enforcement

There are now three PowerShell properties related to Content Security Policy in SharePoint.

Content Security Policy properties in SharePoint Online PowerShell

EnforceContentSecurityPolicyConfiguration
When EnforceContentSecurityPolicyConfiguration is set to True, Content Security Policy violations will be enforced. The default value is currently False, and it will automatically switch to True on 1 March 2026 (or will be ignored).

PowerShell
Set-SPOTenant -EnforceContentSecurityPolicyConfiguration $true



DelayContentSecurityPolicyEnforcement
DelayContentSecurityPolicyEnforcement allows administrators to postpone Content Security Policy enforcement from 1 March to 1 June 2026. The default value is False.

PowerShell
Set-SPOTenant -DelayContentSecurityPolicyEnforcement $true



ResyncContentSecurityPolicyConfigurationEntries

When ResyncContentSecurityPolicyConfigurationEntries is set to True, it forces a sync of the Content Security Policy sources for SharePoint Framework components in the tenant application catalog. New sources are added to the configuration, if not already present, based on the cdnBasedPath property in a solution's .config/write-manifests.json (where that file exists). The sync may take up to 24 hours to complete. In multi-geo environments, the Content Security Policy configuration is unique to each geo.


New PowerShell commands for SharePoint CSP

Microsoft has also published three new PowerShell commands for SharePoint CSP in the SharePoint Online PowerShell module.

Get-SPOContentSecurityPolicy
Returns all sources in the current Content Security Policy configuration.

Add-SPOContentSecurityPolicy
Adds a source to the Content Security Policy configuration.

Remove-SPOContentSecurityPolicy
Removes a source from the Content Security Policy configuration.
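The following script is an added example (not from the original post) that ties the three tenant properties above to the new cmdlets: it reports the tenant's current CSP state, lists the allowed sources so they can be compared against the violations exported from the audit log, and only applies the 90-day delay when explicitly requested. It assumes the SharePoint Online Management Shell module is installed, the account has SharePoint administrator rights, Get-SPOTenant exposes the same three CSP properties that Set-SPOTenant accepts, and the admin URL is a placeholder.

```powershell
# Added example, not code from the original post.
# Assumptions: SharePoint Online Management Shell is installed, the account is a
# SharePoint administrator, and Get-SPOTenant returns the three CSP properties
# that Set-SPOTenant accepts. The tenant name in the URL is a placeholder.
param(
    [string]$AdminUrl = "https://<tenant>-admin.sharepoint.com",  # placeholder
    [switch]$DelayEnforcement   # opt in to the 1 June 2026 enforcement date
)

Connect-SPOService -Url $AdminUrl

$tenant = Get-SPOTenant

# Collect the three CSP-related tenant properties in one object for reporting.
$state = [pscustomobject]@{
    Enforced        = $tenant.EnforceContentSecurityPolicyConfiguration
    Delayed         = $tenant.DelayContentSecurityPolicyEnforcement
    ResyncRequested = $tenant.ResyncContentSecurityPolicyConfigurationEntries
}
$state | Format-List

# Translate the flags into the mode the tenant is actually in.
if ($state.Enforced) {
    Write-Host "CSP is enforced: non-compliant scripts are blocked."
} elseif ($state.Delayed) {
    Write-Host "CSP is in report-only mode until 1 June 2026."
} else {
    Write-Host "CSP is in report-only mode; enforcement starts 1 March 2026."
}

# List the sources the tenant CSP currently allows. Compare this list with the
# script sources appearing as violations in the Purview audit log export.
Write-Host "`nAllowed CSP sources:"
Get-SPOContentSecurityPolicy | Format-Table -AutoSize

# Apply the delay only when requested and only while enforcement is not yet
# active; the delay buys time to fix violations, it does not remove them.
if ($DelayEnforcement -and -not $state.Enforced -and -not $state.Delayed) {
    Set-SPOTenant -DelayContentSecurityPolicyEnforcement $true
    Write-Host "Enforcement delayed until 1 June 2026."
}
```

Run it without the switch first to see the current state and source list; rerun with -DelayEnforcement only after deciding the extra 90 days are needed.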


Tobias Asböck

Tobias is a Senior System Engineer with more than 10 years of professional experience with Microsoft 365 products such as SharePoint Online, SharePoint Premium, OneDrive for Business, Teams Collaboration, Entra ID, Information Protection, Universal Print, and Microsoft 365 Licensing. He also has 15+ years of experience planning, administering, and operating SharePoint Server environments. Tobias is a PowerShell Scripter with certifications for Microsoft 365 products. In his spare time, Tobias is busy with updates in the Microsoft 365 world or on the road with his road bike and other sports activities. If you have additional questions, please contact me via LinkedIn or [email protected].
