check before: 2026-01-26
Product:
Microsoft 365 admin center, Power Apps, Power Platform, SharePoint
Platform:
Online, World tenant
Status:
Change type:
Admin impact
Links:
Details:
Starting on January 26, 2026, we will introduce strict Content Security Policy (CSP) enforcement for Power Apps code apps (preview). CSP is a security feature that protects apps from malicious content by restricting which external sources an app can access.
Release Phase:
Created:
2026-01-17
updated:
2026-01-17
Direct effects for Operations**
CSP Enforcement Impact
Power Apps code apps will block requests to external assets by default, potentially breaking functionality for users relying on those assets.
- roles: Power Apps Developer, End User
- references: https://aka.ms/13661Link1, https://aka.ms/13661Link2
User Experience Degradation
Users may experience degraded functionality or errors in apps that depend on external resources, leading to frustration and decreased productivity.
- roles: End User, Business Analyst
- references: https://aka.ms/13661Link3, https://aka.ms/13661Link4
Increased Support Requests
The change may lead to an increase in support requests as users encounter issues with app functionality, straining IT support resources.
- roles: IT Support, Power Apps Developer
- references: https://aka.ms/13661Link1, https://aka.ms/13661Link2
Opportunities**
Enhanced Security Posture
Implementing strict Content Security Policy (CSP) will enhance the security of Power Apps by preventing unauthorized access to external assets, thereby reducing the risk of data breaches and malicious attacks.
- next-steps: Assess current app dependencies on external assets and configure CSP settings accordingly. Regularly review and update the allowlist as necessary.
- roles: IT Security Manager, Power Apps Developer, Compliance Officer
- references: https://docs.microsoft.com/en-us/power-platform/admin/content-security-policy, https://aka.ms/13661Link1
Improved User Experience
By proactively configuring CSP and allowlisting necessary external sources, users will experience fewer disruptions and smoother functionality in their Power Apps, leading to increased productivity.
- next-steps: Conduct user testing to identify essential external assets, and configure the CSP settings to ensure they are allowlisted before the enforcement date.
- roles: Business Analyst, Power Apps Developer, End Users
- references: https://docs.microsoft.com/en-us/power-platform/admin/content-security-policy, https://aka.ms/13661Link2
Operational Efficiency in IT Management
Utilizing the reporting feature of CSP can provide insights into which external assets are frequently accessed, allowing for better resource management and future planning of app functionalities.
- next-steps: Enable the reporting setting in CSP to gather data on policy violations and access patterns, then analyze this data to inform future app development and security policies.
- roles: IT Operations Manager, Data Analyst, Power Apps Developer
- references: https://docs.microsoft.com/en-us/power-platform/admin/content-security-policy, https://aka.ms/13661Link3
explanation for non-techies**
Starting January 26, 2026, Microsoft will introduce a new security feature called Content Security Policy (CSP) for Power Apps code apps. Think of CSP as a security guard for your app, ensuring that it only interacts with trusted sources. This means that after January 30, 2026, if your app tries to access content from outside the Power Apps environment, those requests will be blocked unless you have specifically allowed them.
Imagine your app is like a restaurant, and CSP is the bouncer at the door. The bouncer's job is to make sure only approved suppliers (external sources) can deliver ingredients (content) to your restaurant. If a supplier isn't on the approved list, the bouncer won't let them in, ensuring that only safe and trusted ingredients are used.
To prepare for this change, you can use the Power Platform admin center to manage which external sources your app can access. If your app is crucial for your business, it's a good idea to temporarily turn off the strict enforcement of CSP and enable a reporting feature. This will help you identify which external sources your app is trying to access, so you can add them to your approved list before the enforcement date.
Once you've identified and approved the necessary sources, you can turn the strict enforcement back on. If your app doesn't need to access external content or isn't critical to your business, you can leave the CSP enforcement on and use the reporting feature to monitor any potential issues.
For more detailed guidance, you can refer to Microsoft's resources or contact their support for assistance.
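The report-first procedure above (collect violations, then allowlist what the app really needs) can be supported by a short script; this is an added example, not part of the original notice or of Microsoft's tooling. It assumes violation reports are available in the standard browser `csp-report` JSON shape, which the notice does not confirm for the admin center; `sampleReports`, `toOrigin` and `summarizeReports` are hypothetical names and the sample data is constructed.

```javascript
// Constructed sample reports in the standard "csp-report" JSON shape that
// browsers send to a reporting endpoint; none of these come from a real tenant.
const sampleReports = [
  { "csp-report": { "document-uri": "https://apps.example.test/a", "effective-directive": "connect-src", "blocked-uri": "https://api.partner.example/v1/orders?id=7" } },
  { "csp-report": { "document-uri": "https://apps.example.test/a", "effective-directive": "connect-src", "blocked-uri": "https://api.partner.example/v1/stock" } },
  { "csp-report": { "document-uri": "https://apps.example.test/a", "effective-directive": "img-src", "blocked-uri": "https://cdn.images.example/logo.png" } },
  { "csp-report": { "document-uri": "https://apps.example.test/b", "violated-directive": "img-src 'self'", "blocked-uri": "https://cdn.images.example/banner.jpg" } },
  { "csp-report": { "document-uri": "https://apps.example.test/b", "effective-directive": "script-src-elem", "blocked-uri": "inline" } },
  { "csp-report": { "document-uri": "https://apps.example.test/b", "effective-directive": "font-src", "blocked-uri": "data" } },
];

// Reduce a blocked-uri to the origin an allowlist entry would name.
// Keyword values (inline, eval, data, blob) are not hosts, so they return
// null and are handled separately instead of being allowlisted.
function toOrigin(blockedUri) {
  try {
    const u = new URL(blockedUri);
    return u.protocol === "https:" || u.protocol === "http:" ? u.origin : null;
  } catch {
    return null;
  }
}

// Group reports by directive and origin. Reports are untrusted input, so the
// counters live in Maps rather than plain objects keyed by report fields.
function summarizeReports(reports) {
  const candidates = new Map(); // directive -> Map(origin -> hit count)
  const needsReview = [];       // violations that no host entry can fix
  for (const entry of reports) {
    const r = entry && entry["csp-report"];
    if (!r || typeof r["blocked-uri"] !== "string") continue;
    // Older reports carry only violated-directive, which holds the full
    // directive text; its first token is the directive name.
    const directive = r["effective-directive"] || String(r["violated-directive"] || "").split(" ")[0];
    if (!directive) continue;
    const origin = toOrigin(r["blocked-uri"]);
    if (origin === null) {
      needsReview.push({ directive, blocked: r["blocked-uri"], page: r["document-uri"] });
      continue;
    }
    if (!candidates.has(directive)) candidates.set(directive, new Map());
    const perOrigin = candidates.get(directive);
    perOrigin.set(origin, (perOrigin.get(origin) || 0) + 1);
  }
  return { candidates, needsReview };
}

console.log(summarizeReports(sampleReports));
```

Each origin in `candidates` is a candidate only: confirm the app genuinely depends on it before allowlisting, and treat `needsReview` entries as code changes rather than allowlist entries.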
** AI generated content. This information must be reviewed before use.