Microsoft enforces Content Security Policy (CSP) in SharePoint Online.
What does that mean to SharePoint Admins? Should we be concerned? What do we need to undertake? Before? After?
In web development generally, a Content Security Policy (CSP) is used to minimize the risk of security threats by controlling which resources, in particular JavaScript resources, a page or site is allowed to load.
In SharePoint, web development is done via SPFx, so the CSP affects SPFx solutions. In a nutshell, from now on, for SPFx solutions to work properly, admins should whitelist external domains. Admins can maintain the list of allowed domains via the GUI in the SharePoint admin center or via PowerShell:
# List current sources
Get-SPOContentSecurityPolicy
# Remove a source
Remove-SPOContentSecurityPolicy -Source "https://cdn.host.com/source/"
# Add a source
Add-SPOContentSecurityPolicy -Source "https://cdn.host.com/source/"
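What an entry such as https://cdn.host.com/source/ does and does not cover, as an added example that is not part of the original post or Microsoft's code. It assumes the entries are matched the way browsers match CSP source expressions (simplified here to scheme, host, port and path); the function names and the script URLs are constructed for illustration.

```javascript
// Added example: simplified CSP source matching (scheme, host, port, path).
// Sample URLs are constructed; only the source entry comes from the post.

function parseSource(src) {
  const m = /^(https?):\/\/([^\/:]+)(?::(\d+))?(\/.*)?$/i.exec(src.trim());
  if (!m) throw new Error(`unsupported source expression: ${src}`);
  const scheme = m[1].toLowerCase();
  const defaultPort = scheme === "https" ? "443" : "80";
  // URL.port is "" for the scheme's default port, so normalise the same way.
  const port = !m[3] || m[3] === defaultPort ? "" : m[3];
  return { scheme, host: m[2].toLowerCase(), port, path: m[4] || "" };
}

function hostMatches(pattern, host) {
  // "*.host.com" covers subdomains only, never the bare "host.com".
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function pathMatches(srcPath, urlPath) {
  if (srcPath === "" || srcPath === "/") return true; // whole origin allowed
  // Trailing slash means "everything under this folder"; otherwise exact file.
  return srcPath.endsWith("/") ? urlPath.startsWith(srcPath) : urlPath === srcPath;
}

function isAllowed(scriptUrl, sources) {
  const u = new URL(scriptUrl);
  return sources.map(parseSource).some((s) =>
    u.protocol === s.scheme + ":" &&
    hostMatches(s.host, u.hostname) &&
    u.port === s.port &&
    pathMatches(s.path, u.pathname));
}

function findUncovered(scriptUrls, sources) {
  return scriptUrls.filter((url) => !isAllowed(url, sources));
}

const trustedSources = ["https://cdn.host.com/source/"];
const spfxScriptUrls = [
  "https://cdn.host.com/source/widget.js",        // covered
  "https://cdn.host.com/other/widget.js",         // different folder
  "https://static.cdn.host.com/source/widget.js", // different host
  "http://cdn.host.com/source/widget.js",         // different scheme
];
console.log(findUncovered(spfxScriptUrls, trustedSources));
```

Running the script URLs of a solution through a check like this before enforcement shows which sources still need an entry.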
The CSP was enforced on March 1, 2026, but as per Microsoft, if clients need more time to review and update existing SPFx solutions, we can delay the enforcement by 90 days, until June 1, 2026, via:
Set-SPOTenant -DelayContentSecurityPolicyEnforcement $true
# IMPORTANT: List the applied setting again as mandatory step to correctly persist the setting (will be fixed)
(Get-SPOTenant).DelayContentSecurityPolicyEnforcement
Admins can view the Content Security Policy Violations via Purview.
So there are cmdlets:
- Add-SPOContentSecurityPolicy
- Remove-SPOContentSecurityPolicy
- Set-SPOTenant
And for the Set-SPOTenant cmdlet there are options related to CSP:
- DelayContentSecurityPolicyEnforcement
- EnforceContentSecurityPolicyConfiguration
- ResyncContentSecurityPolicyConfigurationEntries
- ContentSecurityPolicyEnforcement
So the question I ask myself is what exactly each command does, and how the options correlate with each other and affect SPFx solutions.
Content Security Policy (CSP) in SharePoint: My Findings
ContentSecurityPolicyEnforcement
It seems like using Set-SPOTenant with the ContentSecurityPolicyEnforcement parameter changes nothing. I.e. “Set-SPOTenant -ContentSecurityPolicyEnforcement:$false” does not disable the policy and, vice versa, “Set-SPOTenant -ContentSecurityPolicyEnforcement:$true” does not enforce the CSP policy.
My guess is that it’s because this article was written in April 2026. Microsoft started Content Security Policy (CSP) enforcement on March 1, 2026. So probably before March 1, 2026 we could use ContentSecurityPolicyEnforcement to enable the policy, but since March 2026 the policy is enforced anyway and the ContentSecurityPolicyEnforcement parameter is not needed (and will probably go away in the next versions of the Microsoft.Online.SharePoint.PowerShell module).
DelayContentSecurityPolicyEnforcement
The DelayContentSecurityPolicyEnforcement parameter effectively switches the policy on and off. It takes a few minutes for Microsoft to propagate the change, so you can start seeing the policy enforced or not. But this is true only during the 90 days – in Mar, Apr and May 2026. From June 1, 2026 the Content Security Policy (CSP) will be enforced in SharePoint Online.
References
- Content Security Policy (CSP) – MDN
- Support for Content Security Policy (CSP) in SharePoint Online (Microsoft)
- Set-SPOTenant cmdlet (SPO Management Shell, Microsoft)
- Preparing for SharePoint Online CSP Enforcement (Nello D’Andrea, MVP)