Skip to main content
🦉
Message CenterMicrosoft 365 Updates
HomePermissionsTenant FinderPortfolio
🦉
M365 Message Centerby Cengiz YILMAZ

Track the latest updates, features, and announcements for Microsoft 365 services. Comprehensive archive of service updates and important changes.

Quick Links

HomePermissionsTenant FinderPortfolio

Connect

© 2026 M365 Message Center. Created with ❤️ by Cengiz YILMAZ

Data sourced from Microsoft 365 Message Center • Not affiliated with Microsoft

  1. Home
  2. /
  3. MC1218747

Power Apps – Content Security Policy enforcement for Power Apps code apps

Informational

Message ID

MC1218747
View in Admin Center

Services

Power Apps

Details

Starting on January 26, 2026, we will introduce strict Content Security Policy (CSP) enforcement for Power Apps code apps (preview). CSP is a security feature that protects apps from malicious content by restricting which external sources an app can access.

How does this affect me?
After January 30, 2026, Power Apps code apps that call assets outside of Power Apps domains will have those requests blocked by default. The code app will play, but these assets called from an external source will not load.

Please visit How to: Configure Content Security Policy (preview) - Power Apps for more information about the default CSP configuration.

What action do I need to take?
To enable your code app to call assets from external sources, you will need to allowlist any required external sources using the CSP configuration settings in the Power Platform admin center.

To prepare for this change, we recommend you configure CSP by using Power Platform admin center and follow the steps below. We recommend taking these steps if you are unsure about what your CSP configuration should be, and your code app is business critical:
  1. Temporarily toggle off the Enforce content security policy setting.
  2. Toggle on the Enable reporting setting.
  3. Test which sources need to be added to your allowlist after the enforcement date of January 30, 2026.
  4. Add the required sources to your allowlist.
  5. Toggle on the Enforce content security policy setting.
If your app does not need to call external assets or is not business critical, leave CSP enforcement enabled and enable reporting mode to monitor policy violations and proactively configure CSP.

Please contact Microsoft Support if you need further assistance.

Timeline

📅
Published
Jan 17, 2026
Message published to Message Center
✏️
Updated
Jan 17, 2026
Message content updated
🏁
End Date
Feb 17, 2026
Message timeline ends

Tags

#Admin impact

Category

📖Stay Informed

Related Messages

Similar updates

MC1215683

Power Apps – Deprecation of Preview Copilot Controls in Canvas Apps

Jan 8, 2026
MC987008

Dynamics 365, Power Platform, and Role-based Copilot offerings – 2025 release wave 1 plans available now

Jan 23, 2025
MC734269

Power Platform - Information about preventing errors and stub user records during data import workflows

Mar 12, 2024
MC1189695

Power Apps – Upcoming changes to license consumption experience

Nov 25, 2025
MC1189623

Power Apps – Add AI record summary to model-driven apps

Nov 24, 2025