Introduction
Microsoft is strengthening security in SharePoint Online by enforcing Content Security Policies (CSP) starting March 1, 2026. This change will block scripts in custom SPFx solutions if they originate from untrusted locations or rely on inline JavaScript. Any affected solutions may stop functioning until updated. Organizations must review all SPFx solutions, ensure scripts load only from trusted sources, and convert inline scripts into external files. A temporary 90‑day delay option is available via PowerShell for organizations needing more time.
What this means for your organization
Key Impacts
- Scripts from non‑trusted sources will be blocked. SPFx solutions loading JavaScript from locations not registered as trusted will fail.
- Inline scripts will be blocked entirely. These must be moved into properly hosted script files.
- Any affected SPFx solution may stop functioning on March 1, 2026. This includes internal custom tools and third‑party web parts.
Temporary delay option
Admins may postpone CSP enforcement for 90 days using PowerShell (Note: requires SPO Management Shell version 16.0.26712.12000, Nov 2025 or later):
Set-SPOTenant -DelayContentSecurityPolicyEnforcement $true
Required actions (General)
Verify all script locations
- Audit SPFx solutions to ensure scripts load only from trusted script sources.
- Add missing trusted locations via:
SharePoint Admin Center → Advanced → Script sources
Replace inline scripts
- Move any inline JavaScript into external .js files hosted at trusted locations.
Test SPFx solutions in reporting mode
Until March 1, 2026, CSP is in report‑only mode, which logs violations in browser dev tools.
Look for messages like:
- “Loading the script … violates the following CSP directive…”
- “Executing inline script violates the following CSP directive…”
This helps identify which scripts will break after enforcement.
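The report-only check described above can also be done in code rather than by reading console messages one at a time. The following is an added example, not LiveTiles or Microsoft code: it groups violations into script locations to review, inline scripts to move into files, and everything else. The function name, the sample events and the choice to reduce each URL to its containing folder are assumptions of this example.

```javascript
// Added example: turn CSP report-only violations into a review list.
// Property names follow the standard SecurityPolicyViolationEvent.
function summarizeCspViolations(events) {
  const hitsBySource = new Map(); // folder URL ending in "/" -> violation count
  let inlineScripts = 0;          // inline blocks that must become .js files
  const other = [];               // eval, data:, non-HTTPS: need a code change
  for (const ev of events) {
    const directive = ev.effectiveDirective || ev.violatedDirective || '';
    if (!directive.startsWith('script-src')) continue; // script loads only
    const blocked = ev.blockedURI || '';
    if (blocked === 'inline') { inlineScripts++; continue; }
    let url;
    try { url = new URL(blocked); } catch (e) { other.push(blocked); continue; }
    if (url.protocol !== 'https:') { other.push(blocked); continue; }
    // Assumption: the entry to review is the folder that hosts the script.
    const source = url.origin + url.pathname.replace(/[^/]*$/, '');
    hitsBySource.set(source, (hitsBySource.get(source) || 0) + 1);
  }
  const sources = [...hitsBySource]
    .map(([source, hits]) => ({ source, hits }))
    .sort((a, b) => a.source.localeCompare(b.source));
  return { sources, inlineScripts, other };
}

// Constructed sample events (not captured from a real tenant).
const sampleEvents = [
  { effectiveDirective: 'script-src-elem', blockedURI: 'https://cdn.example.com/widgets/v2/app.js' },
  { effectiveDirective: 'script-src-elem', blockedURI: 'https://cdn.example.com/widgets/v2/vendor.js' },
  { effectiveDirective: 'script-src-elem', blockedURI: 'inline' },
  { effectiveDirective: 'img-src', blockedURI: 'https://img.example.net/a.png' },
  { effectiveDirective: 'script-src', blockedURI: 'eval' },
];

// In a browser: collect events while browsing, then call cspSummary().
if (typeof document !== 'undefined') {
  const seen = [];
  document.addEventListener('securitypolicyviolation', (e) => seen.push(e));
  window.cspSummary = () => summarizeCspViolations(seen);
} else {
  console.log(summarizeCspViolations(sampleEvents));
}
```

Treat each entry in sources as a location to verify before it is registered as trusted; a host nobody recognises is a finding to investigate, not an entry to add.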
Product-specific actions
Reach
If you are using Reach and any of its SPFx‑based components in SharePoint Online, you must update all relevant Reach packages to ensure compatibility with Microsoft’s upcoming CSP enforcement.
1. Identify which Reach packages you are using
You can quickly determine which Reach components are installed by checking your SharePoint Tenant App Catalog:
- Open the SharePoint Admin Center
- Navigate to More features → Apps → App Catalog
- Look through the catalog for Reach‑related SPFx packages (usually identifiable by name or publisher)
Make a list of all Reach packages currently deployed.
2. Download the updated Reach packages
Once you know which packages you use, download the latest updated versions using the links below:
- https://docs.hub.livetiles.io/docs/en/hub/reach_news_webpart/
- https://docs.hub.livetiles.io/docs/en/hub/reach_posts_webpart/
- https://docs.hub.livetiles.io/docs/en/hub/reach_events_webpart/
- https://docs.hub.livetiles.io/docs/en/hub/reach_pages_webpart/
3. Upload & deploy updated packages
After downloading the updated packages:
- Go to your SharePoint Tenant App Catalog
- Upload the updated .sppkg files
- Select Deploy when prompted
- Confirm that the new versions appear as active and are properly distributed to all necessary site collections
4. Validate After Deployment
After updating packages and ensuring Trusted Script Sources are configured:
- Open the relevant SharePoint pages that use the product’s components
- Confirm that all web parts and customizations load and behave correctly
- Use browser developer tools to check for any CSP‑related warnings
- If any related warnings appear, identify the script URLs and add them to Trusted Script Sources
- If any issues remain or if you're in doubt, please don’t hesitate to reach out to our support team for further assistance
LiveTiles Enterprise (former Wizdom)
If your SharePoint environment uses Wizdom and any of its SPFx‑based modules, you must ensure that all relevant Wizdom packages are updated ahead of Microsoft’s CSP enforcement deadline. Updated packages are required to prevent script‑blocking issues that may impact functionality.
If you use Wizdom classic in SharePoint Online, this will not affect you, but you should consider moving to a more modern platform like Omnia and the SharePoint Modern experience.
1. Identify whether you are using Wizdom modern
To check if your tenant uses modern Wizdom modules:
- Navigate to your Wizdom Administration Site
- Go to Admin → Modern experiences
- Review the list of installed modern modules to confirm which components are active, e.g. wizdom-branding, wizdom-quicklinks, module-governance.
If no modern experiences are activated, no Wizdom-specific action is required.
2. Update Wizdom Modern packages
Updated packages can be deployed through the Wizdom Administration Site.
To update:
- Open the Wizdom Administration Site
- Go to Admin → Modern experiences
- Click deploy modern packages immediately, to deploy the modern packages to the tenant app catalog.
This ensures that modern scripts are delivered in a CSP‑compliant manner.
3. Add custom script URLs to trusted script sources manually
If your solution uses custom JavaScript (for example: local enhancements, integrations or module extensions), you must manually add the script URLs to Trusted Script Sources in the SharePoint Admin Center.
Otherwise, these custom scripts will be blocked once CSP enforcement begins.
To add them:
- Open the SharePoint Admin Center
- Go to Advanced → Script sources
- Add the full URLs of any custom scripts used by your application.
This ensures all custom functionality continues to work after CSP enforcement.
4. Validate functionality after updating
After updating packages and ensuring Trusted Script Sources are configured:
- Open the relevant SharePoint pages that use the product’s components
- Confirm that all web parts and customizations load and behave correctly
- Use browser developer tools to check for any CSP‑related warnings
- If any related warnings appear, identify the script URLs and add them to Trusted Script Sources
- If any issues remain or if you're in doubt, please don’t hesitate to reach out to our support team for further assistance
LiveTiles Hub
If your organization uses LiveTiles Hub for Microsoft 365, you must verify that you are deploying the correct package type and updating all required Hub web parts ahead of Microsoft’s CSP enforcement. LiveTiles Hub supports three different package types, and it is critical to install the version that matches your tenant scenario.
All relevant information on LiveTiles Hub can be found here: Installation Guide for Microsoft 365 · LiveTiles Intranet Hub
1. Determine the correct version of LiveTiles Hub
LiveTiles Hub is available in three versions – selecting the correct one is essential:
- LiveTiles.Intranet.Hub.sppkg: Normal version, for tenants using full-trust deployment.
- Livetiles.Intranet.Hub.LandingPage.sppkg: Normal version, for tenants using the LiveTiles Intranet hub landing page.
- LiveTiles.Intranet.Hub.LowTrust.sppkg: Low trust version, for tenants with restricted permissions.
- LiveTiles.Intranet.Hub.APAC.sppkg: Special version for the APAC region.
Before proceeding, confirm which version your tenant must use.
2. Identify which LiveTiles Hub related web part packages you are using
You can quickly determine which LiveTiles Hub components are installed by checking your SharePoint Tenant App Catalog:
- Open the SharePoint Admin Center
- Navigate to More features → Apps → App Catalog
- Look through the catalog for LiveTiles Hub related SPFx packages. You can find a list of available webparts in our knowledge base in the Web Parts section: Installation Guide for Microsoft 365 · LiveTiles Intranet Hub
Make a list of all LiveTiles Hub related packages currently deployed.
3. Upload & deploy the packages to the app catalog
To install LiveTiles Hub and related web parts manually:
- Go to your SharePoint Tenant App Catalog
- Upload the updated .sppkg files
- Select Deploy when prompted
- Confirm that the new versions appear as active and are properly distributed to all necessary site collections
4. Validate functionality after updating
After updating packages and ensuring Trusted Script Sources are configured:
- Open the relevant SharePoint pages that use the product’s components
- Confirm that all web parts and customizations load and behave correctly
- Use browser developer tools to check for any CSP‑related warnings
- If any related warnings appear, identify the script URLs and add them to Trusted Script Sources
- If any issues remain or if you're in doubt, please don’t hesitate to reach out to our support team for further assistance
LiveTiles Operation Center
If your organization uses LiveTiles Operation Center, including the Everywhere Widget, you must prepare for Microsoft’s CSP enforcement to ensure that all associated web parts continue to function.
For the Everywhere Widgets, the script URL must be added manually to Trusted Script sources in the SharePoint Admin center.
1. Identify which LiveTiles Operation Center web parts you are using
To identify which components your tenant uses:
- Check the Site contents of sites using Operation center widgets
- Review your SharePoint Tenant App Catalog for LiveTiles Operation Center related SPFx packages. You can find a list of available web parts here: https://operations.livetiles.io/intranet/webparts
- If the Everywhere Widget is used, verify that the widget script URL is known (required later for Trusted Script Sources)
If you are unsure, review the browser console on a page where Operation center is active – CSP warnings will list blocked script URLs.
2. Upload and deploy updated packages (Only when required)
After downloading the updated packages:
- Go to your SharePoint Tenant App Catalog
- Upload the updated .sppkg files
- Select Deploy when prompted
- Confirm that the new versions appear as active and are properly distributed to all necessary site collections
3. Validate After Deployment
After updating packages and ensuring Trusted Script Sources are configured:
- Open the relevant SharePoint pages that use the product’s components
- Confirm that all web parts and customizations load and behave correctly
- Use browser developer tools to check for any CSP‑related warnings
- If any related warnings appear, identify the script URLs and add them to Trusted Script Sources
- If any issues remain or if you're in doubt, please don’t hesitate to reach out to our support team for further assistance
LiveTiles Directory
If your organization is using LiveTiles Directory, please refer to this knowledge base article on installing and adding directory web parts.
Page Designer
Please see this article https://support.livetilesglobal.com/hc/en-us/articles/33703958831122-Page-Designer-classic-to-modern
Please note: Existing classic pages will continue to render and can still be viewed. However, to ensure that pages can continue to be edited and maintained without issues going forward, we highly recommend upgrading to the Modern Page Designer experience.
Option 2: Manually add the source reported in the console to trusted sources in SharePoint admin
Take the CSP source from the browser console, for example “https://ixppubpweusa01.azureedge.net/livetiles-connect/”.
Go to Tenant App Catalog → show “External Content Domains” to see all of the needed sources.
Add it to the Trusted script sources. Please note that the source URL needs to have the “/” at the end.
Option 3: Run the script to resync sources, can take up to 24 hours
Resynchronize the trusted sources in SharePoint by running the following as SharePoint Administrator (replace <tenant> with your tenant name):
Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
Set-SPOTenant -ResyncContentSecurityPolicyConfigurationEntries $true
(Get-SPOTenant).ResyncContentSecurityPolicyConfigurationEntries
More information from Microsoft: Support for Content Security Policy (CSP) in SharePoint Online