GTconsult

SharePoint CSP: Lessons Learned After Enforcement

31.03.26 02:28 PM Comment(s) By Boitumelo

1 March came and went. Here's what actually broke, what held up fine, and what everyone who was "planning to deal with it later" is dealing with right now.

Microsoft's SharePoint Online Content Security Policy enforcement went live on 1 March 2026. For teams that had prepared, audited their violations, refactored inline scripts, registered trusted sources: it was a non-event. For those who hadn't, it was a rough Monday morning. This post captures what we've seen in the aftermath: what broke, what didn't, and what the experience teaches us about managing security changes in a modern SharePoint environment.

What Actually Broke


Commonly Affected: Inline Scripts in Content Editor Web Parts

Classic content editor web parts with embedded JavaScript were one of the most common failure points. Many organisations had years-old scripts sitting in these parts that nobody had touched, and nobody realised were inline until they stopped working.


Commonly Affected: Third-Party Integrations Using Dynamic Injection

Analytics tools, chatbots, CRM connectors, and similar third-party solutions that inject scripts dynamically at runtime without pre-registration were blocked. Some vendors had updated their SharePoint integrations ahead of enforcement; others hadn't.


Partially Affected: Custom SPFx Web Parts with Dynamic Loading

Web parts using SPComponentLoader.loadScript() to pull in external libraries at runtime worked fine if those sources were pre-registered in Trusted Script Sources, and broke if they weren't. This split outcome caught off guard some teams who had assumed their SPFx solutions were automatically safe.


Unaffected: Standard SPFx Bundles via cdnBasePath or externals

Solutions deployed through proper SPFx packaging (bundles referenced via cdnBasePath, or external libraries declared in config.json) were automatically added to Trusted Script Sources on installation and were entirely unaffected by enforcement.


Unaffected: Classic SharePoint Pages

CSP enforcement only applies to modern SharePoint pages. Organisations still running classic team sites or publishing sites were not affected, though the long-term trajectory of classic SharePoint remains what it is.


Still running classic SharePoint? CSP is one of many reasons the clock is ticking. Our Support Manager Barend Olivier walks through exactly what's at stake and how to move forward in our on-demand webinar, Migration & Modernization: From Legacy to Modern.

The Common Thread in Failures

Looking across the common failure patterns, there's a single theme: legacy script patterns that nobody had revisited in years. The solutions that broke were rarely recently built; they were older integrations, older web parts, and scripts embedded when SharePoint was configured years ago and then forgotten.

CSP enforcement didn't create new problems; it surfaced old ones. That's actually the point. The report-only window from late 2025 through 28 February was designed exactly for this: a chance to audit before enforcement hit. Teams that used that window had nothing to worry about on 1 March. Teams that didn't are doing triage now.

The Fix Is Usually Simpler Than It Sounds

One of the more reassuring findings: for most organisations, the actual remediation work is not as complex as it sounds once you know what you're dealing with. The common fixes are:

  • Inline scripts: Extract into a .js file, host it somewhere trusted, and update the reference. An afternoon of work in most cases.
  • Untrusted external sources: Add the domain to Trusted Script Sources in the SharePoint Admin Center. A few minutes per source.
  • Third-party vendor tools: Contact the vendor. Most major vendors had CSP-compliant updates available before enforcement, so it's usually a version upgrade.

The difficulty isn't the fix itself. It's the discovery: knowing which scripts exist, where they live, and what they load. That's why the Purview audit log is so valuable: run a search for "Violated Content Security Policy" to get the full map.
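To make the discovery step concrete, here is an added example (not GTconsult's tooling and not a Microsoft API) that takes page markup of the kind a Content Editor web part holds, inventories every script tag, and records the verdict enforcement would give it: inline scripts are blocked outright, external scripts are allowed only when their host is in the trusted list. The sample HTML and the trusted-host set are constructed for the example; exact host matching is an assumed simplification of how the Admin Center matches sources.

```python
import re
from urllib.parse import urlparse

# Constructed sample markup: one inline script, one script served from a host
# we assume is registered, one from an unregistered analytics vendor.
SAMPLE_HTML = """
<div class="ms-rte-embedcode">
  <script>document.title = 'Legacy banner';</script>
  <script src="https://contoso.sharepoint.com/sites/cdn/ClientSideAssets/banner.js"></script>
  <script type="text/javascript" src="https://analytics.example-vendor.com/tag.js"></script>
</div>
"""

# Assumed set of hosts registered under Trusted Script Sources (constructed).
TRUSTED_SCRIPT_SOURCES = {"contoso.sharepoint.com"}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)


def inventory_scripts(html, trusted=TRUSTED_SCRIPT_SOURCES):
    """Return one record per <script> tag with the verdict CSP enforcement would give."""
    findings = []
    for attrs, body in SCRIPT_TAG.findall(html):
        src = SRC_ATTR.search(attrs)
        if src is None:
            # Inline script: blocked under enforcement; remediation is to
            # extract it into a hosted .js file and reference that instead.
            findings.append({"kind": "inline", "source": body.strip()[:40],
                             "verdict": "blocked",
                             "fix": "extract to .js and host on a trusted source"})
            continue
        host = urlparse(src.group(1)).hostname or ""
        allowed = host in trusted  # simplification: exact host match
        findings.append({"kind": "external", "source": host,
                         "verdict": "allowed" if allowed else "blocked",
                         "fix": None if allowed else "register host in Trusted Script Sources"})
    return findings


def summarize(findings):
    """Count blocked scripts by kind: the triage list for the remediation backlog."""
    summary = {"inline": 0, "external": 0}
    for f in findings:
        if f["verdict"] == "blocked":
            summary[f["kind"]] += 1
    return summary


if __name__ == "__main__":
    result = inventory_scripts(SAMPLE_HTML)
    for f in result:
        print(f"{f['kind']:8} {f['verdict']:8} {f['source']}  -> {f['fix'] or 'no action'}")
    print(summarize(result))
```

Point it at exported page content from your own tenant and diff the external hosts it reports against what is actually registered in Trusted Script Sources.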

What This Tells Us About Security Governance

CSP enforcement is a useful lens on a broader question: how well do organisations actually know what JavaScript is running in their SharePoint environment? For many, the honest answer before 1 March was "not very well." Scripts accumulate over years of SharePoint growth, solutions built by people who've left, integrations set up for projects long since finished, vendor tools added during evaluations that never quite got removed.

CSP enforcement forced an audit that should have been happening on an ongoing basis. The silver lining: teams that went through the remediation process now have a much cleaner, better-documented picture of their SharePoint script landscape than they did before.


If You're Still Cleaning Up

Check your Purview audit log, work through violations methodically, and use ?csp=enforce on individual pages to verify fixes. If you're on the 90-day delay, enforcement hits 1 June 2026. Use the time you have.

Need our help?

Chat to us and let's help you navigate this change.

Boitumelo
