Microsoft is rolling out strict Content Security Policy (CSP) enforcement starting Jan 2026.
- After Jan 30, 2026, Power Apps will block external scripts, images, and API calls by default.
- If you want your app to use them, you must add those external sources to the allowlist.
If your app is business-critical, go to Power Platform Admin Center:
- ✅Temporarily turn OFF CSP enforcement.
- ✅Turn ON reporting mode.
- ✅Test your app and see which external sources get flagged.
- ✅Add required sources to the allowlist
- ✅Turn CSP enforcement back on
This is the safest way to understand exactly what your app depends on before enforcement becomes mandatory.
If your app doesn’t rely on external assets keep enforcement on, but I’d still suggest enabling reporting to proactively spot issues.
Microsoft has shared detailed guidance here: https://learn.microsoft.com/en-us/power-apps/developer/code-apps/how-to/content-security-policy