
Zero trust in Microsoft 365

What zero trust actually means in a Microsoft 365 context — and the concrete controls that get you there.

"Zero trust" is one of the most overused phrases in security. In a Microsoft 365 context it has a specific, useful meaning: every access decision is made at request time based on user, device, app, and risk signals, and no implicit trust is granted by being inside the corporate network.

The three principles

Microsoft frames zero trust as three principles:

  1. Verify explicitly — every access decision uses all available signals (identity, device, location, risk, app, data sensitivity).
  2. Use least privilege — just-in-time, just-enough access; PIM and entitlement management.
  3. Assume breach — minimise blast radius, segment, encrypt, monitor.

These principles are intentionally generic. The interesting question is what they look like as specific controls in Microsoft 365.

Zero trust in practice

Identity

  • MFA enforced everywhere.
  • Conditional Access as the policy decision point for every Microsoft 365 sign-in.
  • Passwordless for as many users as possible (Microsoft Authenticator, Windows Hello, FIDO2).
  • PIM for privileged roles — no standing Global Admins.
  • Identity Protection policies for risky users / sign-ins.

Devices

  • Intune managing every endpoint, with compliance policies feeding Conditional Access.
  • Defender for Endpoint with EDR, ASR rules, tamper protection.
  • App protection policies for personal devices (MAM-WE, mobile application management without enrolment).
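
The Identity and Devices bullets above describe Conditional Access as the policy decision point that every Microsoft 365 sign-in passes through, fed by identity, device-compliance and risk signals. The following is an added example, not code from the original article or from Microsoft: a small Python simulation of that evaluation. The policy names, user and group names, and the sample sign-ins are constructed for the example; real policies are objects in Entra ID, and only the evaluation semantics are reproduced here (exclusions win, a block from any applicable policy wins, and the grant controls of all applicable policies are ANDed).

```python
"""Added example (not code from the original article or from Microsoft): a small
simulation of how Conditional Access acts as the policy decision point for a
Microsoft 365 sign-in. Policy names, users, groups and the sample sign-ins are
constructed for the example; only the evaluation semantics are modelled."""
from dataclasses import dataclass, field


@dataclass
class SignIn:
    """Signals available at request time (constructed sample data)."""
    user: str
    groups: set
    app: str
    client_app: str              # "browser", "mobile" or "legacy" (basic auth)
    device_compliant: bool       # result of the Intune compliance policy
    sign_in_risk: str = "none"   # Identity Protection: none/low/medium/high
    mfa_satisfied: bool = False  # MFA already completed in this session


@dataclass
class Policy:
    """One Conditional Access policy: assignments plus access controls."""
    name: str
    include_users: set = field(default_factory=lambda: {"All"})  # users or groups
    exclude_users: set = field(default_factory=set)
    include_apps: set = field(default_factory=lambda: {"All"})
    client_apps: set = field(default_factory=lambda: {"all"})
    sign_in_risk: set = field(default_factory=set)  # empty = any risk level
    block: bool = False
    require: set = field(default_factory=set)       # "mfa", "compliant_device"

    def applies(self, s: SignIn) -> bool:
        """True when every assignment condition matches the sign-in."""
        principals = {s.user} | s.groups
        if principals & self.exclude_users:
            return False  # exclusions always win (break-glass accounts live here)
        if "All" not in self.include_users and not principals & self.include_users:
            return False
        if "All" not in self.include_apps and s.app not in self.include_apps:
            return False
        if "all" not in self.client_apps and s.client_app not in self.client_apps:
            return False
        if self.sign_in_risk and s.sign_in_risk not in self.sign_in_risk:
            return False
        return True


def evaluate(policies, s: SignIn):
    """Decide one sign-in. Returns (decision, detail) where decision is
    "block", "challenge" (an MFA prompt is needed) or "grant"."""
    matched = [p for p in policies if p.applies(s)]
    blocking = [p.name for p in matched if p.block]
    if blocking:
        return "block", blocking          # any block beats every grant control
    required = set().union(*(p.require for p in matched))  # AND across policies
    if "compliant_device" in required and not s.device_compliant:
        # Cannot be satisfied interactively: the device must be remediated first.
        return "block", ["compliant_device not satisfied"]
    if "mfa" in required and not s.mfa_satisfied:
        return "challenge", ["mfa"]
    return "grant", sorted(p.name for p in matched)


# Constructed baseline mirroring the Identity and Devices bullets in the article.
BASELINE = [
    Policy("Require MFA for all users", exclude_users={"breakglass-1"}, require={"mfa"}),
    Policy("Block legacy authentication", client_apps={"legacy"}, block=True),
    Policy("Require compliant device for Exchange", include_apps={"Exchange Online"},
           require={"compliant_device"}),
    Policy("Block high-risk sign-ins", sign_in_risk={"high"}, block=True),
]


if __name__ == "__main__":
    samples = {
        "browser, compliant, no MFA yet": SignIn("alice", {"staff"}, "Exchange Online", "browser", True),
        "legacy client": SignIn("alice", {"staff"}, "Exchange Online", "legacy", True),
        "non-compliant device": SignIn("alice", {"staff"}, "Exchange Online", "browser", False, mfa_satisfied=True),
        "high-risk sign-in": SignIn("alice", {"staff"}, "Teams", "browser", True, "high", True),
        "break-glass account": SignIn("breakglass-1", set(), "Azure portal", "browser", False),
    }
    for label, s in samples.items():
        print(f"{label:32} -> {evaluate(BASELINE, s)}")
```

Two things the simulation makes visible. None of the policies consult the network the request came from, so a sign-in from the corporate LAN is evaluated exactly like one from a coffee shop; that is the "no implicit trust from being inside the network" point in one line of code. And the break-glass exclusion means that account is never challenged for MFA, which is why such accounts need their own monitoring rather than relying on the policy set.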

Data

  • Sensitivity labels classifying data at creation, with encryption attached.
  • DLP policies preventing exfiltration through Exchange, Teams, SharePoint, OneDrive, and endpoints.
  • Retention policies preserving and disposing of data on a clear schedule.
  • SharePoint Advanced Management restricting high-risk site access.

Apps

  • Defender for Cloud Apps monitoring SaaS posture.
  • Conditional Access App Control for session-level controls on SaaS.
  • App consent policies limiting which third-party apps users can grant Graph permissions to.

Network

  • Network protection in Defender for Endpoint blocking malicious destinations.
  • Defender for Cloud Apps identifying shadow IT via firewall/proxy logs.
  • Microsoft Entra Private Access and Internet Access (Microsoft's SSE / SASE offerings) replacing legacy VPN and adding identity-aware network controls.

What zero trust replaces

Zero trust replaces the network-as-trust-boundary model, in which being on the corporate VPN gave broad access to internal apps. In a zero-trust model, every app is published through Entra ID with Conditional Access — including legacy on-premises web apps via Entra Application Proxy or Entra Private Access.

Where to start

If you're at the beginning: get to the Tier 1 baseline in the Microsoft 365 security baselines guide. That's already 80% of practical zero trust for most organisations. The rest is iterative refinement, not a separate project.