This article provides a deployment plan for building Zero Trust security with Microsoft 365. Zero Trust is a security model that assumes breach and verifies each request as though it originated from an uncontrolled network. Regardless of where the request originates or what resource it accesses, the Zero Trust model teaches us to "never trust, always verify."
Use this article together with this poster.
Zero Trust principles and architecture
Zero Trust is a security strategy. It isn't a product or a service, but an approach in designing and implementing the following set of security principles.
Principle | Description |
---|---|
Verify explicitly | Always authenticate and authorize based on all available data points. |
Use least privilege access | Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection. |
Assume breach | Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses. |
The guidance in this article helps you apply these principles by implementing capabilities with Microsoft 365.
A Zero Trust approach extends throughout the entire digital estate and serves as an integrated security philosophy and end-to-end strategy.
This illustration provides a representation of the primary elements that contribute to Zero Trust.
In the illustration:
- Security policy enforcement is at the center of a Zero Trust architecture. This includes multifactor authentication with Conditional Access that takes into account user account risk, device status, and other criteria and policies that you set.
- Identities, devices, data, apps, network, and other infrastructure components are all configured with appropriate security. Policies that are configured for each of these components are coordinated with your overall Zero Trust strategy. For example, device policies determine the criteria for healthy devices and Conditional Access policies require healthy devices for access to specific apps and data.
- Threat protection and intelligence monitors the environment, surfaces current risks, and takes automated action to remediate attacks.
For more information about Zero Trust, see Microsoft's Zero Trust Guidance Center.
Deploying Zero Trust for Microsoft 365
Microsoft 365 is built intentionally with many security and information protection capabilities to help you build Zero Trust into your environment. Many of the capabilities can be extended to protect access to other SaaS apps your organization uses and the data within these apps.
This illustration represents the work of deploying Zero Trust capabilities. This work is aligned to Zero Trust business scenarios in the Zero Trust adoption framework.
In this illustration the deployment work is categorized into five swim lanes:
- Secure remote and hybrid work — This work builds a foundation of identity and device protection.
- Prevent or reduce business damage from a breach — Threat protection provides real-time monitoring and remediation of security threats. Defender for Cloud Apps provides discovery of SaaS apps, including AI apps, and allows you to extend data protection to these apps.
- Identify and protect sensitive business data — Data protection capabilities provide sophisticated controls targeted at specific types of data to protect your most valuable information.
- Secure AI apps and data — Rapidly protect your organization's use of AI apps and the data they interact with.
- Meet regulatory and compliance requirements — Understand and track your progress toward complying with regulations that affect your organization.
This article assumes you're using cloud identity. If you need guidance for this objective, see Deploy your identity infrastructure for Microsoft 365.
Tip
When you understand the steps and the end-to-end deployment process, you can use the Set up your Microsoft Zero Trust security model advanced deployment guide when signed in to the Microsoft 365 admin center. This guide steps you through applying Zero Trust principles for standard and advanced technology pillars. To step through the guide without signing in, go to the Microsoft 365 Setup portal.
Swim lane 1 — Secure remote and hybrid work
Securing remote and hybrid work involves configuring identity and device access protection. These protections contribute to the Zero Trust principle verify explicitly.
Accomplish the work of securing remote and hybrid work in three phases.
Phase 1 — Implement starting-point identity and device access policies
Microsoft recommends a comprehensive set of identity and device access policies for Zero Trust in this guide — Zero Trust identity and device access configurations.
In phase 1, start by implementing the starting-point tier. These policies don't require enrolling devices into management.
Go to Zero Trust identity and device access protection for detailed prescriptive guidance. This series of articles describes a set of identity and device access prerequisite configurations and a set of Microsoft Entra Conditional Access, Microsoft Intune, and other policies to secure access to Microsoft 365 for enterprise cloud apps and services, other SaaS services, and on-premises applications published with Microsoft Entra application proxy.
Includes | Prerequisites | Doesn't include |
---|---|---|
Recommended identity and device access policies for three levels of protection, plus additional recommendations | Microsoft E3 or E5; Microsoft Entra ID in either of these modes | Device enrollment for policies that require managed devices. See Manage devices with Intune to enroll devices. |
Phase 2 — Enroll devices into management with Intune
Next, enroll your devices into management and begin protecting them with more sophisticated controls.
See Manage devices with Intune for detailed prescriptive guidance on enrolling devices into management.
Includes | Prerequisites | Doesn't include |
---|---|---|
Enroll devices with Intune; configure policies | Register endpoints with Microsoft Entra ID | Configuring information protection capabilities. For these capabilities, see Swim lane 3 — Identify and protect sensitive business data (later in this article). |
For more information, see Zero Trust for Microsoft Intune.
Phase 3 — Add Zero Trust identity and device access protection: Enterprise policies
With devices enrolled into management, you can now implement the full set of recommended Zero Trust identity and device access policies, requiring compliant devices.
Return to Common identity and device access policies and add the policies in the Enterprise tier.
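As an added example (not code from this article or from Microsoft's own guides), the following Python builds the two policy tiers described above in the Microsoft Graph v1.0 conditionalAccessPolicy shape: a starting-point policy (MFA only, the Phase 1 tier that needs no device enrollment) next to the Enterprise policy (MFA and an Intune-compliant device, the Phase 3 tier), and runs a few offline checks on a policy body before anything is submitted. The group ID is a placeholder, and the policy names, the lint rules, and the function names are this example's own choices, not part of the referenced guidance.

```python
"""Conditional Access policy bodies for the starting-point and Enterprise tiers,
in the Microsoft Graph v1.0 conditionalAccessPolicy shape, with offline checks.
Submit a body with POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
(Policy.ReadWrite.ConditionalAccess permission); this module never calls the network."""
from __future__ import annotations

import json

# Constructed placeholder: replace with the object ID of your emergency-access (break-glass) group.
BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000000"

# Values Graph accepts for conditionalAccessPolicy.state.
VALID_STATES = {"enabled", "disabled", "enabledForReportingButNotEnforced"}


def starting_point_policy(break_glass_group_id: str = BREAK_GLASS_GROUP_ID) -> dict:
    """Phase 1 tier: require MFA for all users on all cloud apps; no device enrollment needed.
    Created in report-only mode so the sign-in log shows its impact before enforcement."""
    return {
        "displayName": "ZT starting point - Require MFA for all users",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group_id]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def enterprise_policy(break_glass_group_id: str = BREAK_GLASS_GROUP_ID) -> dict:
    """Phase 3 tier: same scope, but the grant now requires MFA AND a compliant (Intune-managed) device."""
    policy = starting_point_policy(break_glass_group_id)
    policy["displayName"] = "ZT enterprise - Require MFA and compliant device"
    policy["grantControls"] = {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}
    return policy


def lint_policy(policy: dict) -> list[str]:
    """Return a list of findings; an empty list means the body passed every check.
    The checks are this example's own: valid state, an exclusion for emergency-access
    accounts when targeting all users, and an AND operator when several controls are combined."""
    findings: list[str] = []
    if policy.get("state") not in VALID_STATES:
        findings.append(f"unknown state {policy.get('state')!r}")

    users = policy.get("conditions", {}).get("users", {})
    if users.get("includeUsers") == ["All"] and not (users.get("excludeGroups") or users.get("excludeUsers")):
        findings.append("targets all users with no emergency-access exclusion")

    grant = policy.get("grantControls", {})
    controls = grant.get("builtInControls", [])
    if not controls and not policy.get("sessionControls"):
        findings.append("no grant or session controls: the policy does nothing")
    if len(controls) > 1 and grant.get("operator") != "AND":
        findings.append("multiple controls joined with OR: any one control satisfies the grant")
    return findings


def to_request_body(policy: dict) -> str:
    """Serialize a policy for the POST request body after it passes lint."""
    problems = lint_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for build in (starting_point_policy, enterprise_policy):
        print(to_request_body(build()))
```

Creating the policy in report-only state first, then switching `state` to `enabled` once the sign-in log shows the expected outcomes, mirrors the phased rollout above: the Enterprise body is identical to the starting-point body apart from its grant controls, so the only new requirement users meet in Phase 3 is the compliant-device check that Phase 2 enrollment makes possible.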
Read more about how to secure remote and hybrid work in the Zero Trust adoption framework — Secure remote and hybrid work.
Swim lane 2 — Prevent or reduce business damage from a breach
Microsoft Defender XDR is an extended detection and response (XDR) solution that automatically collects, correlates, and analyzes signal, threat, and alert data from across your Microsoft 365 environment, including endpoint, email, applications, and identities. Additionally, Microsoft Defender for Cloud Apps helps organizations identify and manage access to SaaS apps, including GenAI apps.
Prevent or reduce business damage from a breach by piloting and deploying Microsoft Defender XDR.
Go to Pilot and deploy Microsoft Defender XDR for a methodical guide to piloting and deploying Microsoft Defender XDR components.
Includes | Prerequisites | Doesn't include |
---|---|---|
Set up the evaluation and pilot environment for all components; protect against threats; investigate and respond to threats | See the guidance to read about the architecture requirements for each component of Microsoft Defender XDR. | Microsoft Entra ID Protection isn't included in this solution guide. It's included in Swim lane 1 — Secure remote and hybrid work. |
Read more about how to prevent or reduce business damage from a breach in the Zero Trust adoption framework — Prevent or reduce business damage from a breach.
Swim lane 3 — Identify and protect sensitive business data
Implement Microsoft Purview Information Protection to help you discover, classify, and protect sensitive information wherever it lives or travels.
Microsoft Purview Information Protection capabilities are included with Microsoft Purview and give you the tools to know your data, protect your data, and prevent data loss. You can begin this work anytime.
Microsoft Purview Information Protection provides a framework, process, and capabilities you can use to accomplish your specific business objectives.
For more information on how to plan and deploy information protection, see Deploy a Microsoft Purview Information Protection solution.
Read more about how to identify and protect sensitive business data in the Zero Trust adoption framework — Identify and protect sensitive business data.
Swim lane 4 — Secure AI apps and data
Microsoft 365 includes capabilities to help organizations rapidly secure AI apps and the data they use.
Start by using Purview Data Security Posture Management (DSPM) for AI. This tool focuses on how AI is used in your organization, especially your sensitive data that interacts with AI tools. DSPM for AI provides deeper insights for Microsoft Copilots and third-party SaaS applications like ChatGPT Enterprise and Google Gemini.
The following diagram shows one of the aggregated views into the impact of AI use on your data—Sensitive interactions per generative AI app.
Use DSPM for AI to:
- Gain visibility into AI usage, including sensitive data.
- Review data assessments to learn about gaps in oversharing that can be mitigated with SharePoint oversharing controls.
- Find gaps in your policy coverage for sensitivity labels and data loss prevention (DLP) policies.
Defender for Cloud Apps is another powerful tool to discover and govern SaaS GenAI apps and usage. Defender for Cloud Apps includes more than a thousand generative AI-related apps in the catalog, providing visibility into how generative AI apps are used in your organization and helping you manage them securely.
In addition to these tools, Microsoft 365 provides a comprehensive set of capabilities for securing and governing AI. See Discover, protect, and govern AI apps and data to learn how to get started with these capabilities.
The following table lists the Microsoft 365 capabilities with links to more information in the Security for AI library.
Swim lane 5 — Meet regulatory and compliance requirements
Regardless of the complexity of your organization's IT environment or the size of your organization, new regulatory requirements that might affect your business continue to accumulate. A Zero Trust approach often exceeds some types of requirements imposed by compliance regulations, for example, those controlling access to personal data. Organizations that have implemented a Zero Trust approach may find that they already meet some new conditions or can easily build on their Zero Trust architecture to become compliant.
Microsoft 365 includes capabilities to assist with regulatory compliance, including:
- Compliance Manager
- Content explorer
- Retention policies, sensitivity labels, and DLP policies
- Communication compliance
- Data lifecycle management
- Priva Privacy Risk Management
Use the following resources to meet regulatory and compliance requirements.
Resource | More information |
---|---|
Zero Trust adoption framework — Meet regulatory and compliance requirements | Describes a methodical approach your organization can follow, including defining strategy, planning, adopting, and governing. |
Govern AI apps and data for regulatory compliance | Addresses regulatory compliance for the emerging AI-related regulations, including specific capabilities that help. |
Manage data privacy and data protection with Microsoft Priva and Microsoft Purview | Assess risks and take appropriate action to protect personal data in your organization's environment using Microsoft Priva and Microsoft Purview. |
Next steps
Learn more about Zero Trust by visiting the Zero Trust guidance center.