
The Comprehensive Playbook for Implementing Zero Trust Security
The Comprehensive Playbook for Implementing Zero Trust Security 2

Contents
Why Zero Trust? 3
Zero Trust fundamentals
  Identity 6
  Endpoints 11
  Network 15
  Data 22
  Applications 27
  Infrastructure 32
Making Zero Trust a reality with help from Microsoft 38

Who this is for
IT and business leaders looking to secure their IT environments using a Zero Trust framework. This guide presents a comprehensive explanation of the Microsoft Zero Trust framework, along with specific steps to take in any or all of the six key areas of organizational security strategy.

Why Zero Trust?


Proliferating data and devices, growth in hybrid work, and increasingly sophisticated attacks reduce the effectiveness of perimeter-based IT security. IT professionals manage an enormous variety of technologies. Businesses commonly use a mix of cloud and on-premises infrastructure, platforms, and software. They may have multiple cloud providers and systems. Employees work on personal devices and can easily access cloud apps and services. Data exists in more places than ever before, which makes it more valuable, but also more vulnerable.

In response, many organizations, including Microsoft, are adopting a Zero Trust security framework. Zero Trust is a proactive, integrated approach to security across all layers of the digital estate that explicitly and continuously verifies every transaction, asserts least privilege, and relies on intelligence, advanced detection, and real-time response to threats:

• Verify explicitly: Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.

• Use least-privileged access: Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies, and data protection to help secure both data and productivity.

• Assume breach: Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

Modern threat protection is a critical component of all three areas, enabling organizations to detect attacks and anomalies, automatically block and flag risky behavior, take protective actions, and manage the growing influx of threat data.

How easily an organization can adopt these principles varies depending on its individual security challenges, needs, and capabilities. In other words, the journey to Zero Trust is unique to your business.

To help you get there faster, Microsoft has developed a flexible Zero Trust framework to guide adoption.
It provides comprehensive guidance covering the six key risk areas addressed by Zero Trust:

Identity
Automate risk detection and remediation and secure access to resources with strong authentication across the entire digital estate.

Data
Classify, label, and protect data across cloud and on-premises environments to help prevent inappropriate sharing and reduce insider risks.

Endpoints
Defend the larger attack surface created by the growing number and diversity of endpoints using a flexible, integrated approach to management.

Applications
Maintain highly secure employee access to cloud and mobile apps, as well as remote access to on-premises enterprise apps.

Network
Reduce perimeter-based security vulnerabilities, including the need for VPNs, and improve scalability of security solutions for environments where the cloud is increasingly the center of IT services.

Infrastructure
Protect hybrid infrastructure, including on-premises IT and cloud environments, with more efficient and automated management.

By adopting a Zero Trust framework in one or all of these areas, you can effectively modernize your security technology and processes, and start to maximize protection in the face of modern threats. However, each organization will have different priorities depending on its current capabilities and the level of risk represented by a given security area. This guide makes it easy for you to get a broad overview of Zero Trust, as well as detailed information and actionable steps for your areas of focus.
Figure: Microsoft Zero Trust architecture (the diagram on page 5 of the original, reproduced here as a list of its components)
• Identities (human, non-human): strong authentication; request enhancement
• Endpoints (corporate, personal): device compliance; risk assessment
• Zero Trust policy: policy optimization (governance policy, compliance, security posture assessment, productivity optimization); evaluation and enforcement; threat protection (continuous assessment, threat intelligence, forensics, response automation)
• Network (public, private): traffic filtering and segmentation
• Data (emails and documents, structured data): classify, label, encrypt
• Apps (SaaS apps, on-premises apps): adaptive access
• Infrastructure (IaaS, PaaS, internal sites, containers, serverless): runtime control; JIT and version control
• Telemetry / analytics / assessment

Zero Trust fundamentals

Identity
Cloud applications and the growth of hybrid work have redefined the security perimeter. Corporate applications and data are also moving from on-premises to hybrid and cloud environments. Many organizations rely on older identity and access management, built for a world with a clear line between what’s inside and what’s outside the network.

These systems make it difficult for people to access the apps and data they need and create security gaps by granting excessive privileges to trusted users. A Zero Trust framework, incorporating cloud-based identity solutions such as multi-factor authentication and single sign-on (SSO) across the environment, is better suited to the modern workplace.

Identity Controls for a Zero Trust framework

Implement multi-factor authentication
Multi-factor authentication helps protect your apps by requiring users to confirm their identity using a second source of validation, such as a phone or token, before access is granted.

• Tools such as Microsoft Entra ID enable multi-factor authentication for free.

• Microsoft Entra ID Multi-Factor Authentication (MFA) helps safeguard access to data and apps, providing another layer of security by using a second form of authentication. Organizations can enable multi-factor authentication with Conditional Access to make the solution fit their specific needs.

Enable passwordless authentication
Passwordless authentication methods provide a simpler and more secure authentication experience across the web and mobile devices. These methods allow users to authenticate easily and securely without requiring a password.

• If you have Microsoft Entra ID, you can enable tools like the Microsoft Authenticator app so that users can sign into any Microsoft Entra account without using a password. Microsoft Authenticator uses key-based authentication to enable a user credential that is tied to a device, where the device uses a PIN or biometric. Windows Hello for Business uses a similar technology.

• Start with a low-risk group and explain the benefits of eliminating passwords. Deploy MFA with a passwordless authentication option until people are comfortable with it and then start replacing passwords and dependencies on passwords in the background.

• Implement single sign-on (SSO). This removes the need to manage multiple credentials for the same person and delivers a better user experience with fewer sign-in prompts.

• Microsoft Entra ID provides an SSO experience to popular software as a service (SaaS) apps, on-premises apps, and custom-built apps that reside on any cloud for any user type and any identity.

• When you plan your SSO deployment with your apps in Microsoft Entra ID, consider these questions:
  • What are the administrative roles required for managing the application?
  • Does the certificate need to be renewed?
  • Who needs to be notified of changes related to the implementation of SSO?
  • What licenses are needed to ensure effective management of the application?
  • Are shared user accounts used to access the application?

Enforce access controls with adaptive, risk-based policies
Move beyond simple access/block decisions and tailor decisions based on risk appetite—such as allowing access, blocking, limiting access, or requiring additional proofs like multi-factor authentication.

• Conditional Access in Microsoft Entra ID enables you to enforce fine-tuned adaptive access controls, such as requiring multi-factor authentication based upon user context, device, location, and session risk information.

• You’ll need a working Microsoft Entra tenant with Microsoft Entra ID Premium or trial license enabled. If needed, you can create one with Conditional Access administrator privileges for free.

• Create a non-administrator user with a password you know and create a group that the non-administrator user is a member of in Microsoft Entra ID.

• Fine-tune your Conditional Access policies by asking questions about who should access your resources, what resources they should access, and under what conditions. Policies can be designed to grant access, or to block access. Be sure to ask specific questions about what your policy is trying to achieve.

• Document the answers to questions for each policy before building them out and deploy them in phases in the production environment. First apply a policy to a small set of users in a test environment and verify if the policy behaves as expected.

Block legacy authentication
One of the most common attack vectors for malicious actors is to use stolen or replayed credentials against legacy protocols, such as SMTP, that can’t use modern security challenges.

• Legacy authentication protocols like POP, SMTP, IMAP, and MAPI can’t enforce MFA, making them preferred entry points for adversaries attacking your organization.

• While rolling out legacy authentication blocking protection, we recommend a phased approach, rather than disabling it for all users all at once. Before you can block legacy authentication in your directory, you need to first understand if your users have apps that use legacy authentication and how it affects your overall directory.

• The easiest way to block legacy authentication across your entire organization is by configuring a Conditional Access policy that applies specifically to legacy authentication clients and blocks access.

• Even if your organization isn’t ready to block legacy authentication across the entire organization, you should ensure that sign-ins using legacy authentication aren’t bypassing policies that require grant controls such as requiring multifactor authentication or compliant/hybrid Microsoft Entra ID joined devices.

Automate risk detection and remediation
Real-time risk assessments can help protect against identity compromise at the time of login and during sessions.

• Azure Identity Protection delivers real-time continuous detection, automated remediation, and connected intelligence to investigate risky users and sign-ins to address potential vulnerabilities.

• Data from Identity Protection can be exported to other tools for archive and further investigation and correlation. The Microsoft Graph-based APIs allow organizations to collect this data for further processing, such as with their SIEM solution.

• Enable Identity Protection to get started. Bring in user session data from Microsoft Defender for Cloud Apps to enrich Microsoft Entra ID with possible risky user behavior after they were authenticated.
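The two procedures above (tailoring Conditional Access decisions to context and risk, and rolling out a legacy-authentication block in phases) can be reasoned about with a local model before anything is changed in a tenant. The following is an added example written for this playbook, not Microsoft's code: the policy dictionaries use the field names of the Microsoft Graph conditionalAccessPolicy resource (state, conditions, grantControls, clientAppTypes, signInRiskLevels), but the evaluator is a deliberately simplified simulation of the engine, and the group names, application id and user names are constructed.

```python
"""Local model of Conditional Access evaluation for policy design and staged rollout.

Added example, not Microsoft's code. The policy dictionaries follow the
Microsoft Graph conditionalAccessPolicy field names; the matching logic is a
simplified model written for this illustration, not the Entra ID engine.
Group names, app ids and user names are constructed.
"""
from dataclasses import dataclass, field

# Phase 1 of a legacy-authentication block: report-only, so sign-ins that
# would be blocked are recorded without being enforced yet.
BLOCK_LEGACY_AUTH = {
    "displayName": "Block legacy authentication",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": ["break-glass-accounts"]},
        "applications": {"includeApplications": ["All"]},
        # Exchange ActiveSync and "other clients" (POP, IMAP, SMTP AUTH, MAPI)
        # are the client app types that cannot perform an MFA challenge.
        "clientAppTypes": ["exchangeActiveSync", "other"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

REQUIRE_MFA_ON_RISK = {
    "displayName": "Require MFA for medium or high sign-in risk",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        "signInRiskLevels": ["medium", "high"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# A policy first scoped to a small pilot group, as the playbook recommends.
PILOT_COMPLIANT_DEVICE = {
    "displayName": "Pilot: MFA and compliant device for the finance app",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": ["ca-pilot-users"]},
        "applications": {"includeApplications": ["finance-app-id"]},  # constructed app id
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
    },
    "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
}

TENANT_POLICIES = [BLOCK_LEGACY_AUTH, REQUIRE_MFA_ON_RISK, PILOT_COMPLIANT_DEVICE]


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset
    app: str
    client_app_type: str   # one of the Graph clientAppTypes values
    risk: str = "none"     # sign-in risk level from Identity Protection


@dataclass
class Decision:
    blocked: bool = False
    required_controls: set = field(default_factory=set)
    report_only_hits: list = field(default_factory=list)


def _users_match(users: dict, s: SignIn) -> bool:
    if s.user in users.get("excludeUsers", []) or s.groups & set(users.get("excludeGroups", [])):
        return False
    if "All" in users.get("includeUsers", []) or s.user in users.get("includeUsers", []):
        return True
    return bool(s.groups & set(users.get("includeGroups", [])))


def _applies(policy: dict, s: SignIn) -> bool:
    c = policy["conditions"]
    if not _users_match(c.get("users", {}), s):
        return False
    apps = c.get("applications", {}).get("includeApplications", [])
    if "All" not in apps and s.app not in apps:
        return False
    client_types = c.get("clientAppTypes", ["all"])
    if "all" not in client_types and s.client_app_type not in client_types:
        return False
    risk_levels = c.get("signInRiskLevels")  # absent means "any risk level"
    return not risk_levels or s.risk in risk_levels


def evaluate(policies: list, s: SignIn) -> Decision:
    """Block wins over any grant; otherwise collect the controls to satisfy.

    Simplification: every listed control is treated as required (the model
    ignores the OR operator, which in Entra ID lets the user satisfy one).
    """
    d = Decision()
    for p in policies:
        if p["state"] == "disabled" or not _applies(p, s):
            continue
        controls = set(p["grantControls"]["builtInControls"])
        if p["state"] == "enabledForReportingButNotEnforced":
            d.report_only_hits.append(p["displayName"])
        elif "block" in controls:
            d.blocked = True
        else:
            d.required_controls |= controls
    return d


def enforce(policy: dict) -> dict:
    """Phase 2: flip a report-only policy to enforced once its impact is understood."""
    return {**policy, "state": "enabled"}


if __name__ == "__main__":
    imap = SignIn("alice@contoso.example", frozenset(), "exchange-online", "other", risk="high")
    print(evaluate(TENANT_POLICIES, imap))
    print(evaluate([enforce(BLOCK_LEGACY_AUTH)], imap))
```

Running the model on an IMAP sign-in (client app type `other`) with high sign-in risk shows the gap the playbook warns about: the MFA-on-risk policy never applies because legacy clients cannot be challenged, so nothing is enforced, while the report-only block records that it would have applied. Switching the legacy block to enforced closes the gap, and the break-glass exclusion keeps emergency accounts reachable.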

Enrich your Identity and Access Management (IAM) solution with more data
The more data you feed your IAM solution, the more you can improve your security posture with granular access decisions and better visibility into users accessing corporate resources.

• Microsoft Entra ID, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoint work together to provide enriched signal processing for better decision making.

• Configure Conditional Access in Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps.

Improve your identity security posture
The identity secure score in Microsoft Entra ID helps you assess your identity security posture by analyzing how well your environment aligns with Microsoft best-practice recommendations for security.

• The identity secure score is available in all editions of Microsoft Entra ID. Organizations can access their identity secure score from the Azure portal > Microsoft Entra ID > Security > Identity Secure Score.

• To see your score history, visit the Microsoft 365 Defender portal and review your overall Microsoft Secure Score. You can review changes to your overall secure score by clicking on View History. Choose a specific date to see which controls were enabled for that day and what points you earned for each one.

Learn more about solutions for Zero Trust identity
• Multi-factor authentication
• Conditional Access
• Passwordless authentication
• Conditional Access administrator privileges
• Microsoft Defender for Cloud Apps
• Microsoft Defender for On-Premises Identity Security
• Microsoft Defender for Endpoint
• Microsoft 365 Defender portal

Find out more about securing Identity with Zero Trust

Zero Trust fundamentals

Endpoints
The modern enterprise has an incredible diversity of endpoints accessing data, but not all these endpoints are managed or even owned by the organization, leading to different device configurations and software patch levels. This creates a massive attack surface.

An end-to-end Zero Trust framework can help you improve endpoint security so you can enable more secure hybrid work and take advantage of device-dependent strategies such as IoT and edge computing.

Endpoint protection involves monitoring and protecting endpoints against cyberthreats. Protected endpoints include desktops, laptops, smartphones, tablet computers, and other devices. Organizations need a comprehensive solution that enables discovery of all endpoints and even network devices, such as routers. It should also provide vulnerability management, endpoint protection, and endpoint detection and response (EDR).

Essentials of Zero Trust for endpoints

Register devices with your identity provider
To monitor security and risk across multiple endpoints used by any one person, you need visibility in all devices and access points that may be accessing your resources.

• You can register devices with Microsoft Entra ID to provide visibility into which devices are accessing your network, as well as the ability to use device health and status information in access decisions.

• Device identities are a prerequisite for scenarios like device-based Conditional Access policies and Mobile Device Management with Microsoft Endpoint Manager.

• You can ensure device and app compliance to control data flow outside trusted mobile apps and devices through mobile app management (MAM) and mobile device management (MDM) policies.

Enroll devices in Mobile Device Management for internal users
Once data access is granted, being able to control what the user does with your corporate data is critical to mitigating risk.

• Microsoft Endpoint Manager enables endpoint provisioning, configuration, automatic updates, device wipe, and other remote actions.

• You can ensure device and app compliance to control data flow outside trusted mobile apps and devices through mobile app management (MAM) and mobile device management (MDM) policies and set up mobile device management for all internal users.

Ensure compliance before granting access
Once you have identity for all the endpoints accessing corporate resources—and before access is granted—ensure that they meet the minimum security requirements set by your organization.

• Microsoft Endpoint Manager can help you set compliance rules to ensure that devices meet minimum-security requirements before access is granted.

Enable access for unmanaged devices as needed
Enabling your employees to access appropriate resources from unmanaged devices can be critical to maintaining productivity. However, it’s still imperative to protect your data.

• Microsoft Intune Mobile Application Management lets you publish, push, configure, secure, monitor, and update mobile apps for your users, ensuring they have access to the apps they need to do their work.

• To configure access for unmanaged devices, Intune app protection encrypts “corporate” data before it is shared outside the app. You can validate this by attempting to open the “corporate” file outside of the managed app. The file should be encrypted and unable to be opened outside the managed app.

Enroll devices in Mobile Device Management for external users
Enrolling devices from external users (such as contractors, vendors, partners, etc.) into your MDM solution is a great way to help protect your data and ensure users have the access they need to do their work.

• Microsoft Endpoint Manager provides endpoint provisioning, configuration, automatic updates, device wipe, and other remote actions.

• Mobile Device Management with Intune helps you secure endpoints for external users or otherwise unmanaged devices.

Enforce data loss prevention policies on your devices
Once data access is granted, controlling what the user can do with your data is critical. For example, if a user accesses a document with a corporate identity, mechanisms should be in place to prevent saving that document in an unprotected location or sharing it with a consumer communication or chat app.

• Intune app protection policies help protect data with or without enrolling devices in a device management solution by restricting access to company resources and keeping data within the purview of your IT department.

• App protection policies can be configured for apps that run on devices that are enrolled in Microsoft Intune or enrolled in a third-party mobile device management (MDM) solution (these are typically corporate owned).

• App protection policies can also be configured for apps that run on devices not enrolled in any mobile device management solution. (These devices are typically employee-owned devices that aren’t managed or enrolled through Intune or other MDM solutions.)

Enable real-time device risk evaluation
Once you’ve enrolled devices with your identity provider, you can bring that signal into your access decisions to allow only safe and compliant devices access.

• Through integration with Microsoft Entra ID, Microsoft Endpoint Manager enables you to enforce more granular access decisions and fine-tune the Conditional Access policies based on your organization’s risk appetite. For example, you can exclude certain device platforms from accessing specific apps.

Learn more about Endpoint Security
• Configure and manage device identity in Microsoft Entra ID
• Microsoft Endpoint Manager
• Mobile Device Management in Intune
• Intune app protection policies
• Conditional Access policies

Find out more about securing Endpoints with Zero Trust

Zero Trust fundamentals

Network
We are no longer in an era of a clearly defined network specific to a certain location. Instead of a contained and defined network to secure, there is a vast portfolio of devices and networks, all linked by the cloud. Securing this portfolio is challenging for many enterprises, who often have few network security perimeters and a flat, open network, along with minimal threat protection and unencrypted internal traffic.

Adopting a Zero Trust security framework is the key to overcoming these limitations. Instead of believing everything behind the corporate firewall is safe, an end-to-end Zero Trust framework assumes breaches are inevitable. That means you must verify each request as if it originates from an uncontrolled network.

In the Zero Trust framework, there are three key objectives when it comes to securing your network:

• Be ready to handle attacks before they happen.

• Minimize the extent of the damage and how fast it spreads.

• Increase the difficulty of compromising your cloud footprint.

Preventing data breaches and other network security threats is about hardened network protection. Without proper security protocols, your business is at high risk for advanced attacks.

Zero Trust is a framework that assumes a complex network’s security is always at risk to external and internal threats. A Zero Trust architecture assumes that every connection and endpoint is considered a threat. The framework protects against these threats, whether external or internal.

Essentials of Zero Trust for networks

Use a cloud workload protection solution
Having a comprehensive view across all your cloud workloads is critical to keeping your resources safe in a highly distributed environment.

• Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection across your hybrid workloads.

• With the Azure Security Center, you can identify and track vulnerabilities, harden resources and services with the Azure Security Benchmark, and detect and resolve threats to resources, workloads, and services.

• The central feature that enables you to achieve those goals is secure score. Azure Security Center continually assesses your resources, subscriptions, and organization for security issues. It then aggregates all the findings into a single score so that you can tell, at a glance, your current security situation: the higher the score, the lower the identified risk level.

Assign app identity
Assigning an app identity is critical to securing communication between different services.

• Azure supports managed identity from Microsoft Entra ID, making it easy to access other Microsoft Entra ID-protected resources such as Azure Key Vault used to store secrets and credentials.

• Managed identities provide an identity for applications to use when connecting to resources that support Microsoft Entra ID authentication. Applications may use the managed identity to obtain Microsoft Entra ID tokens. For example, an application may use a managed identity to access resources like Azure Key Vault, where developers can store credentials in a secure manner, or to access storage accounts.

• You can use managed identities to authenticate to any resource that supports Microsoft Entra ID authentication including your own applications. You don’t need to manage credentials. Credentials are not even accessible to you and managed identities can be used without any additional cost.
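What "no credential to manage" means in practice is that the application asks the Azure Instance Metadata Service (IMDS) for a token at run time instead of holding a secret. The following is an added example, not Azure's SDK or the playbook's code: it builds the documented IMDS token request (endpoint, api-version 2018-02-01 and the mandatory Metadata header) and caches the result until shortly before `expires_on`. The transport is injectable, so here it runs offline against a constructed fake; the vault resource is the real Key Vault audience, while the client id is a constructed placeholder.

```python
"""Acquire tokens with a managed identity via the Azure Instance Metadata Service.

Added example, not Azure's SDK. The endpoint, api-version, query parameters,
Metadata header and response fields are the documented IMDS contract; the
cache policy and the FakeImds stand-in are written for this illustration.
"""
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
RENEW_BEFORE_EXPIRY_SECONDS = 300


def build_token_request(resource: str, client_id: str = None) -> Request:
    """GET request for a token; client_id selects a user-assigned identity."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    # IMDS rejects requests without this header; it exists so that requests
    # cannot reach the endpoint through an unintended redirect.
    return Request(f"{IMDS_TOKEN_URL}?{urlencode(params)}", headers={"Metadata": "true"})


def imds_fetch(request: Request) -> dict:
    """Real transport: only answers inside an Azure compute resource."""
    with urlopen(request, timeout=5) as resp:
        return json.loads(resp.read().decode())


class ManagedIdentityTokenCache:
    """Reuse a token until it is close to expiry, then fetch a fresh one."""

    def __init__(self, fetch=imds_fetch, clock=time.time, client_id=None):
        self._fetch, self._clock, self._client_id = fetch, clock, client_id
        self._tokens = {}  # resource audience -> last IMDS response

    def get_token(self, resource: str) -> str:
        cached = self._tokens.get(resource)
        # expires_on is an epoch-seconds string in the IMDS response.
        if cached and int(cached["expires_on"]) - self._clock() > RENEW_BEFORE_EXPIRY_SECONDS:
            return cached["access_token"]
        token = self._fetch(build_token_request(resource, self._client_id))
        self._tokens[resource] = token
        return token["access_token"]


class FakeImds:
    """Constructed stand-in for IMDS so the example runs without Azure."""

    def __init__(self, clock):
        self.clock, self.calls = clock, 0

    def __call__(self, request: Request) -> dict:
        if request.get_header("Metadata") != "true":
            raise ValueError("IMDS requires the Metadata: true header")
        self.calls += 1
        return {"access_token": f"tok-{self.calls}",
                "expires_on": str(int(self.clock()) + 3600),
                "resource": "https://vault.azure.net", "token_type": "Bearer"}


if __name__ == "__main__":
    now = [1_700_000_000]
    fake = FakeImds(lambda: now[0])
    cache = ManagedIdentityTokenCache(fetch=fake, clock=lambda: now[0])
    print(cache.get_token("https://vault.azure.net"), fake.calls)
    now[0] += 3400  # inside the renewal window: a new token is fetched
    print(cache.get_token("https://vault.azure.net"), fake.calls)
```

The token is scoped to one audience (`resource`), so a Key Vault token cannot be replayed against Storage; a second audience gets its own cache entry and its own IMDS call.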

Segment user and resource access
Segmenting access for each workload helps prevent network-based breaches.

• Microsoft Azure offers many ways to segment workloads to manage user and resource access. Within Azure, you can isolate resources at the subscription level with Virtual networks (VNets), VNet peering rules, Network Security Groups (NSGs), Application Security Groups (ASGs), and Azure Firewalls. You can create an Azure Virtual Network to help your Azure resources communicate together securely.

• Choose the right network segmentation approach for your organization. Common patterns include:

  • Single Virtual Network: In this pattern, all the components of your workload or, in some cases, your entire IT footprint is put inside a single virtual network. This pattern is possible if you’re operating solely in a single region since a virtual network can’t span multiple regions.

  • Multiple Virtual Networks with peering: This pattern is an extension of the previous pattern where you have multiple virtual networks with potential peering connections. You might opt for this pattern to group applications into separate virtual networks or if you need presence in multiple Azure regions.

  • Multiple Virtual Networks in a hub-and-spoke model: This pattern is a more advanced virtual network organization where you choose a virtual network in a given region as the hub for all the other virtual networks in that region. The connectivity between the hub virtual network and its spokes of other virtual networks is achieved by using Azure virtual network peering. All traffic passes through the hub virtual network, and it can act as a gateway to other hubs in different regions.
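Inside any of these patterns, the segmentation between subnets is done by NSG rules, and the detail that decides whether a workload is actually isolated is the default rule set. The following is an added example, not Azure's code or the playbook's: it simulates the documented NSG inbound evaluation (ascending priority, first match wins, default rules at 65000, 65001 and 65500) on a constructed 10.0.0.0/16 VNet with web, app and db subnets. Service tags are approximated as address lists (the VirtualNetwork tag is modelled as the VNet plus the host virtual IP 168.63.129.16, as the service-tag documentation describes); the real tags are maintained by Azure.

```python
"""Simulate inbound Network Security Group evaluation on a segmented VNet.

Added example, not Azure's code. Models the documented NSG behaviour (rules
evaluated in ascending priority, first match wins, three default inbound
rules) on a constructed VNet; service tags are approximated by address lists.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for custom rules; lower is evaluated first
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR, "*", or a service tag name
    dest_ports: str    # "*", "443", "1433", "8000-8080", "80,443"


VNET = ipaddress.ip_network("10.0.0.0/16")            # constructed address space
WEB_SUBNET, APP_SUBNET, DB_SUBNET = "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"
HOST_VIP = ipaddress.ip_network("168.63.129.16/32")   # Azure host VIP (health probes)

# Approximation of the service tags used below.
SERVICE_TAGS = {
    "VirtualNetwork": [VNET, HOST_VIP],
    "AzureLoadBalancer": [HOST_VIP],
}

# Default inbound rules every NSG carries; 65000 allows *all* VNet traffic.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# Custom rules for the db subnet, in three stages of hardening.
DB_NSG_ALLOW_ONLY = [Rule("AllowSqlFromApp", 100, "Allow", "Tcp", APP_SUBNET, "1433")]
DB_NSG_SEGMENTED = DB_NSG_ALLOW_ONLY + [
    Rule("DenyVnetInBound", 4000, "Deny", "*", "VirtualNetwork", "*"),
]
DB_NSG_SEGMENTED_WITH_PROBE = DB_NSG_ALLOW_ONLY + [
    Rule("AllowAzureLoadBalancerProbe", 200, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyVnetInBound", 4000, "Deny", "*", "VirtualNetwork", "*"),
]


def _source_matches(spec: str, ip) -> bool:
    if spec == "*":
        return True
    if spec in SERVICE_TAGS:
        return any(ip in net for net in SERVICE_TAGS[spec])
    return ip in ipaddress.ip_network(spec)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate_inbound(custom_rules, src_ip: str, dst_port: int, protocol: str = "Tcp"):
    """Return (allowed, matched_rule_name) for one inbound flow."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if _source_matches(rule.source, ip) and _port_matches(rule.dest_ports, dst_port):
            return rule.access == "Allow", rule.name
    return False, "no-match"


if __name__ == "__main__":
    for rules in (DB_NSG_ALLOW_ONLY, DB_NSG_SEGMENTED, DB_NSG_SEGMENTED_WITH_PROBE):
        print([r.name for r in rules])
        print("  web -> sql :", evaluate_inbound(rules, "10.0.1.5", 1433))
        print("  app -> sql :", evaluate_inbound(rules, "10.0.2.7", 1433))
        print("  probe      :", evaluate_inbound(rules, "168.63.129.16", 1433))
```

Two things the simulation makes visible: an "allow from app" rule on its own does not segment anything, because the web tier is still admitted by the default AllowVnetInBound rule, so an explicit VirtualNetwork deny at a lower priority number is required; and that deny also covers the host VIP used for load-balancer health probes, so a backend behind a load balancer needs an AzureLoadBalancer allow placed before it.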

Implement threat detection tools
Preventing, detecting, investigating, and responding to advanced threats across your hybrid infrastructure will help improve your security posture.

• Microsoft Defender for Endpoint Advanced Threat Protection is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.

• Defender for Endpoint uses a combination of technology including endpoint behavioral sensors, cloud security analytics, and threat intelligence.

• Built-in threat and vulnerability management uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.

Deploy a Security Information and Event Management solution
As the value of digital information continues to increase, so do the number and sophistication of attacks. Security Information and Event Management (SIEM) solutions provide a central way to mitigate threats across the entire estate.

• Microsoft Sentinel is a cloud-native SIEM and security orchestration automated response (SOAR) solution that will allow your Security Operations Center (SOC) to work from a single pane of glass to monitor security events across your enterprise.

• Microsoft Sentinel aggregates data from all sources, including users, applications, servers, and devices running on-premises or in any cloud, letting you reason over millions of records in a few seconds. It includes built-in connectors for easy onboarding of popular security solutions. Collect data from any source with support for open standard formats like CEF and Syslog.

• Microsoft Sentinel integrates with many enterprise tools, including best-of-breed security products, homegrown tools, and other systems like ServiceNow. It provides an extensible architecture to support custom collectors through REST API and advanced queries. It enables you to bring your own insights, tailored detections, machine learning models, and threat intelligence.
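The CEF ingestion path above is also how the Identity Protection export mentioned in the Identity section (risk detections pulled through the Microsoft Graph API and forwarded to a SIEM) typically lands in a SIEM. The following is an added example written for this playbook, not Microsoft's or Sentinel's code: it takes records shaped like the Microsoft Graph riskDetection resource, keeps the ones worth forwarding, and renders each as a CEF line with the escaping that format requires. The three input records are constructed (names, ids and addresses are made up), and the vendor/product strings in the header are labels chosen for this example.

```python
"""Convert Identity Protection riskDetection records to CEF for SIEM ingestion.

Added example, not Microsoft's or Sentinel's code. Input records use the
field names of the Microsoft Graph riskDetection resource; the sample data
is constructed. Header and extension escaping follow the CEF rules (pipe
and backslash in the header; backslash, equals and newline in extensions).
"""
import json
from datetime import datetime

SAMPLE_RISK_DETECTIONS = json.loads("""[
  {"id": "rd-0001", "riskEventType": "anonymizedIPAddress", "riskLevel": "high",
   "riskState": "atRisk", "userPrincipalName": "alice@contoso.example",
   "ipAddress": "198.51.100.23", "detectedDateTime": "2024-03-05T08:15:30Z"},
  {"id": "rd-0002", "riskEventType": "unfamiliarFeatures", "riskLevel": "medium",
   "riskState": "remediated", "userPrincipalName": "bob@contoso.example",
   "ipAddress": "203.0.113.9", "detectedDateTime": "2024-03-05T09:02:11Z"},
  {"id": "rd-0003", "riskEventType": "leakedCredentials", "riskLevel": "high",
   "riskState": "atRisk", "userPrincipalName": "eve=ops@contoso.example",
   "ipAddress": "", "detectedDateTime": "2024-03-05T10:44:00Z"}
]""")

# CEF severity is 0-10; map Identity Protection's three levels onto it.
RISK_TO_CEF_SEVERITY = {"low": 3, "medium": 6, "high": 9}
RISK_RANK = {"low": 1, "medium": 2, "high": 3}


def _escape_header(value: str) -> str:
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value: str) -> str:
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "").replace("\n", "\\n"))


def risk_detection_to_cef(d: dict) -> str:
    """Render one riskDetection as a CEF:0 line."""
    detected = datetime.fromisoformat(d["detectedDateTime"].replace("Z", "+00:00"))
    extension = {
        "rt": str(int(detected.timestamp() * 1000)),  # receipt time, epoch milliseconds
        "suser": d.get("userPrincipalName", ""),
        "src": d.get("ipAddress", ""),
        "externalId": d["id"],
        "cs1Label": "riskState",
        "cs1": d.get("riskState", ""),
    }
    header = "|".join([
        "CEF:0", "Microsoft", "Entra ID Protection", "1.0",
        _escape_header(d["riskEventType"]),
        _escape_header(f"Risk detection: {d['riskEventType']}"),
        str(RISK_TO_CEF_SEVERITY.get(d.get("riskLevel"), 1)),
    ])
    # Empty values (e.g. a detection with no source address) are simply omitted.
    return header + "|" + " ".join(
        f"{k}={_escape_extension(v)}" for k, v in extension.items() if v != "")


def select_for_forwarding(detections: list, min_level: str = "medium") -> list:
    """Forward only unresolved detections at or above the chosen risk level."""
    floor = RISK_RANK[min_level]
    return [d for d in detections
            if d.get("riskState") == "atRisk"
            and RISK_RANK.get(d.get("riskLevel"), 0) >= floor]


def build_cef_batch(detections: list, min_level: str = "medium") -> list:
    return [risk_detection_to_cef(d) for d in select_for_forwarding(detections, min_level)]


if __name__ == "__main__":
    for line in build_cef_batch(SAMPLE_RISK_DETECTIONS):
        print(line)
```

The filter keeps `riskState` in the forwarded line rather than dropping remediated or dismissed detections silently at the source; here they are excluded from forwarding, but the state field is there so a SIEM rule can correlate a later `remediated` update if you choose to send those too.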

Implement behavioral analytics
When you create new infrastructure, you need to ensure that you also establish rules for monitoring and raising alerts. This is key for identifying when a resource is displaying unexpected behavior.

• Microsoft Defender for Identity enables signal collection to identify, detect, and investigate advanced threats, compromised identity, and malicious insider actions directed at your organization.

• Microsoft Defender for Identity helps eliminate on-premises vulnerabilities to prevent attacks before they happen, helps security operations teams use their time effectively by understanding the greatest threats, and prioritizes information to focus on actual threats, not false signals.

Set up automated investigations
Security operations teams face challenges in addressing the multitude of alerts that arise from the never-ending flow of threats. Implementing a solution with automated investigation and remediation (AIR) capabilities can help your security operations team address threats more efficiently and effectively.

• Microsoft Defender for Endpoint Advanced Threat Protection includes automated investigation and remediation capabilities, which can significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives.

• The technology in automated investigation uses various inspection algorithms and is based on processes that are used by security analysts. AIR capabilities are designed to examine alerts and take immediate action to resolve breaches. AIR capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives.

• All remediation actions, whether pending or completed, are tracked in the Action center. The Action center is where pending actions are approved (or rejected) and completed actions can be undone if needed.

Govern access to privileged resources
Personnel should use administrative access sparingly. When users require administrative functions, they should receive temporary administrative access, based on the principle of just-in-time network access.

• Privileged Identity Management (PIM) in Microsoft Entra ID enables you to discover, restrict, and monitor access rights for privileged identity. PIM can help ensure your admin accounts stay secure by limiting access to critical operations using just-in-time, time-bound, and role-based access control.

• Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources.

• With PIM, organizations can give users just-in-time privileged access to Azure and Microsoft Entra ID resources and can oversee what those users are doing with their privileged access.

Learn more about solutions for a Zero Trust network
• Azure Security Center
• Managed identities
• Azure Virtual Network
• Microsoft Defender for Endpoint Advanced Threat Protection
• Microsoft Sentinel
• Microsoft Defender for Identity
• Automated investigations
• Privileged Identity Management (PIM)

Find out more about securing Networks with Zero Trust
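The activation rules described under "Govern access to privileged resources" (eligible rather than standing assignment, a bounded duration, a justification, approval by someone else for sensitive roles, and automatic expiry) can be modelled to check how a role setting will behave before it is configured. The following is an added example, not the PIM implementation or the playbook's code; the role names, principals and settings are constructed.

```python
"""Model of just-in-time, time-bound, approval-gated role activation.

Added example, not the PIM implementation. It captures the activation rules
the playbook describes so that a role configuration can be reasoned about;
role names, principals and settings are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class RoleSettings:
    max_duration: timedelta
    require_approval: bool
    require_justification: bool = True


@dataclass
class Activation:
    principal: str
    role: str
    duration: timedelta
    justification: str
    start: Optional[datetime] = None      # set when the activation takes effect
    approved_by: Optional[str] = None

    def active_at(self, when: datetime) -> bool:
        return self.start is not None and self.start <= when < self.start + self.duration


class PimModel:
    def __init__(self, settings: dict, eligible: dict):
        self.settings = settings      # role -> RoleSettings
        self.eligible = eligible      # principal -> set of roles the principal may activate
        self.activations: list = []
        self.audit: list = []         # (time, event, actor, role) for oversight

    def request_activation(self, principal: str, role: str, duration: timedelta,
                           justification: str, now: datetime) -> Activation:
        if role not in self.eligible.get(principal, set()):
            raise PermissionError(f"{principal} is not eligible for {role}")
        cfg = self.settings[role]
        if duration > cfg.max_duration:
            raise ValueError(f"requested {duration} exceeds maximum {cfg.max_duration}")
        if cfg.require_justification and not justification.strip():
            raise ValueError("justification required")
        act = Activation(principal, role, duration, justification)
        if not cfg.require_approval:
            act.start, act.approved_by = now, "auto"
        self.activations.append(act)
        self.audit.append((now, "requested", principal, role))
        return act

    def approve(self, act: Activation, approver: str, now: datetime) -> Activation:
        if approver == act.principal:
            raise PermissionError("self-approval is not allowed")
        if act.start is None:
            act.start, act.approved_by = now, approver
            self.audit.append((now, "approved", approver, act.role))
        return act

    def is_active(self, principal: str, role: str, when: datetime) -> bool:
        return any(a.principal == principal and a.role == role and a.active_at(when)
                   for a in self.activations)


# Constructed settings: the most powerful role is short-lived and approval-gated.
SETTINGS = {
    "Global Administrator": RoleSettings(timedelta(hours=4), require_approval=True),
    "Helpdesk Administrator": RoleSettings(timedelta(hours=8), require_approval=False),
}
ELIGIBLE = {
    "alice@contoso.example": {"Global Administrator"},
    "carol@contoso.example": {"Helpdesk Administrator"},
}


if __name__ == "__main__":
    pim = PimModel(SETTINGS, ELIGIBLE)
    t0 = datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc)
    act = pim.request_activation("alice@contoso.example", "Global Administrator",
                                 timedelta(hours=2), "change ticket 42", t0)
    print(pim.is_active("alice@contoso.example", "Global Administrator", t0))
    pim.approve(act, "bob@contoso.example", t0 + timedelta(minutes=10))
    print(pim.is_active("alice@contoso.example", "Global Administrator", t0 + timedelta(hours=1)))
    print(pim.audit)
```

The window starts at approval, not at request, and ends on its own; nothing in the model grants a standing assignment, which is the property the playbook is after.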

Zero Trust fundamentals

Data
With more people working outside the office and the growth in cloud apps and analytics, organizations need new tools for protecting data as it travels beyond perimeters of control. Zero Trust enables you to protect data at rest and in flight even when it leaves the endpoints, apps, infrastructure, and network that make up your organization’s own IT infrastructure.

To ensure protection and restrict data access to authorized users, data should be inventoried, classified, labeled, and, where appropriate, encrypted. This requires you to know what data you have, protect it from unauthorized access and loss, and continuously monitor sensitive information for policy violations and risky behavior.

According to the 2021 Cost of a Data Breach report, organizations that have not deployed a Zero Trust program faced data breach costs averaging $5.04 million. Those that were Zero Trust “mature” saw those costs decrease by $1.76 million. Even those firms in the “early stage” of deployment had $660,000 less of a burden. In short, Zero Trust can mitigate the impact of a breach.

Essentials of Zero Trust for data

Define a classification taxonomy
Defining the right label taxonomy and protection policies is the most critical step in any data protection strategy, so start with creating a labeling strategy that reflects your organization’s sensitivity requirements for information.

• You can evaluate and then tag content in your organization in order to control where it goes, protect it no matter where it is and to ensure that it is preserved and deleted according to your organization’s needs. You do this through the application of sensitivity labels, retention labels, and sensitive information type classification.

• Data classification will scan your sensitive content and labeled content before you create any policies. This is called zero change management. This lets you see the impact that all the retention and sensitivity labels are having in your environment and empower you to start assessing your protection and governance policy needs.

• Sensitivity labels from the Microsoft Information Protection solution let you classify and protect your organization’s data, while making sure that user productivity and their ability to collaborate isn’t hindered.

Govern access decisions based on sensitivity
The more sensitive the data, the greater the protection control and enforcement needed. Similarly, the controls should also be commensurate with the nature of the risks associated with how and from where the data is accessed. Some sensitive data needs protection by policies that enforce encryption to ensure only authorized users can access the data.

• Microsoft Information Protection offers a flexible set of protection controls based on data sensitivity and risk.

• You can configure and manage policies and view analytics across your on-premises environment, Microsoft 365 apps and services, third-party cloud services, and devices—all from a single console. You can also accurately identify sensitive information across your enterprise with comprehensive classification capabilities, including machine learning, and consistently extend protection and governance to popular third-party apps and services with SDK and connectors.

• Azure Purview provides a unified data governance service that builds on Microsoft Information Protection. You can create a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage. This helps data consumers find valuable, trustworthy data.

Implement a robust data classification and labeling strategy
Enterprises have vast amounts of data that can be challenging to label and classify. Using machine learning for smarter, automated classification can help reduce the burden on end users and lead to a more consistent labeling experience.

• Microsoft 365 provides three ways to classify content: manually, automated pattern matching, and Trainable classifiers. Trainable classifiers are well-suited to content that isn’t easily identified by manual or automated pattern matching methods. You can use them to identify items for application of Office sensitivity labels, Communications compliance policies, and retention label policies.

• For on-premises file repositories and sites based on SharePoint 2013 or later, the Azure Information Protection (AIP) scanner can help discover, classify, label, and protect sensitive information. The AIP scanner can inspect any files that Windows can index. If you’ve configured sensitivity labels to apply automatic classification, the scanner can label discovered files to apply that classification, and optionally apply or remove protection.

• Configure the scanner to use enforce mode and automatically classify, label, and protect files with sensitive data.

Govern access decisions based on policy
Move beyond simple access/block decisions and tailor access decisions for your data based on risk appetite—such as allowing access, blocking, limiting access, or requiring additional proofs like multi-factor authentication.

• Conditional Access in Microsoft Entra ID enables you to enforce fine-tuned adaptive access controls, such as requiring multi-factor authentication, based upon user context, device, location, and session risk information to control what a specific user can access, and how and when they have access.

• Control Access enforces controls on specific apps or actions, secures remote access to on-premises web apps, and restricts access to approved, modern authentication-capable client apps.

• Microsoft Defender for Cloud Apps lets you apply Azure Information Protection classification labels automatically, with or without protection, to files as a file policy governance action. You can also investigate files by filtering for the applied classification label within the Defender for Cloud Apps portal. Using classifications enables greater visibility and control of your sensitive data in the cloud.

Enforce access and usage rights to data shared outside company boundaries
To properly mitigate risk without negatively impacting productivity, you need to control and secure email, documents, and sensitive data you share outside your company.

• Azure Information Protection helps secure email, documents, and sensitive data inside and outside your company walls. From easy classification to embedded labels and permissions, always enhance data protection with Azure Information Protection, no matter where it’s stored or who it’s shared with.

• Deployment guides will help you understand how each solution’s features complement the others, best practices based on the CxE team’s experience with customer roadblocks, considerations to research before starting your deployment, resource links to additional readings and topics for a deeper understanding, and an appendix with additional information on licensing.

• App Discovery policies make it easier to keep track of the significant discovered applications in your organization to help you manage these applications efficiently. Create policies to receive alerts when detecting new apps that are identified as either risky, non-compliant, trending, or high-volume.

Implement data loss prevention policies
To comply with business standards and industry regulations, organizations must protect sensitive information and prevent its inadvertent disclosure. Sensitive information can include financial data or personally identifiable information such as credit card numbers, social security numbers, or health records.

• Use a range of data loss prevention (DLP) policies in Microsoft 365 to identify, monitor, and automatically protect sensitive items across services such as Teams, SharePoint, and OneDrive; Office apps such as Word, Excel, and PowerPoint; Windows 10 endpoints; third-party cloud apps; and on-premises file shares.

• You can tune your rules by adjusting the instance count and match accuracy to make it harder or easier for content to match the rules. Each sensitive information type used in a rule has both an instance count and match accuracy.

Learn more about solutions for Zero Trust data security
Data classification
Sensitivity labels
Microsoft Information Protection
Automated pattern matching
Trainable classifiers
Azure Information Protection (AIP) scanner
Labeling deployment guidance
Conditional Access in Microsoft Entra ID
Integrate Azure Information Protection
Protection and Compliance Deployment Acceleration Guides
DLP policies
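The following is an added, self-contained example (not code from the playbook or from Microsoft 365) that shows how the two DLP tuning knobs above, instance count and match accuracy, interact. A sensitive information type is modelled as a pattern plus corroborating evidence: a 16-digit number counts as a card number only if it passes the Luhn checksum, and its confidence rises from 65 to 85 when a keyword such as "card" appears shortly before it. A rule then fires only when at least min_count matches reach min_confidence. The document, the confidence values, the keyword window and the rule names are all constructed for the example; the card numbers are widely published test values.

```python
import re
from dataclasses import dataclass

# Constructed sample document. The card numbers are published test values that
# pass the Luhn check; the SSN is a format-valid dummy, not a real identity.
SAMPLE_DOC = (
    "Customer export for finance review.\n"
    "Card: 4111 1111 1111 1111 exp 12/27\n"
    "Card: 5555-5555-5555-4444\n"
    "Ref: 1234 5678 9012 3456\n"
    "Serial 4242424242424242\n"
    "SSN: 123-45-6789\n"
)

CC_PATTERN = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")
SSN_PATTERN = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CC_KEYWORDS = ("card", "visa", "mastercard", "credit")
SSN_KEYWORDS = ("ssn", "social security")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: primary evidence that a 16-digit string is a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _keyword_nearby(text: str, start: int, keywords, window: int = 40) -> bool:
    """Supporting evidence: a keyword shortly before the match raises confidence."""
    context = text[max(0, start - window):start].lower()
    return any(k in context for k in keywords)


@dataclass
class Match:
    info_type: str
    value: str
    confidence: int   # 65 = pattern plus checksum only, 85 = plus supporting keyword


def find_sensitive_info(text: str):
    matches = []
    for m in CC_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue   # checksum failure: not a card number at any confidence
        conf = 85 if _keyword_nearby(text, m.start(), CC_KEYWORDS) else 65
        matches.append(Match("Credit Card Number", m.group(), conf))
    for m in SSN_PATTERN.finditer(text):
        conf = 85 if _keyword_nearby(text, m.start(), SSN_KEYWORDS) else 65
        matches.append(Match("U.S. Social Security Number", m.group(), conf))
    return matches


@dataclass
class DlpRule:
    name: str
    info_type: str
    min_count: int        # instance count: how many matches are needed
    min_confidence: int   # match accuracy: how strong each match must be
    action: str


# Constructed rule set; names and thresholds are illustrative only.
RULES = [
    DlpRule("block-any-high-confidence-card", "Credit Card Number", 1, 85, "block"),
    DlpRule("notify-bulk-cards-medium", "Credit Card Number", 3, 65, "notify"),
    DlpRule("block-bulk-cards-high", "Credit Card Number", 3, 85, "block"),
    DlpRule("block-any-ssn", "U.S. Social Security Number", 1, 85, "block"),
]


def evaluate(text: str, rules):
    """Return (rule name, action, qualifying match count) for each rule that fires."""
    matches = find_sensitive_info(text)
    fired = []
    for rule in rules:
        count = sum(1 for m in matches
                    if m.info_type == rule.info_type and m.confidence >= rule.min_confidence)
        if count >= rule.min_count:
            fired.append((rule.name, rule.action, count))
    return fired


if __name__ == "__main__":
    for name, action, count in evaluate(SAMPLE_DOC, RULES):
        print(f"{action:6} {name} ({count} qualifying matches)")
```

Note how the same document fires the three-instance rule at medium accuracy (the unlabelled "Serial" number counts at confidence 65) but not at high accuracy, which is exactly the trade-off the tuning knobs expose: raising match accuracy cuts false positives, raising instance count targets bulk exposure rather than single values.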

Find out more about securing Data with Zero Trust

Zero Trust fundamentals

Applications
To get the full benefit of cloud apps and services, organizations must simultaneously simplify access and maintain control. A Zero Trust framework helps you do both.

Using a Zero Trust framework, your organization can help ensure that apps, and the data they contain, are protected by:

• Applying controls and technologies to discover Shadow IT.

• Ensuring appropriate in-app permissions.

• Limiting access based on real-time analytics.

• Monitoring for abnormal behavior.

• Controlling user actions.

• Validating secure configuration options.

With applications now consumed from the cloud and mobile devices, the application attack surface has expanded considerably. Therefore, implementing Zero Trust for applications requires modern threat detection capabilities that cover applications across various devices and locations, including the cloud.

Essentials of Zero Trust application security

Enforce policy-based access control for your applications
Move beyond simple access/block decisions and tailor decisions based on risk appetite—such as allowing access, blocking, limiting access, or requiring additional proofs like multi-factor authentication.

• Conditional Access in Microsoft Entra ID enables you to enforce fine-tuned adaptive access controls, such as requiring multi-factor authentication, based upon user context, device, location, and session risk information.

• With Conditional Access, organizations can restrict access to approved (modern authentication-capable) client apps with Intune app protection policies. For older client apps that may not support app protection policies, administrators can restrict access to approved client apps.

Enforce policy-based session controls
Stopping breaches and leaks in real time before employees intentionally or inadvertently put data and organizations at risk is key to mitigating risk after access is granted. It’s also critical for businesses to enable employees to securely use their own devices.

• Microsoft Defender for Cloud Apps integrates with Microsoft Entra Conditional Access so you can configure apps to work with Conditional Access App Control. Microsoft Defender for Cloud Apps allows you to selectively enforce access and session controls on your organization’s apps based on any condition, such as preventing data exfiltration, protecting on download, preventing uploads, blocking malware, and more.

• Microsoft Defender for Cloud Apps session policies enable real-time session-level monitoring, affording you granular visibility into cloud apps and the ability to take different actions depending on the policy you set for a user session. Instead of allowing or blocking access completely, with session control you can allow access while monitoring the session and/or limit specific session activities using the reverse proxy capabilities of Conditional Access App Control.
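Both the data section and this one describe the same decision model: Conditional Access evaluates every policy whose conditions (user, app, risk level, location, client type) match a sign-in, and the grant controls of all matching policies combine, with a block from any one policy winning. The example below is an added illustration of that evaluation order; it is not Entra ID code and the signal names, policy names and control names are constructed stand-ins for the real policy objects.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    """Signals available when a sign-in is evaluated (constructed field set)."""
    user: str
    group: str
    app: str
    sign_in_risk: str        # "none", "low", "medium" or "high"
    location_trusted: bool
    device_compliant: bool
    legacy_auth: bool        # client protocol that cannot perform a second factor
    mfa_satisfied: bool      # user already completed MFA in this session


@dataclass(frozen=True)
class Policy:
    name: str
    apps: frozenset = frozenset({"*"})      # "*" means every app
    groups: frozenset = frozenset({"*"})    # "*" means every user
    risk_levels: frozenset = frozenset()    # empty means any risk level
    untrusted_locations_only: bool = False
    legacy_auth_only: bool = False
    grant: str = "require"                  # "block" or "require"
    controls: frozenset = frozenset()       # e.g. {"mfa", "compliant_device"}


# How each grant control is checked against the sign-in signals.
CONTROL_CHECKS = {
    "mfa": lambda s: s.mfa_satisfied,
    "compliant_device": lambda s: s.device_compliant,
}

# Constructed policy set in the order an administrator might define it.
POLICIES = [
    Policy("Block legacy authentication", legacy_auth_only=True, grant="block"),
    Policy("Block high-risk sign-ins", risk_levels=frozenset({"high"}), grant="block"),
    Policy("Require MFA for all users", controls=frozenset({"mfa"})),
    Policy("Require compliant device for Finance", apps=frozenset({"Finance"}),
           controls=frozenset({"compliant_device"})),
    Policy("Require MFA off-network for contractors", groups=frozenset({"contractors"}),
           untrusted_locations_only=True, controls=frozenset({"mfa"})),
]


def applies(policy: Policy, s: SignIn) -> bool:
    """A policy is in scope only when every configured condition matches."""
    if "*" not in policy.apps and s.app not in policy.apps:
        return False
    if "*" not in policy.groups and s.group not in policy.groups:
        return False
    if policy.risk_levels and s.sign_in_risk not in policy.risk_levels:
        return False
    if policy.untrusted_locations_only and s.location_trusted:
        return False
    if policy.legacy_auth_only and not s.legacy_auth:
        return False
    return True


def evaluate(s: SignIn, policies=POLICIES) -> dict:
    """Combine all in-scope policies: any block wins, otherwise union the controls."""
    matched = [p for p in policies if applies(p, s)]
    blockers = [p.name for p in matched if p.grant == "block"]
    if blockers:
        return {"decision": "block", "policies": blockers, "required": [], "unmet": []}
    required = set()
    for p in matched:
        required |= p.controls
    unmet = {c for c in required if not CONTROL_CHECKS[c](s)}
    return {
        "decision": "allow" if not unmet else "challenge",
        "policies": [p.name for p in matched],
        "required": sorted(required),
        "unmet": sorted(unmet),
    }


if __name__ == "__main__":
    s = SignIn("bob", "finance", "Finance", "low", True, False, False, True)
    print(evaluate(s))
```

A "challenge" result lists the controls the sign-in still has to satisfy; in the real service that is where the MFA prompt or the device-compliance error surfaces. Keeping block policies evaluated on the same pass as require policies is what makes "block legacy authentication" effective even for a user who could otherwise satisfy MFA.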

Connect your business applications to your cloud application security broker (CASB)
Visibility across apps and platforms is critical for performing governance actions, such as quarantining files or suspending users, as well as mitigating any flagged risk.

• Apps connected to Microsoft Defender for Cloud Apps get instant, out-of-the-box protection with built-in anomaly detection. Microsoft Defender for Cloud Apps uses user and entity behavior analytics (UEBA) and machine learning to detect unusual behavior and identify threats.

• Once an app is connected using one or more of these methods, you get instant out-of-the-box protection with our built-in anomaly detection engine. Additionally, you gain deep visibility into the app’s user and device activities, control over data shared by the app, and can build detection policies with governance to mitigate any risky activities or sensitive-data sharing by the app.

• Defender for Cloud Apps supports multiple instances of the same connected app. For example, if you have more than one instance of Salesforce (one for sales, one for marketing) you can connect both to Defender for Cloud Apps. You can manage the different instances from the same console to create granular policies and deeper investigation. This support applies only to API-connected apps, not to Cloud Discovered apps or Proxy connected apps.

Provide remote access to on-premises applications through an app proxy
Providing users with secure remote access to internal apps running on an on-premises server is critical to maintaining productivity today.

• Microsoft Entra application proxy provides secure remote access to on-premises web apps without a VPN or dual-homed servers and firewall rules. It enables users to access web apps through SSO while enabling IT to configure Conditional Access policies for fine-tuned access control.

• The Microsoft Entra application proxy feature can be implemented by IT professionals who want to publish on-premises web applications externally. Remote users who need access to internal apps can then access them in a secure manner.

• Microsoft Entra ID keeps track of users who need to access web apps published on-premises and in the cloud. It provides a central management point for those apps. While not required, it’s recommended you also enable Microsoft Entra Conditional Access. By defining conditions for how users authenticate and gain access, you further ensure the right people have access to applications.

Discover and manage shadow IT in your network
The total number of apps accessed by employees in the average enterprise exceeds 1,500, with fewer than 15 percent managed by IT. As remote work becomes a reality, it’s no longer enough to apply access policies only to your network appliances.

• Microsoft Defender for Cloud Apps can help you discover which apps are being used, explore the risk of these apps, configure policies to identify new risky apps being used, and unsanction these apps to block them natively using your proxy or firewall appliance.

• Integrating Defender for Cloud Apps with Microsoft Defender for Endpoint gives you the ability to use Cloud Discovery beyond your corporate network or secure web gateways. With the combined user and device information, you can identify risky users or devices, see what apps they are using, and investigate further in the Defender for Endpoint portal.

• Cloud Discovery analyzes traffic logs collected by Defender for Endpoint and assesses identified apps against the cloud app catalog to provide compliance and security information. By configuring Cloud Discovery, you gain visibility into cloud use, Shadow IT, and continuous monitoring of the unsanctioned apps being used by your users.

• App Discovery policies make it easier to keep track of the significant discovered applications in your organization to help you manage these applications efficiently. Create policies to receive alerts when detecting new apps that are identified as either risky, non-compliant, trending, or high-volume.

• Defender for Cloud Apps provides you with the ability to investigate and monitor the app permissions your users granted. You can use this information to identify a potentially suspicious app and, if you determine that it is risky, you can ban access to it.
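To make the Cloud Discovery pipeline concrete, here is an added example (not the product's code) of the three steps it describes: parse traffic logs, resolve each destination against an app catalog that carries a risk score and compliance attributes, then apply App Discovery-style policies that flag apps as new, risky, non-compliant or high-volume. The log lines, the catalog, the risk scores, the compliance fields and all thresholds are constructed for the example and use reserved .example hostnames; the real catalog's scoring is not reproduced here.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed proxy/firewall log lines (one connection summary per line).
LOG_LINES = [
    "2024-01-15T09:12:01Z user=alice src=10.0.0.5 dst_host=drive.cloudstore.example bytes=1048576",
    "2024-01-15T09:13:44Z user=bob src=10.0.0.9 dst_host=files.quickshare.example bytes=734003200",
    "2024-01-15T09:15:02Z user=alice src=10.0.0.5 dst_host=files.quickshare.example bytes=52428800",
    "2024-01-15T09:20:19Z user=carol src=10.0.0.12 dst_host=app.pastebox.example bytes=20480",
    "2024-01-15T09:21:00Z user=bob src=10.0.0.9 dst_host=drive.cloudstore.example bytes=5242880",
    "2024-01-15T09:25:37Z user=dave src=10.0.0.20 dst_host=cdn.unlisted.example bytes=4096",
]

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) dst_host=(\S+) bytes=(\d+)$")


@dataclass(frozen=True)
class CatalogEntry:
    app: str
    risk_score: int     # constructed scale: 0 (worst) to 10 (best)
    soc2: bool          # constructed compliance attributes
    gdpr: bool


# Constructed catalog mapping hostnames to apps and their attributes.
CATALOG = {
    "drive.cloudstore.example": CatalogEntry("CloudStore Drive", 8, True, True),
    "files.quickshare.example": CatalogEntry("QuickShare", 4, False, True),
    "app.pastebox.example": CatalogEntry("PasteBox", 2, False, False),
}

PREVIOUSLY_DISCOVERED = {"CloudStore Drive"}   # apps already seen in earlier reports
RISKY_SCORE = 3                                # at or below this score: "risky"
HIGH_VOLUME_BYTES = 500 * 1024 * 1024          # per-app upload/download threshold


def parse_lines(lines):
    """Parse the constructed log format; malformed lines are dropped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, user, src, host, size = m.groups()
            records.append({"ts": ts, "user": user, "src": src,
                            "host": host, "bytes": int(size)})
    return records


def discover(lines):
    """Return ({app: [alert tags]}, [hosts not in the catalog])."""
    usage = defaultdict(lambda: {"bytes": 0, "users": set(), "entry": None})
    unknown_hosts = set()
    for r in parse_lines(lines):
        entry = CATALOG.get(r["host"])
        if entry is None:
            unknown_hosts.add(r["host"])     # worth a catalog lookup, not silently dropped
            continue
        stats = usage[entry.app]
        stats["entry"] = entry
        stats["bytes"] += r["bytes"]
        stats["users"].add(r["user"])

    alerts = {}
    for app, stats in usage.items():
        entry = stats["entry"]
        tags = []
        if app not in PREVIOUSLY_DISCOVERED:
            tags.append("new-app")
        if entry.risk_score <= RISKY_SCORE:
            tags.append("risky")
        if not (entry.soc2 and entry.gdpr):
            tags.append("non-compliant")
        if stats["bytes"] >= HIGH_VOLUME_BYTES:
            tags.append("high-volume")
        if tags:
            alerts[app] = sorted(tags)
    return alerts, sorted(unknown_hosts)


if __name__ == "__main__":
    alerts, unknown = discover(LOG_LINES)
    for app, tags in alerts.items():
        print(f"{app}: {', '.join(tags)}")
    print("uncatalogued hosts:", unknown)
```

The sanctioned, compliant app generates no alert even though it is heavily used, while the unsanctioned file-sharing app trips the high-volume threshold on a single day; that combination (new plus high-volume) is the typical signal that data is leaving through an app nobody has reviewed.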

Minimize virtual machine access
Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies, and data protection to protect both data and productivity.

• Lock down inbound traffic to your Azure Virtual Machines with Azure Security Center’s JIT virtual machine (VM) access feature to reduce your exposure to attacks while providing easy access when you need to connect to a VM.

• With JIT, you can lock down the inbound traffic to your VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed. When you enable just-in-time VM access, you can select the ports on the VM where inbound traffic will be blocked. Defender for Cloud ensures “deny all inbound traffic” rules exist for your selected ports in the network security group (NSG) and Azure Firewall rules. These rules restrict access to your Azure VMs’ management ports and defend them from attack.

Learn more about Zero Trust security for Applications
Conditional Access in Microsoft Entra ID
Configuring Conditional Access
Microsoft Defender for Cloud Apps
Apps connected to Microsoft Defender for Cloud Apps
Microsoft Entra application proxy
Defender for Cloud Apps Best Practices

Find out more about securing Applications with Zero Trust
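The JIT mechanism above rests on NSG evaluation order: rules are tried from the lowest priority number upward and the first match wins, so a standing deny on the management ports blocks everyone until a temporary, source-scoped allow with a lower priority number is inserted for the duration of a request. The following added example (not Defender for Cloud's code) models that ordering, the time-bound grant, and a verification that the standing denies are still in place. The rule set is constructed; AllowVnetInBound and DenyAllInBound are the names of Azure's default rules, but the 10.0.0.0/8 source here is a stand-in for the VirtualNetwork service tag, and the jit-* rule names are invented for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

WILDCARD_SOURCES = ("*", "0.0.0.0/0", "Internet")


@dataclass
class Rule:
    name: str
    priority: int                    # lower number is evaluated first, as in Azure NSGs
    access: str                      # "Allow" or "Deny"
    port: str                        # "22", "3389", "1000-2000" or "*"
    source: str                      # "*", a CIDR, or a service-tag stand-in
    expires: Optional[datetime] = None   # None: permanent; otherwise a JIT grant


def baseline_rules():
    """Constructed inbound rule set after JIT has been enabled for SSH and RDP."""
    return [
        Rule("jit-deny-ssh", 1000, "Deny", "22", "*"),
        Rule("jit-deny-rdp", 1001, "Deny", "3389", "*"),
        Rule("allow-https", 1100, "Allow", "443", "*"),
        Rule("AllowVnetInBound", 65000, "Allow", "*", "10.0.0.0/8"),  # stand-in for VirtualNetwork tag
        Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
    ]


def _port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port


def _source_matches(rule_source: str, ip: str) -> bool:
    if rule_source in WILDCARD_SOURCES:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_source, strict=False)


def effective_access(rules, port: int, source_ip: str, now: datetime) -> str:
    """First matching non-expired rule decides; nothing matching means Deny."""
    live = sorted((r for r in rules if r.expires is None or r.expires > now),
                  key=lambda r: r.priority)
    for r in live:
        if _port_matches(r.port, port) and _source_matches(r.source, source_ip):
            return r.access
    return "Deny"


def request_jit_access(rules, port: int, source_ip: str, now: datetime, hours: int = 3) -> Rule:
    """Add a temporary allow, scoped to one source, that outranks the standing deny."""
    grant = Rule(name=f"jit-allow-{port}-{source_ip}", priority=100, access="Allow",
                 port=str(port), source=f"{source_ip}/32",
                 expires=now + timedelta(hours=hours))
    rules.append(grant)
    return grant


def verify_deny_rules(rules, ports) -> bool:
    """Check that, ignoring temporary grants, the first Internet-wide rule for each
    management port is a Deny, so no standing allow-from-anywhere has crept in."""
    permanent = sorted((r for r in rules if r.expires is None), key=lambda r: r.priority)
    for port in ports:
        for r in permanent:
            if not _port_matches(r.port, port):
                continue
            if r.source in WILDCARD_SOURCES:
                if r.access != "Deny":
                    return False
                break            # first Internet-wide rule for this port is a Deny
        else:
            return False         # no Internet-wide rule at all for this port
    return True


if __name__ == "__main__":
    now = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    rules = baseline_rules()
    print("before grant:", effective_access(rules, 22, "203.0.113.10", now))
    request_jit_access(rules, 22, "203.0.113.10", now)
    print("during grant:", effective_access(rules, 22, "203.0.113.10", now))
    print("after expiry:", effective_access(rules, 22, "203.0.113.10", now + timedelta(hours=4)))
    print("denies intact:", verify_deny_rules(rules, [22, 3389]))
```

The verification deliberately ignores expired and temporary rules: a JIT grant is supposed to exist for a few hours, whereas a permanent Allow from "*" on port 3389 at any priority above the deny is the misconfiguration the check is meant to catch.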

Zero Trust fundamentals

Infrastructure
IT infrastructure includes a diverse
range of technologies, including
hardware, virtual machines, software,
microservices, networking, and more.

Many organizations struggle to protect this environment because they manually manage permissions across environments and lack effective configuration management of virtual machines and servers. Implementing an end-to-end Zero Trust framework makes it easier for you to:

• Ensure software and services are up to date.

• Manage configurations.

• Prevent, detect, and mitigate attacks.

• Identify and block risky behavior.

Because networks are subject to continuous and increasingly sophisticated attacks, it is especially important to protect your network infrastructure with security solutions that intelligently recognize known and unknown threats and adapt to prevent them in real time.

Essentials of Zero Trust infrastructure

Use a cloud workload protection solution
Having a comprehensive view across all your cloud workloads is critical to keeping your resources safe in a highly distributed environment.

• Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection across your hybrid workloads.

• With the Azure Security Center, you can identify and track vulnerabilities, harden resources and services with the Azure Security Benchmark, and detect and resolve threats to resources, workloads, and services.

• The central feature that enables you to achieve those goals is Secure Score. Azure Security Center continually assesses your resources, subscriptions, and organization for security issues. It then aggregates all the findings into a single score so that you can tell, at a glance, your current security situation: the higher the score, the lower the identified risk level.

Assign app identity
Assigning an app identity is critical to securing communication between different services.

• Azure supports managed identity from Microsoft Entra ID, making it easy to access other Microsoft Entra ID-protected resources such as Azure Key Vault, which is used to store secrets and credentials.

• Managed identities provide an identity for applications to use when connecting to resources that support Microsoft Entra ID authentication. Applications may use the managed identity to obtain Microsoft Entra ID tokens. For example, an application may use a managed identity to access resources like Azure Key Vault, where developers can store credentials in a secure manner, or to access storage accounts.

• You can use managed identities to authenticate to any resource that supports Microsoft Entra ID authentication, including your own applications. You don’t need to manage credentials. Credentials are not even accessible to you, and managed identities can be used without any additional cost.

Segment user and resource access
Segmenting access for each workload helps prevent network-based breaches.

• Microsoft Azure offers many ways to segment workloads to manage user and resource access. Within Azure, you can isolate resources at the subscription level with Virtual Networks (VNets), VNet peering rules, Network Security Groups (NSGs), Application Security Groups (ASGs), and Azure Firewalls. You can create an Azure Virtual Network to help your Azure resources communicate together securely.

• Choose the right network segmentation approach for your organization. Common patterns include:

  • Single Virtual Network: In this pattern, all the components of your workload or, in some cases, your entire IT footprint is put inside a single virtual network. This pattern is possible if you’re operating solely in a single region since a virtual network can’t span multiple regions.

  • Multiple Virtual Networks with peering: This pattern is an extension of the previous pattern where you have multiple virtual networks with potential peering connections. You might opt for this pattern to group applications into separate virtual networks or if you need presence in multiple Azure regions.

  • Multiple Virtual Networks in a hub-and-spoke model: This pattern is a more advanced virtual network organization where you choose a virtual network in a given region as the hub for all the other virtual networks in that region. The connectivity between the hub virtual network and its spokes of other virtual networks is achieved by using Azure virtual network peering. All traffic passes through the hub virtual network, and it can act as a gateway to other hubs in different regions.

Implement threat detection tools
Preventing, detecting, investigating, and responding to advanced threats across your hybrid infrastructure will help improve your security posture.

• Microsoft Defender for Endpoint Advanced Threat Protection is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.

• Defender for Endpoint uses a combination of technology including endpoint behavioral sensors, cloud security analytics, and threat intelligence.

• Built-in threat and vulnerability management uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.

Deploy a Security Information and Event Management solution
As the value of digital information continues to increase, so do the number and sophistication of attacks. Security information and event management (SIEM) solutions provide a central way to mitigate threats across the entire estate.

• Microsoft Sentinel is a cloud-native SIEM and security orchestration, automation, and response (SOAR) solution that will allow your Security Operations Center (SOC) to work from a single pane of glass to monitor security events across your enterprise.

• Microsoft Sentinel aggregates data from all sources, including users, applications, servers, and devices running on-premises or in any cloud, letting you reason over millions of records in a few seconds. It includes built-in connectors for easy onboarding of popular security solutions. Collect data from any source with support for open standard formats like CEF and Syslog.

• Microsoft Sentinel integrates with many enterprise tools, including best-of-breed security products, homegrown tools, and other systems like ServiceNow. It provides an extensible architecture to support custom collectors through REST API and advanced queries. It enables you to bring your own insights, tailored detections, machine learning models, and threat intelligence.

Implement behavioral analytics
When you create new infrastructure, you need to ensure that you also establish rules for monitoring and raising alerts. This is key for identifying when a resource is displaying unexpected behavior.

• Microsoft Defender for Identity enables signal collection to identify, detect, and investigate advanced threats, compromised identity, and malicious insider actions directed at your organization.

• Microsoft Defender for Identity helps eliminate on-premises vulnerabilities to prevent attacks before they happen, helps security operations teams use their time effectively by understanding the greatest threats, and prioritizes information to focus on actual threats, not false signals.
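CEF over Syslog is the open format named above for feeding third-party devices into a SIEM. A collector has to split the seven pipe-delimited header fields while honouring the backslash escapes the format requires (`\|` in the header, `\=` in extension values) before any detection can run. The added example below (not Sentinel's connector or query language) parses constructed Syslog lines carrying CEF payloads from a fictional firewall and then applies one "tailored detection" over the result: three or more failed logins from one source within five minutes. The vendor, product, signature IDs, event names and addresses are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Syslog lines with CEF payloads from a fictional "Contoso NGFW".
# Line 4 escapes a pipe in the Name field; line 5 escapes '=' in an extension value.
SAMPLE_LINES = [
    "Jan 15 09:12:01 fw01 CEF:0|Contoso|NGFW|2.1|100|Login failed|5|src=203.0.113.10 suser=alice dst=10.0.0.5 msg=Bad password",
    "Jan 15 09:12:09 fw01 CEF:0|Contoso|NGFW|2.1|100|Login failed|5|src=203.0.113.10 suser=admin dst=10.0.0.5 msg=Bad password",
    "Jan 15 09:13:30 fw01 CEF:0|Contoso|NGFW|2.1|100|Login failed|5|src=203.0.113.10 suser=root dst=10.0.0.5 msg=Bad password",
    "Jan 15 09:14:02 fw01 CEF:0|Contoso|NGFW|2.1|200|Login success \\| MFA|3|src=198.51.100.7 suser=bob dst=10.0.0.5",
    "Jan 15 09:40:00 fw01 CEF:0|Contoso|NGFW|2.1|100|Login failed|5|src=198.51.100.7 suser=bob dst=10.0.0.5 msg=Bad password cs1=key\\=value",
    "Jan 15 09:41:00 fw01 kernel: not a CEF record, skipped by the parser",
]

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (CEF:.*)$")
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")


def _unescape_header(field: str) -> str:
    return field.replace("\\|", "|").replace("\\\\", "\\")


def parse_extension(ext: str) -> dict:
    """Split 'key=value key2=value with spaces' pairs; values may contain spaces
    and escaped '=' characters, so keys are located first and values sliced."""
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext))
    out = {}
    for i, m in enumerate(keys):
        start = m.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[start:end].strip().replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_cef(payload: str):
    """Parse 'CEF:Version|Vendor|Product|DevVersion|SigID|Name|Severity|Extension'."""
    if not payload.startswith("CEF:"):
        return None
    fields = re.split(r"(?<!\\)\|", payload[4:], maxsplit=7)   # split on unescaped pipes only
    if len(fields) != 8:
        return None
    event = dict(zip(HEADER_FIELDS, (_unescape_header(f) for f in fields[:7])))
    event["extension"] = parse_extension(fields[7])
    return event


def parse_syslog_cef(lines):
    """Extract CEF events from Syslog lines; non-CEF lines are skipped."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        event = parse_cef(m.group(3))
        if event is None:
            continue
        # Syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
        event["time"] = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        event["host"] = m.group(2)
        events.append(event)
    return events


def detect_failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Alert once per source that logs >= threshold failures inside a sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["name"] == "Login failed":
            by_src[e["extension"].get("src", "?")].append(e["time"])
    alerts = []
    for src, times in sorted(by_src.items()):
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append({"src": src, "failures": len(times), "first": times[i]})
                break
    return alerts


if __name__ == "__main__":
    parsed = parse_syslog_cef(SAMPLE_LINES)
    print(f"parsed {len(parsed)} CEF events")
    for a in detect_failed_login_bursts(parsed):
        print("burst of failed logins from", a["src"])
```

Getting the escaping right matters for detection fidelity: a naive `split("|")` would shift every field of the MFA event by one, and a naive `split("=")` would swallow part of any message containing an equals sign, silently corrupting the fields a rule keys on.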

Set up automated investigations
Security operations teams face challenges in addressing the multitude of alerts that arise from the never-ending flow of threats. Implementing a solution with automated investigation and remediation (AIR) capabilities can help your security operations team address threats more efficiently and effectively.

• Microsoft Defender for Endpoint Advanced Threat Protection includes automated investigation and remediation capabilities, which can significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives.

• The technology in automated investigation uses various inspection algorithms and is based on processes that are used by security analysts. AIR capabilities are designed to examine alerts and take immediate action to resolve breaches. AIR capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives.

• All remediation actions, whether pending or completed, are tracked in the Action center. The Action center is where pending actions are approved (or rejected) and completed actions can be undone if needed.

Govern access to privileged resources
Personnel should use administrative access sparingly. When users require administrative functions, they should receive temporary administrative access, based on the principle of just-in-time network access.

• Privileged Identity Management (PIM) in Microsoft Entra ID enables you to discover, restrict, and monitor access rights for privileged identity. PIM can help ensure your admin accounts stay secure by limiting access to critical operations using just-in-time, time-bound, and role-based access control.

• Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources.

• With PIM, organizations can give users just-in-time privileged access to Azure and Microsoft Entra ID resources and can oversee what those users are doing with their privileged access.

Learn more about solutions for Zero Trust infrastructure
Azure Security Center
Managed identities
Microsoft Defender for Endpoint Advanced Threat Protection
Microsoft Sentinel
Microsoft Defender for Identity
Automated investigations
Privileged Identity Management (PIM)

Find out more about securing Infrastructure with Zero Trust
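The three PIM properties named above (just-in-time, time-bound, approval-based) are easiest to see as a small state machine: a user holds an eligible assignment rather than the role itself, an activation request is checked against the assignment's maximum duration and approval requirement, and the resulting active assignment carries an expiry after which the role check fails again. The added example below models exactly that and keeps an audit trail of every request, granted or denied; it is not PIM's own code. The eligibility list, the users, the durations and the audit format are constructed, and the real service's request objects are not reproduced.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Eligibility:
    """A standing, eligible assignment: the user may activate the role, not hold it."""
    user: str
    role: str
    max_hours: int
    requires_approval: bool


@dataclass
class Activation:
    """A time-bound active assignment created by an approved request."""
    user: str
    role: str
    start: datetime
    end: datetime
    justification: str
    approved_by: Optional[str]


class PimSimulator:
    """Toy model of just-in-time, time-bound, approval-gated role activation."""

    def __init__(self, eligible):
        self.eligible = {(e.user, e.role): e for e in eligible}
        self.activations = []
        self.audit = []      # every request, granted or denied, with the reason

    def _deny(self, user, role, reason):
        self.audit.append(("denied", user, role, reason))
        return None

    def request_activation(self, user, role, now, hours, justification, approver=None):
        """Return an Activation, or None (with the reason logged) when the request is refused."""
        elig = self.eligible.get((user, role))
        if elig is None:
            return self._deny(user, role, "not eligible for role")
        if not justification.strip():
            return self._deny(user, role, "justification required")
        if hours <= 0 or hours > elig.max_hours:
            return self._deny(user, role, f"duration exceeds {elig.max_hours}h maximum")
        if elig.requires_approval and (approver is None or approver == user):
            return self._deny(user, role, "independent approval required")
        act = Activation(user, role, now, now + timedelta(hours=hours), justification,
                         approver if elig.requires_approval else None)
        self.activations.append(act)
        self.audit.append(("granted", user, role, f"until {act.end.isoformat()}"))
        return act

    def has_role(self, user, role, now) -> bool:
        """The role is held only inside an active window; eligibility alone is not enough."""
        return any(a.user == user and a.role == role and a.start <= now < a.end
                   for a in self.activations)

    def active_roles(self, now):
        return sorted((a.user, a.role) for a in self.activations if a.start <= now < a.end)


# Constructed eligibility list. The role names are real Entra/Azure role names;
# the users and limits are invented.
ELIGIBLE = [
    Eligibility("alice", "Global Administrator", max_hours=2, requires_approval=True),
    Eligibility("bob", "Contributor", max_hours=8, requires_approval=False),
]


if __name__ == "__main__":
    now = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    pim = PimSimulator(ELIGIBLE)
    pim.request_activation("alice", "Global Administrator", now, 1, "INC-1001", approver="carol")
    print("alice is GA now:", pim.has_role("alice", "Global Administrator", now))
    print("alice is GA in 2h:", pim.has_role("alice", "Global Administrator", now + timedelta(hours=2)))
    for entry in pim.audit:
        print(entry)
```

Two details carry most of the security value: self-approval is refused even when the requester is eligible, and the audit log records denials as well as grants, which is what lets a reviewer later answer "who tried to become Global Administrator and why".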

Making Zero Trust a reality with help from Microsoft

Microsoft advocates for Zero Trust in part because the framework has increased security and efficiency throughout the company’s own environment. Based on that experience, Microsoft builds Zero Trust capabilities that integrate with and expand on its technology solutions, such as granular access controls, network isolation by design, and AI-based detection of suspicious access attempts. In addition, Microsoft security features and services are designed to work together, helping IT teams simplify the adoption and ongoing management of their security technology stack.

Most importantly, Microsoft recognizes that Zero Trust is a journey, not a destination. Because it has implications for every aspect of IT security, it can seem overwhelming at first. A phased approach targeting high-impact, low-effort areas first can lead to rapid improvements and clarify which steps to take next. You can build a larger strategy as you go. The important thing is to get started.

Successfully implementing Zero Trust can help improve security in a world where work relies on devices, apps, and data outside perimeter-based controls. It helps reduce the risk of data breaches and keep your business operating 24/7.

Discover how Microsoft technology and guidance can help you implement the Zero Trust framework.

Learn more >

©2023 Microsoft Corporation. All rights reserved. This document is provided “as-is.” Information and views
expressed in this document, including URL and other Internet website references, may change without notice. You
bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in
any Microsoft product. You may copy and use this document for your internal, reference purposes.
