The traditional network perimeter — a firewall that keeps the bad guys out while trusting everything inside — was already crumbling before widespread remote work. Now it's genuinely obsolete. Zero-trust replaces implicit trust based on network location with continuous, explicit verification of every user, device, and request regardless of where it originates.
Microsoft's implementation, centred on Entra ID (formerly Azure AD), Intune, and Defender for Endpoint, provides a mature, integrated path to zero-trust for organisations already in the M365 ecosystem.
The Three Pillars of Zero-Trust
- Verify explicitly — authenticate and authorise every request using all available signals: identity, device compliance, location, risk score, service being accessed.
- Use least-privilege access — grant only the permissions needed for the task, for the minimum time required. Just-in-time and just-enough-access.
- Assume breach — design as if the environment is already compromised. Minimise blast radius, segment access, detect lateral movement.
Identity: The New Control Plane
In a zero-trust model, identity replaces the network as the primary security boundary. Entra ID handles this through:
- Conditional Access policies — rules that evaluate signals at sign-in time and determine whether to grant access, block, or require step-up authentication. Key conditions include: user/group, device platform, device compliance state, location (named network vs anonymous proxy), sign-in risk (ML-based, from Entra ID Protection), and the application being accessed.
- Phishing-resistant MFA — FIDO2 security keys (YubiKey, Feitian) or Windows Hello for Business provide authentication that cannot be intercepted by an adversary-in-the-middle attack, unlike TOTP and SMS codes.
- Privileged Identity Management (PIM) — admin roles are not permanently assigned. Eligible users must activate them on-demand, with MFA, justification, and an approval workflow. The activation window is time-limited (typically 1–4 hours).
Device Compliance: The Trust Signal
Intune compliance policies define what "compliant" means for each device platform. A compliant device might require:
- Minimum OS version (e.g., Windows 11 22H2+)
- BitLocker encryption enabled
- Defender real-time protection on and signature up to date
- Firewall enabled on all profiles
- No jailbreak or root (for iOS/Android)
- Defender for Endpoint risk score below Medium
The device compliance state is exposed as a signal in Conditional Access. You can create a policy that requires a compliant device to access Exchange Online, SharePoint, or any registered application — blocking access from personal or unmanaged devices regardless of whether credentials are valid.
Application Access: Beyond VPN
Traditional VPN grants broad network access. Zero-trust replaces this with application-specific access through Entra Private Access (part of the Global Secure Access product family) or with Entra Application Proxy for internal web applications. Users authenticate to Entra ID and receive access to specific applications — not the underlying network segment. An attacker who compromises a user's session cannot pivot to other network resources.
Endpoint Detection: Assume Breach
Microsoft Defender for Endpoint (MDE) provides the device-side component of zero-trust. Key capabilities:
- Attack surface reduction (ASR) rules — block Office applications from spawning child processes, block credential theft from LSASS, prevent executables running from email attachments
- Tamper protection — prevents local admin accounts or malware from disabling Defender
- Device risk score — fed into Conditional Access; a device exhibiting suspicious behaviour gets its risk score elevated and CA blocks further access automatically
- Automated investigation and remediation — MDE auto-isolates devices showing lateral movement indicators and remediates confirmed threats without analyst intervention
Implementation Sequence
- Enable Entra ID Protection and configure user/sign-in risk policies
- Enrol all devices in Intune; define compliance policies per platform
- Deploy Defender for Endpoint and connect it to Intune (for device risk signals)
- Create Conditional Access policies (start in Report-only mode, analyse impact, then enforce)
- Enable PIM for all privileged roles; remove permanent Global Admin assignments
- Migrate remote access from VPN to Entra Private Access for internal apps
- Enable Continuous Access Evaluation (CAE) — revokes tokens in near-real-time when risk changes
"Zero-trust is not a product you buy — it's an architecture you build. Entra ID and Intune give you the building blocks; the configuration defines whether you're actually zero-trust."
Sripadatech designs and implements zero-trust architectures for SMBs and mid-market organisations. Contact us to assess your current posture and map a path to zero-trust.