In this module

EI0.7 Zero Trust and Identity

50-70 minutes · Module 0 · Free

Operational Objective

Your CISO has mandated a "Zero Trust architecture." The vendor presentations were full of diagrams and buzzwords but short on implementation detail. You need to understand what Zero Trust actually means when applied to Entra ID — not as an abstract philosophy but as a specific set of conditional access policies, authentication requirements, device controls, and monitoring practices that you can deploy and verify.

Deliverable: A clear understanding of how the three Zero Trust principles — verify explicitly, use least privilege access, and assume breach — translate into specific Entra ID configurations and the modules in this course that implement each one.

⏱ Estimated completion: 15 minutes

Figure EI0.7 — Operational workflow from input through documented output.

Figure — Zero Trust and Identity.

What Zero Trust means in practice

Zero Trust is not a product you buy. It is not a single technology. It is not a compliance checkbox. Zero Trust is an architectural approach to security that replaces implicit trust with explicit verification on every access request. The phrase was coined by Forrester Research in 2010, but the principles are older than the name: never trust, always verify.

In the context of identity security, Zero Trust means that a user being inside the corporate network does not grant them trusted status. A user having successfully authenticated yesterday does not mean they should be trusted today. A user having a legitimate job role does not mean they should have access to every resource that role could theoretically need. Every access request is evaluated independently based on the available signals — who is requesting access, what they are accessing, from which device, from which location, at what risk level — and the minimum access necessary is granted for the minimum time necessary.

This is not theoretical. The Entra ID features covered in this course are the implementation layer for Zero Trust identity. Conditional access policies are the enforcement engine. Identity Protection provides the real-time risk signals. Authentication methods determine the strength of identity verification. PIM enforces just-in-time access for privileged roles. Token protection ensures tokens cannot be separated from the devices that earned them.

Verify explicitly: every signal matters

The first Zero Trust principle is verify explicitly — authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.

In Entra ID, "verify explicitly" means conditional access policies that evaluate multiple signals simultaneously, not just whether the user has a valid credential. A conditional access policy that simply requires MFA for all users is a start, but it is not Zero Trust — it verifies one signal (the user can complete MFA) and ignores everything else.

// KQL: Verify that conditional access policies are evaluating multiple signals
// This query identifies sign-ins where no conditional access policy applied
// — a gap in your Zero Trust enforcement
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0  // Successful sign-ins only
| where ConditionalAccessStatus == "notApplied"
| project TimeGenerated, UserPrincipalName, AppDisplayName, 
    IPAddress, Location, DeviceDetail, RiskLevelDuringSignIn
| order by TimeGenerated desc

Expand for Deeper Context

A Zero Trust conditional access architecture evaluates the full signal set on every sign-in: the user's identity and group membership (who is this person and what is their role), the authentication method strength (did they use a phishing-resistant credential or a password with SMS), the device compliance state (is the device managed, patched, encrypted, and running endpoint protection), the network location (is this a known office network, a known VPN endpoint, or an unknown location), the sign-in risk level (does Identity Protection detect anything anomalous about this authentication attempt), and the user risk level (has this account shown signs of compromise in recent activity).

The policy decisions are proportional to the combined signals. A user authenticating with a FIDO2 key from a compliant device on the corporate network with no risk signals gets immediate access. The same user authenticating with a password from an unmanaged device in a country where the organization has no operations with a medium risk signal gets blocked — or at minimum, required to satisfy additional verification and restricted to browser-only access with no download capability.

EI3 (Conditional Access Architecture) teaches you to design policies that evaluate the full signal set. EI4 (Stopping Real Attacks) teaches you to build the specific policy combinations that stop specific attack techniques. EI8 (Validation and Troubleshooting) teaches you to verify that the policies are actually evaluating the signals correctly.

This query is the simplest Zero Trust verification: find every successful sign-in that was not evaluated by any conditional access policy. Every result represents a gap in your verify-explicitly coverage. EI1 teaches you to read these results and EI8 teaches you to close the gaps.

Use least privilege access: limit the blast radius

The second Zero Trust principle is least privilege — provide just enough access for the user to complete their task, and no more. When combined with just-in-time access, this means privileges exist only when they are actively needed and are automatically removed when the task is complete.

In Entra ID, least privilege manifests in several layers. At the directory role level, PIM (EI6) replaces standing administrator assignments with eligible assignments that require explicit activation. A user who needs Global Administrator access to perform a specific task activates the role through PIM — providing a justification, completing MFA, and receiving the role for a limited duration (typically 1-4 hours). When the activation expires, the role is automatically removed. The user has Global Administrator access for the minimum time necessary, not permanently.

// KQL: Find users with standing (permanent) privileged role assignments
// — violations of the least privilege principle
AuditLogs
| where OperationName == "Add member to role"
| where TargetResources[0].modifiedProperties has "permanent"
| project TimeGenerated, 
    InitiatedBy.user.userPrincipalName,
    TargetResources[0].userPrincipalName,
    TargetResources[0].modifiedProperties
| order by TimeGenerated desc

Expand for Deeper Context

At the application permission level, the principle of least privilege means applications should request only the permissions they actually need. An application that reads user profile information should request User.Read, not User.ReadWrite.All. An application that sends notifications should request Mail.Send for a specific mailbox, not Mail.ReadWrite for all mailboxes. EI9 (Application Registration Security) covers how to audit and remediate excessive application permissions.

At the user access level, entitlement management and access reviews (EI12) ensure that group memberships, application assignments, and resource access remain appropriate over time. Users accumulate permissions as they change roles, join projects, and receive temporary access that is never revoked. Access reviews automate the process of asking managers and resource owners "does this person still need this access?" — and automatically removing access when the answer is no or when nobody responds.

At the conditional access level, session controls (EI3) limit what a user can do within a session. The Conditional Access App Control integration with Defender for Cloud Apps can enforce download restrictions, watermark documents, and monitor session activity — even for users who have legitimate access to the resource.

Assume breach: detect and contain

The third Zero Trust principle is assume breach — minimize blast radius and segment access. Verify end-to-end encryption. Use analytics to get visibility, drive threat detection, and improve defenses.

This principle is the most uncomfortable for organizations to internalize because it requires accepting that the preventive controls will eventually fail. No matter how strong your MFA, how comprehensive your conditional access policies, and how restrictive your consent governance — eventually an attacker will get in. The question is not whether a breach will occur but how quickly you detect it and how much damage the attacker can do before containment.

// KQL: Find accounts flagged as high risk that have not been remediated
// — the assume breach principle requires acting on risk signals
AADRiskyUsers
| where RiskLevel == "high"
| where RiskState == "atRisk"  // Not yet remediated
| project RiskLastUpdatedDateTime, UserPrincipalName, 
    RiskLevel, RiskDetail, RiskState
| order by RiskLastUpdatedDateTime desc

Expand for Deeper Context

In Entra ID, assume breach drives three categories of controls. First, detection: Identity Protection risk signals, Sentinel analytics rules, and Defender XDR alerts that identify compromised accounts in real time (EI5, EI13, EI16). Second, automated response: Defender XDR automatic attack disruption that disables compromised accounts within seconds of detection, and conditional access risk policies that force re-authentication when risk is elevated (EI5, EI16). Third, blast radius reduction: PIM eliminates standing privileges so a compromised admin account does not have active permissions unless the attacker can also activate the role (EI6), and access reviews remove excessive permissions so a compromised standard account has access only to what the user legitimately needs (EI12).

The assume breach mindset also means you design your detection rules to catch the middle and late stages of the kill chain (stages 3-6), not just initial access. If the attacker bypasses your initial access controls, your persistence detection rules should catch the inbox rule creation. If they establish persistence, your privilege escalation detection rules should catch the role modification. If they escalate, your exfiltration detection rules should catch the unusual data access pattern.

The Zero Trust maturity continuum

Zero Trust is not a binary state — you do not wake up one morning with a Zero Trust architecture. It is a maturity continuum where each improvement reduces risk and each module in this course moves you along the path.

The starting point for most organizations is implicit trust: passwords with optional MFA, no conditional access, standing admin assignments, unrestricted application consent, no sign-in log monitoring. Every access request from every user is trusted after a single authentication event. At this level, any of the seven attack techniques described in EI0.5 will succeed. This is where the majority of small and mid-size organizations sit today — and it is the level at which the breaches in EI0.8 occurred.

Expand for Deeper Context

The first level of Zero Trust maturity is basic verification: MFA for all users, conditional access policies that require MFA and block legacy authentication. This stops the most common attacks (password spray, credential stuffing via legacy protocols) but does not address AiTM, token theft, or consent phishing. The investment is minimal — MFA and conditional access are included in the P1 license that comes with E3 and Business Premium — and the security improvement is dramatic. Most organizations can reach this level in two to four weeks. Modules EI2-EI4 cover the implementation.

The second level is signal-aware access: Identity Protection risk-based policies, device compliance requirements, network-aware policies. Access decisions now consider context, not just credentials — a sign-in from an unusual location triggers additional verification, a sign-in from a non-compliant device is restricted to browser-only access, and a user flagged as risky must re-authenticate with a stronger method. This stops most opportunistic attacks but does not address targeted attacks by sophisticated adversaries who can operate from expected locations or compromise managed devices. Modules EI3 and EI5 cover the signal-aware layer.

The third level is comprehensive control: phishing-resistant authentication for all privileged and high-risk users, token protection binding tokens to devices, PIM for all privileged directory roles (not just Global Admin), consent governance blocking all user consent, workload identity security with managed identities and conditional access for service principals, and active detection engineering with KQL-based analytics rules running in Sentinel. This is the full implementation of the controls taught in this course. An organization at this level has closed the gaps that enabled all three case study breaches.

The fourth level is continuous verification: every access request is evaluated in real time with all available signals, access is granted for the minimum time necessary, every anomaly triggers automated investigation, and the architecture is resilient to the compromise of any single control. Automatic attack disruption contains compromised accounts within seconds. Continuous access evaluation revokes tokens mid-session when risk changes. Access reviews continuously prune excessive permissions. The security architecture is tested regularly through tabletop exercises and the break-glass accounts are verified quarterly. This is the aspirational end state that EI17 (the capstone architecture) designs toward.

Try it yourself

Try It — Assess Your Zero Trust Maturity

Exercise: For your environment (production or developer tenant), answer these questions to estimate your current Zero Trust maturity level:

1. Is MFA required for all users on all applications? (Basic verification) 2. Do your conditional access policies evaluate device compliance and network location? (Signal-aware access) 3. Is legacy authentication blocked? (Basic verification) 4. Is Identity Protection enabled with risk-based policies? (Signal-aware access) 5. Are privileged roles managed through PIM with just-in-time activation? (Comprehensive control) 6. Is user consent for applications blocked with admin consent workflow? (Comprehensive control) 7. Are sign-in logs routed to a SIEM with active detection rules? (Comprehensive control) 8. Is phishing-resistant authentication deployed for privileged and high-risk users? (Comprehensive control)

Count your "yes" answers: 0-2 = implicit trust, 3-4 = basic verification, 5-6 = signal-aware access, 7-8 = comprehensive control. This tells you where you are and which modules to prioritize.

⚠ Compliance Myth: "Zero Trust means we do not trust any users"

The myth: Zero Trust means treating every user as a potential attacker. Our employees will feel surveilled and mistrusted.

The reality: Zero Trust does not mean distrust — it means verified trust. Users who authenticate with strong credentials from compliant devices in expected locations experience seamless access. The additional verification only triggers when something is unusual — a new location, a new device, an elevated risk signal. Done well, Zero Trust is invisible to users in their normal workflow and only introduces friction when the context genuinely warrants it. The goal is to protect users from having their accounts exploited, not to obstruct their work. EI3 covers how to design conditional access policies that balance security enforcement with user productivity.

📋 Investigation Artifact — Zero Trust Identity Implementation Checklist

Use this checklist to track your progression through the Zero Trust maturity continuum:

Zero Trust Identity Implementation Tracker — [Organization Name]

Verify Explicitly (EI2, EI3, EI4, EI5, EI8):

- MFA required for all users on all applications: [ ]

- Phishing-resistant MFA deployed for admins and high-risk users: [ ]

- Conditional access evaluates device compliance: [ ]

- Conditional access evaluates network location: [ ]

- Identity Protection risk-based policies active: [ ]

- Legacy authentication blocked: [ ]

- Report-only policies reviewed and promoted to enforcing: [ ]

Least Privilege Access (EI6, EI9, EI12):

- PIM enabled for all privileged directory roles: [ ]

- Standing Global Admin assignments eliminated: [ ]

- Application permissions reviewed and reduced to minimum: [ ]

- User consent blocked, admin consent workflow active: [ ]

- Access reviews configured for privileged roles: [ ]

- Access reviews configured for sensitive group memberships: [ ]

Assume Breach (EI5, EI13, EI14, EI16):

- Sign-in logs routed to Sentinel or SIEM: [ ]

- Identity detection rules deployed and active: [ ]

- Automatic attack disruption configured in Defender XDR: [ ]

- Risky user review process defined and followed: [ ]

- Break-glass accounts tested and monitored: [ ]

- Identity incident response procedure documented: [ ]

Compliance mapping: This checklist supports NIST CSF 2.0 PR.AA (Identity Management, Authentication, and Access Control), SOC 2 CC6.1-6.3, ISO 27001 A.9 (Access Control), and CISA Zero Trust Maturity Model.

Decision point

You are reviewing NE's Entra ID security posture. You find 4 accounts with Global Administrator role, but NE's policy says maximum 2. The extra 2 were added during the AiTM incident for emergency response and never removed. Do you remove them?

Remove them — but through the proper process, not unilaterally. Notify the account owners that their emergency GA assignment is being revoked, confirm they have their standard role assignments restored, and document the removal with the rationale ('emergency assignment during INC-NE-2026-0227-001, no longer required'). Then add a PIR action item: 'Implement PIM time-limited role assignments for future incident response — emergency GA assignments auto-expire after 8 hours rather than persisting indefinitely.' The stale emergency assignment is a governance failure, not a technical failure — the fix is procedural.

NE's Entra ID security audit reveals: 4 Global Administrators (policy says 2), 23 users with Global Reader from a completed project, a break-glass account with no monitoring rule, and 3 guest accounts with no expiry date. Which finding is the highest priority?

The 4 Global Administrators — 2 extra GAs doubles the attack surface.

The break-glass account with no monitoring rule. The 4 GAs and stale Global Readers are governance issues that should be remediated — but they are existing conditions, not active threats. The unmonitored break-glass account is a critical detection gap: if the break-glass account is compromised or misused, the SOC has no alert. A break-glass account is excluded from CA policies by design — it is the most powerful and least restricted account in the tenant. Without monitoring, its compromise or misuse is invisible. Deploy the monitoring rule (any sign-in to the break-glass account = Severity 1 alert) before addressing the other findings.

The 23 stale Global Readers — this is the largest number of affected accounts.

The 3 guest accounts — external accounts without expiry are the highest risk.

You've mapped the identity threat landscape and learned to read sign-in logs.

EI0 established that every cloud attack starts with identity. EI1 took you through the signal that matters most — interactive, non-interactive, service principal, and managed identity sign-ins. Now you engineer the defences.

17 engineering modules — authentication methods, conditional access architecture, Identity Protection, PIM, token protection, application governance, and detection rules
The Defense Design Method — the six-step framework applied to every identity control you'll build
EI18 Capstone — Identity Security Architecture Design — design complete identity architectures for three realistic organisations (SMB, mid-market, regulated enterprise)
Identity Security Toolkit lab pack — deployable conditional access policies, PIM configurations, and Identity Protection risk rules
Cross-domain detection (EI16) — email-to-identity correlation and the full phishing-to-inbox-rule attack chain

Unlock the full course with Premium See Full Syllabus

← Previous Next →