MS-900 | Chapter 87 of 104 | Objective 3.3

Zero Trust Security Principles in Microsoft 365

Zero Trust is a security model that assumes breach and verifies every access request, regardless of origin. This chapter covers the core principles of Zero Trust as implemented in Microsoft 365, including verify explicitly, least-privilege access, and assume breach. For the MS-900 exam, approximately 10-15% of questions in the Security domain (Objective 3.3) test your understanding of Zero Trust principles, their application to Microsoft 365 services, and how they differ from traditional perimeter-based security. Mastering this topic is essential for passing the exam.

25 min read
Intermediate
Updated May 31, 2026

Zero Trust: Embassy Badge System

Imagine a high-security embassy with a traditional perimeter: a single guarded gate. Everyone inside the gate is trusted implicitly—until a bomb goes off. Zero Trust redesigns the embassy: remove the single gate; instead, every door has its own badge reader that checks identity, clearance, and context before allowing entry. A visitor enters the lobby and receives a temporary badge with a photo, a time-bound QR code, and a list of allowed rooms. To enter the records room, they must tap the badge, which sends a request to the central security server. The server verifies: Is this badge active? Is the person authorized for this room at this hour? Is there any alert about this badge being stolen? If all checks pass, the door unlocks for 30 seconds. If the visitor tries to enter the server room, the request is denied even though they are already inside the building. The security server logs every access attempt and flags anomalies—like a badge used in two rooms simultaneously. This mirrors Zero Trust in Microsoft 365: no implicit trust, continuous verification, least-privilege access, and assumption of breach. Every request—whether for email, SharePoint, or Teams—is treated as if it originates from an open network, with identity, device health, location, and data sensitivity evaluated in real time.

How It Actually Works

What Is Zero Trust and Why Does It Exist?

Zero Trust is a security framework that eliminates implicit trust from any user, device, or network. Traditional security relied on a strong perimeter—like a castle wall—trusting everything inside. However, modern threats like phishing, compromised credentials, insider threats, and cloud adoption render this model obsolete. Zero Trust was pioneered by John Kindervag at Forrester Research in 2010 and has since been adopted by Microsoft as a core security philosophy.

In Microsoft 365, Zero Trust is not a product but a set of principles that guide how security features are designed and configured. The three guiding principles are:

- Verify explicitly: Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
- Use least-privilege access: Limit user access with Just-In-Time (JIT) and Just-Enough-Access (JEA), risk-based adaptive policies, and data protection.
- Assume breach: Minimize blast radius for breaches; segment access by network, user, devices, and application. Use encryption end-to-end, analytics to detect threats, and automate response.

These principles apply to all Microsoft 365 workloads: Exchange Online, SharePoint Online, Teams, OneDrive, and more.

How Zero Trust Works Internally in Microsoft 365

Microsoft 365 implements Zero Trust through a layered architecture:

1. Identity Layer: Azure Active Directory (Azure AD) is the control plane. Every access request is authenticated and authorized using Azure AD conditional access policies. The request includes signals like:
   - User identity and group membership
   - Device compliance (Intune managed, compliant, or domain-joined)
   - Location (IP address, country, trusted network)
   - Application sensitivity (e.g., accessing Admin portal vs. public SharePoint site)
   - Real-time risk from Azure AD Identity Protection (user risk, sign-in risk)

2. Device Layer: Microsoft Intune manages device compliance. Devices must meet policies (e.g., encryption, password, OS version) to be considered compliant. Non-compliant devices may be blocked or get limited access.

3. Network Layer: Conditional access policies can require that traffic comes from specific locations or block anonymous IPs. Microsoft 365 endpoints are accessed over encrypted TLS 1.2+ connections.

4. Data Layer: Microsoft Information Protection (MIP) labels and protects data at rest and in transit. Data Loss Prevention (DLP) policies prevent sensitive data from leaving the organization.

5. Application Layer: Cloud App Security (now part of Microsoft 365 Defender) provides visibility into app usage, discovers Shadow IT, and enforces session policies.

Key Components and Defaults

Zero Trust in Microsoft 365 relies on several key components:

Conditional Access: The primary policy engine. Policies are evaluated at every sign-in. Defaults include:

- Require MFA for all users (recommended baseline)
- Block legacy authentication (e.g., POP3, IMAP, SMTP) because these protocols don't support MFA
- Require compliant or hybrid Azure AD joined devices for sensitive apps
- Session risk policies: force password change when high user risk is detected

Identity Protection: Uses machine learning to detect compromised identities. Signals include leaked credentials, impossible travel, atypical locations, and anonymous IP addresses. Risk levels: Low, Medium, High.

Privileged Identity Management (PIM): Implements just-in-time access. Users request elevation to privileged roles for a limited time (e.g., 1 hour). Requires approval and justification. Activations are audited.

Microsoft 365 Defender: Correlates signals across identity, endpoint, email, and apps. Provides automated investigation and response.

Configuration and Verification Commands

While MS-900 does not require deep PowerShell knowledge, understanding how policies are configured helps. Use the Azure AD admin center (https://aad.portal.azure.com) to manage conditional access. For example, to create a policy requiring MFA for all users:

1. Navigate to Azure AD > Security > Conditional Access > New policy
2. Name: "Require MFA for all users"
3. Assignments: Users > All users
4. Cloud apps: All cloud apps
5. Conditions: (optional) exclude specific locations
6. Access controls: Grant > Require multi-factor authentication
7. Enable policy > Create

Verification: Use the "What If" tool in Conditional Access to simulate sign-ins. Alternatively, check sign-in logs: Azure AD > Monitoring > Sign-ins. Look for "MFA requirement" in the details.

Interaction with Related Technologies

Zero Trust interacts with:

Microsoft 365 Defender: Consumes signals from Conditional Access and Identity Protection to provide unified threat protection.

Microsoft Sentinel: SIEM that ingests Azure AD logs for advanced analytics.

Azure AD Application Proxy: Provides secure remote access to on-premises apps without a VPN, enforcing conditional access policies.

Microsoft Endpoint Manager: Enforces device compliance policies that Conditional Access uses.

Exam-Relevant Details

The three principles of Zero Trust are: Verify explicitly, Use least-privilege access, Assume breach.

Legacy authentication (POP3, IMAP, SMTP, etc.) is a common attack vector because it doesn't support MFA. Microsoft recommends blocking it via Conditional Access.

Conditional Access is the policy engine for Zero Trust in Microsoft 365.

Identity Protection provides risk-based Conditional Access (e.g., require MFA if sign-in risk is medium or higher).

Privileged Identity Management (PIM) provides just-in-time privileged access, which aligns with least-privilege access.

Zero Trust is NOT a product; it is a security model.

The blast radius concept: if a breach occurs, limit damage by segmenting access.

Microsegmentation is a network-level Zero Trust concept, but in Microsoft 365, it's applied via app-level access policies.

Common Exam Traps

Trap: Choosing "Require MFA for all users" as the only Zero Trust policy. Reality: Zero Trust includes multiple layers beyond MFA, like device compliance and risk assessment.

Trap: Thinking Zero Trust replaces all other security measures. Reality: Zero Trust complements existing security like firewalls and antivirus.

Trap: Confusing "Conditional Access" with "Identity Protection". Identity Protection provides risk signals; Conditional Access enforces policies based on those signals.

Trap: Assuming Zero Trust means no trust at all. Reality: It means verify every request, not no trust.

Walk-Through

1. User requests access to resource

A user attempts to access a Microsoft 365 resource, such as an Exchange Online mailbox or a SharePoint site. The request originates from a client (Outlook, browser, Teams app) and includes the user's credentials and device signals. This triggers an authentication request to Azure AD.

2. Azure AD authenticates user identity

Azure AD validates the user's credentials (password, MFA token, or passwordless method). If the user is not known, access is denied. If valid, Azure AD generates a primary refresh token (PRT) for the device. The PRT is a JSON Web Token (JWT) that contains claims about the user and device.

3. Conditional Access policy evaluation

Azure AD evaluates all Conditional Access policies that apply to the user, device, application, and location. For each policy, the conditions (e.g., user group, location, device compliance, sign-in risk) are checked. If multiple policies apply, all must be satisfied. If a policy requires MFA, the user is prompted to provide an additional factor.

4. Device compliance check (if required)

If a policy requires a compliant device, Azure AD queries Microsoft Intune for the device's compliance status. Intune checks the device's health: encryption enabled, OS version up-to-date, no jailbreak/root, and other configured policies. The result is a boolean (compliant or not). Non-compliant devices may be blocked or redirected to enrollment.

5. Risk assessment by Identity Protection

Azure AD Identity Protection evaluates real-time risk signals: impossible travel (e.g., sign-in from New York then Tokyo in 5 minutes), anonymous IP address, leaked credentials, and atypical behavior. Risk levels are low, medium, or high. If risk is high, Conditional Access can force password change or block access.

6. Access granted with token and session

If all policies are satisfied, Azure AD issues an access token (JWT) to the client. The token includes claims that the resource (e.g., Exchange) can use to enforce data protection policies (e.g., MIP labels). The session is established, but continuous access evaluation (CAE) ensures that if a condition changes (e.g., device becomes non-compliant), the session can be terminated in near real-time.
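To make the evaluation rules of the walk-through (step 3: every matching policy must be satisfied) and the baseline policies listed under Key Components concrete, here is an added Python model. It is not Microsoft code and not the real Conditional Access engine; the SignIn signals, Policy fields, policy names and sample values are assumptions constructed to match the chapter.

```python
"""Simplified model of Conditional Access evaluation over one sign-in.
Added example, not Microsoft code: the real engine has many more signals."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}  # Identity Protection levels


@dataclass
class SignIn:
    """Signals Azure AD sees for one request (constructed sample values)."""
    user: str
    app: str                 # cloud app, e.g. "Exchange Online" or "Admin portal"
    client_app: str          # "modern" (supports MFA) or "legacy" (POP3/IMAP/SMTP basic auth)
    device_compliant: bool   # Intune compliance result (a boolean, as in step 4)
    sign_in_risk: str        # Identity Protection level: none/low/medium/high
    mfa_satisfied: bool      # whether a second factor was already provided


@dataclass
class Policy:
    """One Conditional Access policy: conditions plus grant/block controls."""
    name: str
    apps: Optional[Set[str]] = None          # None = all cloud apps
    client_apps: Optional[Set[str]] = None   # None = any client app type
    min_risk: Optional[str] = None           # applies when sign-in risk >= this level
    controls: Set[str] = field(default_factory=set)  # "mfa", "compliant_device", "block"


def applies(policy: Policy, s: SignIn) -> bool:
    """A policy is in scope only when every one of its conditions matches."""
    if policy.apps is not None and s.app not in policy.apps:
        return False
    if policy.client_apps is not None and s.client_app not in policy.client_apps:
        return False
    if policy.min_risk is not None and RISK_ORDER[s.sign_in_risk] < RISK_ORDER[policy.min_risk]:
        return False
    return True


def evaluate(policies: List[Policy], s: SignIn) -> Tuple[str, List[str], List[str]]:
    """Return (decision, matched policy names, unmet controls).

    All matching policies must be satisfied at once, and a single "block"
    control wins over any grant controls from other policies.
    """
    matched = [p for p in policies if applies(p, s)]
    required = set().union(*(p.controls for p in matched))
    names = [p.name for p in matched]
    if "block" in required:
        return "block", names, ["block"]
    unmet = []
    if "mfa" in required and not s.mfa_satisfied:
        unmet.append("mfa")
    if "compliant_device" in required and not s.device_compliant:
        unmet.append("compliant_device")
    # "require_controls" means the client is prompted (MFA) or redirected (enrollment)
    return ("grant" if not unmet else "require_controls"), names, unmet


# The baseline policy set described in the chapter (constructed to match it).
BASELINE = [
    Policy("Require MFA for all users", controls={"mfa"}),
    Policy("Block legacy authentication", client_apps={"legacy"}, controls={"block"}),
    Policy("Require compliant device for admin portal", apps={"Admin portal"},
           controls={"compliant_device"}),
    Policy("Block high sign-in risk", min_risk="high", controls={"block"}),
]

if __name__ == "__main__":
    # IMAP sign-in is blocked outright, even with a valid password (no MFA possible).
    print(evaluate(BASELINE, SignIn("alice", "Exchange Online", "legacy", True, "none", False)))
    # Admin portal from an unmanaged laptop: MFA done, but compliance still unmet.
    print(evaluate(BASELINE, SignIn("bob", "Admin portal", "modern", False, "low", True)))
```

The legacy-client case shows why the chapter insists on blocking POP3/IMAP/SMTP: the MFA policy also matches, but a legacy client can never satisfy it, so only a block control actually closes the gap.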

What This Looks Like on the Job

Enterprise Scenario 1: Remote Workforce Access

A global company with 10,000 employees suddenly shifts to remote work. Traditional VPN is overloaded and provides too broad access. The company deploys Zero Trust using Microsoft 365 Conditional Access:

Problem: Employees need secure access to email, Teams, and SharePoint from home, but the company must protect against compromised home devices and phishing.

Configuration: Create Conditional Access policies that:

Require MFA for all cloud apps.

Require compliant device (Intune-managed) for sensitive data access.

Block legacy authentication protocols.

Use sign-in risk policy: if risk is medium or high, require password change.

Scale: Policies apply to all users. Performance is handled by Azure AD's global infrastructure. No additional hardware needed.

Misconfiguration: If legacy authentication is not blocked, attackers can brute-force passwords via POP3/IMAP without MFA. Common mistake: excluding service accounts from MFA policies—these accounts become vulnerable.

Enterprise Scenario 2: Third-Party Partner Access

A manufacturing company needs to give external partners access to a specific SharePoint site for document collaboration.

Problem: Partners use their own devices and identities (not Azure AD). Traditional approach would create guest accounts with broad access.

Configuration: Use Azure AD B2B collaboration for guest users. Apply Conditional Access policies:

Require MFA for guests.

Limit access to only the specific SharePoint site via app-specific policies.

Use session controls to prevent download of sensitive documents.

Scale: Up to thousands of guest users. B2B integration supports any email identity.

What goes wrong: If guest user access is not reviewed regularly, dormant accounts can be compromised. Use access reviews to automatically remove inactive guests.

Enterprise Scenario 3: Privileged Access Management

A financial institution has 50 IT admins with global admin rights. A breach of one admin account could be catastrophic.

Problem: Standing admin rights are a security risk. Admins may accidentally or maliciously cause damage.

Configuration: Implement Privileged Identity Management (PIM):

Remove permanent admin roles; require activation for a limited time (e.g., 1 hour).

Require approval from a manager for activation.

Enforce MFA on activation.

Audit all activations and actions via Azure AD logs.

Scale: PIM can manage roles in Azure AD, Azure, and Microsoft 365. For large teams, set up approval workflows.

Misconfiguration: If approval is not enforced, admins can self-activate without oversight. Also, if activation duration is too long (e.g., 8 hours), the risk of misuse increases.

How MS-900 Actually Tests This

Exam Objective Coverage

This section maps to MS-900 Objective 3.3: Describe Zero Trust security principles. The exam expects you to:

Identify the three core principles: Verify explicitly, Use least-privilege access, Assume breach.

Understand how each principle applies to Microsoft 365 (e.g., Conditional Access for verify explicitly, PIM for least privilege, Defender for assume breach).

Recognize that Zero Trust is a model, not a product.

Know that legacy authentication is a key vulnerability that Zero Trust addresses.

Differentiate Zero Trust from traditional perimeter-based security.

Common Wrong Answers and Why Candidates Choose Them

1. Wrong answer: "Zero Trust means you trust no one, even after verification."
   Why chosen: The name "Zero Trust" is misleading. Candidates think it means no trust at all.
   Reality: It means verify every request, but after verification, trust is granted for that session.

2. Wrong answer: "Zero Trust is implemented by a single Microsoft product like Microsoft 365 Defender."
   Why chosen: Candidates see "Defender" and think it's the Zero Trust solution.
   Reality: Zero Trust is a model implemented across multiple products (Azure AD, Intune, Defender, etc.).

3. Wrong answer: "Zero Trust only applies to cloud services."
   Why chosen: The exam focuses on Microsoft 365 cloud.
   Reality: Zero Trust applies to on-premises, hybrid, and cloud.

4. Wrong answer: "Conditional Access is the only Zero Trust component."
   Why chosen: Conditional Access is heavily emphasized.
   Reality: Zero Trust includes identity, device, network, data, and application layers.

Specific Numbers and Terms That Appear on the Exam

Three principles: Verify explicitly, Use least-privilege access, Assume breach.

Legacy authentication: Protocols that do not support MFA (POP3, IMAP, SMTP, etc.).

Conditional Access: The policy engine for Zero Trust in Microsoft 365.

Identity Protection: Provides risk-based Conditional Access.

PIM: Just-in-time privileged access.

Assume breach: Minimize blast radius, segment access.

Edge Cases and Exceptions

Service accounts: Often excluded from MFA policies, but they should have strong passwords and be monitored.

Emergency access accounts: Break-glass accounts that bypass Conditional Access. Must be monitored and limited.

Hybrid identity: Zero Trust still applies; Azure AD Connect syncs identities, but Conditional Access policies still enforce MFA and device compliance.

How to Eliminate Wrong Answers

If an answer suggests that Zero Trust is a single product, it's wrong.

If an answer says "trust no one," it's misleading—correct answer is "verify every request."

If an answer lists only one component (e.g., only MFA), it's incomplete—Zero Trust includes multiple layers.

If an answer mentions "perimeter" as still primary, it's wrong—Zero Trust removes implicit trust from the perimeter.

Key Takeaways

Zero Trust has three core principles: Verify explicitly, Use least-privilege access, Assume breach.

Conditional Access is the policy engine that enforces Zero Trust in Microsoft 365.

Legacy authentication (POP3, IMAP, SMTP) must be blocked because it does not support MFA.

Privileged Identity Management (PIM) provides just-in-time privileged access, aligning with least-privilege access.

Identity Protection provides risk signals (low, medium, high) for Conditional Access policies.

Zero Trust is a model, not a product; it is implemented across multiple Microsoft 365 features.

Assume breach means minimizing blast radius and segmenting access to limit damage.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Traditional Perimeter Security

Trusts everything inside the corporate network.

Assumes the perimeter is impenetrable.

Once inside, users have broad access.

Focuses on firewall and VPN.

Difficult to adapt to cloud and mobile.

Zero Trust Security

Trusts no user or device by default.

Assumes breach is inevitable.

Granular access based on identity, device, and context.

Focuses on identity, device health, and data protection.

Designed for cloud, mobile, and remote work.

Watch Out for These

Mistake: Zero Trust means you trust no one ever.
Correct: Zero Trust means never trust implicitly; always verify before granting access. Once verified, trust is granted for that session, but continuously reassessed.

Mistake: Zero Trust is a Microsoft product you can buy.
Correct: Zero Trust is a security model, not a product. Microsoft 365 implements it through features like Conditional Access, Intune, Identity Protection, and Defender.

Mistake: MFA alone implements Zero Trust.
Correct: MFA is one component of 'verify explicitly,' but Zero Trust also requires least-privilege access and assume breach, which involve device compliance, risk assessment, and data protection.

Mistake: Zero Trust only applies to cloud environments.
Correct: Zero Trust applies to on-premises, hybrid, and cloud. Microsoft supports Zero Trust for on-premises via Azure AD Application Proxy and other hybrid capabilities.

Mistake: Legacy authentication is safe if behind a firewall.
Correct: Legacy protocols like POP3/IMAP do not support MFA and can be exploited even from inside the network. Zero Trust requires blocking them.


Frequently Asked Questions

What are the three core principles of Zero Trust?

The three core principles are: Verify explicitly, Use least-privilege access, and Assume breach. 'Verify explicitly' means always authenticate and authorize based on all available signals. 'Use least-privilege access' means giving users only the access they need, just-in-time. 'Assume breach' means designing systems to minimize the impact of a breach by segmenting access and using encryption. These principles guide Microsoft 365 security features like Conditional Access, PIM, and Defender.

How does Conditional Access support Zero Trust?

Conditional Access is the policy engine that enforces 'verify explicitly.' It evaluates signals like user identity, device compliance, location, and risk level before granting access. For example, a policy might require MFA for all users, require compliant devices for sensitive apps, or block access from untrusted locations. It also supports session controls to limit what users can do after access is granted. Conditional Access is a key component of Microsoft's Zero Trust implementation.

What is legacy authentication and why is it a risk?

Legacy authentication refers to older protocols like POP3, IMAP, SMTP, and basic authentication that do not support modern security features like MFA. Attackers exploit these protocols because they can use stolen credentials without needing a second factor. Microsoft recommends blocking legacy authentication via Conditional Access to reduce risk. This is a common exam point: legacy authentication is a vulnerability that Zero Trust addresses by requiring MFA and modern authentication.

What is the difference between Zero Trust and traditional security?

Traditional security relies on a strong perimeter (firewall, VPN) and trusts everything inside the network. Zero Trust assumes the perimeter is breached and verifies every access request regardless of origin. Traditional security grants broad access once inside; Zero Trust uses least-privilege access and continuous verification. Traditional security struggles with cloud and mobile; Zero Trust is designed for them. The exam tests this distinction.

How does Privileged Identity Management (PIM) align with Zero Trust?

PIM aligns with 'use least-privilege access' by providing just-in-time and just-enough-access. Instead of permanent admin roles, users must activate privileges for a limited time, often requiring approval. This reduces the blast radius if an admin account is compromised. PIM also enforces MFA during activation and provides audit logs. It's a key Zero Trust feature for privileged identities.

Does Zero Trust replace firewalls and antivirus?

No, Zero Trust complements existing security measures. Firewalls and antivirus are still important for network and endpoint protection. Zero Trust adds layers of identity verification, device compliance, and data protection. In Microsoft 365, Zero Trust works alongside Microsoft 365 Defender, which includes antivirus, anti-phishing, and endpoint detection. The exam expects you to understand that Zero Trust is an overarching model, not a replacement.

What are the exam-specific numbers or values for Zero Trust?

The exam focuses on the three principles (Verify explicitly, Use least-privilege access, Assume breach). You should know that legacy authentication includes POP3, IMAP, SMTP. Conditional Access is the policy engine. Identity Protection risk levels are low, medium, high. PIM provides just-in-time access. No specific numeric thresholds are tested, but understanding the concepts is critical.
