SC-900 | Chapter 96 of 103 | Objective 1.1

Microsoft Zero Trust Assessment Tool

This chapter covers the Microsoft Zero Trust Assessment Tool, a critical component of the Zero Trust security model. For the SC-900 exam, this topic appears in Domain 1 (Describe the concepts of security, compliance, and identity) under Objective 1.1 (Describe Zero Trust concepts). Approximately 10-15% of exam questions touch Zero Trust principles, and the assessment tool is a key mechanism for implementing them. By the end of this chapter, you will understand what the tool does, how it works, how to interpret its results, and exactly what the exam expects you to know.

25 min read
Intermediate
Updated May 31, 2026

Zero Trust Assessment as Home Security Audit

Imagine you are a homeowner who wants to ensure your house is secure against intruders. You hire a security auditor who walks through every room, checks each door and window, examines the locks, tests the alarm system, and reviews your habits like leaving spare keys under the mat. The auditor doesn't assume anything is safe just because you've never had a break-in. Instead, they verify each access point, identify weak locks, and check if you have a habit of leaving windows open. After the audit, you receive a report listing vulnerabilities (e.g., a back door lock that can be picked, a sliding door without a security bar) and prioritized recommendations (e.g., install deadbolts, add motion sensors, create a checklist for locking up at night). Similarly, the Microsoft Zero Trust Assessment Tool scans your Microsoft 365 tenant's configuration and policies against Zero Trust principles—verify explicitly, least privilege, assume breach. It checks identity protections like MFA enforcement, device compliance policies, network segmentation, and data protection rules. Instead of assuming your tenant is secure because you've never had an incident, the tool proactively identifies gaps and gives a prioritized action plan. Just as the auditor's report helps you close vulnerabilities before a real break-in, the assessment helps you harden your tenant against real threats.

How It Actually Works

What Is the Microsoft Zero Trust Assessment Tool?

The Microsoft Zero Trust Assessment Tool is a free, browser-based tool that evaluates your Microsoft 365 tenant's configuration and policies against the three guiding principles of Zero Trust: verify explicitly, least privilege access, and assume breach. It provides a readiness score and a prioritized list of recommendations to improve your security posture. The tool is part of Microsoft's broader Zero Trust adoption framework and is designed to help organizations at any stage of their Zero Trust journey.

Why It Exists

Traditional security models rely on a network perimeter—trust everything inside the corporate network, distrust everything outside. This perimeter-based approach fails with cloud adoption, remote work, and mobile devices. Zero Trust assumes no implicit trust based on location or network. The assessment tool operationalizes this by checking specific configurations against best practices derived from Microsoft's experience and industry standards (e.g., NIST SP 800-207). It bridges the gap between high-level Zero Trust principles and concrete technical controls.

How It Works Internally

The tool is a web application hosted at https://learn.microsoft.com/en-us/security/zero-trust/zero-trust-assessment-tool. It uses the Microsoft Graph API to read configuration settings from your tenant—it never writes or changes anything. When you run an assessment, you sign in as a Global Administrator (or equivalent) and grant consent for the tool to read data. The tool then performs checks across six pillars:

- Identity (Azure AD / Entra ID)
- Devices (Intune / Endpoint Manager)
- Data (Microsoft Purview Information Protection)
- Infrastructure (Azure, on-premises, hybrid)
- Network (Azure networking, segmentation)
- Applications (app registration, permissions)

Each pillar contains multiple control checks (over 50 total). For each check, the tool queries your tenant's configuration and compares it to a baseline. For example, for the identity pillar, it checks if MFA is enabled for all users, if Conditional Access policies block legacy authentication, and if privileged roles require approval. The tool assigns a status per control: Completed, Planned, Not Started, or Not Applicable. An overall readiness percentage is calculated from the completed controls.

Key Components, Values, Defaults, and Timers

Assessment Scope: By default, the tool assesses all users and devices in the tenant. You can narrow scope by selecting specific users (e.g., pilot group).

Scoring: Each control is weighted equally. The overall score is (completed controls / total applicable controls) × 100.
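The scoring rule above (equal weights, completed over applicable), combined with the rule stated later on the page that Not Applicable controls are left out of the denominator, can be written out as a short PowerShell function. This is an added example, not the assessment tool's own code; the pillar names come from the page, but the control list and statuses are constructed sample data, and `Get-ZeroTrustReadiness` is a hypothetical name.

```powershell
# Added example (not the tool's code): compute per-pillar and overall readiness the way the page describes.
# Input objects carry Pillar, Control and Status (Completed / Planned / Not Started / Not Applicable).
function Get-ZeroTrustReadiness {
    param([Parameter(Mandatory)][object[]]$Controls)

    $summary = foreach ($group in ($Controls | Group-Object Pillar)) {
        # 'Not Applicable' is excluded from the denominator; 'Planned' still counts as not done.
        $applicable = @($group.Group | Where-Object Status -ne 'Not Applicable')
        $completed  = @($applicable | Where-Object Status -eq 'Completed')
        [pscustomobject]@{
            Pillar     = $group.Name
            Completed  = $completed.Count
            Applicable = $applicable.Count
            # A pillar with no applicable controls (e.g. Devices with nothing in Intune) has no score, not 0%.
            Percent    = if ($applicable.Count -eq 0) { $null } else { [math]::Round(100 * $completed.Count / $applicable.Count) }
        }
    }

    $allApplicable = @($Controls | Where-Object Status -ne 'Not Applicable')
    $allCompleted  = @($allApplicable | Where-Object Status -eq 'Completed')
    [pscustomobject]@{
        Pillars = $summary
        Overall = if ($allApplicable.Count -eq 0) { $null } else { [math]::Round(100 * $allCompleted.Count / $allApplicable.Count) }
    }
}

# Constructed sample statuses; not output from a real assessment.
$sample = @(
    [pscustomobject]@{ Pillar = 'Identity'; Control = 'MFA for all users';             Status = 'Completed' }
    [pscustomobject]@{ Pillar = 'Identity'; Control = 'Block legacy authentication';   Status = 'Planned' }
    [pscustomobject]@{ Pillar = 'Identity'; Control = 'Privileged role approval';      Status = 'Not Started' }
    [pscustomobject]@{ Pillar = 'Identity'; Control = 'Risk-based Conditional Access'; Status = 'Completed' }
    [pscustomobject]@{ Pillar = 'Devices';  Control = 'Device compliance policies';    Status = 'Not Applicable' }
    [pscustomobject]@{ Pillar = 'Devices';  Control = 'Windows Hello for Business';    Status = 'Not Applicable' }
    [pscustomobject]@{ Pillar = 'Data';     Control = 'Sensitivity labels published';  Status = 'Completed' }
    [pscustomobject]@{ Pillar = 'Data';     Control = 'DLP policies';                  Status = 'Not Started' }
)

$result = Get-ZeroTrustReadiness -Controls $sample
$result.Pillars | Format-Table Pillar, Completed, Applicable, Percent
"Overall readiness: $($result.Overall)%"
```

With the constructed sample, Identity scores 2 of 4, Data 1 of 2, Devices has no score, and the overall readiness is 50% (3 of 6 applicable controls). The two Not Applicable Devices controls neither raise nor lower the overall number, which is the behaviour the page describes for tenants without Intune-managed devices.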

Recommendations: Each recommendation includes a priority (High, Medium, Low), estimated effort (e.g., 1-2 hours), and links to documentation.

Refresh Interval: The assessment is a point-in-time snapshot. If you change configurations, you must re-run the assessment to see updated scores. There is no continuous monitoring.

Data Retention: Microsoft does not store assessment results beyond the session. You can export results as a CSV or PDF.

Configuration and Verification

To run the assessment:

1. Navigate to https://learn.microsoft.com/en-us/security/zero-trust/zero-trust-assessment-tool
2. Click Assess your security posture.
3. Sign in with a Global Administrator account.
4. Review the permissions requested (read-only access to Microsoft Graph).
5. The tool runs checks automatically—no manual input required.
6. After completion (typically 1-5 minutes), review the dashboard and drill into each pillar.

To verify results, you can use Microsoft Graph PowerShell or the Azure AD portal to cross-check specific settings. For example, to check MFA status:

```powershell
# StrongAuthenticationRequirements is a property of the legacy MSOnline Get-MsolUser cmdlet, not of Get-MgUser.
# In Microsoft Graph PowerShell, the registration-details report exposes per-user MFA status instead.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'
Get-MgReportAuthenticationMethodUserRegistrationDetail -All | Select-Object UserPrincipalName, IsMfaRegistered, IsMfaCapable
```

But the assessment tool does this automatically, so you don't need to script it.
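For readers who do want to cross-check what the Identity pillar reports, the following script evaluates two of the controls named on this page (block legacy authentication, MFA for all users) directly against the tenant's Conditional Access policies with Microsoft Graph PowerShell. It is an added example, not the assessment tool's code and not the checks the tool itself runs; it assumes the Microsoft.Graph.Identity.SignIns module is installed, uses only the read-only Policy.Read.All permission, and the function names `Test-BlocksLegacyAuth` and `Test-RequiresMfaForAllUsers` are hypothetical.

```powershell
# Added example (not the tool's code): cross-check two Identity-pillar controls against
# the tenant's enabled Conditional Access policies using Microsoft Graph PowerShell.
Connect-MgGraph -Scopes 'Policy.Read.All'

# Report-only and disabled policies enforce nothing, so only enabled ones can satisfy a control.
$policies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -eq 'enabled'

function Test-BlocksLegacyAuth {
    param([object[]]$Policies)
    # Legacy protocols (POP, IMAP, SMTP) appear as the 'other' and 'exchangeActiveSync' client app types.
    # The control is met when an enabled policy targets all users, covers those app types and grants 'block'.
    $legacy = @('other', 'exchangeActiveSync')
    foreach ($p in $Policies) {
        $coversLegacy = @($p.Conditions.ClientAppTypes | Where-Object { $_ -in $legacy }).Count -gt 0
        $allUsers     = $p.Conditions.Users.IncludeUsers -contains 'All'
        $blocks       = $p.GrantControls.BuiltInControls -contains 'block'
        if ($coversLegacy -and $allUsers -and $blocks) { return $p.DisplayName }
    }
    return $null
}

function Test-RequiresMfaForAllUsers {
    param([object[]]$Policies)
    # The control is met when an enabled policy targets all users and all cloud apps and grants 'mfa'.
    foreach ($p in $Policies) {
        $allUsers = $p.Conditions.Users.IncludeUsers -contains 'All'
        $allApps  = $p.Conditions.Applications.IncludeApplications -contains 'All'
        $mfa      = $p.GrantControls.BuiltInControls -contains 'mfa'
        if ($allUsers -and $allApps -and $mfa) { return $p.DisplayName }
    }
    return $null
}

# Map each check onto the page's control statuses: a matching policy means Completed, otherwise Not Started.
$checks = [ordered]@{
    'Block legacy authentication' = Test-BlocksLegacyAuth -Policies $policies
    'MFA for all users'           = Test-RequiresMfaForAllUsers -Policies $policies
}
foreach ($name in $checks.Keys) {
    $status = if ($checks[$name]) { "Completed (policy: $($checks[$name]))" } else { 'Not Started' }
    '{0,-30} {1}' -f $name, $status
}
```

Two caveats worth knowing when reading the result: the script ignores user and group exclusions on a policy, so a policy that targets "All users" but excludes a large group will still count as Completed; and a policy that requires an authentication strength rather than the built-in `mfa` control will show as Not Started even though it enforces MFA. Both are reasons to read the tool's (or any script's) verdict as a configuration check, not proof of behaviour, which the page makes the same point about under "Over-reliance on the tool".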

How It Interacts with Related Technologies

Microsoft Secure Score: The Zero Trust Assessment Tool is complementary to Secure Score. Secure Score measures overall security posture across Microsoft 365, including non-Zero Trust controls (e.g., software updates, anti-malware). The assessment tool is laser-focused on Zero Trust pillars. Both provide recommendations, but the assessment tool's are specifically aligned to Zero Trust principles.

Microsoft 365 Defender: The assessment tool may recommend enabling Defender for Office 365 or Defender for Identity as part of the 'assume breach' pillar. These products provide continuous monitoring and threat detection.

Conditional Access: A core recommendation is to implement Conditional Access policies. The tool checks if you have policies that require MFA, block legacy auth, and enforce device compliance.

Microsoft Purview: For data protection, the tool checks if sensitivity labels are published and if auto-classification is enabled.

Detailed Pillar Breakdown

#### Identity Pillar Controls (Examples)

- MFA for all users: Check if MFA is enabled for every user. If any user does not have MFA, the control is 'Not Started'.
- Block legacy authentication: Check if a Conditional Access policy blocks legacy auth protocols (POP, IMAP, SMTP).
- Privileged role approval: Check if Azure AD Privileged Identity Management (PIM) requires approval for activation of Global Admin roles.
- Risk-based Conditional Access: Check if a policy uses user risk or sign-in risk to block or require MFA.

#### Devices Pillar Controls (Examples)

- Device compliance policies: Check if Intune has compliance policies that require device encryption, password, and jailbreak detection.
- Windows Hello for Business: Check if Windows Hello is enabled for all Windows devices.
- Mobile device management: Check if devices are enrolled in Intune or Basic Mobility and Security.

#### Data Pillar Controls (Examples)

- Sensitivity labels published: Check if labels like 'Confidential' are published to users.
- Auto-classification rules: Check if there are rules that automatically apply labels to emails or documents containing sensitive info.
- Data loss prevention (DLP) policies: Check if DLP policies are in place to prevent sharing of sensitive data.

#### Infrastructure Pillar Controls (Examples)

- Azure subscription security: Check if Azure Security Center is enabled, if Azure Policy enforces resource tagging, etc.
- Hybrid identity: Check if Azure AD Connect is configured with password hash sync or pass-through authentication.
- Privileged access workstations (PAWs): Check if PAWs are used for admin tasks.

#### Network Pillar Controls (Examples)

- Network segmentation: Check if Azure virtual networks are segmented and if NSGs are used.
- VPN or Always On VPN: Check if remote access uses VPN with MFA.
- Web content filtering: Check if Microsoft Defender for Cloud Apps is used to block risky apps.

#### Applications Pillar Controls (Examples)

- App permissions review: Check if app registrations are reviewed periodically.
- OAuth consent policies: Check if users are allowed to consent to apps without admin approval.
- App protection policies: Check if Intune app protection policies are defined for mobile apps.

Step-by-Step Walkthrough

1. Access the Tool – Navigate to the URL and sign in with Global Admin.
2. Grant Permissions – Accept read-only Graph permissions.
3. Run Assessment – The tool scans all pillars (1-5 minutes).
4. Review Dashboard – See overall score and breakdown by pillar.
5. Drill into Recommendations – Click each control to see details and remediation steps.
6. Export Results – Download CSV or PDF for reporting.
7. Implement Changes – Follow recommendations (e.g., enable MFA, create Conditional Access policy).
8. Re-assess – After changes, run assessment again to measure improvement.

Walk-Through

1. Access the Assessment Tool

Open a web browser and go to https://learn.microsoft.com/en-us/security/zero-trust/zero-trust-assessment-tool. Click the 'Assess your security posture' button. You will be prompted to sign in with a work or school account that has Global Administrator privileges in Azure AD. This is required because the tool needs to read tenant-wide configuration via Microsoft Graph API. Without this role, the tool will not load tenant data and will show an error. The tool uses OAuth 2.0 to request read-only permissions—it never modifies anything.

2. Grant Read Permissions

After signing in, a consent dialog appears listing the permissions the tool needs. These include reading user profiles, device configurations, Conditional Access policies, Intune settings, and Azure subscriptions. The tool does not request write permissions. You must click 'Accept' to proceed. If you deny, the assessment cannot run. This consent is stored as an enterprise application in your tenant under the name 'Microsoft Zero Trust Assessment Tool'.

3. Run the Assessment Scan

Once consent is granted, the tool automatically begins scanning your tenant. It queries Microsoft Graph for each control in the six pillars. For example, to check MFA, it calls the Graph API to list users and their authentication methods. The scan typically completes in 1-5 minutes, depending on tenant size. You can watch a progress bar. If the scan times out (rare), you can retry. The tool does not store intermediate results—everything is computed in memory during the session.

4. Review the Readiness Dashboard

After the scan, a dashboard displays your overall Zero Trust readiness percentage and a breakdown by pillar (Identity, Devices, Data, Infrastructure, Network, Applications). Each pillar shows a progress bar and the number of controls completed vs. total. You can click any pillar to see individual controls. For each control, you see a status: Completed (green), Planned (yellow), Not Started (red), or Not Applicable (gray). Not Applicable means the control doesn't apply to your tenant (e.g., device controls if no devices are managed).

5. Drill into Recommendations

Click any 'Not Started' or 'Planned' control to see detailed recommendations. Each recommendation includes: a description of the control, why it matters, the current configuration (if readable), the desired state, and step-by-step guidance with links to Microsoft Learn articles. For example, for 'Enable MFA for all users', the recommendation will list users without MFA and provide a link to the MFA setup page. You can mark controls as 'Planned' or 'Completed' manually (for tracking), but this does not affect the actual configuration.

6. Export and Implement Changes

To share results with your team, use the 'Export' button to download a CSV or PDF report. The report includes the overall score, pillar breakdown, and all control statuses with recommendations. Then, implement changes in your tenant based on priority (High first). For example, create a Conditional Access policy requiring MFA for all users. After making changes, re-run the assessment to verify the new score. The tool is not real-time—you must re-scan to see updates.

What This Looks Like on the Job

Enterprise Scenario 1: Mid-Size Company Migrating to Cloud

A company with 500 employees is moving from on-premises Exchange and Active Directory to Microsoft 365. The IT team wants to adopt Zero Trust principles but doesn't know where to start. They run the Zero Trust Assessment Tool and discover that MFA is only enabled for 30% of users, legacy authentication is still allowed, and no Conditional Access policies exist. The tool's recommendations give them a prioritized roadmap: first, enable MFA for all users (high priority, 2 hours), then block legacy authentication (medium, 1 hour), then implement device compliance policies via Intune (high, 4 hours). The team uses the exported report to get buy-in from management. Over three months, they implement all high-priority recommendations and see their score rise from 15% to 70%. This scenario is common—the tool provides an actionable baseline.

Enterprise Scenario 2: Large Enterprise with Hybrid Infrastructure

A multinational corporation with 20,000 users and a hybrid Azure AD environment (Azure AD Connect) uses the tool to assess their Zero Trust posture. They find that their network segmentation in Azure is weak—many VMs are in the same virtual network without NSGs. The tool recommends implementing micro-segmentation and just-in-time access to VMs. However, the tool also flags that their Privileged Identity Management (PIM) is not configured for role activation approval. The security team uses these findings to justify a project to deploy PIM and Azure Bastion. They also discover that their data sensitivity labels are not auto-classified, leading to potential data leaks. The tool helps them prioritize across multiple departments. One challenge: because the tool is read-only, it cannot enforce changes; the team must coordinate with Azure and Intune admins.

Common Misconfigurations and Pitfalls

Running the tool without Global Admin: The tool will show an error or incomplete data. Always ensure the account has Global Admin or at least Security Administrator and Global Reader.

Not re-running after changes: Some teams implement recommendations but don't re-assess, so they don't see the score improvement. The tool does not auto-update.

Ignoring 'Not Applicable' controls: These may become applicable as you add services (e.g., start using Intune). Regularly re-run the tool.

Over-reliance on the tool: The tool checks configuration, not behavior. For example, it can't verify that users actually use MFA consistently or that DLP policies are effective. Combine with monitoring tools like Microsoft 365 Defender.

How SC-900 Actually Tests This

What SC-900 Tests on This Topic

SC-900 Objective 1.1: 'Describe Zero Trust concepts' includes understanding the Microsoft Zero Trust Assessment Tool as a method to evaluate an organization's Zero Trust posture. The exam does not require memorizing every control or the exact URL. Instead, you must know:

The tool's purpose (assess readiness against Zero Trust principles)

The three principles it evaluates (verify explicitly, least privilege, assume breach)

The six pillars it covers (Identity, Devices, Data, Infrastructure, Network, Applications)

That it is read-only and provides recommendations

How it differs from Microsoft Secure Score (Secure Score is broader; the assessment is Zero Trust-specific)

Common Wrong Answers and Why Candidates Choose Them

1. 'The tool automatically enforces policies' – Wrong. The tool is read-only; it only recommends. Candidates associate 'assessment' with 'enforcement' because many security tools enforce policies. But the Zero Trust Assessment Tool is purely diagnostic.

2. 'The tool is part of Microsoft 365 Defender' – Wrong. It is a standalone web tool, not integrated into Defender. Candidates confuse it with Secure Score, which is inside Defender.

3. 'The tool requires a paid license' – Wrong. It is free. Candidates assume advanced security tools require E5 licenses.

4. 'The tool monitors continuously' – Wrong. It is a point-in-time scan. Candidates think 'assessment' implies ongoing monitoring.

Specific Numbers, Values, and Terms That Appear on the Exam

The three Zero Trust principles: verify explicitly, least privilege access, assume breach.

The six pillars: Identity, Devices, Data, Infrastructure, Network, Applications.

The tool is free and read-only.

It is accessed via Microsoft Learn (not Azure portal or Microsoft 365 admin center).

The output is a readiness score and prioritized recommendations.

Edge Cases and Exceptions

The tool can be run on a pilot group of users to test changes before tenant-wide rollout.

If you have no devices managed by Intune, the Devices pillar may show many controls as 'Not Applicable'—the exam might test that this is expected, not a failure.

The tool does not cover every security control—only those most relevant to Zero Trust. For example, it does not check antivirus settings (that's Secure Score).

How to Eliminate Wrong Answers

If a question asks about the tool's capability, look for keywords: 'read-only', 'recommendation', 'assessment', 'score'. Eliminate any answer that says 'enforces', 'blocks', 'automatically remediates', or 'monitors in real-time'. If the question asks about pillars, remember the six listed above—any answer mentioning something outside these (e.g., 'Compliance') is likely wrong.

Key Takeaways

The Zero Trust Assessment Tool evaluates your tenant against three principles: verify explicitly, least privilege access, and assume breach.

It covers six pillars: Identity, Devices, Data, Infrastructure, Network, and Applications.

The tool is free, read-only, and requires Global Administrator privileges to run.

It provides a readiness percentage and prioritized recommendations, but does not enforce any changes.

It is a point-in-time assessment; you must re-run to see updated scores after making changes.

Do not confuse it with Microsoft Secure Score—Secure Score is broader and includes non-Zero Trust controls.

The tool is accessed via Microsoft Learn, not the Azure portal or Microsoft 365 admin center.

Common exam wrong answers: saying the tool enforces policies, requires a paid license, or provides continuous monitoring.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Zero Trust Assessment Tool

Focused exclusively on Zero Trust principles (verify explicitly, least privilege, assume breach)

Covers 6 pillars: Identity, Devices, Data, Infrastructure, Network, Applications

Read-only; provides recommendations but no enforcement

Accessed via a dedicated Microsoft Learn page

Free for all Microsoft 365 tenants

Microsoft Secure Score

Broader scope covering all Microsoft 365 security controls (including non-Zero Trust)

Organized by product areas (e.g., Azure AD, Microsoft Defender, Intune)

Includes improvement actions that can be tracked and some can be automated via partner solutions

Accessed within Microsoft 365 Defender portal or Azure portal

Free for all Microsoft 365 tenants (basic scores); premium actions require certain licenses

Watch Out for These

Mistake: The Zero Trust Assessment Tool is a paid feature requiring an E5 license.

Correct: The tool is completely free and available to any Microsoft 365 tenant. No license beyond a basic subscription (e.g., Business Basic) is required. It does not require Azure AD Premium P1/P2 or any Microsoft 365 E5 add-on.

Mistake: The tool automatically remediates security gaps once you run it.

Correct: The tool is read-only. It never changes any configuration. It only reads tenant settings and provides recommendations. You must manually implement changes (e.g., enable MFA, create policies) in the appropriate admin centers.

Mistake: The tool provides continuous monitoring and alerts when configurations drift.

Correct: The tool performs a point-in-time assessment each time you run it. It does not monitor continuously or send alerts. To detect drift, you must re-run the assessment periodically (e.g., monthly).

Mistake: The tool covers all security controls in Microsoft 365.

Correct: The tool focuses specifically on controls aligned with Zero Trust principles across six pillars. It does not cover general security hygiene like software update policies, anti-malware, or phishing simulations. For a broader view, use Microsoft Secure Score.

Mistake: You must be a Global Administrator to view the tool's results.

Correct: To run the assessment, you need Global Administrator (or equivalent) because the tool reads tenant-wide data. However, after the assessment is exported, anyone can view the report. The tool itself does not store results, so sharing the exported file is the only way to share findings.


Frequently Asked Questions

What is the Microsoft Zero Trust Assessment Tool?

It is a free, browser-based tool that assesses your Microsoft 365 tenant's configuration against Zero Trust principles. It provides a readiness score and prioritized recommendations across six pillars: Identity, Devices, Data, Infrastructure, Network, and Applications. The tool is read-only and does not make any changes to your tenant.

How do I run the Zero Trust Assessment Tool?

Go to https://learn.microsoft.com/en-us/security/zero-trust/zero-trust-assessment-tool and click 'Assess your security posture'. Sign in with a Global Administrator account and grant the requested read permissions. The tool will scan your tenant and display results in 1-5 minutes. You can export the report as CSV or PDF.

Do I need a special license to use the tool?

No, the tool is completely free and available to any Microsoft 365 tenant. You do not need Azure AD Premium, Microsoft 365 E5, or any paid license. However, implementing some recommendations (e.g., Conditional Access policies) may require specific licenses like Azure AD Premium P1.

What is the difference between the Zero Trust Assessment Tool and Microsoft Secure Score?

The Zero Trust Assessment Tool is narrowly focused on Zero Trust principles across six pillars. Microsoft Secure Score is broader, covering all security controls in Microsoft 365 (including non-Zero Trust ones like software update policies). Both provide scores and recommendations, but the assessment tool is specifically aligned with the Zero Trust framework.

Can I run the assessment on a subset of users?

Yes, when you run the assessment, you can select a specific group of users (e.g., a pilot group) to scope the assessment. This is useful for testing changes before rolling out tenant-wide. By default, the tool assesses all users and devices.

Does the tool store my assessment results?

No, Microsoft does not store assessment results. The data is processed in memory during your session and discarded when you close the browser tab. To keep a record, you must export the report as CSV or PDF.

What happens if I don't have any devices managed by Intune?

The Devices pillar will show many controls as 'Not Applicable' because those controls require Intune-managed devices. This is expected and does not negatively impact your overall score—the tool only counts applicable controls. You can still work on other pillars.

