This chapter covers Zero Trust Architecture Principles, a core topic for SC-900 objective 1.1 (Describe the concepts of security, compliance, and identity). Zero Trust is a fundamental mindset shift in cybersecurity that underpins Microsoft's security solutions. Expect approximately 5-10% of exam questions to directly reference Zero Trust principles, especially in context of Microsoft 365, Azure AD, and Microsoft Defender. Mastering these principles is essential for understanding how Microsoft implements security in its products.
Jump to a section
Imagine a highly secure embassy with multiple departments. Instead of a single front gate that checks everyone once, the embassy uses a badge system that requires verification at every single door. You enter the main gate only after presenting your badge to a guard who verifies your identity against a central directory. Once inside, you cannot roam freely. To enter the HR department, you must badge in again; the door checks not only your identity but also whether you have explicit authorization for HR. To access the secure server room, you badge in a third time, and the system also verifies that your device meets security standards (e.g., no jailbreak). Every badge scan is logged and audited. If your badge is stolen, the admin can revoke it instantly, and the thief cannot access any area because each door independently verifies the badge's validity and your specific permissions. This is Zero Trust: never trust, always verify, at every access point, regardless of where you are coming from.
What is Zero Trust and Why Does It Exist?
Zero Trust is a security model that assumes breach and verifies each request as though it originates from an open network. It was developed in response to the inadequacy of the traditional perimeter-based security model, often called "castle-and-moat." In the castle-and-moat model, anything inside the corporate network is implicitly trusted. However, with the rise of cloud computing, mobile workforces, and sophisticated attacks, the perimeter has dissolved. An attacker who breaches the perimeter can move laterally with little resistance. Zero Trust eliminates implicit trust and enforces continuous verification for every access request, regardless of the source (inside or outside the network).
How Zero Trust Works Internally – The Three Foundational Principles
Zero Trust is built on three core principles, as defined by NIST SP 800-207 and adopted by Microsoft:
Verify explicitly: Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
Use least privilege access: Limit user access with Just-In-Time (JIT) and Just-Enough-Access (JEA) (Risk-Based Adaptive Policies), data protection, and analytics to detect and respond to threats in real time.
Assume breach: Segment access by network, user, devices, and application; use encryption to protect data; and use analytics to detect threats and improve defenses.
These principles are implemented through a set of technical components that work together. Microsoft's Zero Trust model is organized into six pillars: Identities, Devices (Endpoints), Applications, Data, Infrastructure, and Network.
Key Components, Values, Defaults, and Timers
Each pillar has specific technical controls:
Identities: Azure AD with Conditional Access policies. Conditional Access evaluates signals (user, device, location, risk) to enforce policies. Default settings include requiring MFA for risky sign-ins (risk level determined by Azure AD Identity Protection). Timers: Session timeout can be set from 1 hour to 24 hours. Sign-in frequency can be set from 1 hour to 365 days. Device compliance check interval: every 24 hours by default for Intune-managed devices.
Devices: Intune and Microsoft Defender for Endpoint enforce device compliance. Device health attestation checks for jailbreak/root, encryption, and patch level. Default compliance policies require BitLocker (Windows) or FileVault (macOS) encryption, minimum OS version, and password complexity.
Applications: Access controlled via Conditional Access, app permissions, and Microsoft Defender for Cloud Apps (CASB). App discovery and session controls (e.g., preventing download of sensitive files) are enforced in real time.
Data: Microsoft Information Protection (MIP) labels and data loss prevention (DLP) policies. Sensitivity labels can be automatically applied based on content inspection. Encryption at rest and in transit using TLS 1.2+.
Infrastructure: Azure Arc, Azure Policy, and Defender for Cloud monitor for misconfigurations and threats. Just-In-Time (JIT) access to VMs requires approval and time-limited access (default 3 hours).
Network: Micro-segmentation using Azure Virtual Network, NSGs, and Azure Firewall. Traffic is encrypted end-to-end. Azure Private Link ensures traffic to PaaS services stays on Microsoft backbone.
Configuration and Verification Commands
While SC-900 does not require deep command-line knowledge, understanding how policies are applied is important. Example: Conditional Access policy creation via PowerShell:
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
$params = @{
displayName = "Block legacy authentication"
state = "enabled"
conditions = @{
clientAppTypes = @("exchangeActiveSync", "other")
applications = @{
includeApplications = @("All")
}
users = @{
includeUsers = @("All")
}
}
grantControls = @{
builtInControls = @("block")
}
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $paramsTo verify, use:
Get-MgIdentityConditionalAccessPolicy | Select-Object displayName, state, conditionsHow Zero Trust Interacts with Related Technologies
Zero Trust is not a single product but a strategy that integrates with Microsoft's security stack:
Azure AD: Central identity provider. All access decisions start with Azure AD authentication.
Microsoft 365 Defender: Correlates signals across identities, devices, apps, and data for automated response.
Azure Sentinel: SIEM that ingests logs from all pillars for threat hunting.
Microsoft Endpoint Manager (Intune): Enforces device compliance and configuration.
Microsoft Cloud App Security (MCAS): Provides app discovery, session controls, and cloud app governance.
For example, when a user attempts to access a sensitive SharePoint site, the following happens: 1. Azure AD authenticates the user and checks Conditional Access policies. 2. Policy requires a compliant device and MFA. 3. Intune reports device compliance (checked within last 24 hours). 4. MCAS evaluates the session risk (e.g., unusual download volume). 5. If all pass, access is granted with a session cookie valid for 8 hours (default). 6. All events are logged to Azure AD sign-in logs and Sentinel.
Additional Technical Details
Session Expiration: In Conditional Access, session controls can enforce sign-in frequency (e.g., every 4 hours) and persistent browser session (limited to 24 hours by default).
Device Compliance: Intune compliance policies evaluate devices every 8 hours (default check-in interval). Non-compliant devices can be blocked or allowed with limited access.
Just-In-Time (JIT): In Azure AD P2, Privileged Identity Management (PIM) allows JIT activation for roles. Activation duration defaults to 1 hour, max 8 hours.
Micro-segmentation: In Azure, NSGs can filter traffic at subnet or NIC level. Application Security Groups (ASGs) group VMs logically. For example, only VMs in the "web" ASG can communicate with VMs in the "app" ASG on port 443.
Encryption: All traffic between Microsoft services uses TLS 1.2 or higher. Azure Storage enforces HTTPS by default. Azure Disk Encryption uses BitLocker (Windows) or DM-Crypt (Linux) with Azure Key Vault.
Exam-Relevant Details
The three principles of Zero Trust are: Verify explicitly, Use least privilege access, Assume breach.
Microsoft's Zero Trust model has six pillars: Identities, Devices, Applications, Data, Infrastructure, Network.
The traditional model is called "castle-and-moat" (perimeter-based).
Zero Trust assumes no implicit trust, even inside the network.
Key technologies: Azure AD Conditional Access, Intune, Microsoft Defender, MCAS, Azure Sentinel.
Default values: Sign-in frequency default 90 days (unless configured), device compliance check every 8 hours, JIT activation default 1 hour.
The NIST standard for Zero Trust is NIST SP 800-207.
User requests access to resource
A user attempts to access a corporate resource, such as a SharePoint site or a SaaS application. The request originates from a device (corporate-managed or BYOD) over any network (office, home, public Wi-Fi). The request is intercepted by Azure AD, the identity provider. Azure AD collects initial signals: user identity, device identifier, IP address, location, and time of day. No implicit trust is granted based on network location.
Identity verification and authentication
Azure AD authenticates the user using the configured method (password, FIDO2 security key, Microsoft Authenticator, etc.). If MFA is required by policy, the user must provide a second factor. Azure AD also checks the user's risk level from Identity Protection (e.g., leaked credentials, anonymous IP). If risk is high, access may be blocked or require additional verification. Authentication is the first gate; without successful authentication, no further steps occur.
Device health and compliance check
Azure AD queries Intune (or third-party MDM) for the device's compliance status. The device must be enrolled and report compliance within the last 8 hours (default check-in). Checks include: encryption enabled (BitLocker/FileVault), OS patch level, antivirus active, no jailbreak/root. If the device is non-compliant, the policy may block access, allow limited access (e.g., web-only, no download), or prompt for remediation (e.g., update OS).
Conditional Access policy evaluation
Azure AD evaluates all applicable Conditional Access policies. Conditions include: user/group membership, location (IP range, country), device platform, client app (browser, mobile app, legacy auth), sign-in risk, and application sensitivity. If conditions match, the policy enforces grant controls (require MFA, require compliant device, require approved app) and session controls (sign-in frequency, app enforced restrictions, MCAS session policy). Multiple policies are evaluated and all must be satisfied.
Access granted or denied with session controls
If all checks pass, Azure AD issues an access token (JWT) and a session cookie. The token includes claims (user, device, MFA status, compliance). The resource (e.g., SharePoint) validates the token. Session controls may enforce sign-in frequency (e.g., reauthenticate every 4 hours) or restrict actions (e.g., prevent download of sensitive files via MCAS session policy). All access events are logged to Azure AD sign-in logs and unified audit log.
Scenario 1: Remote Workforce Access to SaaS Applications
A global company with 10,000 employees uses Microsoft 365 and Salesforce. They implement Zero Trust with Azure AD Conditional Access. Policy: All external access (non-corporate IP) requires MFA and a compliant device. Intune compliance policy requires Windows 10 21H2+, BitLocker, Defender AV active. Non-compliant devices are blocked from accessing email and SharePoint. Result: A contractor using an unmanaged MacBook cannot access corporate email from home; they must use a managed device or request temporary access via a JIT policy. Common misconfiguration: Setting sign-in frequency too low (e.g., 1 hour) causes user frustration; recommended default is 24 hours for low-risk apps. Performance consideration: Token issuance adds ~500ms latency; use persistent browser sessions for productivity apps.
Scenario 2: Micro-segmentation in Azure IaaS
A financial services firm hosts a three-tier application (web, app, database) in Azure VMs. They implement micro-segmentation using NSGs and ASGs. The web tier (ASG: Web) can communicate only with the app tier (ASG: App) on port 443. The app tier can communicate with the database tier (ASG: DB) on port 1433. No direct inbound access to app or DB tiers from the internet. Azure Firewall logs all traffic. Problem: A misconfigured NSG rule accidentally opened port 3389 (RDP) to the internet on the database VM. An attacker scanned and brute-forced credentials. Zero Trust would have required JIT access for RDP (Azure AD PIM) and MFA. The fix: Remove the offending rule and enable JIT VM access with approval workflow.
Scenario 3: Data Protection with Sensitivity Labels
A law firm uses Microsoft Information Protection to classify documents. Zero Trust principle: Assume breach – data must be protected even if exfiltrated. Sensitivity labels (e.g., "Highly Confidential") are automatically applied based on content (e.g., contains passport numbers). Labels enforce encryption and restrict access to specific users. When a user tries to share a labeled document externally, DLP policy blocks the share and alerts the security team. Common issue: Users override labels manually, causing inconsistent protection. Solution: Use auto-labeling and mandatory labeling policies. Scale: Over 500,000 documents labeled daily with no performance impact.
What SC-900 Tests on Zero Trust
SC-900 objective 1.1 includes: "Describe Zero Trust principles and architecture." You need to know:
The three core principles (Verify explicitly, Use least privilege access, Assume breach).
The six pillars (Identities, Devices, Applications, Data, Infrastructure, Network).
How Zero Trust differs from traditional perimeter security (castle-and-moat).
That Zero Trust is a strategy, not a product.
That it requires continuous verification and assumes breach.
Common Wrong Answers and Why Candidates Choose Them
"Zero Trust means no passwords" – Wrong. Zero Trust does not eliminate passwords; it adds additional verification (MFA, device checks). The term "passwordless" is a separate concept.
"Zero Trust only applies to cloud" – Wrong. Zero Trust applies to on-premises, cloud, and hybrid environments. Microsoft's model covers all.
"Zero Trust is a product you can buy" – Wrong. Zero Trust is an architecture; Microsoft offers tools (Azure AD, Intune, etc.) to implement it.
"Zero Trust trusts internal traffic implicitly" – Wrong. Zero Trust trusts nothing; every request is verified.
Specific Numbers, Values, and Terms on the Exam
NIST SP 800-207 is the standard defining Zero Trust.
The three principles are: verify explicitly, least privilege, assume breach.
Six pillars: identities, devices, applications, data, infrastructure, network.
Default sign-in frequency: 90 days (unless configured).
Device compliance check interval: 8 hours (Intune).
JIT access default activation: 1 hour.
MFA is a key control for identities.
Edge Cases and Exceptions
Zero Trust does not require that all traffic be encrypted in all cases (though recommended).
Legacy authentication (e.g., POP3, SMTP) does not support MFA; it should be blocked.
Guest users (B2B) are subject to the same policies as internal users.
Device compliance can be bypassed for break-glass accounts (emergency access).
How to Eliminate Wrong Answers
If an answer says "implicit trust" for internal or trusted networks, it's wrong.
If an answer says "single verification at login," it's wrong (continuous verification).
If an answer says "product" or "firewall," it's wrong (architecture/strategy).
If an answer describes perimeter-only security, it's wrong.
Zero Trust is based on three principles: verify explicitly, use least privilege access, assume breach.
Microsoft's Zero Trust model has six pillars: Identities, Devices, Applications, Data, Infrastructure, Network.
Zero Trust is a security architecture, not a product.
The traditional model is called 'castle-and-moat' (perimeter-based).
Key Microsoft tools for Zero Trust: Azure AD, Intune, Microsoft Defender, MCAS, Azure Sentinel.
Default device compliance check interval in Intune is 8 hours.
Default sign-in frequency in Conditional Access is 90 days unless configured.
Just-In-Time (JIT) access default activation duration is 1 hour.
NIST SP 800-207 is the standard reference for Zero Trust architecture.
Legacy authentication (e.g., POP3, SMTP) should be blocked because it doesn't support MFA.
These come up on the exam all the time. Here's how to tell them apart.
Castle-and-Moat (Traditional)
Implicitly trusts users and devices inside the corporate network.
Relies on a strong perimeter firewall and VPN.
Once inside, lateral movement is possible.
Assumes the network is safe.
Focuses on preventing breach at the perimeter.
Zero Trust
Never trusts any user or device implicitly, regardless of location.
Requires continuous verification for every access request.
Micro-segmentation limits lateral movement.
Assumes breach is inevitable and designs accordingly.
Focuses on protecting data and resources regardless of location.
Mistake
Zero Trust means you never trust any user or device.
Correct
Zero Trust does not mean 'never trust' – it means 'never implicitly trust.' Trust is established and continuously verified based on multiple signals. Once verified, trust is granted for a session but must be re-verified periodically.
Mistake
Zero Trust is a single product or firewall.
Correct
Zero Trust is a security architecture, not a product. Microsoft offers a set of tools (Azure AD, Intune, Defender, etc.) that together enable a Zero Trust strategy. There is no single 'Zero Trust appliance.'
Mistake
Zero Trust only applies to cloud environments.
Correct
Zero Trust applies to on-premises, cloud, and hybrid environments. Microsoft's Zero Trust model covers on-premises infrastructure through tools like Azure Arc and Defender for Cloud.
Mistake
Implementing Zero Trust means you no longer need firewalls or VPNs.
Correct
Firewalls and VPNs still play a role, but they are not the sole security layer. Zero Trust adds additional controls like micro-segmentation and identity-based access. VPNs are often replaced with Zero Trust Network Access (ZTNA), but firewalls remain for network segmentation.
Mistake
Zero Trust is only about identity and access management (IAM).
Correct
While identity is a central pillar, Zero Trust also covers devices, applications, data, infrastructure, and network. It is a holistic approach, not just IAM.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The three core principles are: (1) Verify explicitly – always authenticate and authorize based on all available data points; (2) Use least privilege access – limit access with Just-In-Time and Just-Enough-Access; (3) Assume breach – segment access, encrypt data, and use analytics to detect threats. These principles guide the implementation of Zero Trust architecture.
Microsoft's Zero Trust model organizes security into six pillars: Identities, Devices (Endpoints), Applications, Data, Infrastructure, and Network. Each pillar has specific controls and technologies. For example, Identities uses Azure AD and Conditional Access, Devices uses Intune and Defender for Endpoint, and Data uses Microsoft Information Protection and DLP.
Traditional perimeter security (castle-and-moat) trusts everything inside the corporate network implicitly. Zero Trust assumes no implicit trust; it verifies every access request, regardless of origin. Zero Trust also uses micro-segmentation to limit lateral movement and assumes that a breach may have already occurred, so it focuses on protecting data and responding to threats in real time.
No, Zero Trust is a security architecture, not a single product. Microsoft offers a set of technologies that help you implement a Zero Trust strategy, including Azure AD, Microsoft Intune, Microsoft Defender for Cloud Apps, and Microsoft Sentinel. You need to integrate these tools to achieve Zero Trust.
Conditional Access is a key component in the Identities pillar. It evaluates signals such as user identity, device compliance, location, and risk level to enforce policies like requiring MFA, blocking access, or limiting session functionality. It ensures that access decisions are based on real-time conditions, aligning with the 'verify explicitly' principle.
Assume breach means designing your security architecture as if an attacker is already inside your network. In practice, this involves micro-segmentation (to limit lateral movement), encrypting data at rest and in transit (so stolen data is unusable), continuous monitoring and analytics to detect threats quickly, and using Just-In-Time access to minimize the blast radius of compromised credentials.
NIST Special Publication 800-207, 'Zero Trust Architecture,' is the standard that defines the principles and components of Zero Trust. It describes the logical components of a Zero Trust architecture, including the Policy Decision Point (PDP) and Policy Enforcement Point (PEP), and provides guidance for deployment.
You've just covered Zero Trust Architecture Principles — now see how well it sticks with free SC-900 practice questions. Full explanations included, no account needed.
Done with this chapter?