If you are interested  Active Directory security , you've undoubtedly heard of the Zero Trust model. Today's organizations need a new security model that more effectively adapts to the complexity of today's environment, embraces the hybrid workplace, and protects people, devices, applications, and data wherever they are. 

Azure AD is the foundation of your Zero trust strategy

Azure AD provides important features for your zero trust strategy. It provides strong authentication, an integration point to ensure device security, and a user-centric policy framework to ensure low-privilege access. Azure AD Conditional Access capabilities are the decision point for resource access policies based on user identity, environment, device health, and risks that are explicitly checked at the access point. In the following sections, we'll show you how you can implement a zero trust strategy using Azure AD.

Base your identity with Azure AD

Strategy zero trust requires that we perform explicit testing, use least-privileged access principles, and assume violation. Azure Active Directory can act as a policy decision point to enforce access policies based on user, device, target resource, and environment information. To do this, we need to put Azure Active Directory in the path of every access request, connecting every user and every application or resource through this identity management plane. In addition to increased performance and improved user experience through single sign-on (SSO) and consistent policy restrictions, connecting all users and applications signals Azure AD to make the best possible decisions regarding authentication/authorization risk.

  • Connect your users, groups and devices:
    Maintaining a healthy identity pipeline for your employees, as well as the necessary security artifacts (groups for authorization and devices for additional access policy controls), puts you in a better place to leverage the consistent identities and controls your users already use on-premises and in the cloud:
    1. Start by choosing the right authentication option for your organization. While we strongly prefer using an authentication method that primarily uses Azure AD (to give you the best protection against brute force, DDoS, and password spraying), follow our recommendations to make the decision that is right for your organization and your compliance requirements.
    2. Take with you only those documents that you absolutely need. For example, use the move to the cloud as an opportunity to move away from service accounts that only make sense in an on-premises environment; leave local privileged roles behind (more on this in the section on privileged access), etc.
    3. If your enterprise has more than 100,000 users, groups and devices, we recommend that you follow our recommendations to create a high-performance synchronization engine that will keep your lifecycle up to date.
  • Integrate all your applications with Azure AD:
    As mentioned earlier, single sign-on is not only a convenience feature for your users, but also a security feature because it prevents users from leaving copies of their credentials in different applications and helps them avoid the habit of giving up their credentials due to excessive inducements. Make sure you don't have multiple IAM mechanisms in your environment. Not only does this reduce the number of signals Azure AD sees and allow attackers to live in the seams between the two IAM engines, but it can also lead to a poor user experience and your business partners being the first to question your strategy zero trust. Azure AD supports different application authentication methods:
    1. Integrate modern enterprise applications that support OAuth2.0 or SAML.
    2. For Kerberos and forms authentication applications, you can integrate using Azure AD Application Proxy .
    3. If you publish your legacy applications using Networks/Application Delivery Controllers, Azure AD may integrate with most major ones (such as Citrix, Akamai, F5, etc.).
    4. To help migrate your applications from existing/legacy IAM mechanisms, we provide a number of resources , including tools to help you discover and migrate applications from ADFS.
  • Automate application provisioning.
    Once you have your user identities in Azure AD, you can now use Azure AD to distribute those user identities to various cloud applications. This allows for tighter integration of the identity lifecycle across these applications. Use this detailed guide to deploy provisioning to SaaS applications.
  • Organize your journals and reports. As As you build your Azure AD properties with authentication, authorization, and provisioning, it's important to have reliable operational information about what's happening in the directory. Follow this guide to learn how to save and analyze logs from Azure AD either in Azure or using your SIEM of choice.

1. Provide least privilege

Providing the right access, at the right time, to only those who need it is at the core of the Zero Trust philosophy:

  • Plan your deployment
    conditional access. Planning ahead for conditional access policies and having a set of active ones And fallback policies are the basis for enforcing access policies in a zero trust deployment. Take the time to configure reliable IP addresses in your environment. Even if you don't use them in your Conditional Access policy, configure these IP addresses to communicate the privacy risk mentioned above. Check out our deployment guide And recommendations on fault-tolerant conditional access policies.
  • Ensure secure, privileged access with privileged identity management.
    With privileged access, you typically take a different path to meet end users where they are most likely to need and use the data. Typically, you want to control the devices, conditions, and credentials that users use to access privileged operations/roles. Check out our detailed instructions Learn how to take control of your privileged identities and protect them. Keep in mind that in a digitally transformed organization, privileged access is not just administrative access, but also application owner or developer access that can change the way your mission-critical applications run and data is processed. Check out our detailed guide to Using Privileged Identity Management (P2) to protect privileged identities.
  • Limit user consent to apps:
    User consent for applications is a very common way for modern applications to gain access to organizational resources. However, we recommend limit user consent and manage consent requests to prevent unnecessary disclosure of your organization's data to applications. This also means that you need check prior/existing consent within your organization for the presence of excessive or malicious consent.
  • Manage rights (Azure AD Premium P2).
    With centralized application authentication and management from Azure AD, you should streamline the access request, approval, and recertification process to ensure the right people have the right access and that you have a trace of why users in your organization have the access they have. Using rights management, you can create access packages that they can request when joining different teams/projects and assign them access to related resources (apps, SharePoint sites, group memberships). Find out how you can run the package . If deploying rights management is not currently possible for your organization, we recommend that you at least enable self-service paradigms in your organization by deployingself-service group management And self-service access to applications.

2. Provide Azure AD with a rich set of credentials and controls

  • Deploy Azure Multi-Factor Authentication (MFA) (P1):
    this is a core element of reducing the risk of a user's session. As users emerge on new devices and from new locations, being able to answer an MFA challenge is one of the most direct ways your users can teach us that these are familiar devices/locations as they move around the world ( without analysis by administrators). separate signals). Check it out deployment guide .
  • Enable hybrid Azure AD join or Azure AD join:
    if you manage a user's laptop/computer, move this information to Azure AD and use it to make better decisions. For example, you can allow enhanced client data access (clients that have offline copies on the computer) if you know the user is logging in from a computer that is managed by your organization. If you don't, you'll likely choose to block access from full-featured clients, which could lead to your users bypassing your security or using shadow IT. Check out our resources for hybrid Azure AD join or joining Azure AD .
  • Turn on Microsoft Intune to manage your users' mobile devices (EMS).
    The same can be said for users' mobile devices such as laptops. The more you know about them (patch level, jailbreak, root, etc.), the more you can trust or distrust them and justify why you block/allow access. Check out our Intune device enrollment guide, to get started.
  • Start deploying passwordless credentials.
    Now that Azure AD supports FIDO 2.0 and passwordless phone sign-in, you can change the credentials that your users (especially sensitive/privileged users) use on a daily basis. These credentials are strong authentication factors that can also reduce risk. In our guide Deploying Passwordless Authentication teaches you how to implement passwordless credentials in your organization.

3. Always assume there has been a violation.

Provide Azure AD with a wide range of credentials and controls that it can use to verify the user.

  • Deploy Azure AD password protection.
    While you enable other methods to explicitly verify users, you must not forget about weak passwords, password spraying, and replay attacks. Read this blog to learn why classic strong password policies fail to cope with the most common password attacks. Then follow this guide to first enable Azure AD password protection for users in the cloud, and then and locally .
  • Block legacy authentications.
    One of the most common attack vectors for attackers is the use of stolen/reproduced credentials against legacy protocols such as SMTP, which cannot cope with modern security challenges. We recommend you block legacy authentication in your organization.
  • Enable privacy protection (Azure AD Premium 2).
    Enable privacy protection for your users will give you a more granular signal about session/user risk. You will be able to investigate the risk and confirm the compromise or reject the signal, which will help the engine better understand what the risk looks like in your environment.
  • Enable restricted session for use in access decisions .
    To illustrate, consider the controls in Exchange Online and SharePoint Online (P1): when a user is low risk but they log in from an unknown device, you can allow them access to critical resources, but don't let them do things that leave your organization in an inappropriate condition. You can now configure Exchange Online and SharePoint Online to offer the user a limited session that allows them to read emails or view files, but not download them or save them to an untrusted device. Check out our guides on how to enable restricted access in SharePoint Online And Exchange Online .
  • Enable Conditional Access integration with Microsoft Cloud App Security (MCAS) (E5).
    By using post-authentication signals and MCAS application proxy requests, you can monitor sessions going to SaaS applications and enforce restrictions. Check out our MCAS and Conditional Access Integration Guide and find out how it is possible extend even to local applications .
  • Enable Microsoft Cloud App Security (MCAS) integration with Identity Protection (E5):
    Microsoft Cloud App Security is a UEBA product that tracks user behavior V SaaS and modern applications. This gives Azure AD a signal and information about what happened to the user after they were authenticated and received a token. If a user's pattern starts to look suspicious (the user starts downloading gigabytes of data from OneDrive or starts sending spam emails in Exchange Online), then an alert can be sent to Azure AD notifying that the user appears to be compromised or exposed to high security risks. risk. and upon the next access request from this user; Azure AD can take the correct action to verify the user or block the user. Simply enabling MCAS monitoring will enrich the identity protection signal. Check out our integration guideto start.
  • Integrate Azure Advanced Threat Protection (ATP) with Microsoft Cloud App Security.
    After successfully deploying and configuring Azure ATP enable integration with Microsoft Cloud App Security to include the local signal in the risk signal that we know about the user. This allows Azure AD to know that a user is engaging in risky behavior when accessing local, stale resources (such as file shares), which can then be counted toward the user's overall risk to block further access in the cloud. You will be able to see combined priority assessment for each user at risk to get a holistic view of which ones your SOC should focus on.
  • Enable Microsoft Defender ATP (E5):
    Microsoft Defender ATP allows you to confirm whether Windows computers are healthy or compromised, and use this to reduce runtime risk. While joining a domain gives you a sense of control, Defender ATP allows you to respond to a malware attack in near real-time by detecting patterns when multiple user devices end up on untrusted sites and respond by increasing the risk to your devices/users at runtime . Check out our guide to setting up conditional access in Defender ATP .


We hope the guides above will help you deploy the identity elements that are key to a successful Zero Trust strategy. These three best practices provide a solid foundation for implementing the Zero Trust model. However, please note that they are not a checklist for “achieving” zero trust. Indeed, implementing any security model is not a matter of adopting several best practices or deploying a single software solution; rather, it requires establishing a layered security framework that includes a wide range of technologies, processes, and policies, and continually assessing and improving it as your IT environment, your business requirements, and the threat landscape evolve. Remember that the Zero Trust model, like Active Directory security, is a journey, not a destination.

en_GBEnglish (UK)