Dana Epp

Building Zero Trust networks with Microsoft 365


The Microsoft Offensive Security Research team published some guidance on Building Zero Trust networks with Microsoft 365. In it, they describe how Zero Trust networks eliminate the concept of trust based on network location within a perimeter. Instead, Zero Trust architectures leverage device and user trust claims to gate access to organizational data and resources.


That can be achieved well in Azure using Azure AD conditional access. Combining conditional access with Azure AD Identity Protection makes dynamic access control decisions based on user, device, location, and session risk for every resource request. They combine attested runtime signals about the security state of a Windows device and the trustworthiness of the user session and identity to arrive at the strongest possible security posture. It looks something like this:


To accomplish the Zero Trust model, Microsoft integrates several components and capabilities in Microsoft 365: Windows Defender Advanced Threat Protection, Azure Active Directory, Windows Defender System Guard, and Microsoft Intune. It's a powerful combination.
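To make the per-request decision concrete, here is an added illustrative model (not Microsoft's code or Azure AD's actual policy engine) that takes the signals named above, user, device compliance, location and risk, and returns a grant control for each request; the thresholds and control names are assumptions chosen for the example.

```python
"""Illustrative model of a conditional access decision (added example, not Microsoft code).

Every request is evaluated on its own; network location alone never grants access.
Thresholds and the returned control names are assumptions for illustration only.
"""
from dataclasses import dataclass

# Risk levels as reported by Identity Protection, ordered for comparison
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_compliant: bool   # device trust claim (Intune compliance / attested health)
    trusted_location: bool   # request came from a named trusted location
    sign_in_risk: str        # session risk for this sign-in: none/low/medium/high
    user_risk: str           # identity risk for the account: none/low/medium/high


def evaluate(req: AccessRequest) -> str:
    """Return 'block', 'require_compliant_device', 'require_mfa' or 'allow'."""
    # A compromised identity gets no path in, whatever the device or network.
    if RISK_ORDER[req.user_risk] >= RISK_ORDER["high"]:
        return "block"
    # Without a device trust claim there is no access to organizational data,
    # even from inside a trusted location (no perimeter-based trust).
    if not req.device_compliant:
        return "require_compliant_device"
    # A risky session on a healthy device must step up before proceeding.
    if RISK_ORDER[req.sign_in_risk] >= RISK_ORDER["medium"]:
        return "require_mfa"
    # Location is just one more signal: low risk from an unknown place steps up too.
    if RISK_ORDER[req.sign_in_risk] >= RISK_ORDER["low"] and not req.trusted_location:
        return "require_mfa"
    return "allow"


def evaluate_all(requests: list[AccessRequest]) -> dict[str, str]:
    """Map each user's request to its decision, for a batch of constructed requests."""
    return {r.user: evaluate(r) for r in requests}


if __name__ == "__main__":
    # Constructed sample requests to show how each signal changes the outcome
    sample = [
        AccessRequest("alice", True, False, "none", "none"),   # healthy device, off-network
        AccessRequest("bob", False, True, "none", "none"),     # on-network but unmanaged device
        AccessRequest("carol", True, True, "medium", "none"),  # risky session
        AccessRequest("dave", True, True, "none", "high"),     # leaked credentials
    ]
    for user, decision in evaluate_all(sample).items():
        print(f"{user}: {decision}")
```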


Anyways, by leveraging device and user trust claims to gate access to organizational resources, conditional access provides comprehensive but flexible policies that secure corporate data while ensuring user productivity. It will be interesting to watch Microsoft continue to innovate to protect the modern workplace, where user productivity continues to expand beyond the perimeters of the corporate network. Combining the intelligent cloud (Azure) with the intelligent edge (Windows) unlocks amazing possibilities. You should check out their research on this.

© 2020 by Dana Epp
