Microsoft defines several components in Zero Trust model that deserve our security focus.

Each of these parts are foundational to security approach and are sources of signals and a security control plane:

1. Identities. Today, identities are not just people but devices and services as well. 
2. Endpoints. Continuous monitoring of device health and security is crucial, from personal and IoT devices to servers and desktops.
3. Applications. Cloud or on-premises applications and APIs need access controls, usage analytics, monitoring and secure configuration.
4. Data. Securing data is fundamental. We need to ensure data is secure when in motion or at rest, on devices or when it leaves infrastructure and applications.
5. Infrastructure. On-premises or cloud infrastructure deserves proper security too. Restricting and controlling access using Just-in-Time and Just-Enough Administration (JIT, JEA), monitoring for anomalous behaviour, or using automation to shorten response time to risky behaviour.
6. Networks. Segmenting networks using subnets, multiple networks, user-defined routes, end-to-end encryption, monitoring and analytics.

What is more important, Zero Trust approach includes automated security policy enforcement to ensure compliant behaviour throughout entire organisation

Picture 1 Zero Trust Security Components. 

Source: Microsoft (https://docs.microsoft.com) 

 Picture 2 Zero Trust Security Policy Enforcement 

Source: Microsoft (https://docs.microsoft.com) 

So, which Microsoft products should we use to establish Zero Trust strategy? Well, different organisations will have different approaches to implementing zero trust methodology to security simply because no organisation is the same, does not use the same products and does not have the same infrastructure architecture. But the principles are still the same. Let us take a look at one approach.

Zero Trust approach should start with protecting identities, where each access request is equally treated and verified using strong identity authentication. Microsoft Entra ID (former Azure Active Directory, or Azure AD) is an identity and secure access management solution (IAM) that supports Multi-factor Authentication (MFA), where adding a second factor in authentication process can reduce lost or leaked passwords problems. To make authentication even stronger, we can use Passwordless authentication using mobile authenticator app or FIDO2 token for even better protection.

Picture 3 Azure AD Conditional Access

Microsoft Entra ID not only enables strong authentication, but it provides Conditional Access to analyse signals, or conditions of users, devices, locations and automate and enforce resource access policies across entire organisation.

Picture 4 Azure AD Conditional Access Policy “wizard”

User access control is based on evaluations of several factors, such as user risk, sign-in risk, type of devices and platforms used, locations from where access is requested or device condition. After evaluating all signals, Microsoft Entra Conditional Access can grant access, allow access on specific conditions or block access to requested resources.

In case a legitimate user is requesting access to corporate resources, but the request originates from a compromised device or user sign-in risk signalises impossible travel activity – a multi-factor authentication challenge can be requested, or a user access can be denied.

The Microsoft Entra Conditional Access is perhaps the most direct and picturesque example of “do not trust anyone”, “verify explicitly” or Zero Trust approach to security.

Just-in-Time and Just-Enough Administration (JIT, JEA) are not reserved solely for infrastructure Zero Trust approach but in protecting Identities as well.

 Picture 5 ASC Just-in-time VM Access

Microsoft Defender for Cloud is a unified infrastructure security management system that provides security posture insight and actionable advice across Azure, on-premises, and 3rd party cloud workloads. Microsoft Defender for Cloud’s Cloud Workload Protection (CWP) enables intelligent workload protection across hybrid workloads and offers just-in-time virtual machine access. Customisable options include port, protocol, source IP addresses or CIDR blocks and maximum request time allowed to access a virtual machine.

Microsoft Entra Privileged Identity Management in contrast, controls JIT and JEA settings for Microsoft Entra identities. It enables security administrators to limit users’ access to privileged roles, discovers users with privileged roles assignments and to perform privileged access reviews. Microsoft Entra PIM provides just-in-time privileged access to Microsoft Entra ID and Azure resources, enforces MFA to activate a role, use justification to follow and understand user activations, provides audit history and more.

To protect endpoints and devices, to detect and remediate advanced attacks on endpoints, Microsoft Defender for Endpoint supports Microsoft Windows operating systems from Windows 7 to Windows Server 2019, Android, MacOS and Linux.

Many organisations struggle with Shadow IT, with unknown and unsanctioned cloud applications. To discover applications used in corporate networks and to fight “the invisible and unknown enemy” – that is, attempt to control access to 3rd party applications or “shadow” cloud applications - IT departments need a cloud app security broker (CASB). Fortunately, Microsoft Defender for Cloud Apps is a CASB solution that tightly integrates with other products in Microsoft portfolio. Its risk catalogue contains more than 16,000 applications that are assessed over 80 risk factors that help IT departments and security professionals make right decisions when assessing applications risk.

Products and features mentioned here are just a tip of the iceberg in a massive, possible Zero Trust security scenarios. You might be using some or all products cited and, of course, you might use some others too, like Microsoft Intune, Microsoft Defender for Identity, Microsoft Defender for Office 365, Data Loss Prevention (DLP) policies, BitLocker, Azure Policy, Microsoft Sentinel, Azure Blueprints, ARM templates, Azure DDoS Protection, Azure Web Application Firewall, Azure Firewall, Network Security groups and Application Security Groups.

No matter what you use, ensure you follow three basic Zero Trust principles:

1. Assume breach,

2. verify explicitly and

3. use least privileged access.