What is Zero Trust?

Zero Trust is a security strategy. It is not a product or a service, but an approach in designing and implementing the following set of security principles:

  • Verify explicitly
  • Use least privilege access
  • Assume breach

Guiding principles of Zero Trust

Verify explicitly Use least privilege access Assume breach
Always authenticate and authorize based on all available data points. Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection. Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

This is the core of Zero Trust. Instead of believing everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originated from an uncontrolled network. Regardless of where the request originates or what resource it accesses, the Zero Trust model teaches us to "never trust, always verify."

It is designed to adapt to the complexities of the modern environment that embraces the mobile workforce, protects people, devices, applications, and data wherever they are located.

A Zero Trust approach should extend throughout the entire digital estate and serve as an integrated security philosophy and end-to-end strategy. This is done by implementing Zero Trust controls and technologies across six foundational elements. Each of these is a source of signal, a control plane for enforcement, and a critical resource to be defended.

Diagram of elements of visibility, automation, and orchestration in Zero Trust.

Different organizational requirements, existing technology implementations, and security stages all affect how a Zero Trust security model implementation is planned. Using our experience in helping customers to secure their organizations, as well as in implementing our own Zero Trust model, we've developed the following guidance to assess your readiness and to help you build a plan to get to Zero Trust.

You can organize your approach to Zero Trust around these key technology pillars:


Fingerprint icon.

Secure identity with Zero Trust

Identities—whether they represent people, services, or IoT devices—define the Zero Trust control plane. When an identity attempts to access a resource, verify that identity with strong authentication, and ensure access is compliant and typical for that identity. Follow least privilege access principles.

Endpoint devices icon.

Secure endpoints with Zero Trust

Once an identity has been granted access to a resource, data can flow to a variety of different endpoints—from IoT devices to smartphones, BYOD to partner-managed devices, and on-premises workloads to cloud-hosted servers. This diversity creates a massive attack surface area. Monitor and enforce device health and compliance for secure access.

Application window icon.

Secure applications with Zero Trust

Applications and APIs provide the interface by which data is consumed. They may be legacy on-premises, lifted-and-shifted to cloud workloads, or modern SaaS applications. Apply controls and technologies to discover shadow IT, ensure appropriate in-app permissions, gate access based on real-time analytics, monitor for abnormal behavior, control user actions, and validate secure configuration options.

Ones and zeroes icon.

Secure data with Zero Trust

Ultimately, security teams are protecting data. Where possible, data should remain safe even if it leaves the devices, apps, infrastructure, and networks the organization controls. Classify, label, and encrypt data, and restrict access based on those attributes.

Data storage disks icon.

Secure infrastructure with Zero Trust

Infrastructure—whether on-premises servers, cloud-based VMs, containers, or micro-services—represents a critical threat vector. Assess for version, configuration, and JIT access to harden defense. Use telemetry to detect attacks and anomalies, and automatically block and flag risky behavior and take protective actions.

Network diagram icon.

Secure networks with Zero Trust

All data is ultimately accessed over network infrastructure. Networking controls can provide critical controls to enhance visibility and help prevent attackers from moving laterally across the network. Segment networks (and do deeper in-network micro-segmentation) and deploy real-time threat protection, end-to-end encryption, monitoring, and analytics.

Gear icon.

Visibility, automation, and orchestration with Zero Trust

In our Zero Trust guides, we define the approach to implement an end-to-end Zero Trust methodology across identities, endpoints and devices, data, apps, infrastructure, and network. These activities increase your visibility, which gives you better data for making trust decisions. With each of these individual areas generating their own relevant alerts, we need an integrated capability to manage the resulting influx of data to better defend against threats and validate trust in a transaction.

With Zero Trust, we move away from a trust-by-default perspective to a trust-by-exception one. An integrated capability to automatically manage those exceptions and alerts is important so you can more easily find and detect threats, respond to them, and prevent or block undesired events across your organization.

Zero Trust and the US Executive Order 14028 on Cybersecurity

US executive order 14028, Improving the Nation's Cyber Security, directs federal agencies on advancing security measures that drastically reduce the risk of successful cyberattacks against the federal government's digital infrastructure. On January 26, 2022, the Office of Management and Budget (OMB) released the federal Zero Trust strategy in memorandum 22-09, in support of EO 14028.

Zero Trust for Microsoft 365

Microsoft 365 is built intentionally with many security and information protection capabilities to help you build Zero Trust into your environment. Many of the capabilities can be extended to protect access to other SaaS apps your organization uses and the data within these apps.

See these key resources to get started:

Zero Trust for Microsoft Azure

These articles help you apply the principles of Zero Trust to your workloads and services in Microsoft Azure based on a multi-disciplinary approach to applying the Zero Trust principles.

  • Zero Trust Overview: This video provides information about:

    • Zero Trust definition
    • Zero Trust principles
    • Zero Trust core concepts
    • Rapid modernization plan (RaMP) quick wins
  • Zero Trust - The Open Group: This video provides a perspective on Zero Trust from a standards organization.

Next steps

Use additional Zero Trust content based on a documentation set or your role in your organization.

Documentation set

Follow this table for the best Zero Trust documentation sets for your needs.

Documentation set Helps you... Roles
Adoption framework for phase and step guidance for key business solutions and outcomes Apply Zero Trust protections from the C-suite to the IT implementation. Security architects, IT teams, and project managers
Concepts and deployment objectives for general deployment guidance for technology areas Apply Zero Trust protections aligned with technology areas. IT teams and security staff
Zero Trust for small businesses Apply Zero Trust principles to small business customers. Customers and partners working with Microsoft 365 for business
Zero Trust Rapid Modernization Plan (RaMP) for project management guidance and checklists for easy wins Quickly implement key layers of Zero Trust protection. Security architects and IT implementers
Zero Trust deployment plan with Microsoft 365 for stepped and detailed design and deployment guidance Apply Zero Trust protections to your Microsoft 365 tenant. IT teams and security staff
Zero Trust for Copilot for Microsoft 365 for stepped and detailed design and deployment guidance Apply Zero Trust protections to Copilot for Microsoft 365. IT teams and security staff
Zero Trust for Azure services for stepped and detailed design and deployment guidance Apply Zero Trust protections to Azure workloads and services. IT teams and security staff
Partner integration with Zero Trust for design guidance for technology areas and specializations Apply Zero Trust protections to partner Microsoft cloud solutions. Partner developers, IT teams, and security staff
Develop using Zero Trust principles for application development design guidance and best practices Apply Zero Trust protections to your application. Application developers

Your role

Follow this table for the best documentation sets for your role in your organization.

Role Documentation set Helps you...
Security architect

IT project manager

IT implementer
Adoption framework for phase and step guidance for key business solutions and outcomes Apply Zero Trust protections from the C-suite to the IT implementation.
Member of an IT or security team Concepts and deployment objectives for general deployment guidance for technology areas Apply Zero Trust protections aligned with technology areas.
Customer or partner for Microsoft 365 for business Zero Trust for small businesses Apply Zero Trust principles to small business customers.
Security architect

IT implementer
Zero Trust Rapid Modernization Plan (RaMP) for project management guidance and checklists for easy wins Quickly implement key layers of Zero Trust protection.
Member of an IT or security team for Microsoft 365 Zero Trust deployment plan with Microsoft 365 for stepped and detailed design and deployment guidance for Microsoft 365 Apply Zero Trust protections to your Microsoft 365 tenant.
Member of an IT or security team for Microsoft Copilots Zero Trust for Copilot for Microsoft 365 for stepped and detailed design and deployment guidance Apply Zero Trust protections to Copilot for Microsoft 365.
Member of an IT or security team for Azure services Zero Trust for Azure services for stepped and detailed design and deployment guidance Apply Zero Trust protections to Azure workloads and services.
Partner developer or member of an IT or security team Partner integration with Zero Trust for design guidance for technology areas and specializations Apply Zero Trust protections to partner Microsoft cloud solutions.
Application developer Develop using Zero Trust principles for application development design guidance and best practices Apply Zero Trust protections to your application.