This article provides a deployment plan for building Zero Trust security with Microsoft 365. Zero Trust is a new security model that assumes breach and verifies each request as though it originated from an uncontrolled network. Regardless of where the request originates or what resource it accesses, the Zero Trust model teaches us to "never trust, always verify."
Use this article together with this poster.
A Zero Trust approach extends throughout the entire digital estate and serves as an integrated security philosophy and end-to-end strategy.
This illustration represents the primary elements that contribute to Zero Trust.
For more information about Zero Trust, see Microsoft's Zero Trust Guidance Center.
Microsoft 365 is built intentionally with many security and information protection capabilities to help you build Zero Trust into your environment. Many of the capabilities can be extended to protect access to other SaaS apps your organization uses and the data within these apps.
This illustration represents the work of deploying Zero Trust capabilities. The work is broken into units that can be configured together, starting from the bottom and working to the top so that prerequisite work is complete before you build on it.
This article assumes you are using cloud identity. If you need guidance for this objective, see Deploy your identity infrastructure for Microsoft 365.
Tip: When you understand the steps and the end-to-end deployment process, you can use the Set up your Microsoft Zero Trust security model advanced deployment guide when signed in to the Microsoft 365 admin center. This guide steps you through applying Zero Trust principles for standard and advanced technology pillars. To step through the guide without signing in, go to the Microsoft 365 Setup portal.
The first step is to build your Zero Trust foundation by configuring identity and device access protection.
Go to Zero Trust identity and device access protection for detailed prescriptive guidance. This series of articles describes a set of identity and device access prerequisite configurations and a set of Microsoft Entra Conditional Access, Microsoft Intune, and other policies to secure access to Microsoft 365 for enterprise cloud apps and services, other SaaS services, and on-premises applications published with Microsoft Entra application proxy.
| Includes | Prerequisites | Doesn't include |
|---|---|---|
| Recommended identity and device access policies for three levels of protection. Additional recommendations for related features. | Microsoft E3 or E5. Microsoft Entra ID in either of the supported modes. | Device enrollment for policies that require managed devices. See Step 2. Manage endpoints with Intune to enroll devices. |
Start by implementing the starting-point tier. These policies don't require enrolling devices into management.
Next, enroll your devices into management and begin protecting them with more sophisticated controls.
See Manage devices with Intune for detailed prescriptive guidance.
| Includes | Prerequisites | Doesn't include |
|---|---|---|
| Enroll devices with Intune. Configure policies. | Register endpoints with Microsoft Entra ID. | Configuring information protection capabilities. For these capabilities, see Step 5. Protect and govern sensitive data (later in this article). |
For more information, see Zero Trust for Microsoft Intune.
With devices enrolled into management, you can now implement the full set of recommended Zero Trust identity and device access policies, requiring compliant devices.
Return to Common identity and device access policies and add the policies in the Enterprise tier.
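The Enterprise-tier policy this step describes, requiring a compliant device before Microsoft 365 apps can be accessed, can be expressed as a Microsoft Entra Conditional Access policy created through Microsoft Graph PowerShell. The following is an added example and is not code from the Microsoft page or from the Zero Trust guidance it links to; it assumes the Microsoft.Graph module is installed, that the signed-in admin can consent to the Conditional Access policy scopes, and that the placeholder group ID is replaced with the object ID of the emergency-access (break-glass) group you exclude from all Conditional Access policies. The policy is created in report-only state so that sign-in logs show who would have been blocked before it is enforced.

```powershell
# Added example (not from the Microsoft page): create the Enterprise-tier
# "require compliant device" Conditional Access policy via Microsoft Graph PowerShell.
# Requires the Microsoft.Graph module; an admin consents to these scopes at sign-in.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# PLACEHOLDER: object ID of the group holding emergency-access accounts.
# Excluding it prevents a misconfigured policy from locking every admin out.
$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "ZT Enterprise - Require compliant device for Microsoft 365 apps"
    # Report-only: the policy is evaluated and logged but not enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)
        }
        applications = @{
            # "Office365" is the Graph keyword for the Office 365 app group.
            includeApplications = @("Office365")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        # Devices must be marked compliant by Intune (Step 2 enrollment) to get access.
        builtInControls = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# After reviewing report-only results in the sign-in logs, switch to enforcement:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

Keep the report-only phase long enough to cover devices that are enrolled but not yet evaluated as compliant; the policy only works as intended once Step 2 device enrollment and compliance policies are in place, which is why the deployment stack puts this step after them.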
Microsoft Defender XDR is an extended detection and response (XDR) solution that automatically collects, correlates, and analyzes signal, threat, and alert data from across your Microsoft 365 environment, including endpoint, email, applications, and identities.
Go to Evaluate and pilot Microsoft Defender XDR for a methodical guide to piloting and deploying Microsoft Defender XDR components.
| Includes | Prerequisites | Doesn't include |
|---|---|---|
| Set up the evaluation and pilot environment for all components. Protect against threats. Investigate and respond to threats. | See the guidance to read about the architecture requirements for each component of Microsoft Defender XDR. | Microsoft Entra ID Protection isn't included in this solution guide. It's included in Step 1. Configure Zero Trust identity and device access protection. |
For more information, see these additional Zero Trust articles:
Implement Microsoft Purview Information Protection to help you discover, classify, and protect sensitive information wherever it lives or travels.
Microsoft Purview Information Protection capabilities are included with Microsoft Purview and give you the tools to know your data, protect your data, and prevent data loss.
While this work is represented at the top of the deployment stack illustrated earlier in this article, you can begin this work anytime.
Microsoft Purview Information Protection provides a framework, process, and capabilities you can use to accomplish your specific business objectives.
For more information on how to plan and deploy information protection, see Deploy a Microsoft Purview Information Protection solution.
If you're deploying information protection for data privacy regulations, this solution guide provides a recommended framework for the entire process: Deploy information protection for data privacy regulations with Microsoft 365.