Secure data with Zero Trust


Zero Trust is a security strategy used to design security principles for your organization. Zero Trust helps secure corporate resources by implementing the following security principles:

  • Verify explicitly. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.

  • Use least privilege access. Limit user access with just-in-time (JIT) and just-enough-access (JEA), risk-based adaptive policies, and data protection to help secure both data and productivity.

  • Assume breach. Minimize the blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

Microsoft Purview proposes five core elements for a data defense in depth strategy and a Zero Trust implementation for data:

  1. Data classification and labeling
    If you don't know what sensitive data you have on-premises and in cloud services, you can't adequately protect it. Discover and detect data across your entire organization and classify it by sensitivity level.

  2. Information Protection
    Conditional and least privilege access to sensitive data reduce data security risks. Apply sensitivity-based access control guardrails, rights management and encryption where environmental controls are insufficient. Use information sensitivity markings to increase awareness and security policy compliance.

  3. Data Loss Prevention
    Access control resolves only part of the problem. Checking and controlling risky data activities and movements which might result in a data security or compliance incident allows organizations to prevent oversharing of sensitive data.

  4. Insider Risk Management
    Data access might not always provide the whole story. Minimize risks to data by enabling behavioral detection from a broad array of signals, and acting on potentially malicious and inadvertent activities in your organization that could be precursors to or an indication of a data breach.

  5. Data Governance
    Proactively managing the lifecycle of sensitive data reduces its exposure. Limit the number of copies or propagation of sensitive data and delete data that is no longer needed to minimize data breach risks.

Data Zero Trust deployment objectives

We recommend you focus on these initial deployment objectives when implementing an end-to-end Zero Trust framework for data:

List icon with one checkmark.

I. Classify and label data. Automatically classify and label data where possible. Apply manually where it isn't.

II. Apply encryption, access control, and content markings. Apply encryption where protection and access control are insufficient.

III. Control access to data. Control access to sensitive data so they're better protected. Ensure that access and usage policy decisions are inclusive of data sensitivity.

As you make progress achieving the above objectives, add these additional deployment objectives:

List icon with two checkmarks.

IV. Prevent data leakage. Use DLP policies that are driven by risky signals and data sensitivity.

V. Manage risks. Manage risks that might lead to a data security incident by checking risky security related user activities and data activity patterns that might result in a data security or compliance incident.

VI. Reduce data exposure. Reduce data exposure through data governance and continual data minimization

Zero Trust deployment guide for data

This guide will walk you step-by-step through a Zero Trust approach to data protection. Please keep in mind that these items will vary widely depending on the sensitivity of your information and the size and complexity of your organization.

As a precursor to any data security implementation, Microsoft recommends that you create a data classification framework and sensitivity label taxonomy that defines high level categories of data security risk. That taxonomy will be used to simplify everything from data inventory or activity insights, to policy management to investigation prioritization.

For more information, see:

Checklist icon with one checkmark.

Initial deployment objectives

I. Classify, label and discover sensitive data

An information protection strategy needs to encompass your organization's entire digital content.

Classifications and sensitivity labels let you understand where your sensitive data is located, how it moves, and implement appropriate access and usage controls consistent with zero trust principles:

  • Use automated classification and labeling to detect sensitive information and scale discovery across your data estate.

  • Use manual labeling for documents and containers, and manually curate data sets used in analytics where classification and sensitivity are best established by knowledgeable users.

Follow these steps:

Once you have configured and tested classification and labeling, scale up data discovery across your data estate.

Follow these steps to extend discovery beyond Microsoft 365 services:

As you discover, classify and label your data, use those insights to remediate risk and inform your policy management initiatives.

Follow these steps:

II. Apply encryption, access control and content markings

Simplify your least privilege implementation by using sensitivity labels to protect your most sensitive data with encryption and access control. Use content markings to enhance user awareness and traceability.

Protect document and emails

Microsoft Purview Information Protection enables access and usage control based on sensitivity labels or user defined permissions for documents and emails. It can also optionally apply markings and encrypt information that resides in or flows out to lesser trust environments internal or external to your organization. It provides protection at rest, in motion, and in use for enlightened applications.

Follow these steps:

Protect documents in Exchange, SharePoint, and OneDrive

For data stored in Exchange, SharePoint, and OneDrive, automatic classification with sensitivity labels can be deployed via policies to targeted locations to restrict access and manage encryption on authorized egress.

Take this step:

III. Control access to data

Providing access to sensitive data must be controlled so that they're better protected. Ensure that access and usage policy decisions are inclusive of data sensitivity.

Control data access and sharing in Teams, Microsoft 365 Groups and SharePoint sites

Use container sensitivity labels to implement conditional access and sharing restrictions to Microsoft Teams, Microsoft 365 Groups or SharePoint sites.

Take this step:

Control access to data in SaaS applications

Microsoft Defender for Cloud Apps provides additional capabilities for conditional access and to manage sensitive files in Microsoft 365 and third-party environments such as Box or Google Workspace, including:

  • Removing permissions to address excessive privilege and prevent data leakage.

  • Quarantining files for review.

  • Applying labels to sensitive files.

Follow these steps:


Check out Integrate SaaS apps for Zero Trust with Microsoft 365 to learn how to apply Zero Trust principles to help manage your digital estate of cloud apps.

Control access to in IaaS/PaaS storage

Deploy mandatory access control policies to IaaS/PaaS resources that contain sensitive data.

Take this step:

IV. Prevent data leakage

Controlling access to data is necessary but insufficient in exerting control over data movement and in preventing inadvertent or unauthorized data leakage or loss. That is the role of data loss prevention and insider risk management, which is described in section IV.

Use Microsoft Purview DLP policies to identify, check, and automatically protect sensitive data across:

  • Microsoft 365 services such as Teams, Exchange, SharePoint, and OneDrive

  • Office applications such as Word, Excel, and PowerPoint

  • Windows 10, Windows 11 and macOS (three latest released versions) endpoints

  • on-premises file shares and on-premises SharePoint

  • non-Microsoft cloud apps.

Follow these steps:

V. Manage insider risks

Least privilege implementations help minimize known risks, but it's also important to correlate additional security related user behavioral signals, check sensitive data access patterns, and to broad detection, investigation and hunting capabilities.

Take these steps:

VI. Delete unnecessary sensitive information

Organizations can reduce their data exposure by managing the lifecycle of their sensitive data.

Remove all privileges where you're able, by deleting the sensitive data itself when it's no longer valuable or permissible for your organization.

Take this step:

Minimize duplication of sensitive data by favoring in-place sharing and use rather than data transfers.

Take this step:

Products covered in this guide

Microsoft Purview

Microsoft Defender for Cloud Apps

For further information or help with implementation, please contact your Customer Success team.

The Zero Trust deployment guide series

Icon for the introduction

Icon for identity

Icon for endpoints

Icon for applications

Icon for data

Icon for infrastructure

Icon for networks

Icon for visibility, automation, orchestration