Securing identity with Zero Trust

Before most organizations start a Zero Trust journey, their approach to identity might be fragmented with various identity providers, a lack of single sign-on (SSO) between cloud and on-premises apps, and limited visibility into identity risk.

Cloud applications and mobile workers require a new way of thinking when it comes to security. Many employees bring their own devices and work in a hybrid manner. Data is regularly accessed outside the traditional corporate network perimeter and shared with external collaborators like partners and vendors. Traditional corporate applications and data are moving from on-premises to hybrid and cloud environments.

Traditional network controls for security aren't enough anymore.

Identities represent the people, services, or devices across networks, endpoints, and applications. In the Zero Trust security model, they function as a powerful, flexible, and granular means to control access to resources.

Before an identity attempts to access a resource, organizations must:

  • Verify the identity with strong authentication.
  • Ensure access is compliant and typical for that identity.
  • Follow least privilege access principles.

Once the identity is verified, we can control access to resources based on organization policies, ongoing risk analysis, and other tools.

Identity Zero Trust deployment objectives

When implementing an end-to-end Zero Trust framework for identity, we recommend you focus first on these initial deployment objectives:

After the previous areas are addressed, focus on these deployment objectives:

I. Cloud identity federates with on-premises identity systems

Microsoft Entra ID enables strong authentication, a point of integration for endpoint security, and the core of your user-centric policies to guarantee least-privileged access. Microsoft Entra Conditional Access is the policy engine used to make decisions for access to resources based on user identity, environment, device health, and risk verified explicitly at the time of access. You can implement a Zero Trust identity strategy with Microsoft Entra ID.

Diagram of the steps within phase 1 of the initial deployment objectives.

Connect all of your users to Microsoft Entra ID and federate with on-premises identity systems

Maintaining a healthy pipeline of your employees' identities and the necessary security artifacts including groups for authorization and endpoints for access policy controls puts you in the best place to use consistent identities and controls in the cloud.

Follow these steps:

  1. Choose an authentication option. Microsoft Entra ID provides you with the best protection against brute force, DDoS, and password spray attacks, but make the decision that's right for your organization and your compliance needs.
  2. Only bring the identities you absolutely need. Use going to the cloud as an opportunity to leave behind service accounts that only make sense on-premises. Leave on-premises privileged roles on-premises.
  3. Ensure you meet the hardware requirements for Microsoft Entra Connect Sync based on your organization's size.

Establish your Identity Foundation with Microsoft Entra ID

A Zero Trust strategy requires verifying explicitly, using least-privileged access principles, and assuming breach. Microsoft Entra ID can act as the policy decision point to enforce your access policies based on insights on the user, endpoint, target resource, and environment.

Put Microsoft Entra ID in the path of every access request. This process connects every user, app, and resource through a common identity control plane and provides Microsoft Entra ID with the signals to make the best possible decisions about the authentication/authorization risk. In addition, single sign-on (SSO) and consistent policy guardrails provide a better user experience and contribute to productivity gains.

Integrate all your applications with Microsoft Entra ID

Single sign-on prevents users from leaving copies of their credentials in various apps and helps avoid phishing attacks or MFA fatigue due to excessive prompting.

Make sure you don't have multiple identity and access management (IAM) solutions in your environment. This duplication diminishes signals that Microsoft Entra ID sees, allows bad actors to live in the shadows between the two IAM engines, and leads to poor user experience. This complexity might lead to your business partners becoming doubters of your Zero Trust strategy.

Follow these steps:

  1. Integrate modern enterprise applications that speak OAuth2.0 or SAML.
  2. For Kerberos and form-based auth applications, integrate them using the Microsoft Entra application proxy.
  3. If you publish your legacy applications using application delivery networks/controllers, use Microsoft Entra ID to integrate with most of the major ones (such as Citrix, Akamai, and F5).
  4. To help discover and migrate your apps off of ADFS and existing/older IAM engines, review Resources for migrating applications to Microsoft Entra ID.
  5. Automate user provisioning.

Verify explicitly with strong authentication

Follow these steps:

  1. Roll out Microsoft Entra multifactor authentication. This effort is a foundational piece of reducing user session risk. As users appear on new devices and from new locations, being able to respond to an MFA challenge is one of the most direct ways that your users can teach us that these are familiar devices/locations as they move around the world (without having administrators parse individual signals).
  2. Block legacy authentication. One of the most common attack vectors for malicious actors is to use stolen/replayed credentials against legacy protocols, such as SMTP, that can't do modern security challenges.
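The two steps above map directly onto two Conditional Access policies. The following is an added example (not code from the article) that creates both with the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph module is installed, the signed-in account can manage Conditional Access, and `$breakGlassGroupId` is replaced with the object ID of your emergency-access group.

```powershell
# Added example: create a "block legacy authentication" policy and a
# "require MFA for all users" policy via Microsoft Graph PowerShell.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder: object ID of your emergency-access (break-glass) group.
$breakGlassGroupId = '<BREAK-GLASS-GROUP-OBJECT-ID>'

# Policy 1: block legacy authentication. exchangeActiveSync and "other"
# are the client app types that cannot answer a modern MFA challenge.
$blockLegacy = @{
    displayName   = 'ZT-01 Block legacy authentication'
    # Start in report-only mode; switch to 'enabled' once the sign-in
    # log shows no users you still need to migrate.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: require MFA for every user on every cloud app, for the modern
# client types that can complete an MFA prompt.
$requireMfa = @{
    displayName   = 'ZT-02 Require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

foreach ($policy in @($blockLegacy, $requireMfa)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"
}
```

Both policies are created in report-only mode so you can review their impact in the sign-in log before enforcing them; always keep an excluded emergency-access group so a policy mistake cannot lock every administrator out.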

II. Conditional Access policies gate access and provide remediation activities

Microsoft Entra Conditional Access analyzes signals such as user, device, and location to automate decisions and enforce organizational access policies for resources. You can use Conditional Access policies to apply access controls like multifactor authentication (MFA). Conditional Access policies allow you to prompt users for MFA when needed for security and stay out of users' way when not needed.

Diagram of Conditional Access policies in Zero Trust.

Microsoft provides standard conditional policies called security defaults that ensure a basic level of security. However, your organization might need more flexibility than security defaults offer. You can use Conditional Access to customize security defaults with more granularity and to configure new policies that meet your requirements.

Planning your Conditional Access policies in advance and having a set of active and fallback policies is a foundational pillar of your Access Policy enforcement in a Zero Trust deployment. Take the time to configure known network locations in your environment. Even if you don't use these network locations in a Conditional Access policy, configuring these IPs informs the risk of Microsoft Entra ID Protection.

Take this step:

Register devices with Microsoft Entra ID to restrict access from vulnerable and compromised devices

Follow these steps:

  1. Enable Microsoft Entra hybrid join or Microsoft Entra join. If you're managing the user's laptop/computer, bring that information into Microsoft Entra ID and use it to help make better decisions. For example, you can allow rich clients that keep offline copies of data on the computer to access that data only when you know the user is coming from a machine that your organization controls and manages.
  2. Enable the Intune service within Microsoft Endpoint Manager (EMS) for managing your users' mobile devices and enroll devices. The same can be said about user mobile devices as about laptops: The more you know about them (patch level, jailbroken, rooted, etc.), the more you can provide a rationale for why you block/allow access.

III. Analytics improve visibility

As you build your estate in Microsoft Entra ID with authentication, authorization, and provisioning, it's important to have strong operational insights into what is happening in the directory.
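Before you switch the "block legacy authentication" and device-based policies from report-only to enforced, the sign-in log tells you who would be affected. The following is an added example (not code from the article) that reads the last seven days of sign-ins with the Microsoft Graph PowerShell SDK and summarises legacy-protocol use and sign-ins from devices Microsoft Entra ID does not know as managed; it assumes the Microsoft.Graph.Reports module and a role that can read audit logs, and the set of "modern" client labels is an assumption you may need to widen.

```powershell
# Added example: assess legacy-auth usage and unmanaged-device sign-ins
# from the Microsoft Entra sign-in log before enforcing Conditional Access.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

# Graph filters on createdDateTime; fetch the last 7 days of sign-ins.
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Assumption: these two clientAppUsed labels are the modern-auth clients;
# everything else (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync,
# Other clients, ...) is treated as legacy authentication.
$modernClients = @('Browser', 'Mobile Apps and Desktop clients')

$legacy = $signIns | Where-Object { $_.ClientAppUsed -notin $modernClients }
Write-Host "Legacy-auth sign-ins in the last 7 days: $($legacy.Count)"
$legacy | Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize

# A device is treated as managed when Intune reports it compliant or it has
# a trust type (joined/registered). An empty TrustType means Microsoft
# Entra ID has no device record at all for that sign-in.
$unmanaged = $signIns | Where-Object {
    -not $_.DeviceDetail.IsCompliant -and
    [string]::IsNullOrEmpty($_.DeviceDetail.TrustType)
}
Write-Host "Sign-ins from devices unknown to Microsoft Entra ID: $($unmanaged.Count)"
$unmanaged | Group-Object UserPrincipalName, AppDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize
```

The two tables give you the user and application list to work through (migrate the client, register the device, or add a scoped exclusion) before the corresponding policy moves to enforced.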

Configure logging and reporting to improve visibility

Take this step: