Entra ID Zero Trust Design
This article describes an Entra ID design that follows Microsoft's Zero Trust model: never trust, always verify, and assume breach by default. Identity is the new perimeter and the first and most critical control plane, so Entra ID becomes the foundation for both authentication and authorization.
- Old model: “Inside the network = trusted.”
- Zero Trust: Trust nothing, verify everything.
Entra ID enforces this by continuously
validating identity, device, and context—shifting security from network-based
to identity-first.
1. Design Philosophy
The foundation of a Zero Trust architecture is built on three uncompromising principles: verify explicitly (never trust, always verify), least-privilege access, and assume breach. In this model, every access request—regardless of origin—is treated as potentially hostile. Authentication and authorization are enforced dynamically, based on real-time risk signals, device health, user behavior, and the sensitivity of the resource being accessed.
Microsoft Entra ID serves as the backbone of identity and
access management in this paradigm, enabling organizations to lock down their
attack surface while maintaining operational agility.
Design Pillars: High-Level Structure

| Pillar | Solution Component |
| --- | --- |
| Authenticate Explicitly (AuthN) | Use Passwordless MFA, Conditional Access, Risk-based policies |
| Authorize with Least Privilege (AuthZ) | Implement role-based access control (RBAC), entitlement management, PIM |
| Assume Breach | Enable logging, auditing, access reviews, and Just-In-Time (JIT) access |
2. Authentication (AuthN) Strategy
Identity Sources
- Cloud-only identities (Entra-native), or
- Hybrid via Entra Connect sync from on-prem AD
Authentication in Entra ID must be resilient, adaptive, and
phishing-resistant. The design begins with choosing the right identity sources.
Organizations can opt for cloud-native identities or synchronize on-premises
Active Directory identities using Entra Connect. Regardless of the source, all
identities must be governed by strong authentication policies.
Passwordless authentication is a cornerstone of modern security. Entra ID supports Windows Hello for Business, FIDO2 security keys, and the Microsoft Authenticator app—all of which reduce reliance on passwords and mitigate phishing risks. Multi-factor authentication (MFA) is enforced universally but intelligently, using Conditional Access policies that evaluate user risk, sign-in behavior, device compliance, location, and application sensitivity.
Conditional Access becomes the policy engine of Zero Trust.
For example, access to admin portals from unmanaged or non-compliant devices
should be blocked outright. Entra ID Protection adds another layer by detecting
leaked credentials, risky sign-ins, and compromised accounts, and can
automatically trigger remediation actions such as password resets or access
blocks.
| Component | Design Decision |
| --- | --- |
| Identity Provider | Use Microsoft Entra ID as the central IdP |
| MFA Enforcement | Enable Conditional Access policies to enforce MFA based on risk, location, device posture |
| Passwordless Options | Implement Windows Hello, FIDO2 keys, or Microsoft Authenticator |
| Device Trust | Require Intune-compliant or Hybrid Azure AD-joined devices |
| Risk-Based Access | Integrate Entra ID Protection to block risky sign-ins automatically |
3. Authorization (AuthZ) Strategy
Authorization must follow the principle of least privilege.
Entra ID provides granular Role-Based Access Control (RBAC) for
both Azure resources and directory roles. Global Admin privileges should be
tightly restricted and replaced with custom roles wherever possible.
To manage access at scale, Entitlement Management within
Entra ID Governance allows administrators to create access packages for apps,
groups, and Teams. These packages can include approval workflows, expiration
policies, and periodic access reviews—ensuring that access is always justified
and time-bound.
For elevated privileges, Privileged Identity
Management (PIM) enforces Just-In-Time (JIT) access. Admins must
request role activation, which can require MFA and approval. Every privileged
action is logged and auditable, reducing the risk of persistent admin access.
| Component | Design Decision |
| --- | --- |
| Role-Based Access Control (RBAC) | Use Entra ID roles and custom roles for least privilege |
| App Access Management | Use Enterprise Apps with App Role Assignments |
| Group-Based Access | Automate access via dynamic groups and Entitlement Management |
| Privileged Access | Implement PIM (Privileged Identity Management) for just-in-time elevation |
| Audit & Logging | Enable Microsoft Purview and Entra ID logs for full traceability |
4. Conditional Access Enforcement
Conditional Access is the enforcement layer of Zero Trust.
Policies should be crafted to dynamically respond to context and risk. Key
scenarios include:
- Unmanaged or non-compliant devices: Block or restrict access.
- High-risk sign-ins: Require MFA or deny access.
- Sensitive applications: Enforce access only from compliant devices with MFA.
- External users: Apply guest restrictions and limit access scope.
These policies ensure that access is not only authenticated
but also contextually authorized.
| Scenario | Policy |
| --- | --- |
| Unmanaged Device | Block or restrict access |
| High-Risk User Sign-In | Require MFA or block |
| Accessing Sensitive Apps | Require compliant device + MFA |
| External Users | Enforce guest policies and limit access scope |
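The four scenarios in the table, expressed as the request bodies one would send to the Microsoft Graph endpoint `POST /identity/conditionalAccess/policies`, together with a deliberately simplified offline evaluator that shows how conditions and grant controls combine (block wins; an AND policy needs all of its controls, an OR policy needs one). This is an added example, not code from the article or from Microsoft: the evaluator is a teaching model rather than the real Conditional Access engine, `SENSITIVE_APP_ID` is a placeholder, and the sign-in contexts are constructed. The policies are created in report-only state so their would-be outcome can be checked in the sign-in log before enforcement.

```python
"""Conditional Access scenarios as Graph API bodies plus a simplified offline
evaluator.  Added example, not the article's or Microsoft's code: the evaluator
is a teaching model of how CA conditions and grant controls combine, not the
real engine, and SENSITIVE_APP_ID is a placeholder."""
import json

SENSITIVE_APP_ID = "00000000-0000-0000-0000-0000000000aa"  # placeholder app id


def policy(name, users, apps, operator, controls, risk=None, exclude_users=()):
    """Build a request body for POST /identity/conditionalAccess/policies."""
    body = {
        "displayName": name,
        # Report-only first: the sign-in log records the would-be result
        # without enforcing it, so the policy can be validated before go-live.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": users, "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": apps},
        },
        "grantControls": {"operator": operator, "builtInControls": controls},
    }
    if risk:
        body["conditions"]["signInRiskLevels"] = risk
    return body


# The four scenarios from the table (guests split into a block + an MFA policy).
POLICIES = [
    policy("CA01 Require compliant or hybrid-joined device", ["All"], ["All"],
           "OR", ["compliantDevice", "domainJoinedDevice"],
           exclude_users=["GuestsOrExternalUsers"]),
    policy("CA02 Require MFA on high-risk sign-ins", ["All"], ["All"],
           "OR", ["mfa"], risk=["high"]),
    policy("CA03 Sensitive app: compliant device AND MFA", ["All"],
           [SENSITIVE_APP_ID], "AND", ["mfa", "compliantDevice"]),
    policy("CA04 Block guests from admin portals", ["GuestsOrExternalUsers"],
           ["MicrosoftAdminPortals"], "OR", ["block"]),
    policy("CA05 Guests always MFA", ["GuestsOrExternalUsers"], ["All"],
           "OR", ["mfa"]),
]

# Which sign-in signal satisfies each built-in grant control in this model.
CONTROL_SIGNAL = {
    "mfa": "mfa_satisfied",
    "compliantDevice": "device_compliant",
    "domainJoinedDevice": "device_hybrid_joined",
}


def signin(user_type="member", app="app-crm", risk="none",
           compliant=False, hybrid=False, mfa=False):
    """Constructed sign-in context (the signals CA would see)."""
    return {"user_type": user_type, "app": app, "sign_in_risk": risk,
            "device_compliant": compliant, "device_hybrid_joined": hybrid,
            "mfa_satisfied": mfa}


def _selects(selector, ctx):
    return "All" in selector or (
        "GuestsOrExternalUsers" in selector and ctx["user_type"] == "guest")


def policy_applies(p, ctx):
    """All configured conditions must match (users, apps, sign-in risk)."""
    c = p["conditions"]
    if not _selects(c["users"]["includeUsers"], ctx):
        return False
    if _selects(c["users"]["excludeUsers"], ctx):
        return False
    apps = c["applications"]["includeApplications"]
    if "All" not in apps and ctx["app"] not in apps:
        return False
    risk = c.get("signInRiskLevels")
    return not risk or ctx["sign_in_risk"] in risk


def evaluate(ctx, policies=POLICIES):
    """Return ("block", [policy]) / ("grant", []) / ("require", [unmet controls]).

    Block wins over everything; otherwise every applicable policy must be
    satisfied (AND = all of its controls, OR = at least one)."""
    unmet = set()
    for p in (p for p in policies if policy_applies(p, ctx)):
        grant = p["grantControls"]
        controls = grant["builtInControls"]
        if "block" in controls:
            return ("block", [p["displayName"]])
        met = {c: ctx[CONTROL_SIGNAL[c]] for c in controls}
        ok = all(met.values()) if grant["operator"] == "AND" else any(met.values())
        if not ok:
            unmet.update(c for c, m in met.items() if not m)
    return ("grant", []) if not unmet else ("require", sorted(unmet))


if __name__ == "__main__":
    print(json.dumps(POLICIES[0], indent=2))  # body you would POST to Graph
    print(evaluate(signin()))                  # unmanaged member device
    print(evaluate(signin(user_type="guest", app="MicrosoftAdminPortals")))
```

Note the design choice in CA01: guests are excluded because they cannot present an Intune-compliant or hybrid-joined device, so their controls live in CA04 and CA05 instead; without that exclusion the device policy would lock every external user out, which is a common reason such policies are left in report-only mode for too long.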
5. Monitoring, Compliance & Lifecycle Governance
Visibility and governance are critical in a Zero Trust
model. All identity-related events—sign-ins, role activations, access
changes—must be logged to Microsoft Sentinel or a third-party
SIEM. Entra ID provides audit logs and sign-in logs that can be used for
forensic analysis and compliance reporting.
Lifecycle governance is handled through Identity
Lifecycle Workflows, which automate joiner-mover-leaver processes. Access
Reviews should be scheduled periodically for users, guests, and privileged
roles to ensure continued relevance of access.
- Access Reviews: Periodic reviews for users, guests, and privileged roles
- Automated Workflows: Use Identity Governance for onboarding/offboarding
- B2B/B2C Strategy: Secure external identities with Entra ID External ID
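What the SIEM side of this section looks like in practice: three detections run over Entra ID sign-in and audit log records. This is an added example, not code from the article: the field names follow the Graph `signIn` and `directoryAudit` objects, but every user, timestamp and value in the embedded records is constructed. It flags a high-risk sign-in that succeeded without a Conditional Access control being applied, a successful legacy-protocol sign-in (which cannot satisfy MFA), and PIM activations of tier-0 roles or activations outside business hours, then correlates an unchallenged risky sign-in with a tier-0 activation by the same user shortly afterwards.

```python
"""Detections over Entra ID sign-in and audit log records.  Added example, not
the article's code: record shapes follow Graph signIn / directoryAudit fields,
but every user, timestamp and value below is constructed."""
import json
from datetime import datetime, timedelta

SIGNIN_LOGS = json.loads("""[
 {"createdDateTime":"2024-05-06T08:12:00Z","userPrincipalName":"alice@contoso.example",
  "clientAppUsed":"Browser","riskLevelDuringSignIn":"none",
  "conditionalAccessStatus":"success","status":{"errorCode":0}},
 {"createdDateTime":"2024-05-06T02:47:00Z","userPrincipalName":"bob@contoso.example",
  "clientAppUsed":"Browser","riskLevelDuringSignIn":"high",
  "conditionalAccessStatus":"notApplied","status":{"errorCode":0}},
 {"createdDateTime":"2024-05-06T09:03:00Z","userPrincipalName":"svc-mail@contoso.example",
  "clientAppUsed":"Authenticated SMTP","riskLevelDuringSignIn":"none",
  "conditionalAccessStatus":"notApplied","status":{"errorCode":0}},
 {"createdDateTime":"2024-05-06T09:10:00Z","userPrincipalName":"carol@contoso.example",
  "clientAppUsed":"Browser","riskLevelDuringSignIn":"high",
  "conditionalAccessStatus":"failure","status":{"errorCode":53003}}
]""")  # 53003 = blocked by Conditional Access, i.e. the policy did its job

AUDIT_LOGS = json.loads("""[
 {"activityDateTime":"2024-05-06T03:05:00Z",
  "activityDisplayName":"Add member to role completed (PIM activation)",
  "initiatedBy":{"user":{"userPrincipalName":"bob@contoso.example"}},
  "targetResources":[{"displayName":"Global Administrator","type":"Role"}]},
 {"activityDateTime":"2024-05-06T10:00:00Z",
  "activityDisplayName":"Add member to role completed (PIM activation)",
  "initiatedBy":{"user":{"userPrincipalName":"alice@contoso.example"}},
  "targetResources":[{"displayName":"Helpdesk Administrator","type":"Role"}]}
]""")

MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}
TIER0_ROLES = {"Global Administrator", "Privileged Role Administrator",
               "Security Administrator"}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_signins(records):
    """Flag successful sign-ins that a Zero Trust design should not let through."""
    findings = []
    for r in records:
        if r["status"]["errorCode"] != 0:      # failures / CA blocks are expected
            continue
        user, when = r["userPrincipalName"], _ts(r["createdDateTime"])
        # Entra ID Protection rated it high risk, yet no CA control was enforced.
        if r["riskLevelDuringSignIn"] == "high" and r["conditionalAccessStatus"] != "success":
            findings.append({"rule": "high-risk-signin-unchallenged", "user": user, "time": when})
        # Legacy protocols cannot satisfy MFA; a success here is a policy gap.
        if r["clientAppUsed"] not in MODERN_CLIENTS:
            findings.append({"rule": "legacy-auth-success", "user": user,
                             "time": when, "client": r["clientAppUsed"]})
    return findings


def detect_role_activations(records, business_hours=(7, 19)):
    """Surface PIM activations of tier-0 roles and any activation outside hours."""
    findings = []
    for r in records:
        if not r["activityDisplayName"].endswith("(PIM activation)"):
            continue
        user = r["initiatedBy"]["user"]["userPrincipalName"]
        when = _ts(r["activityDateTime"])
        for t in r["targetResources"]:
            if t["type"] != "Role":
                continue
            base = {"user": user, "time": when, "role": t["displayName"]}
            if t["displayName"] in TIER0_ROLES:
                findings.append({"rule": "tier0-role-activated", **base})
            if not business_hours[0] <= when.hour < business_hours[1]:
                findings.append({"rule": "after-hours-role-activation", **base})
    return findings


def correlate(signin_findings, activation_findings, window=timedelta(hours=1)):
    """Users whose unchallenged high-risk sign-in was followed within `window`
    by a tier-0 activation: the sequence a hijacked session produces, and the
    one worth paging on."""
    risky = [f for f in signin_findings if f["rule"] == "high-risk-signin-unchallenged"]
    hits = set()
    for s in risky:
        for a in activation_findings:
            if (a["rule"] == "tier0-role-activated" and a["user"] == s["user"]
                    and timedelta(0) <= a["time"] - s["time"] <= window):
                hits.add(s["user"])
    return hits


if __name__ == "__main__":
    sf, af = detect_signins(SIGNIN_LOGS), detect_role_activations(AUDIT_LOGS)
    for f in sf + af:
        print(f["rule"], f["user"], f["time"].isoformat())
    print("escalate:", correlate(sf, af))
```

Carol's record is the one to study: her high-risk sign-in was blocked (error 53003, Conditional Access status "failure") and so produces no finding, while Bob's identical risk level passed with no policy applied and was followed eighteen minutes later by a Global Administrator activation. The same logic maps directly onto a Sentinel analytics rule over the SigninLogs and AuditLogs tables; the point of running it offline first is to confirm the field choices before wiring up alerts.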
6. Device & Application Trust
Device trust is enforced through Intune compliance
policies integrated with Conditional Access. Only devices that meet
compliance standards—such as encryption, antivirus, and patch levels—should be
allowed to access sensitive resources.
Application trust is extended through App-based
Conditional Access. All SaaS and on-premises applications should be
integrated with Entra ID using SAML or OIDC for Single Sign-On (SSO). This
ensures consistent policy enforcement and centralized access control.
7. Operational Governance & Admin Hardening
Operational governance must be documented and regularly
reviewed. This includes Conditional Access policies, role definitions,
escalation paths, and incident response plans. Admins should operate from Privileged
Access Workstations (PAW) or Dedicated Admin Workstations
(DAW) to isolate administrative tasks from general-purpose computing.
A Red Forest approach—where admin accounts are
segregated and hardened—can further reduce lateral movement risks. Admins
should use separate accounts for privileged tasks and be subject to PIM
controls.
By combining strong authentication, granular authorization, dynamic policy enforcement, and continuous monitoring, Microsoft Entra ID enables a robust Zero Trust architecture. This design not only reduces the attack surface but also enhances operational resilience and compliance posture.
