Identity: The New Perimeter in Zero Trust

Reading Time: 12 minutes

Welcome to the first deep dive in my Zero Trust blog series. If you’ve read the series introduction, you’ll know that Zero Trust isn’t a single product or a quick fix; it’s a strategic approach that touches every part of your digital environment. Over the coming posts, I’ll be breaking down each of the core pillars that make up a practical Zero Trust strategy, with a focus on real-world implementation in Microsoft 365 and Azure.

We’re starting where it matters most: identity. In today’s cloud-first, hybrid world, identity has become the new security perimeter. Let’s explore why securing identity is the foundation of Zero Trust—and how you can put these principles into action.

Introduction

In the not-so-distant past, cybersecurity was all about building walls around your network with firewalls, VPNs, and network boundaries designed to keep threats out and trusted users in. But the world has changed. With the rise of cloud computing, hybrid work, and SaaS, the traditional perimeter has all but disappeared. Users now access resources from anywhere, on any device, and attackers have adapted their tactics accordingly.

Identity has become the new perimeter. Instead of focusing solely on securing networks, modern security strategies must start with verifying who is requesting access, every single time. Why? Because identity is now the gateway to everything in your digital environment: email, files, applications, infrastructure, and more. If an attacker compromises a single user account, they can potentially unlock your entire estate.

This shift is at the heart of the Zero Trust model. Zero Trust assumes that no user or device inside or outside the network should be trusted by default. Every access request must be explicitly verified, based on signals like user behaviour, device health, location, and risk level. In this world, securing identity isn’t just a technical requirement; it’s the foundation of your entire security posture.

Why Identity Matters More Than Ever

  • Attackers target identities first: Phishing, credential theft, and brute-force attacks are now the most common ways adversaries gain access. Once inside, they move laterally, escalate privileges, and seek out sensitive data.
  • Cloud and hybrid work have made identity the constant: Devices, locations, and networks change, but identity remains the anchor for access decisions.
  • A compromised identity is a compromised business: Especially in Microsoft 365 and Azure, where one account can unlock a vast array of services and data.

The Zero Trust Mindset

Zero Trust is not a product or a checkbox; it’s a mindset. It means always verifying, never assuming, and continuously monitoring for risk. By putting identity at the centre, you ensure that only the right people, on the right devices, under the right conditions, can access your resources.

Practical Steps to Secure Identity

So, how do you actually put Zero Trust identity principles into practice? Here’s a real-world roadmap, grounded in Microsoft 365 and Azure, but relevant to any modern environment.

Make Multi-Factor Authentication (MFA) Non-Negotiable

Passwords are no longer enough. Attackers have a vast arsenal (phishing kits, credential stuffing, brute-force tools) and they’re relentless. MFA is your first and most effective line of defence. But not all MFA is created equal.

What’s “Basic” MFA?

  • SMS codes and voice calls: Vulnerable to SIM swapping and interception.
  • App push notifications (including Microsoft Authenticator with number matching): Better than SMS, but still susceptible to sophisticated phishing attacks, where users can be tricked into approving fraudulent prompts.

What’s Phishing-Resistant MFA?

  • FIDO2 security keys (e.g., YubiKey)
  • Windows Hello for Business (biometrics or PIN tied to device)
  • Passkeys (including those managed by Microsoft Authenticator, but only when used as a cryptographic credential, not just for number matching)
  • Certificate-based authentication
  • Smart cards

These methods use cryptographic authentication tied to the device, making it nearly impossible for attackers to intercept or replay credentials even if a user is tricked by a phishing site.

Best Practice

  • Aim for phishing-resistant MFA for all users, not just admins or privileged roles. While Microsoft Authenticator with number matching is a solid baseline, it is not truly phishing-resistant. Where possible, move your entire user base to FIDO2, passkeys, or Windows Hello for Business.
  • Educate users about the differences and why phishing-resistant methods matter.
  • Regularly review MFA registration and usage reports to spot gaps and enforce compliance.

Why it matters

Microsoft’s own data shows that enabling any form of MFA can prevent over 99% of account compromise attacks. But for true resilience, especially as phishing attacks become more sophisticated, phishing-resistant methods are essential for everyone, not just high-risk users.

How to do it

  • Enforce MFA for all users via Conditional Access.
  • Prioritise passwordless and phishing-resistant options to reduce reliance on passwords and basic MFA.
  • Provide clear guidance and support to help users register and use phishing-resistant credentials.
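The registration review in the best-practice list above, as an added example that is not code from the original post: a Microsoft Graph PowerShell script that lists every user (admins first) who has MFA registered but no phishing-resistant method. The method names in $PhishingResistant are my assumption about the values the userRegistrationDetails report returns; check them against your own tenant before relying on the output.

```powershell
# Added example: find users without a phishing-resistant MFA method registered.
# Requires the Microsoft.Graph.Reports module and consent to the two scopes below.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# Method names as they appear in the MethodsRegistered property of the
# userRegistrationDetails report. Assumption: verify the passkey names in your
# tenant, as they have changed between Graph versions.
$PhishingResistant = @(
    'fido2SecurityKey',
    'windowsHelloForBusiness',
    'microsoftAuthenticatorPasswordless',
    'passKeyDeviceBound',
    'passKeyDeviceBoundAuthenticator',
    'passKeyDeviceBoundWindowsHello'
)

$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$report = foreach ($d in $details) {
    $registered = @($d.MethodsRegistered)
    $strong     = @($registered | Where-Object { $PhishingResistant -contains $_ })
    [pscustomobject]@{
        User              = $d.UserPrincipalName
        IsAdmin           = $d.IsAdmin
        MfaRegistered     = $d.IsMfaRegistered
        PhishingResistant = ($strong.Count -gt 0)
        Methods           = ($registered -join ', ')
    }
}

# Admins first: these are the accounts an attacker most wants to phish.
$gaps = $report | Where-Object { -not $_.PhishingResistant } |
    Sort-Object -Property @{ Expression = 'IsAdmin'; Descending = $true }, User

"{0} of {1} users have no phishing-resistant method registered; {2} of them are admins." -f `
    @($gaps).Count, @($report).Count, @($gaps | Where-Object IsAdmin).Count
$gaps | Format-Table -AutoSize

# Keep a dated copy so you can track the gap closing over time.
$gaps | Export-Csv -Path (".\mfa-gaps-{0:yyyyMMdd}.csv" -f (Get-Date)) -NoTypeInformation
```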

Build a Layered Defence with Conditional Access

Conditional Access (CA) is the policy engine at the heart of Microsoft Entra ID. Think of it as your digital bouncer, evaluating every access request in real time based on user, device, location, risk, and more.

Key CA strategies:

  • Require MFA for all users, especially admins and high-risk sign-ins.
  • Block legacy authentication protocols (POP, IMAP, SMTP Basic Auth) that don’t support modern security controls.
  • Restrict access from unmanaged or non-compliant devices. Only allow access to sensitive apps from devices that meet your security standards.
  • Enforce location-based policies. Block access from high-risk countries or anonymous IP addresses.
  • Leverage risk-based policies (with Entra ID P2) to automatically challenge or block risky sign-ins.

Why it matters:
CA lets you apply Zero Trust dynamically, adapting to risk signals and context, not just static rules.

How to do it:

  • Start with baseline policies (block legacy auth, require MFA for admins).
  • Gradually expand to cover all users and critical apps.
  • Use Microsoft’s CA templates as a starting point, then tailor to your environment.
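The two baseline policies from the steps above (block legacy authentication, require strong MFA for admins), as an added example that is not code from the original post: created with the Microsoft Graph PowerShell SDK in report-only mode so the sign-in log shows the impact before you enforce anything. $BreakGlassGroupId is a placeholder for your emergency-access group; the Global Administrator role template ID and the built-in "Phishing-resistant MFA" authentication strength ID are the well-known Entra values, but confirm them in your tenant.

```powershell
# Added example: create the two baseline Conditional Access policies in report-only mode.
# Requires Microsoft.Graph.Identity.SignIns and the Policy.ReadWrite.ConditionalAccess scope.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

# Assumption: replace with the object ID of your break-glass group, which must be
# excluded from every blocking policy so you cannot lock yourself out.
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'

# Policy 1: block legacy authentication. Legacy clients (POP, IMAP, SMTP Basic Auth,
# older Office clients) surface as the 'exchangeActiveSync' and 'other' client app types.
$blockLegacy = @{
    displayName = 'CA001 - Block legacy authentication (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: require phishing-resistant MFA for Global Administrators.
# 62e90394-... is the Global Administrator role template ID; the ...0004 strength
# is the built-in 'Phishing-resistant MFA' authentication strength.
$adminStrongMfa = @{
    displayName = 'CA002 - Phishing-resistant MFA for Global Admins (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeRoles  = @('62e90394-69f5-4237-9190-012177145e10')
            excludeGroups = @($BreakGlassGroupId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = '00000000-0000-0000-0000-000000000004' }
    }
}

foreach ($policy in @($blockLegacy, $adminStrongMfa)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
}
```

Review the report-only results in the sign-in logs for a week or two, then switch each policy's state to 'enabled'.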

Looking for the best step-by-step guides on Conditional Access and MFA setup?
I highly recommend Ewelina’s blog at https://www.welkasworld.com. It covers everything from the fundamentals to advanced scenarios, including:

  • Step-by-step guides for setting up Conditional Access policies in Microsoft 365 and Azure
  • Best practices for naming conventions and policy organisation
  • Deep dives into advanced topics like authentication contexts, custom security attributes, and cross-tenant scenarios
  • Practical advice for migrating from legacy MFA and SSPR to modern authentication methods
  • Real-world examples, troubleshooting tips, and regular updates reflecting the latest Microsoft Entra features

Whether you’re just starting out or looking to refine your policy design, Ewelina’s real-world examples and clear explanations make her blog a top resource for anyone working with Microsoft Entra or Microsoft 365 security.

Control Privileged Access with PIM

Standing admin rights are a major risk. Microsoft Entra Privileged Identity Management (PIM) lets you move to just-in-time (JIT) admin access so users only get elevated permissions when they need them, and only for as long as necessary.

Best practices:

  • Require approval workflows for privilege elevation.
  • Enforce MFA for all privileged operations.
  • Set up alerts for unusual admin activity.
  • Regularly review and remove standing admin rights.

PIM alone isn’t enough:
As powerful as PIM is, it should be part of a broader privileged access strategy. In fact, I would argue that using a Privileged Access Workstation (PAW) is even more important than PIM itself. A PAW is a dedicated, hardened device used exclusively for privileged tasks, separated from your day-to-day workstation. This dramatically reduces the risk of credential theft, malware, or session hijacking when performing admin activities.

Further strengthen your privileged access by:

  • Ensuring all privileged accounts are separate, cloud-only accounts (not synced from on-premises AD), with no mailbox or unnecessary licenses assigned.
  • Integrating PIM with Authentication Contexts in Conditional Access, so that every time a privileged role is activated, users are challenged for MFA even if they’ve already authenticated. This adds an extra layer of assurance at the moment of privilege elevation.

Why it matters:
Reducing standing privileges and isolating admin activity shrinks your attack surface and limits the damage if an account is compromised.

How to do it:

  • Enable PIM for all admin roles.
  • Configure role activation to require justification and approval.
  • Integrate PIM with Authentication Contexts to enforce MFA at role activation.
  • Require all privileged operations to be performed from a PAW.
  • Schedule regular access reviews for privileged roles.
  • Use separate, cloud-only admin accounts for all privileged access.
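The "review and remove standing admin rights" and "cloud-only admin accounts" steps above, as an added example that is not code from the original post: a Microsoft Graph PowerShell script that lists directory roles held as permanent active assignments (standing access rather than PIM-eligible) and flags any holder that is synced from on-premises AD. It assumes the unifiedRoleAssignmentSchedule shape (assignmentType, scheduleInfo.expiration.type) as documented in Graph; principals that are groups or service principals are reported by ID only.

```powershell
# Added example: report standing (permanent, active) directory role assignments.
# Requires Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# Resolve role definition IDs to display names once.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# 'Assigned' schedules are active assignments (PIM activations show as 'Activated').
# Anything without a time-bound expiration is standing access.
$standing = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All |
    Where-Object {
        $_.AssignmentType -eq 'Assigned' -and
        -not ($_.ScheduleInfo.Expiration.Type -in 'afterDateTime', 'afterDuration')
    }

$findings = foreach ($a in $standing) {
    $user = $null
    try {
        # Only users have the OnPremisesSyncEnabled property; groups and service
        # principals fall through to the catch block and are reported by ID.
        $user = Get-MgUser -UserId $a.PrincipalId -Property 'UserPrincipalName', 'OnPremisesSyncEnabled' -ErrorAction Stop
    } catch { }
    $principalName = if ($user) { $user.UserPrincipalName } else { $a.PrincipalId }
    [pscustomobject]@{
        Role         = $roleNames[$a.RoleDefinitionId]
        Principal    = $principalName
        SyncedFromAD = [bool]$user.OnPremisesSyncEnabled   # should be $false for admin accounts
        Scope        = $a.DirectoryScopeId                   # '/' means tenant-wide
    }
}

$findings | Sort-Object Role, Principal | Format-Table -AutoSize
"{0} standing role assignments found; {1} are held by on-premises synced users." -f `
    @($findings).Count, @($findings | Where-Object SyncedFromAD).Count
```

Each line in the output is a candidate for conversion to a PIM-eligible assignment, and each synced admin is a candidate for replacement with a separate cloud-only account.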

Detect and Respond to Identity Risks

Attackers are persistent, creative, and increasingly automated. They exploit leaked credentials, simulate legitimate sign-ins, and bypass traditional defences with tactics like impossible travel, token theft, and adversary-in-the-middle phishing. That’s why proactive identity risk detection is essential.

Microsoft Entra Identity Protection helps you spot and respond to risky sign-ins and users using real-time signals like:

  • Unfamiliar sign-in locations
  • Impossible travel scenarios
  • Use of anonymizing proxies or Tor
  • Leaked credentials from dark web sources

Key actions:

  • Enable risk-based Conditional Access policies to automatically block or challenge risky sign-ins.
  • Use access reviews to ensure only the right people retain access to sensitive resources, especially in high-risk groups or roles.
  • Automate lifecycle management for joiners, movers, and leavers to prevent orphaned accounts and stale access.

Why it matters:
Automated detection and response buys you time and reduces risk, especially against sophisticated attacks that move fast and quietly. It also helps enforce Zero Trust principles by continuously evaluating trust signals, not just at sign-in but throughout the session.

How to do it:

  • Turn on Identity Protection and configure user risk and sign-in risk policies.
  • Integrate with Microsoft Sentinel to ingest identity logs, correlate with other threat signals, and trigger automated responses.
  • Use Sentinel’s analytics rules and playbooks to alert on suspicious activity (e.g., repeated risky sign-ins, MFA bypass attempts, mass consent to apps).
  • Regularly review risk reports and take action on flagged users, either manually or through automated workflows.

Monitor, Audit, and Learn

Zero Trust is a journey, not a destination. It’s not just about setting policies; it’s about continuously validating that those policies are working, adapting to new threats, and learning from incidents. Monitoring and auditing are the backbone of this process.

Key steps:

  • Integrate identity logs with Microsoft Sentinel or another SIEM to centralize visibility and correlate identity signals with broader threat data.
  • Set up alerts for suspicious activity, such as:
    • Mass consent to third-party apps
    • Unusual admin activity (e.g., role activations outside business hours)
    • Sign-ins from unexpected or high-risk locations
  • Regularly review Conditional Access and PIM activity logs to ensure policies are being enforced and not bypassed.

Why it matters:
Visibility and rapid response are essential for effective security operations. Without monitoring, even the best policies can be undermined by misconfigurations, insider threats, or evolving attack techniques.

How to do it:

  • Schedule regular reviews of audit logs, sign-in reports, and incident summaries.
  • Use automation in Microsoft Sentinel to respond to common threats such as disabling accounts, triggering access reviews, or notifying security teams.
  • Feed lessons learned back into your policies and training programs. For example, if a user repeatedly triggers risky sign-ins, consider adjusting Conditional Access or providing targeted education.

Tip: Combine Sentinel with Microsoft Defender XDR to enrich identity signals with endpoint, email, and app telemetry—giving you a full-spectrum view of user behaviour and risk.
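The three alert scenarios named in the two sections above (repeated risky sign-ins, mass consent to apps, admin role activations outside business hours), as an added example that is not code from the original post: PowerShell that runs each detection as a KQL query against your Sentinel workspace, so the same queries can be pasted into scheduled analytics rules once the thresholds are tuned. $WorkspaceId is a placeholder, the thresholds (5 risky attempts, 3 consenting users, 07:00 to 19:00 UTC) are assumptions to tune, and the SigninLogs/AuditLogs column names follow the standard Entra connector schema; verify them in your workspace.

```powershell
# Added example: run the post's three identity detections against a Sentinel workspace.
# Requires the Az.Accounts and Az.OperationalInsights modules.
Connect-AzAccount | Out-Null
$WorkspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder: your Log Analytics workspace ID

$queries = [ordered]@{
    # The same user hitting medium/high sign-in risk five or more times in the window.
    'Repeated risky sign-ins' = @'
SigninLogs
| where RiskLevelDuringSignIn in ("medium", "high")
| summarize Attempts = count(), SourceIPs = make_set(IPAddress, 10), Last = max(TimeGenerated) by UserPrincipalName
| where Attempts >= 5
| order by Attempts desc
'@
    # Several distinct users consenting to the same application: a classic illicit-consent signal.
    'Mass consent to apps' = @'
AuditLogs
| where OperationName == "Consent to application"
| extend App = tostring(TargetResources[0].displayName), Actor = tostring(InitiatedBy.user.userPrincipalName)
| summarize Users = dcount(Actor), Consenters = make_set(Actor, 10) by App
| where Users >= 3
'@
    # PIM role activations outside 07:00-19:00 UTC or at weekends (dayofweek: Sunday = 0d, Saturday = 6d).
    'Out-of-hours role activation' = @'
AuditLogs
| where Category == "RoleManagement" and OperationName has "PIM activation"
| extend Actor = tostring(InitiatedBy.user.userPrincipalName), Role = tostring(TargetResources[0].displayName)
| extend Hour = hourofday(TimeGenerated), Day = dayofweek(TimeGenerated)
| where Hour < 7 or Hour >= 19 or Day == 0d or Day == 6d
| project TimeGenerated, Actor, Role, Result
'@
}

foreach ($name in $queries.Keys) {
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId `
        -Query $queries[$name] -Timespan (New-TimeSpan -Days 1)
    "=== {0}: {1} hit(s) in the last 24 hours ===" -f $name, @($result.Results).Count
    $result.Results | Format-Table -AutoSize
}
```

Run this daily until the thresholds stop producing noise, then move each query into a scheduled analytics rule with a playbook attached.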

Empower Your People

Technology is only half the battle. Your users are both your greatest asset and your biggest risk. Even with the strongest identity controls in place, a single click on a phishing link or a reused password can undermine your entire security posture.

That’s why empowering your people is essential to any Zero Trust strategy. It’s not just about training; it’s about building a culture where security is understood, valued, and practiced daily.

Best practices:

  • Run regular security awareness training focused on phishing, credential hygiene, and secure authentication. Make it relevant, engaging, and scenario-based.
  • Make it easy for users to report suspicious activity, whether it’s a strange login prompt, a suspicious email, or a device behaving oddly.
  • Foster a culture where security is everyone’s responsibility. Encourage curiosity, reward caution, and normalise asking questions.

Why it matters:
The human element is often the weakest link, or your strongest defence. Attackers target users because they’re adaptable, emotional, and sometimes unaware. But with the right mindset and support, users can become your first line of defence.

How to do it:

  • Use Microsoft’s built-in training modules (e.g., Microsoft Defender for Office 365 Attack Simulator) or third-party platforms.
  • Communicate policy changes clearly and explain the “why” behind them. Users are more likely to comply when they understand the purpose.
  • Recognise and reward good security behaviour, whether it’s reporting a phishing attempt, using a strong password manager, or completing training early.

Conclusion

In today’s digitally connected world, identity is no longer just a technical concern; it is the linchpin of modern cybersecurity. As organisations embrace cloud services, hybrid work, and federated access models, the traditional network perimeter has faded into irrelevance. What remains constant is identity: the anchor point for access, trust, and control.

Securing identity is not about ticking boxes or meeting minimum compliance requirements. It is about establishing a resilient, adaptive foundation that underpins every other aspect of your security strategy. From preventing credential-based attacks to enforcing least privilege and detecting anomalous behaviour, identity is the thread that weaves through every layer of Zero Trust.

By implementing strong, phishing-resistant authentication, enforcing dynamic Conditional Access policies, managing privileged roles with just-in-time controls, continuously monitoring for risk signals, and cultivating a security-aware workforce, organisations can transform identity from a vulnerability into a strategic advantage.

Zero Trust is not a destination; it is a continuous process of verification, refinement, and vigilance. And it begins with identity. When secured properly, identity becomes your most powerful defence against modern threats, enabling secure collaboration, confident access, and operational resilience.
