For years, many companies have viewed security as a kind of wall: if you're inside, you're trustworthy; if you're outside, you're not. The problem is that this logic no longer fits reality. Today, we work from home, from our mobile phones, from airports, with cloud applications and equipment that are not always under the full control of IT. In this scenario, continuing to trust “by default” is simply a risk.
How do you protect an environment where there is no longer a clear perimeter?
The transition to more flexible working models has brought new challenges in cybersecurity and IT management, making solutions such as Zero Trust key to designing truly secure managed services tailored to current needs.
What is Zero Trust really?
Coined by an analyst at Forrester Research Inc. in 2010, Zero Trust is a security approach based on an uncomfortable but realistic idea: don't take anything for granted just because it seems internal or familiar.
This means that a user should not automatically be granted access to an application just because they are connected to the corporate network. Nor should a device be considered trustworthy just because it belongs to the company. All access must be validated based on its context: who is entering, from where, with what device, and what they want to access.
The most accurate way to understand it is as an approach or model of security, a way of designing access and protection of resources based on the idea of not trusting users, devices, or connections by default. From there, this approach is translated into specific policies, processes, and technologies.
When we talk about implementing it in a Microsoft environment, we are not referring to activating a tool, but rather applying that model to identities, devices, access, and data with the help of capabilities such as Entra ID, Intune, Defender, or Conditional Access.
It is not about systematically distrusting everyone, but rather about no longer assuming that everything we know is secure.
Why is Microsoft's Zero Trust approach important?
In Microsoft environments, Zero Trust makes a lot of sense because much of the daily work already revolves around identities, devices, collaboration, and data distributed across Microsoft 365, Azure, Teams, SharePoint, or OneDrive. In other words, it's exactly the type of ecosystem where a model based solely on the internal network falls short.
In addition, Microsoft has been building its security stack around this approach for some time. The advantage is that many organizations already have some of the pieces in place, even if they are not always using them strategically.
How to implement a Zero Trust policy
Zero Trust can seem huge or abstract, but in reality it starts with a few well-made decisions. Rather than trying to transform everything at once, it makes sense to review four areas: identity, devices, access, and data.
- Identity: Strengthen access with MFA, review accounts with elevated privileges, and eliminate insecure authentication methods.
- Devices: Ensure that devices accessing corporate resources are up to date, protected, and managed.
- Access: Apply policies based on context and risk, rather than the same rule for all users and scenarios.
- Data: Protect sensitive information with classification, sharing restrictions, and well-defined permissions.
Steps to adopting a Zero Trust approach
- Enable MFA for all users
- Review and reduce the number of global administrators
- Block legacy authentication
- Configure basic Conditional Access policies
- Check which devices access Microsoft 365
- Define minimum compliance requirements for corporate computers
- Manage devices with Intune or equivalent solution
- Review permissions in SharePoint, Teams, and OneDrive
- Classify sensitive information
- Limit external sharing when it is not necessary
- Audit anomalous or risky access
- Establish a periodic review of accounts, roles, and access
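
An added example, not from the original article or from Microsoft: a small Python audit that reads Conditional Access policies in the JSON shape exported from Microsoft Graph and reports whether the MFA, legacy-authentication and device-compliance steps above are enforced, only in report-only mode, or missing. The sample export, the check names and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of a Microsoft Graph export of
# /identity/conditionalAccess/policies; not taken from a real tenant.
SAMPLE_EXPORT = json.loads("""{"value": [
 {"displayName": "Require MFA", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                 "applications": {"includeApplications": ["All"]},
                 "clientAppTypes": ["all"]},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                 "applications": {"includeApplications": ["All"]},
                 "clientAppTypes": ["exchangeActiveSync", "other"]},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}]}""")

LEGACY_CLIENTS = {"exchangeActiveSync", "other"}
RANK = {"disabled": 0, "enabledForReportingButNotEnforced": 1, "enabled": 2}
LABEL = ["missing", "report-only", "enforced"]

def tenant_wide(policy):
    """True when the policy targets all users and all cloud apps."""
    cond = policy.get("conditions", {})
    return ("All" in cond.get("users", {}).get("includeUsers", [])
            and "All" in cond.get("applications", {}).get("includeApplications", []))

def requires(policy, control):
    """True when `control` is mandatory, not one option in an OR list."""
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    return control in controls and (len(controls) == 1 or grant.get("operator") == "AND")

def blocks_legacy(policy):
    """True when the policy blocks both legacy client app types."""
    clients = set(policy.get("conditions", {}).get("clientAppTypes", []))
    return requires(policy, "block") and LEGACY_CLIENTS <= clients

def audit(export):
    """Map each baseline check to 'enforced', 'report-only' or 'missing'."""
    checks = {"mfa_for_all_users": lambda p: requires(p, "mfa"),
              "legacy_auth_blocked": blocks_legacy,
              "compliant_device_required": lambda p: requires(p, "compliantDevice")}
    result = {name: 0 for name in checks}
    for policy in export.get("value", []):
        if not tenant_wide(policy):
            continue  # scoped policies do not satisfy a tenant-wide baseline
        for name, matches in checks.items():
            if matches(policy):
                result[name] = max(result[name], RANK.get(policy.get("state"), 0))
    return {name: LABEL[rank] for name, rank in result.items()}

if __name__ == "__main__":
    for check, status in audit(SAMPLE_EXPORT).items():
        print(f"{check}: {status}")
```

A policy left in report-only mode logs what it would have done but does not block or challenge anything, which is why the audit reports it separately from an enforced one.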
Zero Trust is not about complicating access, but rather about ensuring that trust is no longer implicit but justified. In a Microsoft environment, this translates into better management of identity, devices, privileges, and data.
It is also important to avoid two common mistakes: thinking that this approach is a tool that can be activated, or reducing it all to implementing MFA. In reality, we are talking about a broader security approach, which must be applied judiciously and without creating unnecessary friction for the business.
The good news is that you don't have to tackle everything at once. In fact, it usually works better when implemented step by step, starting with the most critical aspects and refining the strategy over time.