Identities
Verify and secure every identity with strong authentication across your entire digital estate.
Endpoints
Gain visibility into devices accessing the network and ensure compliance and health status before granting access.
Apps
Discover Shadow IT and control access with real-time analytics and monitoring.
Infrastructure
Harden defenses using granular access control, least privilege access principles, and real-time threat detection.
Data
Classify, label, and protect data in the cloud and on premises to thwart inappropriate sharing and insider risks.
Network
Move beyond traditional network security with microsegmentation, real-time threat detection, and end-to-end encryption.
Embrace a proactive approach to cybersecurity
Have you enabled multifactor authentication for internal users?
Which forms of passwordless authentication are enabled for your users?
Which of your user groups are provisioned with single sign-on (SSO)?
Which of the following security policy engines are you using to make access decisions for enterprise resources?
Have you disabled legacy authentication?
Are you using real-time user and sign-in risk detections when evaluating access requests?
Which of the following technologies have you integrated with your identity and access management solution?
Which of the following context is used in your access policies?
Are you using identity secure score for guidance?
Based on your responses, you are in the optimal stage of Zero Trust for Identity.
Based on your responses, you are in the advanced stage of Zero Trust for Identity.
Based on your responses, you are in the initial stage of Zero Trust for Identity.
Implement multifactor authentication.
- Multifactor authentication helps protect your applications by requiring users to confirm their identity using a second source of validation, such as a phone or token, before access is granted.
- Microsoft Entra ID can help you enable multifactor authentication for free.
- Already have Microsoft Entra ID? Start deploying today.
Enable passwordless authentication.
- Passwordless authentication methods such as Windows Hello and Microsoft Authenticator provide a simpler and more secure authentication experience across the web and mobile devices. Based on the recently developed FIDO2 standard, these methods allow users to authenticate easily and securely without requiring a password.
- Microsoft can help you adopt passwordless authentication today. Download the passwordless authentication datasheet to learn more.
- If you already have Microsoft Entra ID, see how you can enable passwordless authentication today.
Implement single sign-on (SSO).
- SSO not only strengthens security by removing the need to manage multiple credentials for the same person but also delivers a better user experience with fewer sign-in prompts.
- Microsoft Entra ID provides an SSO experience to popular software as a service (SaaS) apps, on-premises apps, and custom-built apps that reside on any cloud for any user type and any identity.
- Plan your SSO deployment.
Enforce access controls with adaptive, risk-based policies.
- Move beyond simple access/block decisions and tailor decisions based on risk appetite—such as allowing access, blocking, limiting access, or requiring additional proofs like multifactor authentication.
- Use conditional access in Microsoft Entra ID to enforce fine-tuned adaptive access controls, such as requiring multifactor authentication, based upon user context, device, location, and session risk information.
- Plan your conditional access deployment.
Block legacy authentication.
- One of the most common attack vectors for malicious actors is to use stolen or replayed credentials against legacy protocols, such as SMTP, that can’t use modern security challenges.
- Conditional access in Microsoft Entra ID can help you block legacy authentication. See how to block legacy authentication with conditional access.
Protect identities against compromise.
- Real-time risk assessments can help protect against identity compromise at the time of login and during sessions.
- Azure Identity Protection delivers real-time continuous detection, automated remediation, and connected intelligence to investigate risky users and sign-ins to address potential vulnerabilities.
- Enable Identity Protection to get started. Bring in user session data from Microsoft Cloud App Security to enrich Microsoft Entra ID with signals about risky user behavior after users have authenticated.
Enrich your Identity and Access Management (IAM) solution with more data.
- The more data you feed your IAM solution, the more you can improve your security posture with granular access decisions and better visibility into users accessing corporate resources, and the more you can tailor the end-user experience.
- Microsoft Entra ID, Microsoft Cloud App Security, and Microsoft Defender for Endpoint all work together to provide enriched signal processing for better decision making.
- Configure Conditional Access in Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Cloud App Security.
Fine-tune your access policies.
- Enforce granular access control with risk-based adaptive access policies that integrate across endpoints, apps, and networks to better protect your data.
- Conditional Access in Microsoft Entra ID enables you to enforce fine-tuned adaptive access controls, such as requiring multi-factor authentication, based upon user context, device, location, and session risk information.
- Fine-tune your Conditional Access policies.
Improve your identity security posture.
- The identity secure score in Microsoft Entra ID helps you assess your identity security posture by analyzing how well your environment aligns with Microsoft best-practice recommendations for security.
- Get your identity secure score
Are devices registered with your identity provider?
Are devices enrolled in mobile device management for internal users?
Are managed devices required to be compliant with IT configuration policies before granting access?
Do you have a model for users to connect to organizational resources from unmanaged devices?
Are devices enrolled in mobile device management for external users?
Do you enforce data loss prevention policies on all managed and unmanaged devices?
Have you implemented endpoint threat detection to enable real-time device risk evaluation?
Based on your responses, you are in the optimal stage of Zero Trust for Endpoints.
Based on your responses, you are in the advanced stage of Zero Trust for Endpoints.
Based on your responses, you are in the initial stage of Zero Trust for Endpoints.
Register your devices with your identity provider.
- To monitor security and risk across the multiple endpoints used by any one person, you need visibility into all devices and access points that may be accessing your resources.
- Devices can be registered with Microsoft Entra ID, providing you with visibility into the devices accessing your network and the ability to utilize device health and status information in access decisions.
- Configure and manage device identities in Microsoft Entra ID
Enroll devices in Mobile Device Management for internal users.
- Once data access is granted, having the ability to control what the user does with your corporate data is critical to mitigating risk.
- Microsoft Endpoint Manager enables endpoint provisioning, configuration, automatic updates, device wipe, and other remote actions.
- Set up Mobile Device Management for internal users.
Ensure compliance before granting access.
- Once you have identities for all the endpoints accessing corporate resources and before access is granted, you want to ensure that they meet the minimum security requirements set by your organization.
- Microsoft Endpoint Manager can help you set compliance rules to ensure that devices meet minimum security requirements before access is granted. Also, set remediation rules for noncompliant devices so that people know how to resolve the issue.
- Set rules on devices to allow access to resources in your organization using Intune.
Enable access for unmanaged devices as needed.
- Enabling your employees to access appropriate resources from unmanaged devices can be critical to maintaining productivity. However, it’s imperative that your data is still protected.
- Microsoft Intune Mobile Application Management lets you publish, push, configure, secure, monitor, and update mobile apps for your users, ensuring they have access to the apps they need to do their work.
- Configure access for unmanaged devices.
Enroll devices in Mobile Device Management for external users.
- Enrolling devices from external users (such as contractors, vendors, and partners) into your MDM solution is a great way to ensure your data is protected and they have the access they need to do their work.
- Microsoft Endpoint Manager provides endpoint provisioning, configuration, automatic updates, device wipe, and other remote actions.
- Set up Mobile Device Management for external users.
Enforce data loss prevention policies on your devices.
- Once data access is granted, controlling what the user can do with your data is critical. For example, if a user accesses a document with a corporate identity, you want to prevent that document from being saved in an unprotected consumer storage location, or from being shared with a consumer communication or chat app.
- Intune app protection policies help protect data with or without enrolling devices in a device management solution by restricting access to company resources and keeping data within the purview of your IT department.
- Get started with Intune App policies.
Enable real-time device risk evaluation.
- Ensuring only healthy and trusted devices are allowed access to your corporate resources is a critical step in a Zero Trust journey. Once your devices are enrolled with your identity provider, you can bring that signal into your access decisions to only allow safe and compliant devices access.
- Through integration with Microsoft Entra ID, Microsoft Endpoint Manager enables you to enforce more granular access decisions and fine-tune the Conditional Access policies based on your organization’s risk appetite, for example by excluding certain device platforms from accessing specific apps.
- Configure Conditional Access in Microsoft Defender for Endpoint
Are you enforcing policy-based access controls for your applications?
Are you enforcing policy-based session controls for your apps (for example, limit visibility or block download)?
Have you connected business-critical apps to your app security platform to monitor cloud data and cloud threats?
How many of your organization’s private apps and resources are available without VPN or hardwired connection?
Do you have ongoing Shadow IT Discovery, risk assessment, and control of unsanctioned apps?
Is administrative access to applications provided Just-In-Time/Just-Enough-Privilege to reduce risk of permanent permissions?
Based on your responses, you are in the optimal stage of Zero Trust for Apps.
Based on your responses, you are in the advanced stage of Zero Trust for Apps.
Based on your responses, you are in the initial stage of Zero Trust for Apps.
Enforce policy-based access control for your apps.
- Move beyond simple access/block decisions and tailor decisions based on risk appetite—such as allowing access, blocking, limiting access, or requiring additional proofs like multi-factor authentication.
- Conditional Access in Microsoft Entra ID enables you to enforce fine-tuned adaptive access controls, such as requiring multi-factor authentication, based upon user context, device, location, and session risk information.
- Configure Conditional Access for your app access
Enforce policy-based session controls.
- Stopping breaches and leaks in real time before employees intentionally or inadvertently put data and organizations at risk is key to mitigating risk after access is granted. Simultaneously, it’s critical for businesses to enable employees to securely use their own devices.
- Microsoft Cloud App Security (MCAS) integrates with Microsoft Entra ID conditional access so you can configure apps to work with Conditional Access App Control. Easily and selectively enforce access and session controls on your organization's apps based on any condition in conditional access (such as preventing data exfiltration, protecting on download, preventing uploads, blocking malware, and more).
- Create a Microsoft Cloud App Security session policy to get started.
Connect your business apps to your cloud application security broker (CASB).
- Visibility across apps and platforms is critical for performing governance actions, such as quarantining files or suspending users, as well as mitigating any flagged risk.
- Apps connected to Microsoft Cloud App Security (MCAS) get instant, out-of-the-box protection with built-in anomaly detection. MCAS uses user and entity behavior analytics (UEBA) and machine learning to detect unusual behavior across cloud apps, helping identify threats such as ransomware, compromised users, or rogue apps.
- Connect your business-critical cloud apps to Microsoft Cloud App Security.
Provide remote access to on-premises apps through an app proxy.
- Providing users with secure remote access to internal apps running on an on-premises server is critical to maintaining productivity today.
- Microsoft Entra ID Application Proxy provides secure remote access to on-premises web apps without a VPN or dual-homed servers and firewall rules. Integrated with Microsoft Entra ID and Conditional Access, it enables users to access web apps through single sign-on while enabling IT to configure Conditional Access policies for fine-tuned access control.
- Get started today.
Discover and manage shadow IT in your network.
- The total number of apps accessed by employees in the average enterprise exceeds 1,500. That equates to more than 80 GB of data uploaded monthly to various apps, fewer than 15 percent of which are managed by their IT department. As remote work becomes a reality for most, it’s no longer enough to apply access policies to only your network appliance.
- Microsoft Cloud App Security can help you discover which apps are being used, explore the risk of these apps, configure policies to identify new risky apps being used, and unsanction these apps to block them natively using your proxy or firewall appliance. See the e-book to learn more.
- To get started discovering and assessing cloud apps, set up Cloud Discovery in Microsoft Cloud App Security.
Manage virtual machine access using Just-in-Time.
- Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection to protect both data and productivity.
- Lock down inbound traffic to your Azure Virtual Machines with Azure Security Center's just-in-time (JIT) virtual machine (VM) access feature to reduce your exposure to attacks while providing easy access when you need to connect to a VM.
- Enable JIT virtual machine access.
Have you enabled cloud infrastructure protection solutions across your hybrid and multicloud digital estate?
Does each workload have an app identity assigned?
Are user and resource (machine-to-machine) access segmented for each workload?
Does your security operations team have access to specialized threat detection tools for endpoints, email attacks, and identity attacks?
Does your security operations team have access to a security information and event management (SIEM) solution to aggregate and analyze events across multiple sources?
Does your security operations team use behavior analytics to detect and investigate threats?
Does your security operations team use security orchestration, automation, and remediation (SOAR) tooling to reduce manual effort in threat response?
Do you regularly review administrative privileges (at least every 180 days) to ensure admins only have just enough administrative rights?
Have you enabled Just-in-Time access for administration of servers and other infrastructure?
Based on your responses, you are in the optimal stage of Zero Trust for Infrastructure.
Based on your responses, you are in the advanced stage of Zero Trust for Infrastructure.
Based on your responses, you are in the initial stage of Zero Trust for Infrastructure.
Use a cloud workload protection solution.
- Having a comprehensive view across all of your cloud workloads is critical to keeping your resources safe in a highly distributed environment.
- Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on premises.
- Configure Azure Security Center
Assign app identities.
- Assigning an app identity is critical to securing communication between different services.
- Azure supports managed identities from Microsoft Entra ID, making it easy to access other Microsoft Entra ID-protected resources such as Azure Key Vault, where secrets and credentials are securely stored.
- Assign an app identity in the Azure Portal
Segment user and resource access.
- Segmenting access for each workload is a key step in your Zero Trust journey.
- Microsoft Azure offers many ways to segment workloads to manage user and resource access. Network segmentation is the overall approach, and, within Azure, resources can be isolated at the subscription level with Virtual networks (VNets), VNet peering rules, Network Security Groups (NSGs), Application Security Groups (ASGs), and Azure Firewalls.
- Create an Azure Virtual Network to enable your Azure resources to communicate securely with each other.
Implement threat detection tools.
- Preventing, detecting, investigating, and responding to advanced threats across your hybrid infrastructure will help improve your security posture.
- Microsoft Defender for Endpoint Advanced Threat Protection is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
- Plan your Microsoft Defender for Endpoint Advanced Threat Protection deployment
Deploy a Security Information and Event Management (SIEM) solution.
- As the value of digital information continues to increase, so do the number and sophistication of attacks. SIEMs provide a central way to mitigate threats across the entire estate.
- Azure Sentinel is a cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution that allows your Security Operations Center (SOC) to work from a single pane of glass to monitor security events across your enterprise. It helps protect all of your assets by collecting signals from your entire hybrid organization and then applying intelligent analytics to identify threats quickly.
- Deploy Sentinel to get started.
Implement behavioral analytics.
- When you create new infrastructure, you need to ensure that you also establish rules for monitoring and raising alerts. This is key for identifying when a resource is displaying unexpected behavior.
- Microsoft Defender for Identity enables signal collection to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
- Learn more about Microsoft Defender for Identity
Set up automated investigations.
- Security operations teams face challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats. Implementing a solution with automated investigation and remediation (AIR) capabilities can help your security operations team address threats more efficiently and effectively.
- Microsoft Defender for Endpoint Advanced Threat Protection includes automated investigation and remediation capabilities to help examine alerts and take immediate action to resolve breaches. These capabilities can significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives.
- Learn more about automated investigations.
Govern access to privileged resources.
- Personnel should use administrative access sparingly. When administrative functions are required, users should receive temporary administrative access.
- Privileged Identity Management (PIM) in Microsoft Entra ID enables you to discover, restrict, and monitor access rights for privileged identities. PIM can help ensure your admin accounts stay secure by limiting access to critical operations using just-in-time, time-bound, and role-based access control.
- Deploy Privileged Identity Management to get started
Provide just-in-time access for privileged accounts.
- Personnel should use administrative access sparingly. When administrative functions are required, users should receive temporary administrative access.
- Privileged Identity Management (PIM) in Microsoft Entra ID enables you to discover, restrict, and monitor access rights for privileged identities. PIM can help ensure your admin accounts stay secure by limiting access to critical operations using just-in-time, time-bound, and role-based access control.
- Deploy Privileged Identity Management to get started.
Has your organization defined a data classification taxonomy?
Are access decisions governed by data sensitivity rather than simple network perimeter controls?
Is corporate data actively and continuously discovered by sensitivity in any location?
Are data access decisions governed by policy and enforced by a cloud security policy engine (for example, available anywhere on the internet)?
Are the most sensitive files persistently protected with encryption to prevent unauthorized access and use?
Are there data loss prevention controls in place to monitor, alert, or restrict the flow of sensitive information (for example, blocking email, uploads, or copying to USB)?
Based on your responses, you are in the optimal stage of Zero Trust for Data.
Based on your responses, you are in the advanced stage of Zero Trust for Data.
Based on your responses, you are in the initial stage of Zero Trust for Data.
Define a classification taxonomy.
- Defining the right label taxonomy and protection policies is the most critical step in a data protection strategy, so start by creating a labeling strategy that reflects your organization's sensitivity requirements for information.
- Learn about data classification.
- When you're ready, get started with sensitivity labels.
Govern access decisions based on sensitivity.
- The more sensitive the data, the greater the protection control and enforcement needed. Similarly, the controls should also be commensurate with the nature of the risks associated with how and from where the data is accessed (for example, if a request originates from unmanaged devices or from external users). Microsoft Information Protection offers a flexible set of protection controls based on data sensitivity and risk.
- Some sensitive data needs protection by policies that enforce encryption to ensure only authorized users can access the data.
- Set up sensitivity labels to govern access decisions. The new Azure Purview provides a unified data governance service that builds on Microsoft Information Protection. Read the announcement blog to learn more.
Implement a robust data classification and labeling strategy.
- Enterprises have vast amounts of data that can be challenging to adequately label and classify. Using machine learning for smarter, automated classification can help reduce the burden on end users and lead to a more consistent labeling experience.
- Microsoft 365 provides three ways to classify content, including manually, automated pattern matching, and our new Trainable classifiers. Trainable classifiers are well-suited to content that isn't easily identified by manual or automated pattern matching methods. For on-premises file repositories and on-premises SharePoint 2013+ sites, Azure Information Protection (AIP) scanner can help discover, classify, label, and protect sensitive information.
- See our labeling deployment guidance to get started.
Govern access decisions based on policy.
- Move beyond simple access/block decisions and tailor access decisions for your data based on risk appetite—such as allowing access, blocking, limiting access, or requiring additional proofs like multi-factor authentication.
- Conditional Access in Azure AD enables you to enforce fine-tuned adaptive access controls, such as requiring multi-factor authentication, based upon user context, device, location, and session risk information.
- Integrate Azure Information Protection with Microsoft Cloud App Security to enable Conditional Access policies.
Enforce access and usage rights to data shared outside company boundaries.
- To properly mitigate risk without negatively impacting productivity, you need to be able to control and secure email, documents, and sensitive data you share outside your company.
- Azure Information Protection helps secure email, documents, and sensitive data inside and outside your company walls. From easy classification to embedded labels and permissions, always enhance data protection with Azure Information Protection, no matter where it's stored or who it's shared with.
- Plan your deployment to get started.
Implement data loss prevention (DLP) policies.
- To comply with business standards and industry regulations, organizations must protect sensitive information and prevent its inadvertent disclosure. Sensitive information can include financial data or personally identifiable information such as credit card numbers, social security numbers, or health records.
- Use a range of DLP policies in Microsoft 365 to identify, monitor, and automatically protect sensitive items across services such as Teams, Exchange, SharePoint, and OneDrive, Office apps such as Word, Excel, and PowerPoint, Windows 10 endpoints, non-Microsoft cloud apps, on-premises file shares and SharePoint, and Microsoft Cloud App Security.
Are your networks segmented to prevent lateral movement?
What protections do you have in place to protect your networks?
Are you using secure access controls to protect your network?
Do you encrypt all your network communication (including machine to machine) using certificates?
Are you using ML-based threat protection and filtering with context-based signals?
Based on your responses, you are in the optimal stage of Zero Trust for Network.
Based on your responses, you are in the advanced stage of Zero Trust for Network.
Based on your responses, you are in the initial stage of Zero Trust for Network.
Segment your networks.
- Segmenting networks by implementing software-defined perimeters with increasingly granular controls increases the cost to attackers to propagate through your network, dramatically reducing the lateral movement of threats.
- Azure offers many ways to segment networks to manage user and resource access. Network segmentation is the overall approach. Within Azure, resources can be isolated at the subscription level with virtual networks, virtual network peering rules, network security groups, application security groups, and Azure Firewall.
- Plan your segmentation strategy.
Put network protections in place.
- Cloud applications that have opened up endpoints to external environments, such as the internet or your on-premises footprint, are at risk of attacks coming in from those environments. It's imperative that you scan the traffic for malicious payloads or logic.
- Azure provides services such as Azure DDoS Protection Service, Azure Firewall, and Azure Web Application Firewall that deliver comprehensive threat protection.
- Set up your network protection tools.
Set up encrypted admin access.
- Admin access is often a critical threat vector. Securing access is essential to preventing compromise.
- Azure VPN Gateway is a cloud-native, high-scale VPN service that enables remote access for users, fully integrated with Microsoft Entra ID, conditional access, and multifactor authentication. Azure Virtual Desktop enables a secure remote desktop experience from anywhere, managed by Azure. Microsoft Entra ID Application Proxy publishes your on-premises web apps using a Zero Trust access approach.
- Azure Bastion provides secure Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) connectivity to all the virtual machines in the virtual network in which it is provisioned. Using Azure Bastion helps to protect your virtual machines from exposing RDP/SSH ports to the outside world while still providing secure access using RDP/SSH.
- Deploy Azure Bastion.
Encrypt all network traffic.
- Organizations that fail to protect data in transit are more susceptible to man-in-the-middle attacks, eavesdropping, and session hijacking. These attacks can be the first step attackers use to gain access to confidential data.
- End-to-end encryption starts with the connection into Azure and continues all the way to the backend application or resource. Azure VPN Gateway makes it easier to connect to Azure over an encrypted tunnel. Azure Front Door and Application Gateway can help with SSL offloading, WAF inspection, and re-encryption. Customers can design their traffic to run over SSL end-to-end. Azure Firewall Premium TLS inspection allows you to view, detect, and block malicious traffic within an encrypted connection via its advanced IDPS engine. End-to-end TLS encryption in Azure Application Gateway helps you encrypt and securely transmit sensitive data to the backend while taking advantage of the Layer-7 load-balancing features. Learn more about end-to-end TLS encryption with Azure Application Gateway.
Implement machine learning-based threat protection and filtering.
- As the sophistication and frequency of attacks continues to increase, organizations must ensure they’re equipped to handle them. Machine learning-based threat protection and filtering can help organizations respond more quickly, improve investigation, automate remediation, and manage scale more easily. Additionally, events can be aggregated from multiple services (DDoS, WAF, and FW) into the Microsoft SIEM, Azure Sentinel, to provide intelligent security analytics.
- Azure DDoS Protection uses machine learning to help monitor your Azure-hosted application traffic, baseline and detect volumetric traffic floods, and apply automatic mitigations.
- Turn on Azure DDoS Protection Standard.