2.3 Zero Trust Model
Key Takeaways
- Zero Trust is a security strategy, not a single product or technology.
- The three guiding principles are verify explicitly, use least privileged access, and assume breach.
- Identity is central because access requests can come from many networks, devices, applications, and locations.
- Zero Trust evaluates signals across identities, devices, applications, data, infrastructure, and networks, with visibility, automation, and orchestration tying them together.
Zero Trust is a strategy for modern access
Zero Trust is a security strategy, not a single product. It responds to a world where users work from many locations, use different device types, and access data across cloud services, on-premises systems, and partner applications. The old assumption that traffic inside a corporate network is automatically safe does not fit that environment.
Microsoft Learn presents three guiding principles for Zero Trust: verify explicitly, use least privileged access, and assume breach. Verify explicitly means always authenticate and authorize based on all available signals, such as identity, location, device health, application, data sensitivity, and risk, rather than trusting a request because of where it came from. Least privileged access means grant only the access needed, for only as long as needed: just-in-time and just-enough access, with standing privilege reduced and policies that adapt to risk. Assume breach means design as if an attacker is already present, then minimize blast radius by segmenting access, encrypt data end to end, monitor activity, and respond quickly.
| Zero Trust principle | What it means in an exam scenario |
|---|---|
| Verify explicitly | Evaluate identity, device, app, data, location, and risk signals. |
| Use least privileged access | Give only required permissions and reduce standing privilege. |
| Assume breach | Segment, monitor, encrypt, and prepare response instead of trusting the inside. |
Zero Trust is often tested through scenario language. If a question describes granting broad administrator rights "just in case", the missing principle is least privilege. If it describes allowing access only after checking user, device, location, and risk, the cue is verify explicitly. If it describes limiting lateral movement after a compromise, the cue is assume breach.
Microsoft Learn also describes Zero Trust across interconnected pillars. Identities must be verified and governed. Devices need health and compliance checks. Applications need visibility and permission control. Data should be classified, labeled, and encrypted based on sensitivity. Infrastructure should be assessed for configuration and unusual behavior. Networks should be segmented and monitored. Visibility, automation, and orchestration collect signals and help teams respond.
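To make the three principles concrete, the following added example (illustration only, not code from the page or from any Microsoft product) models a policy evaluator in Python. It takes one access request carrying the signals listed above (identity, device compliance, location, risk, application, data sensitivity) and returns allow, require_mfa, or block; the grant it issues is scoped to one role on one app and expires after a sensitivity-dependent lifetime. All field names, user and role catalogs, country lists, and time limits are assumptions chosen for the example.

```python
# Added example, not from the SC-900 page: a toy policy evaluator that applies the
# three Zero Trust principles to one access request. Field names, the role catalog,
# trusted countries and grant lifetimes are all assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RISK_LEVELS = ("none", "low", "medium", "high")
SENSITIVITY = ("public", "general", "confidential", "highly_confidential")

# Least privilege: which roles each user is entitled to, and how long a grant lives.
ALLOWED_ROLES = {
    "alice": {"reader", "contributor"},
    "bob": {"reader"},
}
MAX_GRANT = {
    "public": timedelta(hours=8),
    "general": timedelta(hours=8),
    "confidential": timedelta(hours=2),
    "highly_confidential": timedelta(hours=1),  # short, just-in-time access
}
TRUSTED_COUNTRIES = {"US", "GB"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    authenticated: bool        # credential check passed
    mfa_completed: bool        # a second factor was already presented
    device_compliant: bool     # device health / compliance signal
    country: str               # location signal
    user_risk: str             # one of RISK_LEVELS
    app: str
    data_sensitivity: str      # one of SENSITIVITY
    requested_role: str


@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    role: str
    expires_at: datetime


def evaluate(req: AccessRequest) -> str:
    """Return 'allow', 'require_mfa' or 'block' for one request."""
    if req.user_risk not in RISK_LEVELS or req.data_sensitivity not in SENSITIVITY:
        raise ValueError("unknown signal value")
    # Verify explicitly: nothing is trusted because of network location; the
    # caller must have authenticated at all before any other signal is weighed.
    if not req.authenticated:
        return "block"
    # Assume breach: high user risk is denied outright, as is a non-compliant
    # device touching confidential or higher data.
    if req.user_risk == "high":
        return "block"
    sensitive = SENSITIVITY.index(req.data_sensitivity) >= SENSITIVITY.index("confidential")
    if sensitive and not req.device_compliant:
        return "block"
    # Least privilege: a role the user is not entitled to is never granted "just in case".
    if req.requested_role not in ALLOWED_ROLES.get(req.user, set()):
        return "block"
    # Any of these conditions demands a second factor before access is granted.
    step_up = (
        req.user_risk == "medium"
        or not req.device_compliant
        or req.country not in TRUSTED_COUNTRIES
        or sensitive
    )
    if step_up and not req.mfa_completed:
        return "require_mfa"
    return "allow"


def issue_grant(req: AccessRequest, now: datetime) -> Optional[Grant]:
    """Issue a narrowly scoped, time-bound grant only when evaluate() allows."""
    if evaluate(req) != "allow":
        return None
    return Grant(req.user, req.app, req.requested_role, now + MAX_GRANT[req.data_sensitivity])


def grant_is_valid(grant: Grant, now: datetime) -> bool:
    """Assume breach: a stolen or forgotten grant stops working once it expires."""
    return now < grant.expires_at


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    # Constructed sample request: compliant device, trusted location, MFA done.
    req = AccessRequest("alice", True, True, True, "US", "none",
                        "payroll", "confidential", "contributor")
    print(evaluate(req), issue_grant(req, now))
```

Each branch maps to one row of the table above: the authentication, risk, device and role checks are the explicit verification and the "block" outcomes embody assume breach; the role catalog and short expiry are least privilege. Adding a new signal (for example, application risk from a cloud app security product) is a matter of extending the dataclass and the step-up condition, which is the point of treating Zero Trust as a reasoning pattern rather than one product.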
Product-neutral exam framing
- Zero Trust is the model; products help implement parts of it.
- Microsoft Entra supports identity and access decisions.
- Microsoft Defender and Sentinel support detection, posture, incident, and response scenarios.
- Microsoft Purview supports data classification, protection, governance, and compliance scenarios.
A common trap is to treat Zero Trust as if buying one service completes the model. SC-900 questions are more likely to test the model's logic. For example, requiring multifactor authentication can strengthen verification, but it is not the whole strategy. Network segmentation can support assume breach, but it does not replace identity governance. Data labels can help protect sensitive content, but access still needs to be authorized.
Use Zero Trust as a reasoning pattern. Every access request should be evaluated. Every identity should have only the access it needs. Every design should limit damage if a control fails or an attacker gets inside. When you see a scenario about modern remote work, cloud applications, personal devices, or partner access, expect the old trusted-network assumption to be the wrong answer.
Practice questions
- Which statement best describes Zero Trust for SC-900?
- Which Zero Trust principle is shown by granting only the permissions needed for a task?
- Which scenario best reflects assume breach?