2.3 Zero Trust Model

Key Takeaways

  • Zero Trust is a security strategy and architecture, not a single product — it replaces the old 'trusted internal network' assumption with 'never trust, always verify.'
  • The three guiding principles are verify explicitly, use least privileged access (just-in-time / just-enough-access), and assume breach.
  • Microsoft's six Zero Trust pillars are identities, devices (endpoints), applications, data, infrastructure, and networks, coordinated by visibility, automation, and orchestration.
  • Identity is treated as the primary control plane because access can originate from any network, device, location, or application.
  • Exam framing is product-neutral: Entra implements identity verification, Defender/Sentinel implement detection and response, and Purview implements data protection — but no single product 'is' Zero Trust.
Last updated: June 2026

Zero Trust replaces the trusted-network assumption

Zero Trust is a security strategy for the modern workplace, where users work from many locations, use varied device types, and reach data spread across cloud services, on-premises systems, and partner applications. The traditional 'castle and moat' model assumed anything inside the corporate network perimeter was safe and anything outside was hostile. That assumption no longer fits: with remote work, BYOD, and SaaS, there is no single perimeter to defend. Zero Trust answers this with a simple mantra — never trust, always verify.

The most important exam point: Zero Trust is a strategy and architecture, not a product you can buy. Microsoft sells services that implement parts of Zero Trust, but enabling one feature (even MFA) does not 'complete' Zero Trust. SC-900 questions reward you for treating it as a reasoning framework: every access request is evaluated, every identity gets only the access it needs, and every design limits damage if a control fails.

Why identity is the control plane

Because access can come from any network, device, location, or app, Zero Trust makes identity the primary control point. Instead of trusting the network a request came from, you authenticate and authorize the identity behind every request, using rich signals before granting access.

The three guiding principles

Microsoft Learn defines Zero Trust through three principles. Each maps to a recognizable exam scenario:

Principle: Verify explicitly
  What it means: Always authenticate and authorize using all available signals: identity, location, device health, service or workload, data classification, and anomalies/risk.
  Scenario cue: 'Allow access only after checking the user, device compliance, location, and sign-in risk.'

Principle: Use least privileged access
  What it means: Limit access with just-in-time and just-enough-access (JIT/JEA) and risk-based adaptive policies; reduce standing privilege.
  Scenario cue: 'Grant only the permissions needed, only for as long as needed' — broad standing admin rights are the wrong answer.

Principle: Assume breach
  What it means: Design as if an attacker is already inside: minimize blast radius, segment access, verify end-to-end encryption, and use analytics to detect and respond.
  Scenario cue: 'Limit lateral movement and monitor activity so a compromise is contained.'

The principles are heavily tested through scenario language. If a question describes granting broad administrator rights 'just in case,' the violated principle is least privileged access. If it describes evaluating user, device, location, and risk before allowing access, the cue is verify explicitly. If it describes containing an attacker who already has a foothold, the cue is assume breach. Train yourself to map the wording to the principle.

The six pillars

Zero Trust principles are applied across six technology pillars, tied together by cross-cutting visibility, automation, and orchestration that collect signals and drive responses:

  1. Identities — users, services, and devices that request access; verify each strongly (MFA), govern, and apply least privilege.
  2. Devices (endpoints) — monitor device health and compliance; require devices to meet a security bar before they connect to data.
  3. Applications — discover shadow IT, control in-app permissions, gate access, and monitor for abnormal behavior.
  4. Data — classify, label, and encrypt data based on sensitivity so protection follows the data wherever it travels.
  5. Infrastructure — assess servers, VMs, containers, and cloud resources for software version and configuration drift, apply just-in-time access, and flag and block unusual behavior.
  6. Networks — segment networks (including micro-segmentation), use real-time threat protection, and encrypt internal traffic instead of assuming the internal network is safe.

Product-neutral mapping (and the big trap)

Microsoft products implement pieces of the pillars, and the exam keeps this product-neutral:

  • Microsoft Entra -> identities and access decisions (Conditional Access verifies explicitly).
  • Microsoft Intune / Defender for Endpoint -> device compliance and health.
  • Microsoft Defender XDR and Microsoft Sentinel -> detection, posture, and the assume-breach response loop.
  • Microsoft Purview -> data classification, labeling, and protection.

The classic trap is assuming that buying one service 'completes' Zero Trust. MFA strengthens verification but is not the whole strategy; segmentation supports assume breach but does not replace identity governance; data labels help protect content but access still must be authorized. When a scenario describes modern remote work, personal devices, cloud apps, or partner access, the old 'trusted internal network' option is almost always the wrong answer.

Signals, decision, and enforcement

It helps to picture Zero Trust as a continuous loop. Signals are gathered from every pillar — the user's identity and sign-in risk, the device's compliance state, the application requested, the sensitivity of the data, the location, and the time. A policy engine makes a decision based on those signals (allow, block, or allow with conditions such as MFA or a compliant device). Then the decision is enforced at the resource. In Microsoft's stack, Microsoft Entra Conditional Access is the canonical example: it evaluates signals at sign-in and enforces controls in real time, which is exactly 'verify explicitly' put into practice.

This loop is why Zero Trust is described as signal-driven rather than perimeter-driven. The same request from the same user can be allowed from a compliant corporate laptop and blocked from an unmanaged device showing risky behavior, because the decision adapts to the signals rather than to the network location.
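As an added illustration (not code from this page or from Microsoft), the following Python models the signal-driven loop described above: a small policy function checks constructed signals from each pillar and returns allow, block, or allow-with-condition, the way Conditional Access does at sign-in. The field names, the policy rules, and the sample requests are this example's own assumptions.

```python
from dataclasses import dataclass

# Constructed signal set, modelling what the page's policy engine gathers from
# each pillar. Field names are this example's own, not Entra's schema.
@dataclass(frozen=True)
class AccessRequest:
    user: str
    sign_in_risk: str        # identity pillar: "low", "medium" or "high"
    device_managed: bool     # devices pillar
    device_compliant: bool   # devices pillar
    app: str                 # applications pillar
    data_sensitivity: str    # data pillar: "general" or "confidential"
    location_trusted: bool   # networks pillar
    mfa_completed: bool      # identity pillar: strong verification already done

def evaluate(req: AccessRequest) -> str:
    """Verify explicitly: every signal is checked, never the network alone."""
    # Assume breach: a high-risk sign-in is blocked even from a trusted location.
    if req.sign_in_risk == "high":
        return "block"
    # Confidential data is reachable only from a managed, compliant device.
    if req.data_sensitivity == "confidential" and not (
            req.device_managed and req.device_compliant):
        return "block"
    # Medium risk on a non-compliant device: too many weak signals, so block.
    if req.sign_in_risk == "medium" and not req.device_compliant:
        return "block"
    # Any remaining weak signal is answered with a condition (step-up MFA).
    weak_signal = (req.sign_in_risk == "medium" or not req.location_trusted
                   or not req.device_managed)
    if weak_signal and not req.mfa_completed:
        return "require_mfa"
    return "allow"

# Constructed sample requests from the same user, as in the page's scenario.
SAMPLES = {
    "corporate_laptop": AccessRequest("alex", "low", True, True, "sharepoint",
                                      "confidential", True, True),
    "unmanaged_risky": AccessRequest("alex", "medium", False, False, "sharepoint",
                                     "confidential", False, False),
    "personal_low_risk": AccessRequest("alex", "low", False, False, "teams",
                                       "general", False, False),
}

def decisions() -> dict:
    """Evaluate every constructed request and return name -> decision."""
    return {name: evaluate(req) for name, req in SAMPLES.items()}
```

The same user is allowed from the compliant corporate laptop, stepped up to MFA from a low-risk personal device, and blocked from an unmanaged device with a risky sign-in, because the decision follows the signals rather than the network location.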

Quick exam recap

  • Zero Trust is a strategy/architecture, never a single product.
  • Three principles: verify explicitly, use least privileged access, assume breach.
  • Six pillars: identities, devices, applications, data, infrastructure, networks — plus visibility, automation, and orchestration tying them together.
  • Identity is the control plane; signals drive every access decision.

Test Your Knowledge

  1. Which set correctly lists Microsoft's three Zero Trust guiding principles?
  2. An administrator is granted permanent global-admin rights 'just in case' they are needed someday. Which Zero Trust principle does this most directly violate?
  3. Which item is one of Microsoft's six Zero Trust pillars?
  4. Which statement best reflects the 'assume breach' principle?