Zero Trust with Defender & Conditional Access — Field Notes
Practical field notes on implementing a Zero Trust architecture using Microsoft Defender and Entra Conditional Access.
Principle 1: Verify Explicitly
Always authenticate and authorize based on all available data points.
- Identity: Use Conditional Access to enforce MFA and check for user risk (via Identity Protection).
- Device: Require devices to be Intune-managed and compliant before granting access.
- Location: Block access from anonymous proxies or specific high-risk geographies using named locations.
- Application: Scope policies to specific apps and use step-up authentication for sensitive actions.
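The four data points above map onto the conditions and grant controls of a Conditional Access policy. The following is an added example, not code from these notes or from Microsoft: the policy dictionaries follow the Microsoft Graph conditionalAccessPolicy shape (users, applications, locations, signInRiskLevels, grantControls), and evaluate() is a deliberately simplified offline "what-if" model of how those policies combine for one sign-in. The group and named-location GUIDs are constructed placeholders.

```python
"""Offline model of Entra Conditional Access policy evaluation.

Added example (not Microsoft code): the policy dictionaries follow the Microsoft
Graph conditionalAccessPolicy shape, but evaluate() is a deliberately simplified
"what-if" model of how grant controls combine, not Microsoft's engine.
All GUIDs below are constructed placeholders.
"""

BREAK_GLASS_GROUP = "11111111-1111-1111-1111-111111111111"    # placeholder group id
HIGH_RISK_COUNTRIES = "22222222-2222-2222-2222-222222222222"  # placeholder countryNamedLocation id

POLICIES = [
    {   # Location condition: block sign-ins from a named high-risk country list.
        "displayName": "CA001 Block sign-ins from high-risk geographies",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": [HIGH_RISK_COUNTRIES], "excludeLocations": []},
            "signInRiskLevels": [],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # Identity + device: every sign-in needs MFA AND an Intune-compliant device.
        "displayName": "CA002 Require MFA and compliant device",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": ["All"]},
            "signInRiskLevels": [],
        },
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
    },
    {   # Identity Protection risk: step up to MFA when sign-in risk is medium or high.
        "displayName": "CA003 Require MFA on medium/high sign-in risk",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
            "signInRiskLevels": ["medium", "high"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def in_scope(policy, signin):
    """True when the sign-in matches every condition the policy specifies."""
    c = policy["conditions"]
    users = c["users"]
    if users["includeUsers"] != ["All"] and signin["user"] not in users["includeUsers"]:
        return False
    if set(signin["groups"]) & set(users.get("excludeGroups", [])):
        return False   # excluded group (e.g. break-glass accounts) wins over include
    apps = c["applications"]["includeApplications"]
    if apps != ["All"] and signin["app"] not in apps:
        return False
    loc = c.get("locations")
    if loc:
        if loc["includeLocations"] != ["All"] and signin["location"] not in loc["includeLocations"]:
            return False
        if signin["location"] in loc.get("excludeLocations", []):
            return False
    risk_levels = c.get("signInRiskLevels") or []
    if risk_levels and signin["signInRisk"] not in risk_levels:
        return False
    return True


def evaluate(signin, policies=POLICIES):
    """Return {'decision': block|interrupt|grant, 'applied': [...], 'missing': [...]}.

    signin['satisfied'] lists controls the session already meets (e.g. ['mfa']).
    Any applicable block policy wins; otherwise unmet grant controls interrupt.
    """
    applied, missing, blocked = [], set(), False
    for p in policies:
        if p["state"] != "enabled" or not in_scope(p, signin):
            continue
        applied.append(p["displayName"])
        gc = p["grantControls"]
        controls = gc["builtInControls"]
        if "block" in controls:
            blocked = True
            continue
        have = set(signin["satisfied"])
        if gc["operator"] == "AND":
            missing.update(ctrl for ctrl in controls if ctrl not in have)
        elif not have.intersection(controls):   # OR: any one listed control would do
            missing.update(controls)
    decision = "block" if blocked else ("interrupt" if missing else "grant")
    return {"decision": decision, "applied": applied, "missing": sorted(missing)}


if __name__ == "__main__":
    # Constructed sign-in: unmanaged device, no MFA yet, medium risk, unknown location.
    probe = {"user": "alice@contoso.example", "groups": [], "app": "Office 365",
             "location": None, "signInRisk": "medium", "satisfied": []}
    print(evaluate(probe))
```

The model is useful for reasoning about policy interaction before enabling anything: a member of the break-glass group signing in from a listed country is excluded from both CA001 and CA002 and is therefore granted without controls, which is exactly the exposure the exclusion list creates and why it should be kept to a handful of audited accounts. Report-only mode (state "enabledForReportingButNotEnforced") on the real tenant is the authoritative version of this check.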
Principle 2: Use Least Privilege Access
Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA).
- PIM for Roles: Use Privileged Identity Management (PIM) to make all admin roles eligible for activation, not permanently assigned.
- PIM for Groups: Assign access to sensitive apps or SharePoint sites via a group that requires PIM activation.
- Entra ID Access Reviews: Schedule recurring reviews for group memberships and app access to remove stale permissions.
Principle 3: Assume Breach
Minimize blast radius and segment access. Monitor everything.
- Network Segmentation: Cloud identity does not segment by network, so treat Conditional Access as the primary policy enforcement point rather than relying on a traditional network perimeter.
- Defender XDR Integration: Ensure signals from Defender for Endpoint (device risk), Defender for Identity (user risk), and Defender for Cloud Apps feed into your Conditional Access policies.
- Continuous Monitoring: Actively monitor Entra ID sign-in logs, audit logs, and Defender incidents for anomalies and policy gaps.
- Automation: Use automation in Defender to investigate and respond to low-severity alerts, freeing up analysts for complex threats.
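The "policy gaps" item is the one most often left as a manual exercise. The following is an added example, not code from these notes or from Microsoft: it sweeps sign-in log records for the gaps the notes call out (no Conditional Access policy applied, single-factor access, a risky sign-in that was still allowed, a non-compliant device that was still allowed). The records are constructed to mirror the field names of the Microsoft Graph signIn resource (conditionalAccessStatus, riskLevelDuringSignIn, authenticationRequirement, deviceDetail.isCompliant, status.errorCode); they are not real tenant data.

```python
"""Sweep Entra ID sign-in log records for Conditional Access policy gaps.

Added example (not from the notes' author or Microsoft): the records below are
constructed to mirror Microsoft Graph signIn fields, and each rule encodes one
gap the field notes describe. Only successful sign-ins count as gaps; a sign-in
that Conditional Access blocked is the control working.
"""
import json
from collections import Counter

# Constructed sample export in the shape of GET /auditLogs/signIns; not real data.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2024-05-01T08:01:00Z", "userPrincipalName": "alice@contoso.example",
  "appDisplayName": "Office 365 SharePoint Online", "ipAddress": "203.0.113.10",
  "conditionalAccessStatus": "success", "riskLevelDuringSignIn": "none",
  "authenticationRequirement": "multiFactorAuthentication",
  "deviceDetail": {"isCompliant": true}, "status": {"errorCode": 0}},
 {"createdDateTime": "2024-05-01T08:05:00Z", "userPrincipalName": "svc-legacy@contoso.example",
  "appDisplayName": "Legacy Reporting", "ipAddress": "203.0.113.20",
  "conditionalAccessStatus": "notApplied", "riskLevelDuringSignIn": "none",
  "authenticationRequirement": "singleFactorAuthentication",
  "deviceDetail": {"isCompliant": false}, "status": {"errorCode": 0}},
 {"createdDateTime": "2024-05-01T08:09:00Z", "userPrincipalName": "bob@contoso.example",
  "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.7",
  "conditionalAccessStatus": "success", "riskLevelDuringSignIn": "high",
  "authenticationRequirement": "multiFactorAuthentication",
  "deviceDetail": {"isCompliant": true}, "status": {"errorCode": 0}},
 {"createdDateTime": "2024-05-01T08:12:00Z", "userPrincipalName": "carol@contoso.example",
  "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.9",
  "conditionalAccessStatus": "failure", "riskLevelDuringSignIn": "high",
  "authenticationRequirement": "multiFactorAuthentication",
  "deviceDetail": {"isCompliant": false}, "status": {"errorCode": 53003}}
]""")


def successful(rec):
    """errorCode 0 means the token was issued; anything else was blocked or failed."""
    return rec.get("status", {}).get("errorCode", 0) == 0


# Each rule names a gap and returns True when a *successful* sign-in exhibits it.
RULES = {
    "no_ca_policy_applied": lambda r: r.get("conditionalAccessStatus") == "notApplied",
    "single_factor_access": lambda r: r.get("authenticationRequirement") == "singleFactorAuthentication",
    "risky_signin_allowed": lambda r: r.get("riskLevelDuringSignIn") in ("medium", "high"),
    "noncompliant_device_allowed": lambda r: not r.get("deviceDetail", {}).get("isCompliant", False),
}


def find_gaps(records):
    """Return one finding per (rule, successful sign-in) pair that violates the rule."""
    findings = []
    for rec in records:
        if not successful(rec):
            continue
        for name, hit in RULES.items():
            if hit(rec):
                findings.append({"rule": name,
                                 "user": rec["userPrincipalName"],
                                 "app": rec["appDisplayName"],
                                 "time": rec["createdDateTime"]})
    return findings


def summarize(findings):
    """Count findings per rule so the largest gap class is visible at a glance."""
    return dict(Counter(f["rule"] for f in findings))


def apps_without_policy(findings):
    """Apps that produced sign-ins no Conditional Access policy covered (sorted)."""
    return sorted({f["app"] for f in findings if f["rule"] == "no_ca_policy_applied"})


if __name__ == "__main__":
    gaps = find_gaps(SAMPLE_SIGNINS)
    for g in gaps:
        print(f"{g['time']}  {g['rule']:<28} {g['user']:<32} {g['app']}")
    print(summarize(gaps))
    print("apps with no CA policy:", apps_without_policy(gaps))
```

On the constructed sample the legacy service account stands out on three rules at once, which is the usual signature of an app scoped out of every policy; the blocked sign-in (errorCode 53003) is correctly ignored. Against a real export, apps_without_policy() is the list to feed back into Principle 1, and running the sweep on a schedule turns the "monitor for policy gaps" item into a repeatable check.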