{"id":90992,"date":"2020-04-30T09:00:29","date_gmt":"2020-04-30T16:00:29","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=90992"},"modified":"2023-11-15T11:18:24","modified_gmt":"2023-11-15T19:18:24","slug":"zero-trust-deployment-guide-azure-active-directory","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/","title":{"rendered":"Zero Trust Deployment Guide for Microsoft Azure Active Directory"},"content":{"rendered":"<p>Microsoft is providing a series of deployment guides for customers who have engaged in a <a href=\"https:\/\/aka.ms\/Zero-Trust\" target=\"_blank\" rel=\"noopener noreferrer\">Zero Trust security strategy<\/a>. In this guide, we cover how to deploy and configure Azure Active Directory (Azure AD) capabilities to support your <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/zero-trust\" target=\"_blank\" rel=\"noopener noreferrer\">Zero Trust<\/a> security strategy.<\/p>\n<p>For simplicity, this document will focus on ideal deployments and configuration. We will call out the integrations that need Microsoft products other than Azure AD and we will note the licensing needed within Azure AD (Premium P1 vs P2), but we will not describe multiple solutions (one with a lower license and one with a higher license).<\/p>\n<h3>Azure AD at the heart of your Zero Trust strategy<\/h3>\n<p>Azure AD provides critical functionality for your Zero Trust strategy. It enables strong authentication, a point of integration for device security, and the core of your user-centric policies to guarantee least-privileged access. Azure AD\u2019s Conditional Access capabilities are the policy decision point for access to resources based on user identity, environment, device health, and risk\u2014verified explicitly at the point of access. In the following sections, we will showcase how you can implement your Zero Trust strategy with Azure AD.<\/p>\n<h3>Establish your identity foundation with Azure AD<\/h3>\n<p>A <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/zero-trust\" target=\"_blank\" rel=\"noopener noreferrer\">Zero Trust<\/a> strategy requires that we verify explicitly, use least privileged access principles, and assume breach. Azure Active Directory can act as the policy decision point to enforce your access policies based on insights on the user, device, target resource, and environment. To do this, we need to put Azure Active Directory in the path of every access request\u2014connecting every user and every app or resource through this identity control plane. In addition to productivity gains and improved user experiences from single sign-on (SSO) and consistent policy guardrails, connecting all users and apps provides Azure AD with the signal to make the best possible decisions about the authentication\/authorization risk.<\/p>\n<ul>\n<li><strong>Connect your users, groups, and devices:<\/strong><br \/>\nMaintaining a healthy pipeline of your employees\u2019 identities as well as the necessary security artifacts (groups for authorization and devices for extra access policy controls) puts you in the best place to use consistent identities and controls, which your users already benefit from on-premises and in the cloud:<\/p>\n<ol>\n<li>Start by choosing the right authentication option for your organization. While we strongly prefer to use an authentication method that primarily uses Azure AD (to provide you the best brute force, DDoS, and password spray protection), follow our <a href=\"https:\/\/aka.ms\/auth-options\" target=\"_blank\" rel=\"noopener noreferrer\">guidance<\/a> on making the decision that\u2019s right for your organization and your compliance needs.<\/li>\n<li>Only bring the identities you absolutely need. For example, use going to the cloud as an opportunity to leave behind service accounts that only make sense on-premises; leave on-premises privileged roles behind (more on that under privileged access), etc.<\/li>\n<li>If your enterprise has more than 100,000 users, groups, and devices combined, we recommend you follow our <a href=\"https:\/\/aka.ms\/aadconnectperf\" target=\"_blank\" rel=\"noopener noreferrer\">guidance<\/a> building a high performance sync box that will keep your life cycle up-to-date.<\/li>\n<\/ol>\n<\/li>\n<li><strong>Integrate all your applications with Azure AD:<\/strong><br \/>\nAs mentioned earlier, SSO is not only a convenient feature for your users, but it\u2019s also a security posture, as it prevents users from leaving copies of their credentials in various apps and helps avoid them getting used to surrendering their credentials due to excessive prompting. Make sure you do not have multiple IAM engines in your environment. Not only does this diminish the amount of signal that Azure AD sees and allow bad actors to live in the seams between the two IAM engines, it can also lead to poor user experience and your business partners becoming the first doubters of your <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/zero-trust\" target=\"_blank\" rel=\"noopener noreferrer\">Zero Trust<\/a> strategy. Azure AD supports a variety of ways you can bring apps to authenticate with it:<\/p>\n<ol start=\"1\">\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/manage-apps\/plan-sso-deployment\" target=\"_blank\" rel=\"noopener noreferrer\">Integrate modern enterprise applications<\/a> that speak OAuth2.0 or SAML.<\/li>\n<li>For Kerberos and Form-based auth applications, you can <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/manage-apps\/application-proxy-deployment-plan\" target=\"_blank\" rel=\"noopener noreferrer\">integrate them using the Azure AD Application Proxy<\/a>.<\/li>\n<li>If you publish your legacy applications using application delivery networks\/controllers, Azure AD is able to <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/manage-apps\/secure-hybrid-access\" target=\"_blank\" rel=\"noopener noreferrer\">integrate<\/a> with most of the major ones (such as Citrix, Akamai, F5, etc.).<\/li>\n<li>To help migrate your apps off of existing\/older IAM engines, we provide <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/manage-apps\/migration-resources\" target=\"_blank\" rel=\"noopener noreferrer\">a number of resources<\/a>\u2014including tools to help you discover and migrate apps off of ADFS.<\/li>\n<\/ol>\n<\/li>\n<li><strong>Automate provisioning to applications:<\/strong><br \/>\nOnce you have your users\u2019 identities in Azure AD, you can now use Azure AD to power pushing those user identities into your various cloud applications. This gives you a tighter identity lifecycle integration within those apps. Use this <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/app-provisioning\/plan-auto-user-provisioning\" target=\"_blank\" rel=\"noopener noreferrer\">detailed guide<\/a> to deploy provisioning into your SaaS applications.<\/li>\n<li><strong>Get your logging and reporting in order:<br \/>\n<\/strong>As you build your estate in Azure AD with authentication, authorization, and provisioning, it\u2019s important to have strong operational insights into what is happening in the directory. Follow <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/reports-monitoring\/plan-monitoring-and-reporting\" target=\"_blank\" rel=\"noopener noreferrer\">this guide<\/a> to learn how to to persist and analyze the logs from Azure AD either in Azure or using a SIEM system of choice.<\/li>\n<\/ul>\n<h3>Enacting the 1<sup>st<\/sup> principle: least privilege<\/h3>\n<p>Giving the right access at the right time to only those who need it is at the heart of a Zero Trust philosophy:<\/p>\n<ul>\n<li><strong>Plan your Conditional Access deployment:<br \/>\n<\/strong>Planning your Conditional Access policies in advance and having a set of active <strong><em>and<\/em><\/strong> fallback policies is a foundational pillar of your Access Policy enforcement in a Zero Trust deployment. Take the time to configure your trusted IP locations in your environment. Even if you do not use them in a Conditional Access policy, configure these IPs informs the risk of Identity Protection mentioned above. Check out our <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/conditional-access\/plan-conditional-access\" target=\"_blank\" rel=\"noopener noreferrer\">deployment guidance<\/a> and <a href=\"https:\/\/aka.ms\/resilientaad\" target=\"_blank\" rel=\"noopener noreferrer\">best practices<\/a> for resilient Conditional Access policies.<\/li>\n<li><strong>Secure privileged access with privileged identity management:<\/strong><br \/>\nWith privileged access, you generally take a different track to meeting the end users where they are most likely to need and use the data. You typically want to control the devices, conditions, and credentials that users use to access privileged operations\/roles. Check out our <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/users-groups-roles\/directory-admin-roles-secure\" target=\"_blank\" rel=\"noopener noreferrer\">detailed guidance<\/a> on how to take control of your privileged identities and secure them. Keep in mind that in a digitally transformed organization, privileged access is not only administrative access, but also application owner or developer access that can change the way your mission critical apps run and handle data. Check out our detailed guide on <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/privileged-identity-management\/pim-deployment-plan\" target=\"_blank\" rel=\"noopener noreferrer\">how to use Privileged Identity Management (P2) to secure privileged identities<\/a>.<\/li>\n<li><strong>Restrict user consent to applications:<\/strong><br \/>\nUser consent to applications is a very common way for modern applications to get access to organizational resources. However, we recommend you <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/manage-apps\/manage-consent-requests\" target=\"_blank\" rel=\"noopener noreferrer\">restrict user consent and manage consent requests<\/a> to ensure that no unnecessary exposure of your organization\u2019s data to apps occurs. This also means that you need to <a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/office-365-security\/detect-and-remediate-illicit-consent-grants?view=o365-worldwide\" target=\"_blank\" rel=\"noopener noreferrer\">review prior\/existing consent in your organization<\/a> for any excessive or malicious consent.<\/li>\n<li><strong>Manage entitlements (Azure AD Premium P2):<\/strong><br \/>\nWith applications centrally authenticating and driven from Azure AD, you should streamline your access request, approval, and recertification process to make sure that the right people have the right access and that you have a trail of why users in your organization have the access they have. Using entitlement management, you can create access packages that they can request as they join different teams\/project and that would assign them access to the associated resources (applications, SharePoint sites, group memberships). Check out how you can <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/governance\/entitlement-management-access-package-create\" target=\"_blank\" rel=\"noopener noreferrer\">start a package<\/a>. If deploying entitlement management is not possible for your organization at this time, we recommend you at least enable self-service paradigms in your organization by deploying <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/users-groups-roles\/groups-self-service-management\" target=\"_blank\" rel=\"noopener noreferrer\">self-service group management<\/a> and <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/manage-apps\/manage-self-service-access\" target=\"_blank\" rel=\"noopener noreferrer\">self-service application access<\/a>.<\/li>\n<\/ul>\n<h3>Enacting the 2<sup>nd<\/sup> principle: verify explicitly<\/h3>\n<p>Provide Azure AD with a rich set of credentials and controls that it can use to verify the user at all times.<\/p>\n<ul>\n<li><strong>Roll out Azure multi-factor authentication (MFA) (P1):<br \/>\n<\/strong>This is a foundational piece of reducing user session risk. As users appear on new devices and from new locations, being able to respond to an MFA challenge is one of the most direct ways that your users can teach us that these are familiar devices\/locations as they move around the world (without having administrators parse individual signals). Check out this <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/authentication\/howto-mfa-getstarted\" target=\"_blank\" rel=\"noopener noreferrer\">deployment guide<\/a>.<\/li>\n<li><strong>Enable Azure AD Hybrid Join or Azure AD Join:<br \/>\n<\/strong>If you are managing the user\u2019s laptop\/computer, bringing that information into Azure AD and use it to help make better decisions. For example, you may choose to allow rich client access to data (clients that have offline copies on the computer) if you know the user is coming from a machine that your organization controls and manages. If you do not bring this in, you will likely choose to block access from rich clients, which may result in your users working around your security or using Shadow IT. Check out our resources for <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/devices\/concept-azure-ad-join-hybrid\" target=\"_blank\" rel=\"noopener noreferrer\">Azure AD Hybrid Join<\/a> or <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/devices\/concept-azure-ad-join\" target=\"_blank\" rel=\"noopener noreferrer\">Azure AD Join<\/a>.<\/li>\n<li><strong>Enable <\/strong><a href=\"https:\/\/docs.microsoft.com\/en-us\/mem\/intune\/remote-actions\/device-management\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>Microsoft Intune<\/strong><\/a><strong> for managing your users\u2019 mobile devices (EMS):<\/strong><br \/>\nThe same can be said about user mobile devices as laptops. The more you know about them (patch level, jailbroken, rooted, etc.) the more you are able to trust or mistrust them and provide a rationale for why you block\/allow access. Check out our <a href=\"https:\/\/docs.microsoft.com\/en-us\/mem\/intune\/enrollment\/device-enrollment\" target=\"_blank\" rel=\"noopener noreferrer\">Intune device enrollment guide<\/a> to get started.<\/li>\n<li><strong>Start rolling out passwordless credentials:<\/strong><br \/>\nWith Azure AD now supporting FIDO 2.0 and passwordless phone sign-in, you can move the needle on the credentials that your users (especially sensitive\/privileged users) are using on a day-to-day basis. These credentials are strong authentication factors that can mitigate risk as well. <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/authentication\/howto-authentication-passwordless-deployment\" target=\"_blank\" rel=\"noopener noreferrer\">Our passwordless authentication deployment guide<\/a> walks you through how to roll out passwordless credentials in your organization.<\/li>\n<\/ul>\n<h3>Enacting the 3<sup>rd<\/sup> principle: assume breach<\/h3>\n<p>Provide Azure AD with a rich set of credentials and controls that it can use to verify the user.<\/p>\n<ul>\n<li><strong>Deploy Azure AD Password Protection:<\/strong><br \/>\nWhile enabling other methods to verify users explicitly, you should not forget about weak passwords, password spray and breach replay attacks. Read <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/azure-active-directory-identity\/your-pa-word-doesn-t-matter\/ba-p\/731984\" target=\"_blank\" rel=\"noopener noreferrer\">this blog<\/a> to find out why classic complex password policies are not tackling the most prevalent password attacks. Then follow this guidance to enable Azure AD Password Protection for your users <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/authentication\/concept-password-ban-bad\" target=\"_blank\" rel=\"noopener noreferrer\">in the cloud first<\/a> and then <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/authentication\/howto-password-ban-bad-on-premises-deploy\" target=\"_blank\" rel=\"noopener noreferrer\">on-premises as well<\/a>.<\/li>\n<li><strong>Block legacy authentication:<br \/>\n<\/strong>One of the most common attack vectors for malicious actors is to use stolen\/replayed credentials against legacy protocols, such as SMTP, that cannot do modern security challenges. We recommend you <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/conditional-access\/block-legacy-authentication\" target=\"_blank\" rel=\"noopener noreferrer\">block legacy authentication<\/a> in your organization.<\/li>\n<li><strong>Enable identity protection (Azure AD Premium 2):<\/strong><br \/>\n<a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/identity-protection\/overview-identity-protection\" target=\"_blank\" rel=\"noopener noreferrer\">Enabling identity protection<\/a> for your users will provide you with more granular session\/user risk signal. You\u2019ll be able to investigate risk and confirm compromise or dismiss the signal which will help the engine understand better what risk looks like in your environment.<\/li>\n<li><strong>Enable restricted session to use in access decisions<\/strong>:<br \/>\nTo illustrate, let\u2019s take a look at controls in Exchange Online and SharePoint Online (P1): When a user\u2019s risk is low but they are signing in from an unknown device, you may want to allow them access to critical resources, but not allow them to do things that leave your organization in a non-compliant state. Now you can configure Exchange Online and SharePoint Online to offer the user a restricted session that allows them to read emails or view files, but not download them and save them on an untrusted device. Check out our guides for enabling limited access with <a href=\"https:\/\/aka.ms\/spolimitedaccessdocs\" target=\"_blank\" rel=\"noopener noreferrer\">SharePoint Online<\/a> and <a href=\"https:\/\/aka.ms\/owalimitedaccess\" target=\"_blank\" rel=\"noopener noreferrer\">Exchange Online<\/a>.<\/li>\n<li><strong>Enable Conditional Access integration with Microsoft Cloud App Security (MCAS) (E5): <\/strong><br \/>\nUsing signals emitted after authentication and with MCAS proxying requests to application, you will be able to monitor sessions going to SaaS Applications and enforce restrictions. Check out our <a href=\"https:\/\/docs.microsoft.com\/en-us\/cloud-app-security\/proxy-intro-aad\" target=\"_blank\" rel=\"noopener noreferrer\">MCAS and Conditional Access integration guidance<\/a> and see how this can even be <a href=\"https:\/\/docs.microsoft.com\/bs-latn-ba\/azure\/active-directory\/manage-apps\/application-proxy-integrate-with-microsoft-cloud-application-security\" target=\"_blank\" rel=\"noopener noreferrer\">extended to on-premises apps<\/a>.<\/li>\n<li><strong>Enable Microsoft Cloud App Security (MCAS) integration with identity protection (E5):<\/strong><br \/>\nMicrosoft Cloud App Security is a UEBA product monitoring user behavior <em>inside<\/em> SaaS and modern applications. This gives Azure AD signal and awareness about what happened to the user after they authenticated and received a token. If the user pattern starts to look suspicious (user starts to download gigabytes of data from OneDrive or starts to send spam emails in Exchange Online), then a signal can be fed to Azure AD notifying it that the user seems to be compromised or high risk and on the next access request from this user; Azure AD can take correct action to verify the user or block them. Just enabling MCAS monitoring will enrich the identity protection signal. Check out our <a href=\"https:\/\/docs.microsoft.com\/en-us\/cloud-app-security\/azip-integration\" target=\"_blank\" rel=\"noopener noreferrer\">integration guidance<\/a> to get started.<\/li>\n<li><strong>Integrate Azure Advanced Threat Protection (ATP) with Microsoft Cloud App Security:<br \/>\n<\/strong>Once you\u2019ve successfully deployed and configured Azure ATP, <a href=\"https:\/\/docs.microsoft.com\/en-us\/cloud-app-security\/aatp-integration\" target=\"_blank\" rel=\"noopener noreferrer\">enable the integration<\/a> with Microsoft Cloud App Security to bring on-premises signal into the risk signal we know about the user. This enables Azure AD to know that a user is indulging in risky behavior while accessing on-premises, non-modern resources (like File Shares) which can then be factored into overall user risk to block further access in the cloud. You will be able to see a <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/enterprise-mobility-security\/introducing-investigation-priority-built-on-user-and-entity\/ba-p\/360853\" target=\"_blank\" rel=\"noopener noreferrer\">combined Priority Score<\/a> for each user at risk to give a holistic view of which ones your SOC should focus on.<\/li>\n<li><strong>Enable Microsoft Defender ATP (E5):<\/strong><br \/>\nMicrosoft Defender ATP allows you to attest to Windows machines health and whether they are undergoing a compromise and feed that into mitigating risk at runtime. Whereas Domain Join gives you a sense of control, Defender ATP allows you to react to a malware attack at near real time by detecting patterns where multiple user devices are hitting untrustworthy sites and react by raising their device\/user risk at runtime. See our guidance on <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-atp\/configure-conditional-access\" target=\"_blank\" rel=\"noopener noreferrer\">configuring Conditional Access in Defender ATP<\/a>.<\/li>\n<\/ul>\n<h3>Conclusion<\/h3>\n<p>We hope the above guides help you deploy the identity pieces central to a successful Zero Trust strategy. Make sure to check out the other deployment guides in the series by following the <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft Security blog<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft is providing a series of deployment guides for customers who have engaged in a Zero Trust security strategy to configure Azure Active Directory (Azure AD) capabilities. <\/p>\n","protected":false},"author":96,"featured_media":90994,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3659],"topic":[3689],"products":[3702,3703],"threat-intelligence":[],"tags":[3742],"coauthors":[2308],"class_list":["post-90992","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-best-practices","topic-zero-trust","products-microsoft-entra","products-microsoft-entra-id","tag-azure","review-flag-1694638265-576","review-flag-1-1694638265-354","review-flag-2-1694638266-864","review-flag-3-1694638266-241","review-flag-integ-1694638263-281","review-flag-new-1694638263-340"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Zero Trust Deployment Guide for Microsoft Azure Active Directory | Microsoft Security Blog<\/title>\n<meta name=\"description\" content=\"Microsoft is providing a series of deployment guides for customers who have engaged in a Zero Trust security strategy to configure Azure Active Directory (Azure AD) capabilities.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Zero Trust Deployment Guide for Microsoft Azure Active Directory\" \/>\n<meta property=\"og:description\" content=\"Microsoft is providing a series of deployment guides for customers who have engaged in a Zero Trust security strategy to configure Azure Active Directory (Azure AD) capabilities.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2020-04-30T16:00:29+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-11-15T19:18:24+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/04\/Zero-Trust-Deployment-Guide-for-Microsoft-Azure-Active-Directory-BANNER.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"630\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Tarek Dawoud\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Zero Trust Deployment Guide for Microsoft Azure Active Directory\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/04\/Zero-Trust-Deployment-Guide-for-Microsoft-Azure-Active-Directory-BANNER.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Tarek Dawoud\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/tarek-dawoud\/\",\"@type\":\"Person\",\"@name\":\"Tarek Dawoud\"}],\"headline\":\"Zero Trust Deployment Guide for Microsoft Azure Active Directory\",\"datePublished\":\"2020-04-30T16:00:29+00:00\",\"dateModified\":\"2023-11-15T19:18:24+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/\"},\"wordCount\":2301,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/04\/Zero-Trust-Deployment-Guide-for-Microsoft-Azure-Active-Directory-BANNER.png\",\"keywords\":[\"Azure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/\",\"name\":\"Zero Trust Deployment Guide for Microsoft Azure Active Directory | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/04\/Zero-Trust-Deployment-Guide-for-Microsoft-Azure-Active-Directory-BANNER.png\",\"datePublished\":\"2020-04-30T16:00:29+00:00\",\"dateModified\":\"2023-11-15T19:18:24+00:00\",\"description\":\"Microsoft is providing a series of deployment guides for customers who have engaged in a Zero Trust security strategy to configure Azure Active Directory (Azure AD) capabilities.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/04\/Zero-Trust-Deployment-Guide-for-Microsoft-Azure-Active-Directory-BANNER.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/04\/Zero-Trust-Deployment-Guide-for-Microsoft-Azure-Active-Directory-BANNER.png\",\"width\":1200,\"height\":630,\"caption\":\"Two men at PC workstations.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Zero Trust Deployment Guide for Microsoft Azure Active Directory\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Zero Trust Deployment Guide for Microsoft Azure Active Directory | Microsoft Security Blog","description":"Microsoft is providing a series of deployment guides for customers who have engaged in a Zero Trust security strategy to configure Azure Active Directory (Azure AD) capabilities.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/","og_locale":"en_US","og_type":"article","og_title":"Zero Trust Deployment Guide for Microsoft Azure Active Directory","og_description":"Microsoft is providing a series of deployment guides for customers who have engaged in a Zero Trust security strategy to configure Azure Active Directory (Azure AD) capabilities.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/","og_site_name":"Microsoft Security Blog","article_published_time":"2020-04-30T16:00:29+00:00","article_modified_time":"2023-11-15T19:18:24+00:00","og_image":[{"width":1200,"height":630,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/04\/Zero-Trust-Deployment-Guide-for-Microsoft-Azure-Active-Directory-BANNER.png","type":"image\/png"}],"author":"Tarek Dawoud","twitter_card":"summary_large_image","twitter_title":"Zero Trust Deployment Guide for Microsoft Azure Active Directory","twitter_image":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/04\/Zero-Trust-Deployment-Guide-for-Microsoft-Azure-Active-Directory-BANNER.png","twitter_misc":{"Written by":"Tarek Dawoud","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/tarek-dawoud\/","@type":"Person","@name":"Tarek Dawoud"}],"headline":"Zero Trust Deployment Guide for Microsoft Azure Active Directory","datePublished":"2020-04-30T16:00:29+00:00","dateModified":"2023-11-15T19:18:24+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/"},"wordCount":2301,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/04\/Zero-Trust-Deployment-Guide-for-Microsoft-Azure-Active-Directory-BANNER.png","keywords":["Azure"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/","name":"Zero Trust Deployment Guide for Microsoft Azure Active Directory | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/04\/Zero-Trust-Deployment-Guide-for-Microsoft-Azure-Active-Directory-BANNER.png","datePublished":"2020-04-30T16:00:29+00:00","dateModified":"2023-11-15T19:18:24+00:00","description":"Microsoft is providing a series of deployment guides for customers who have engaged in a Zero Trust security strategy to configure Azure Active Directory (Azure AD) capabilities.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/04\/Zero-Trust-Deployment-Guide-for-Microsoft-Azure-Active-Directory-BANNER.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/04\/Zero-Trust-Deployment-Guide-for-Microsoft-Azure-Active-Directory-BANNER.png","width":1200,"height":630,"caption":"Two men at PC workstations."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/04\/30\/zero-trust-deployment-guide-azure-active-directory\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"Zero Trust Deployment Guide for Microsoft Azure Active Directory"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/90992"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=90992"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/90992\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/90994"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=90992"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=90992"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=90992"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=90992"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=90992"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=90992"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=90992"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}