
Zero Trust on a budget: M365 + Conditional Access

Zero Trust has become cybersecurity's buzzword: every vendor tells you that you need their product to "implement Zero Trust". The reality is more uncomfortable for the seller and more convenient for you: if you already use Microsoft 365 Business Premium - and most Italian SMEs do - you already have the tools to start, without a single extra euro. Business Premium bundles Entra ID P1 (and with it Conditional Access), Intune for device management and Purview for data classification. Because Zero Trust is not a product to buy: it is a strategy, and a huge part of the strategy is configuring things you already own.

What Zero Trust really is (and what it is not)

The principle is simple: trust nobody, always verify. The term was coined by analyst John Kindervag (Forrester) around 2010, and today the technical reference is NIST SP 800-207, which defines its architecture. The core idea is that the perimeter is dead: with remote work, cloud and personal devices, "being inside the network" no longer means "being trusted". Microsoft sums it up in three operating principles: verify explicitly (every access, every time), use least privilege (only what is needed, when it is needed), assume breach (design as if the attacker were already inside). And it applies across several fronts: CISA's Zero Trust Maturity Model organizes them into five pillars - identity, devices, networks, applications and data - reminding us that Zero Trust is a journey through maturity levels, not a switch.

Identity is the new perimeter

If the perimeter is no longer the network, then it is identity: that is where the game is played. And the single highest-return control of all is MFA: according to Microsoft's data, multi-factor authentication blocks over 99% of automated account-compromise attacks. With a caveat I tie to my piece on infostealers: not all MFA is equal. SMS codes and simple push approvals are better than nothing, but an adversary-in-the-middle phishing kit relays them in real time; passkeys and FIDO2 keys are phishing-resistant because the credential is bound to the site's origin. And even phishing-resistant MFA is not enough if your session cookie or token is stolen after login: it is replayed as-is, with no second factor asked. That is why you require a compliant or Entra-joined device for the application (a session replayed from an unmanaged machine fails the device check) and keep sign-in frequency short on sensitive apps, exactly what Conditional Access lets you do.

[Figure: how Conditional Access decides. Signals (user, device, location, risk) feed the policy evaluation, which returns a decision: allow, require MFA, or block. The evaluation runs at every sign-in and token refresh, and with continuous access evaluation a changed signal can revoke access in near real time, not only at the first login.]
The Zero Trust engine on M365: signals come in, a decision comes out, on every access.

Conditional Access: the heart, at zero spend

Conditional Access in Entra ID (the former Azure AD) is the engine that translates Zero Trust into concrete rules. It allows granular policies, evaluated on every access: MFA required outside the corporate network? Done. Access to SharePoint only from compliant devices? Done. Blocking access from countries you do not operate in? Done. Blocking legacy authentication - the old protocols (IMAP, POP, SMTP AUTH, Exchange ActiveSync basic auth) that cannot present a second factor, still enabled in far too many tenants? Done. Each policy is configured in minutes and applies immediately, which cuts both ways: deploy every new policy in report-only mode first, read the sign-in logs to see whom it would have blocked, and exclude a break-glass account from every policy so that a wrong rule cannot lock all your admins out of the tenant.

A typical configuration for an SME

The baseline I set, in order of priority: MFA for everyone, non-negotiable; blocking legacy authentication (without it, MFA is theater); device compliance via Intune, even just to verify Windows is updated and encrypted with BitLocker; geographic blocking of countries where the company does not operate; risk-based access computed by Identity Protection (impossible travel, suspicious addresses); and a short sign-in frequency for sensitive applications. One caveat on the "zero spend" claim: the risk-based policies (sign-in risk and user risk as conditions) require Entra ID P2, which Business Premium does not include; everything else on the list is covered by the P1 licence already in the bundle. It is a level of security that five years ago required enterprise investment, achieved with a license the company is already paying for.
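What that baseline looks like as configuration, as an added example that is not part of the original post: a PowerShell script using the Microsoft Graph PowerShell SDK that creates the first four policies (legacy auth block, MFA for all, compliant device plus short sign-in frequency for Office 365, geographic block) in report-only mode, with a break-glass account excluded from each. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users modules, an admin who can consent to the listed scopes, a hypothetical break-glass UPN, and a company operating only in Italy (country code IT); the risk-based policy is left out because it needs Entra ID P2.

```powershell
# Added example (not from the original post): a report-only Conditional Access
# baseline for an SME tenant, built with the Microsoft Graph PowerShell SDK.
# Assumptions (hypothetical, adjust for your tenant):
#   - Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users modules installed
#     (Install-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users -Scope CurrentUser)
#   - the signed-in admin can consent to the scopes below
#   - a break-glass account exists with the UPN below
#   - the company operates only in Italy (country code IT)
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","User.Read.All"

# Break-glass (emergency access) account: excluded from every policy so that a
# misconfigured rule cannot lock every admin out of the tenant.
$breakGlassUpn = "breakglass@contoso.onmicrosoft.com"   # hypothetical UPN
$breakGlass    = Get-MgUser -Filter "userPrincipalName eq '$breakGlassUpn'"
if (-not $breakGlass) { throw "Create the break-glass account before deploying policies." }

# Every policy starts in report-only mode: it is evaluated and written to the
# sign-in logs, but never enforced, until you have reviewed the impact.
$reportOnly = "enabledForReportingButNotEnforced"

function New-BaselinePolicy {
    param(
        [string]$Name,
        [hashtable]$Conditions,
        [hashtable]$GrantControls,
        [hashtable]$SessionControls = $null
    )
    # Scope: all users, minus the break-glass account (hashtables are references,
    # so this mutates the caller's conditions in place).
    $Conditions.users = @{
        includeUsers = @("All")
        excludeUsers = @($breakGlass.Id)
    }
    $body = @{
        displayName   = $Name
        state         = $reportOnly
        conditions    = $Conditions
        grantControls = $GrantControls
    }
    if ($SessionControls) { $body.sessionControls = $SessionControls }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1. Block legacy authentication: client app types that cannot present MFA.
New-BaselinePolicy -Name "CA001 Block legacy authentication" `
    -Conditions @{
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    } `
    -GrantControls @{ operator = "OR"; builtInControls = @("block") }

# 2. MFA for everyone, on every application.
New-BaselinePolicy -Name "CA002 Require MFA for all users" `
    -Conditions @{
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    } `
    -GrantControls @{ operator = "OR"; builtInControls = @("mfa") }

# 3. Office 365 (Exchange, SharePoint, Teams) only from Intune-compliant devices,
#    with a one-hour sign-in frequency so a stolen token buys little time.
New-BaselinePolicy -Name "CA003 Require compliant device for Office 365" `
    -Conditions @{
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
    } `
    -GrantControls @{ operator = "OR"; builtInControls = @("compliantDevice") } `
    -SessionControls @{
        signInFrequency = @{ value = 1; type = "hours"; isEnabled = $true }
    }

# 4. Geographic block: a named location for the allowed countries, then block
#    every location except that one.
$allowed = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed countries"
    countriesAndRegions               = @("IT")
    includeUnknownCountriesAndRegions = $false
}
New-BaselinePolicy -Name "CA004 Block sign-in from other countries" `
    -Conditions @{
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($allowed.Id) }
    } `
    -GrantControls @{ operator = "OR"; builtInControls = @("block") }

# Check: list the new policies and confirm none is enforced yet.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object DisplayName -like "CA00*" |
    Select-Object DisplayName, State
```

After a week of reviewing the report-only results in the sign-in logs (the "Report-only" tab shows what each policy would have done), switch the state to "enabled" one policy at a time, starting with the legacy auth block; keep the break-glass exclusion in place permanently and alert on any sign-in by that account.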

The five pillars (CISA model), at zero budget
  • Identity: MFA, Conditional Access, least privilege
  • Devices: compliance and management with Intune
  • Networks: no "inside the network = trusted"
  • Applications: per-application access, not per-network
  • Data: classification and encryption (Purview, BitLocker)
The five pillars of the CISA model, and the M365 tools that cover them at no extra cost.

The mistakes to avoid

Three, in particular. First: treating it as a product - there is no "the" Zero Trust product, there is the discipline of always verifying. Second: not blocking legacy authentication - if you leave the old protocols open, the attacker simply bypasses MFA and everything else is pointless. Third: trying to do everything at once - CISA's maturity model goes from "traditional" to "optimal" in steps; start with identity, the highest-impact pillar, and build from there.

A checklist to start

  • MFA for everyone, ideally phishing-resistant (passkeys), no exceptions.
  • Block legacy authentication - it is the prerequisite for MFA to actually count.
  • Conditional Access: compliant devices, geographic blocking, risk-based policies (the last needs Entra ID P2); roll each out in report-only mode first, with a break-glass account excluded.
  • Shorter sessions on sensitive applications, bound to compliant devices.
  • Least privilege: review who is an administrator and why.
  • Start with identity, then extend to devices, apps and data in steps.

The takeaway

Zero Trust is not a budget line, it is a strategy - and for most SMEs the tools to enact it are already paid for, sitting unused in the M365 tenant. The gap is not financial, it is configuration and discipline. There is no need to wait for the next investment: MFA for everyone and blocking legacy authentication can be turned on this week, and on their own they shift the balance more than any product you could buy.
