CA-09: Implementing Zero Trust Network Access
Overview
This guide walks you through implementing a Zero Trust access model using Conditional Access policies. Zero Trust operates on the principle of "never trust, always verify" - every access request is fully authenticated, authorized, and encrypted regardless of where it originates.
- Control ID: CA-09
- Category: Conditional Access
- Severity: Critical
- License Required: Microsoft Entra ID P2 + Microsoft Intune (included in Microsoft 365 E5)
Why This Matters
Traditional perimeter-based security assumes everything inside the corporate network is trusted. Zero Trust eliminates this assumption:
- No implicit trust - Every sign-in is verified regardless of network location
- Device verification - Only compliant, healthy devices access resources
- Continuous validation - Access is re-evaluated continuously, not just at login
- Least privilege - Users get minimum access needed for their task
- Assume breach - Architecture assumes attackers are already inside
This is a Level 3 (Maximum Security) control that represents the most comprehensive access protection.
Prerequisites
Required Roles
You need the following roles:
For Conditional Access:
- Conditional Access Administrator or Global Administrator
For Intune:
- Intune Administrator or Global Administrator
For Identity Protection:
- Security Administrator or Global Administrator
Required Licenses
- Microsoft Entra ID P2
- Microsoft Intune
- Microsoft Defender for Endpoint (recommended)
- Included in: Microsoft 365 E5
Pre-Configuration Requirements
Before implementing Zero Trust:
- Intune device enrollment - Devices must be managed
- Compliance policies - Define what makes a device compliant
- Identity Protection - Enable risk-based policies
- MFA registered - All users have MFA methods
- Emergency access accounts - Break-glass accounts configured
Time Estimate
| Task | Duration |
|---|---|
| Compliance policy creation | 1-2 hours |
| Named locations configuration | 30 minutes |
| Core Zero Trust policies | 2-3 hours |
| Risk-based policies | 1 hour |
| Testing and validation | 1-2 days |
| Rollout planning | 1-2 weeks |
| Total | 2-3 weeks for full implementation |
Zero Trust Architecture Components
Zero Trust in Microsoft 365 consists of multiple integrated controls:
+------------------+
| User Identity |
| (MFA, Risk-based)|
+--------+---------+
|
+--------v---------+
| Device Health |
| (Compliance, MDM)|
+--------+---------+
|
+--------v---------+
| Network Location |
| (Named Locations)|
+--------+---------+
|
+--------v---------+
| Application Risk |
| (App policies) |
+--------+---------+
|
+--------v---------+
| Session Controls |
| (CAE, Monitoring)|
+--------+---------+
|
+--------v---------+
| GRANT ACCESS |
+------------------+
Step-by-Step Instructions
Part 1: Configure Device Compliance Policies
Device compliance is foundational to Zero Trust.
Step 1: Navigate to Intune Compliance
- Sign in to Microsoft Intune admin center
- Select Devices > Compliance
- Click + Create policy
Step 2: Create Windows Compliance Policy
- Platform: Windows 10 and later
- Name:
Zero Trust - Windows Compliance
Device Health:
| Setting | Value |
|---|---|
| Require BitLocker | Require |
| Require Secure Boot | Require |
| Require code integrity | Require |
| Require Device Threat Level | Secured (if using Defender for Endpoint) |
Device Properties:
| Setting | Value |
|---|---|
| Minimum OS version | 10.0.19041 (or current minimum) |
System Security:
| Setting | Value |
|---|---|
| Require password | Yes |
| Minimum password length | 12 |
| Password expiration (days) | 365 |
| Firewall | Require |
| TPM | Require |
| Antivirus | Require |
| Antispyware | Require |
| Real-time protection | Require |
- Assign to All devices or appropriate groups
Step 3: Create iOS/iPadOS Compliance Policy
- Platform: iOS/iPadOS
- Name:
Zero Trust - iOS Compliance
Device Health:
| Setting | Value |
|---|---|
| Jailbroken devices | Block |
| Device Threat Level | Secured |
Device Properties:
| Setting | Value |
|---|---|
| Minimum OS version | 15.0 |
System Security:
| Setting | Value |
|---|---|
| Require passcode | Yes |
| Minimum passcode length | 6 |
| Simple passcodes | Block |
- Assign to All devices
Step 4: Create Android Compliance Policy
- Platform: Android Enterprise
- Name:
Zero Trust - Android Compliance
Device Health:
| Setting | Value |
|---|---|
| Rooted devices | Block |
| SafetyNet attestation | Basic integrity and certified devices |
| Device Threat Level | Secured |
System Security:
| Setting | Value |
|---|---|
| Require password | Yes |
| Minimum password length | 6 |
| Encryption | Require |
- Assign to All devices
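As an added illustration (not Intune's own evaluation logic, which runs in the service), the script below encodes the Windows compliance table as rules and reports which settings a constructed sample device fails, which is the question you end up asking when a device that "should" be compliant is blocked. The device field names such as `bitlocker` and `os_version` are this example's own assumptions. The one real caveat it demonstrates is that the minimum OS version must be compared numerically: as a string, 10.0.9 sorts above 10.0.19041 and would wrongly pass.

```python
# Added example: mirrors the Windows compliance table so you can see which
# setting a device fails. Intune performs the real evaluation in the service;
# the field names on the device record are this example's own.

MIN_OS = "10.0.19041"          # Minimum OS version from the table
MIN_PASSWORD_LENGTH = 12
MAX_PASSWORD_AGE_DAYS = 365

# Boolean settings that must be True, keyed by the (assumed) device field name.
REQUIRED_TRUE = {
    "bitlocker": "Require BitLocker",
    "secure_boot": "Require Secure Boot",
    "code_integrity": "Require code integrity",
    "password_required": "Require password",
    "firewall": "Firewall",
    "tpm": "TPM",
    "antivirus": "Antivirus",
    "antispyware": "Antispyware",
    "real_time_protection": "Real-time protection",
}


def parse_version(version):
    """'10.0.19041' -> (10, 0, 19041). Compare numerically: as strings,
    '10.0.9' sorts above '10.0.19041' and would wrongly pass the check."""
    return tuple(int(part) for part in version.split("."))


def evaluate_windows(device):
    """Return the names of failed settings; an empty list means compliant."""
    failures = []
    for field, label in REQUIRED_TRUE.items():
        if not device.get(field, False):          # missing counts as failed
            failures.append(label)
    if parse_version(device.get("os_version", "0")) < parse_version(MIN_OS):
        failures.append("Minimum OS version")
    if device.get("password_min_length", 0) < MIN_PASSWORD_LENGTH:
        failures.append("Minimum password length")
    if device.get("password_expiration_days", MAX_PASSWORD_AGE_DAYS + 1) > MAX_PASSWORD_AGE_DAYS:
        failures.append("Password expiration (days)")
    if device.get("threat_level") != "secured":   # Defender for Endpoint threat level
        failures.append("Require Device Threat Level")
    return failures


def is_compliant(device):
    return not evaluate_windows(device)


# Constructed sample device records (not real telemetry).
HEALTHY = {
    "bitlocker": True, "secure_boot": True, "code_integrity": True,
    "password_required": True, "firewall": True, "tpm": True,
    "antivirus": True, "antispyware": True, "real_time_protection": True,
    "os_version": "10.0.22631", "password_min_length": 14,
    "password_expiration_days": 180, "threat_level": "secured",
}
# Same device with BitLocker off and an OS build that only "looks" newer as a string.
STALE = dict(HEALTHY, bitlocker=False, os_version="10.0.9")

if __name__ == "__main__":
    for name, dev in (("HEALTHY", HEALTHY), ("STALE", STALE)):
        verdict = "compliant" if is_compliant(dev) else "FAILS: " + ", ".join(evaluate_windows(dev))
        print(name, verdict)
```

Run it and the STALE record reports both failed settings; a missing field is treated as a failure on purpose, because an unreported setting is what you see for a device that has not synced recently.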
Part 2: Configure Named Locations
Define trusted and untrusted network locations.
Step 1: Create Trusted Corporate Locations
- Navigate to Entra admin center > Protection > Conditional Access > Named locations
- Click + IP ranges location
- Name:
Corporate Networks
- Check Mark as trusted location
- Add your corporate IP ranges:
- Office public IPs
- VPN exit points
- Data center IPs
- Click Create
Step 2: Create High-Risk Country Location
- Click + Countries/Regions location
- Name:
High-Risk Countries
- Select the countries to block (see CA-08)
- Click Create
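The two named locations can also be created through Microsoft Graph (`POST /identity/conditionalAccess/namedLocations`). The script below is an added example, not code from this guide or from Microsoft: it builds both payloads and first sanity-checks the trusted ranges, because a trusted location that contains private address space (which is never the public egress address a sign-in arrives from) or a very wide prefix quietly exempts far more sign-ins from the MFA policy in Part 3 than intended. The CIDRs and country codes are constructed placeholders, and `check_trusted_ranges` and the other function names are this example's own.

```python
# Added example: Graph namedLocation payloads for Part 2, with a check on the
# ranges before anything is marked as trusted. Sample values are placeholders.
import ipaddress

CORPORATE_RANGES = ["203.0.113.0/24", "198.51.100.10/32"]   # constructed; use your real egress IPs
HIGH_RISK_COUNTRIES = ["xx", "yy"]                           # placeholder ISO 3166-1 alpha-2 codes (see CA-08)

# Address space that cannot be a public egress address; trusting it is a misconfiguration.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]
MAX_TRUSTED_ADDRESSES = 65536   # a /16; anything wider deserves a second look


def check_trusted_ranges(cidrs):
    """Return a list of problems; an empty list means the ranges are acceptable."""
    problems = []
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero
        except ValueError as err:
            problems.append(f"{cidr}: not a valid CIDR ({err})")
            continue
        clash = next((n for n in NON_ROUTABLE if n.version == net.version and net.overlaps(n)), None)
        if clash is not None:
            problems.append(f"{cidr}: overlaps non-routable space {clash}")
        elif net.num_addresses > MAX_TRUSTED_ADDRESSES:
            problems.append(f"{cidr}: wider than a /16, review before trusting")
    return problems


def ip_named_location(name, cidrs, trusted=True):
    """Payload for an ipNamedLocation; refuses to build a trusted one from bad ranges."""
    problems = check_trusted_ranges(cidrs)
    if trusted and problems:
        raise ValueError("; ".join(problems))
    ranges = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)
        kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
        ranges.append({"@odata.type": f"#microsoft.graph.{kind}", "cidrAddress": str(net)})
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": name,
        "isTrusted": trusted,           # the "Mark as trusted location" checkbox
        "ipRanges": ranges,
    }


def country_named_location(name, codes, include_unknown=True):
    """Payload for a countryNamedLocation; unknown-country sign-ins are included by default
    so that a request whose country cannot be resolved does not slip past the block."""
    return {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": name,
        "countriesAndRegions": [c.upper() for c in codes],
        "includeUnknownCountriesAndRegions": include_unknown,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(ip_named_location("Corporate Networks", CORPORATE_RANGES), indent=2))
    print(json.dumps(country_named_location("High-Risk Countries", HIGH_RISK_COUNTRIES), indent=2))
```

Each payload is what you would POST to the endpoint above with an authenticated Graph client; the `id` in the response is what the Conditional Access policies in Part 3 reference in their location conditions.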
Part 3: Create Core Zero Trust Policies
Create the Conditional Access policies that enforce Zero Trust.
Policy 1: Require Compliant Device for All Access
- Navigate to Conditional Access > Policies
- Click + New policy
- Name:
Zero Trust - Require Compliant Device
Users:
- Include: All users
- Exclude: Emergency access accounts
Cloud Apps:
- Include: All cloud apps
Conditions:
- Leave unconfigured (applies everywhere)
Grant:
- Grant access
- Require device to be marked as compliant
- For multiple controls: Require all selected
Session:
- Leave unconfigured
Enable: Start with Report-only, then On
Policy 2: Block Access from Untrusted Locations
- Create new policy
- Name:
Zero Trust - Block High-Risk Countries
Users:
- Include: All users
- Exclude: Emergency access accounts
Cloud Apps:
- Include: All cloud apps
Conditions:
- Locations: Include High-Risk Countries
Grant:
- Block access
Enable: On
Policy 3: Require MFA for Non-Trusted Networks
- Create new policy
- Name:
Zero Trust - MFA Outside Corporate Network
Users:
- Include: All users
- Exclude: Emergency access accounts
Cloud Apps:
- Include: All cloud apps
Conditions:
- Locations:
- Include: All locations
- Exclude: Corporate Networks (trusted location)
Grant:
- Grant access
- Require multifactor authentication
Enable: On
Policy 4: Enhanced Protection for Admin Roles
- Create new policy
- Name:
Zero Trust - Admin Enhanced Protection
Users:
- Include: Directory roles (all admin roles)
- Exclude: Emergency access accounts
Cloud Apps:
- Include: All cloud apps
Grant:
- Grant access
- Require multifactor authentication
- Require device to be marked as compliant
- For multiple controls: Require all selected
Session:
- Sign-in frequency: 4 hours
- Persistent browser session: Never persistent
Enable: On
Part 4: Enable Risk-Based Policies
Add dynamic risk-based protection.
Sign-In Risk Policy
- Create new policy
- Name:
Zero Trust - Sign-In Risk
Users:
- Include: All users
- Exclude: Emergency access accounts
Cloud Apps:
- Include: All cloud apps
Conditions:
- Sign-in risk: High, Medium
Grant:
- Grant access
- Require multifactor authentication
Enable: On
User Risk Policy
- Create new policy
- Name:
Zero Trust - User Risk
Users:
- Include: All users
- Exclude: Emergency access accounts
Cloud Apps:
- Include: All cloud apps
Conditions:
- User risk: High
Grant:
- Grant access
- Require password change
- Require multifactor authentication
- For multiple controls: Require all selected
Enable: On
Part 5: Enable Continuous Access Evaluation
Ensure sessions are validated continuously.
Configure CAE
- Navigate to Conditional Access > Policies
- Create or edit a policy
- Under Session, check Customize continuous access evaluation
- Select Strictly enforce location policies
Strict Location Enforcement:
- Disables resilience defaults
- Location changes immediately revoke access
- Critical events cause immediate token revocation
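The six policies in Parts 3 to 5 can be expressed as Microsoft Graph `conditionalAccessPolicy` objects and created with `POST /identity/conditionalAccess/policies`, which is how you keep them reviewable and reproducible across tenants. The builder below is an added example, not the guide's or Microsoft's code. It assumes placeholder values for the break-glass account object IDs, the named-location IDs returned in Part 2 and the admin role template IDs, and it deliberately creates the compliant-device policy in report-only state, as Part 3 advises, while the others start enabled. The CAE session control on the admin policy uses the `strictLocation` mode value from the Graph schema for the "Strictly enforce location policies" option described in Part 5.

```python
# Added example: Graph conditionalAccessPolicy payloads for the policies in
# Parts 3-5. All IDs below are placeholders you replace with your tenant's values.
import json

EMERGENCY_ACCOUNTS = ["<break-glass-account-object-id>"]   # placeholder object IDs
CORPORATE_LOCATION_ID = "<corporate-networks-named-location-id>"   # placeholder (from Part 2)
HIGH_RISK_LOCATION_ID = "<high-risk-countries-named-location-id>"  # placeholder (from Part 2)
ADMIN_ROLE_TEMPLATE_IDS = ["<directory-role-template-id>"]   # placeholder; one per admin role

REPORT_ONLY = "enabledForReportingButNotEnforced"


def base_policy(name, state=REPORT_ONLY):
    """All users (minus break-glass), all cloud apps, 'Require all selected'."""
    return {
        "displayName": name,
        "state": state,     # enabledForReportingButNotEnforced | enabled | disabled
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(EMERGENCY_ACCOUNTS)},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "AND", "builtInControls": []},
    }


def grant(policy, *controls):
    policy["grantControls"]["builtInControls"] = list(controls)
    return policy


def require_compliant_device():
    # Policy 1: starts in report-only so its impact can be measured first.
    return grant(base_policy("Zero Trust - Require Compliant Device"), "compliantDevice")


def block_high_risk_countries():
    # Policy 2: a block policy carries the single "block" control.
    p = base_policy("Zero Trust - Block High-Risk Countries", state="enabled")
    p["conditions"]["locations"] = {"includeLocations": [HIGH_RISK_LOCATION_ID]}
    p["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return p


def mfa_outside_corporate():
    # Policy 3: "AllTrusted" would exclude every trusted location; the guide excludes one.
    p = base_policy("Zero Trust - MFA Outside Corporate Network", state="enabled")
    p["conditions"]["locations"] = {"includeLocations": ["All"],
                                    "excludeLocations": [CORPORATE_LOCATION_ID]}
    return grant(p, "mfa")


def admin_enhanced_protection():
    # Policy 4, plus the Part 5 CAE session control.
    p = base_policy("Zero Trust - Admin Enhanced Protection", state="enabled")
    p["conditions"]["users"] = {"includeRoles": list(ADMIN_ROLE_TEMPLATE_IDS),
                                "excludeUsers": list(EMERGENCY_ACCOUNTS)}
    p["sessionControls"] = {
        "signInFrequency": {"isEnabled": True, "type": "hours", "value": 4},
        "persistentBrowser": {"isEnabled": True, "mode": "never"},
        "continuousAccessEvaluation": {"mode": "strictLocation"},
    }
    return grant(p, "mfa", "compliantDevice")


def sign_in_risk():
    p = base_policy("Zero Trust - Sign-In Risk", state="enabled")
    p["conditions"]["signInRiskLevels"] = ["high", "medium"]
    return grant(p, "mfa")


def user_risk():
    # passwordChange is only accepted together with mfa and operator AND.
    p = base_policy("Zero Trust - User Risk", state="enabled")
    p["conditions"]["userRiskLevels"] = ["high"]
    return grant(p, "passwordChange", "mfa")


def all_policies():
    return [require_compliant_device(), block_high_risk_countries(), mfa_outside_corporate(),
            admin_enhanced_protection(), sign_in_risk(), user_risk()]


if __name__ == "__main__":
    print(json.dumps(all_policies(), indent=2))
```

Because every payload comes from `base_policy`, the break-glass exclusion cannot be forgotten on an individual policy, which is the single most common way a Zero Trust rollout locks administrators out.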
Policy Interaction and Priority
Zero Trust policies work together. Conditional Access does not evaluate them in a fixed order: every enabled policy whose conditions match is applied, the grant controls of all matching policies are combined, and a block in any matching policy wins. The flow below presents that combined result as a sequence of questions:
Request comes in:
|
v
Is user from blocked country? --Yes--> BLOCK
|No
v
Is device compliant? --No--> BLOCK (or require enrollment)
|Yes
v
Is sign-in risky? --Yes--> Require MFA
|No
v
Is user risky? --Yes--> Require password change + MFA
|No
v
Is access from corporate network? --No--> Require MFA
|Yes
v
Is user an admin? --Yes--> Require MFA + compliant device + session limits
|No
v
GRANT ACCESS
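The flow above is easiest to reason about when you can run requests through it. The following simulator is an added example, not Microsoft's evaluation engine: it encodes the six policies from this guide as (condition, controls) pairs and applies them the way Conditional Access does, as a union of all matching policies' controls with block taking precedence, so you can see that an admin with a medium-risk sign-in gets one MFA prompt rather than three, and that a non-compliant device fails regardless of network. The `Request` fields and the request records are constructed for the example.

```python
# Added example, not Microsoft's evaluation engine. Conditional Access has no
# policy order: every enabled policy whose conditions match applies, the
# request must satisfy the controls of all of them, and a block in any
# matching policy wins. The requests below are constructed.
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    is_admin: bool = False
    is_emergency_account: bool = False   # excluded from every policy
    device_compliant: bool = False
    from_high_risk_country: bool = False
    from_corporate_network: bool = False
    sign_in_risk: str = "none"           # none | low | medium | high
    user_risk: str = "none"


# (policy name, condition, grant controls it demands), from the summary table.
POLICIES = [
    ("Require Compliant Device", lambda r: True, {"compliantDevice"}),
    ("Block High-Risk Countries", lambda r: r.from_high_risk_country, {"block"}),
    ("MFA Outside Corporate Network", lambda r: not r.from_corporate_network, {"mfa"}),
    ("Admin Enhanced Protection", lambda r: r.is_admin,
     {"mfa", "compliantDevice", "signInFrequency4h"}),
    ("Sign-In Risk", lambda r: r.sign_in_risk in ("medium", "high"), {"mfa"}),
    ("User Risk", lambda r: r.user_risk == "high", {"passwordChange", "mfa"}),
]


def matching_policies(req):
    """Names of all policies whose conditions the request satisfies."""
    if req.is_emergency_account:
        return []
    return [name for name, applies, _ in POLICIES if applies(req)]


def decide(req):
    """('block', reasons) or ('grant', sorted controls the user must satisfy).
    Controls are a union, so one MFA prompt satisfies every policy asking for it."""
    matched = matching_policies(req)
    required, blockers = set(), []
    for name, _, controls in POLICIES:
        if name in matched:
            required |= controls
            if "block" in controls:
                blockers.append(name)
    if blockers:
        return "block", blockers
    if "compliantDevice" in required and not req.device_compliant:
        # A device property cannot be satisfied interactively: the sign-in fails.
        return "block", ["compliantDevice"]
    return "grant", sorted(required)


if __name__ == "__main__":
    samples = [
        Request("alice", device_compliant=True, from_corporate_network=True),
        Request("admin-bob", is_admin=True, device_compliant=True, sign_in_risk="medium"),
        Request("carol", device_compliant=True, from_high_risk_country=True),
        Request("dave", from_corporate_network=True),
        Request("breakglass", is_emergency_account=True, from_high_risk_country=True),
    ]
    for r in samples:
        print(f"{r.user:10} {decide(r)}")
```

The last sample is the reason the exclusion matters: the break-glass account is still reachable from anywhere, which is exactly why those accounts need their own monitoring and strong credentials rather than policy coverage.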
Verification Checklist
After implementing Zero Trust, verify each component:
Device Compliance Verification
- Windows compliance policy is assigned and devices are evaluated
- iOS compliance policy is assigned
- Android compliance policy is assigned
- Non-compliant devices are blocked from accessing resources
Named Locations Verification
- Corporate networks named location contains correct IPs
- High-risk countries named location contains blocked countries
- Trusted location is marked as trusted
Conditional Access Policy Verification
For each policy:
- Policy is enabled (not Report-only after testing)
- Correct users/groups are targeted
- Correct cloud apps are targeted
- Grant controls are correctly configured
- Emergency access accounts are excluded
Risk-Based Policy Verification
- Sign-in risk policy is enabled
- User risk policy is enabled
- Test risky sign-in detection works (use What If tool)
CAE Verification
- CAE is enabled for policies
- Strict location enforcement is enabled for admin policies
- Test token revocation on critical events
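The policy part of this checklist can be automated against an export of your policies (the shape returned by `GET /identity/conditionalAccess/policies`). The auditor below is an added example, not Microsoft tooling: it flags policies left in report-only state, a missing break-glass exclusion, a narrower app scope than "All cloud apps", and multiple grant controls that are not combined with "Require all selected", which is the mistake that turns "MFA and compliant device" into "MFA or compliant device". The break-glass object ID is a placeholder and the two policy records are constructed samples, one clean and one with findings.

```python
# Added example: audit exported Conditional Access policies against the
# verification checklist. Input shape matches Graph's conditionalAccessPolicy;
# the sample policies and the break-glass ID are constructed placeholders.

EMERGENCY_ACCOUNTS = {"<break-glass-account-object-id>"}   # placeholder object IDs

SAMPLE_POLICIES = [
    {   # clean: matches Policy 1 after the report-only phase
        "displayName": "Zero Trust - Require Compliant Device", "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"],
                                 "excludeUsers": ["<break-glass-account-object-id>"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]},
    },
    {   # three findings: report-only, no break-glass exclusion, OR instead of AND
        "displayName": "Zero Trust - User Risk", "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                       "applications": {"includeApplications": ["All"]},
                       "userRiskLevels": ["high"]},
        "grantControls": {"operator": "OR", "builtInControls": ["passwordChange", "mfa"]},
    },
]


def audit_policy(policy):
    """Return a list of findings for one policy; an empty list means it passes."""
    findings = []
    conditions = policy.get("conditions", {})
    users = conditions.get("users", {})
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])

    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')}, not enabled")
    if not EMERGENCY_ACCOUNTS <= set(users.get("excludeUsers", [])):
        findings.append("emergency access accounts not excluded")
    if (users.get("includeUsers") != ["All"] and not users.get("includeGroups")
            and not users.get("includeRoles")):
        findings.append("no users, groups or roles targeted")
    if conditions.get("applications", {}).get("includeApplications") != ["All"]:
        findings.append("not scoped to All cloud apps")
    if not controls:
        findings.append("no grant control configured")
    if len(controls) > 1 and grant.get("operator") != "AND":
        findings.append("multiple controls but operator is not 'Require all selected' (AND)")
    if "passwordChange" in controls and "mfa" not in controls:
        findings.append("passwordChange must be combined with mfa in the same policy")
    return findings


def audit(policies):
    """Map each policy's displayName to its findings."""
    return {p["displayName"]: audit_policy(p) for p in policies}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_POLICIES).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Run this after each rollout phase; a policy that is intentionally still report-only will show up, which is the point, since the checklist asks you to confirm nothing was left that way by accident.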
Troubleshooting
Compliant Devices Being Blocked
Symptom: Devices that should be compliant are blocked.
Solutions:
- Check device compliance status in Intune
- Verify compliance policy requirements
- Check if device recently synced with Intune
- Review Intune compliance evaluation logs
Non-Compliant Devices Not Blocked
Symptom: Non-compliant devices can still access resources.
Solutions:
- Verify policy is enabled (not Report-only)
- Check if device is excluded via group membership
- Verify Intune MDM authority is configured
- Check compliance policy assignment
Legitimate Access Blocked
Symptom: Users with compliant devices from trusted networks are blocked.
Solutions:
- Use the "What If" tool to diagnose
- Review all policies for conflicts
- Check named location IP ranges
- Verify user is not in blocked groups
Risk Detection Not Working
Symptom: Risky sign-ins are not triggering policies.
Solutions:
- Verify Entra ID P2 licenses are assigned
- Check Identity Protection dashboard for detections
- Allow time for evaluation to complete; risk evaluation can take 5-10 minutes
- Verify risk condition is configured correctly
Session Revocation Not Immediate
Symptom: Disabled users can still access resources.
Solutions:
- CAE reduces but doesn't eliminate the window
- Standard tokens have up to 1-hour lifetime
- Some apps may not support CAE
- Force sign-out via Entra admin center
Policy Configuration Summary
Core Zero Trust Policies
| Policy | Users | Apps | Conditions | Grant | Session |
|---|---|---|---|---|---|
| Require Compliant Device | All (excl. BG) | All | None | Compliant device | None |
| Block High-Risk Countries | All (excl. BG) | All | High-risk locations | Block | None |
| MFA Outside Corporate | All (excl. BG) | All | Non-trusted locations | MFA | None |
| Admin Enhanced | Admin roles | All | None | MFA + Compliant | 4hr sign-in |
| Sign-In Risk | All (excl. BG) | All | Medium/High risk | MFA | None |
| User Risk | All (excl. BG) | All | High user risk | Password + MFA | None |
BG = Break-glass/emergency access accounts
Rollout Strategy
Phase 1: Foundation (Week 1-2)
- Deploy compliance policies to pilot group
- Create named locations
- Enable core policies in Report-only mode
- Monitor sign-in logs for impact
Phase 2: Pilot (Week 3-4)
- Enable policies for pilot group
- Monitor for issues
- Adjust policies based on feedback
- Document exceptions and edge cases
Phase 3: Broad Deployment (Week 5-6)
- Extend compliance policies to all devices
- Enable policies for larger groups
- Continue monitoring
- Communicate changes to users
Phase 4: Full Enforcement (Week 7+)
- Enable all policies for all users
- Remove Report-only status
- Establish ongoing monitoring
- Document final configuration
Related Controls
- CA-01: Require MFA for All Users (baseline MFA)
- CA-03: Sign-In Risk Policy (risk-based protection)
- CA-04: User Risk Policy (credential compromise protection)
- CA-06: Privileged Access Workstation Policy (admin device restriction)
- CA-08: Block High-Risk Countries (geographic restriction)
- DV-01: Device Compliance for Admins (admin-specific device requirements)
- PA-07: Continuous Access Evaluation (token protection)