CA-09: Implementing Zero Trust Network Access

Overview

This guide walks you through implementing a Zero Trust access model using Conditional Access policies. Zero Trust operates on the principle of "never trust, always verify" - every access request is fully authenticated, authorized, and encrypted regardless of where it originates.

Control ID: CA-09
Category: Conditional Access
Severity: Critical
License Required: Microsoft Entra ID P2 + Microsoft Intune (included in Microsoft 365 E5)

Why This Matters

Traditional perimeter-based security assumes everything inside the corporate network is trusted. Zero Trust eliminates this assumption:

  • No implicit trust - Every sign-in is verified regardless of network location
  • Device verification - Only compliant, healthy devices access resources
  • Continuous validation - Access is re-evaluated continuously, not just at login
  • Least privilege - Users get minimum access needed for their task
  • Assume breach - Architecture assumes attackers are already inside

This is a Level 3 (Maximum Security) control that represents the most comprehensive access protection.


Prerequisites

Required Roles

You need the following roles:

For Conditional Access:

  • Conditional Access Administrator or Global Administrator

For Intune:

  • Intune Administrator or Global Administrator

For Identity Protection:

  • Security Administrator or Global Administrator

Required Licenses

  • Microsoft Entra ID P2
  • Microsoft Intune
  • Microsoft Defender for Endpoint (recommended)
  • Included in: Microsoft 365 E5

Pre-Configuration Requirements

Before implementing Zero Trust:

  1. Intune device enrollment - Devices must be managed
  2. Compliance policies - Define what makes a device compliant
  3. Identity Protection - Enable risk-based policies
  4. MFA registered - All users have MFA methods
  5. Emergency access accounts - Break-glass accounts configured

Time Estimate

Task                           Duration
Compliance policy creation     1-2 hours
Named locations configuration  30 minutes
Core Zero Trust policies       2-3 hours
Risk-based policies            1 hour
Testing and validation         1-2 days
Rollout planning               1-2 weeks
Total                          2-3 weeks for full implementation

Zero Trust Architecture Components

Zero Trust in Microsoft 365 consists of multiple integrated controls:

                    +------------------+
                    |  User Identity   |
                    | (MFA, Risk-based)|
                    +--------+---------+
                             |
                    +--------v---------+
                    |  Device Health   |
                    | (Compliance, MDM)|
                    +--------+---------+
                             |
                    +--------v---------+
                    | Network Location |
                    | (Named Locations)|
                    +--------+---------+
                             |
                    +--------v---------+
                    | Application Risk |
                    |  (App policies)  |
                    +--------+---------+
                             |
                    +--------v---------+
                    | Session Controls |
                    | (CAE, Monitoring)|
                    +--------+---------+
                             |
                    +--------v---------+
                    |   GRANT ACCESS   |
                    +------------------+

Step-by-Step Instructions

Part 1: Configure Device Compliance Policies

Device compliance is foundational to Zero Trust.

Step 1: Navigate to Intune Compliance

  1. Sign in to Microsoft Intune admin center
  2. Select Devices > Compliance
  3. Click + Create policy

Step 2: Create Windows Compliance Policy

  1. Platform: Windows 10 and later
  2. Name: Zero Trust - Windows Compliance

Device Health:

Setting                       Value
Require BitLocker             Require
Require Secure Boot           Require
Require code integrity        Require
Require Device Threat Level   Secured (if using Defender for Endpoint)

Device Properties:

Setting                       Value
Minimum OS version            10.0.19041 (or current minimum)

System Security:

Setting                       Value
Require password              Yes
Minimum password length       12
Password expiration (days)    365
Firewall                      Require
TPM                           Require
Antivirus                     Require
Antispyware                   Require
Real-time protection          Require

  3. Assign to All devices or appropriate groups

Step 3: Create iOS/iPadOS Compliance Policy

  1. Platform: iOS/iPadOS
  2. Name: Zero Trust - iOS Compliance

Device Health:

Setting                       Value
Jailbroken devices            Block
Device Threat Level           Secured

Device Properties:

Setting                       Value
Minimum OS version            15.0

System Security:

Setting                       Value
Require passcode              Yes
Minimum passcode length       6
Simple passcodes              Block

  3. Assign to All devices

Step 4: Create Android Compliance Policy

  1. Platform: Android Enterprise
  2. Name: Zero Trust - Android Compliance

Device Health:

Setting                       Value
Rooted devices                Block
SafetyNet attestation         Basic integrity and certified devices
Device Threat Level           Secured

System Security:

Setting                       Value
Require password              Yes
Minimum password length       6
Encryption                    Require

  3. Assign to All devices

Part 2: Configure Named Locations

Define trusted and untrusted network locations.

Step 1: Create Trusted Corporate Locations

  1. Navigate to Entra admin center > Protection > Conditional Access > Named locations
  2. Click + IP ranges location
  3. Name: Corporate Networks
  4. Check Mark as trusted location
  5. Add your corporate IP ranges:
    • Office public IPs
    • VPN exit points
    • Data center IPs
  6. Click Create

Step 2: Create High-Risk Country Location

  1. Click + Countries/Regions location
  2. Name: High-Risk Countries
  3. Select blocked countries (see CA-08)
  4. Click Create

Part 3: Create Core Zero Trust Policies

Create the Conditional Access policies that enforce Zero Trust.

Policy 1: Require Compliant Device for All Access

  1. Navigate to Conditional Access > Policies
  2. Click + New policy
  3. Name: Zero Trust - Require Compliant Device

Users:

  • Include: All users
  • Exclude: Emergency access accounts

Cloud Apps:

  • Include: All cloud apps

Conditions:

  • Leave unconfigured (applies everywhere)

Grant:

  • Grant access
  • Require device to be marked as compliant
  • For multiple controls: Require all selected

Session:

  • Leave unconfigured

Enable: Start with Report-only, then On

Policy 2: Block Access from Untrusted Locations

  1. Create new policy
  2. Name: Zero Trust - Block High-Risk Countries

Users:

  • Include: All users
  • Exclude: Emergency access accounts

Cloud Apps:

  • Include: All cloud apps

Conditions:

  • Locations: Include High-Risk Countries

Grant:

  • Block access

Enable: On

Policy 3: Require MFA for Non-Trusted Networks

  1. Create new policy
  2. Name: Zero Trust - MFA Outside Corporate Network

Users:

  • Include: All users
  • Exclude: Emergency access accounts

Cloud Apps:

  • Include: All cloud apps

Conditions:

  • Locations:
    • Include: All locations
    • Exclude: Corporate Networks (trusted location)

Grant:

  • Grant access
  • Require multifactor authentication

Enable: On

Policy 4: Enhanced Protection for Admin Roles

  1. Create new policy
  2. Name: Zero Trust - Admin Enhanced Protection

Users:

  • Include: Directory roles (all admin roles)
  • Exclude: Emergency access accounts

Cloud Apps:

  • Include: All cloud apps

Grant:

  • Grant access
  • Require multifactor authentication
  • Require device to be marked as compliant
  • For multiple controls: Require all selected

Session:

  • Sign-in frequency: 4 hours
  • Persistent browser session: Never persistent

Enable: On


Part 4: Enable Risk-Based Policies

Add dynamic risk-based protection.

Sign-In Risk Policy

  1. Create new policy
  2. Name: Zero Trust - Sign-In Risk

Users:

  • Include: All users
  • Exclude: Emergency access accounts

Cloud Apps:

  • Include: All cloud apps

Conditions:

  • Sign-in risk: High, Medium

Grant:

  • Grant access
  • Require multifactor authentication

Enable: On

User Risk Policy

  1. Create new policy
  2. Name: Zero Trust - User Risk

Users:

  • Include: All users
  • Exclude: Emergency access accounts

Cloud Apps:

  • Include: All cloud apps

Conditions:

  • User risk: High

Grant:

  • Grant access
  • Require password change
  • Require multifactor authentication
  • For multiple controls: Require all selected

Enable: On


Part 5: Enable Continuous Access Evaluation

Ensure sessions are validated continuously.

Configure CAE

  1. Navigate to Conditional Access > Policies
  2. Create or edit a policy
  3. Under Session, check Customize continuous access evaluation
  4. Select Strictly enforce location policies

Strict Location Enforcement:

  • Disables resilience defaults
  • Location changes immediately revoke access
  • Critical events cause immediate token revocation

Policy Interaction and Priority

Zero Trust policies work together. Here's how they interact:

Request comes in:
    |
    v
Is user from blocked country? --Yes--> BLOCK
    |No
    v
Is device compliant? --No--> BLOCK (or require enrollment)
    |Yes
    v
Is sign-in risky? --Yes--> Require MFA
    |No
    v
Is user risky? --Yes--> Require password change + MFA
    |No
    v
Is access from corporate network? --No--> Require MFA
    |Yes
    v
Is user an admin? --Yes--> Require MFA + compliant device + session limits
    |No
    v
GRANT ACCESS
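The flowchart above reads as a sequence, but Conditional Access evaluates every policy whose conditions match and combines the results: any matching Block policy wins, otherwise the grant controls of all matching policies are required together. The following evaluator is an added example (not part of this guide) that models the six policies of Parts 3 and 4 with that combination rule; the SignIn signals and control names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed model of the signals a sign-in carries into policy evaluation.
@dataclass
class SignIn:
    is_admin: bool = False
    is_break_glass: bool = False
    device_compliant: bool = True
    country_high_risk: bool = False
    from_corporate_network: bool = True
    sign_in_risk: str = "none"   # none | low | medium | high
    user_risk: str = "none"      # none | low | medium | high

# The six policies of this guide: (name, applies-to test, controls required).
# "block" is a control: a matching block policy wins over every grant.
POLICIES = [
    ("Require Compliant Device", lambda s: True, {"compliantDevice"}),
    ("Block High-Risk Countries", lambda s: s.country_high_risk, {"block"}),
    ("MFA Outside Corporate", lambda s: not s.from_corporate_network, {"mfa"}),
    ("Admin Enhanced", lambda s: s.is_admin,
     {"mfa", "compliantDevice", "signInFrequency4h"}),
    ("Sign-In Risk", lambda s: s.sign_in_risk in ("medium", "high"), {"mfa"}),
    ("User Risk", lambda s: s.user_risk == "high", {"passwordChange", "mfa"}),
]

def required_controls(s):
    """Combine all matching policies: ("block", policy name) if any
    matching policy blocks, else ("grant", union of their controls).
    Emergency access accounts are excluded from every policy above."""
    if s.is_break_glass:
        return "grant", set()
    required = set()
    for name, applies, controls in POLICIES:
        if not applies(s):
            continue
        if "block" in controls:
            return "block", name
        required |= controls
    return "grant", required

def decide(s):
    """Final outcome once the device signal is checked against the
    controls: MFA and password change can be satisfied interactively,
    but a non-compliant device cannot satisfy compliantDevice."""
    outcome, detail = required_controls(s)
    if outcome == "block":
        return f"BLOCK: {detail}"
    if "compliantDevice" in detail and not s.device_compliant:
        return "BLOCK: device not compliant"
    return "GRANT: " + (", ".join(sorted(detail)) or "no extra controls")
```

Because controls accumulate, an admin signing in from home on a compliant device is asked for MFA by two policies at once and still gets the 4-hour sign-in frequency, which the sequential chart does not make obvious.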

Verification Checklist

After implementing Zero Trust, verify each component:

Device Compliance Verification

  • Windows compliance policy is assigned and devices are evaluated
  • iOS compliance policy is assigned
  • Android compliance policy is assigned
  • Non-compliant devices are blocked from accessing resources

Named Locations Verification

  • Corporate networks named location contains correct IPs
  • High-risk countries named location contains blocked countries
  • Trusted location is marked as trusted

Conditional Access Policy Verification

For each policy:

  • Policy is enabled (not Report-only after testing)
  • Correct users/groups are targeted
  • Correct cloud apps are targeted
  • Grant controls are correctly configured
  • Emergency access accounts are excluded
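The checklist above can be run mechanically against a policy export. The script below is an added example, not part of this guide, that audits policies in the shape Microsoft Graph returns from GET /identity/conditionalAccess/policies; the two sample policies and the break-glass object id are constructed placeholders.

```python
import json

# Placeholder object id of the emergency access account (not a real id).
BREAK_GLASS = {"BREAK-GLASS-ACCOUNT-OBJECT-ID-PLACEHOLDER"}

# Constructed sample in the shape Microsoft Graph returns from
# GET /identity/conditionalAccess/policies, trimmed to the fields audited.
EXPORT = json.loads("""
{"value": [
  {"displayName": "Zero Trust - Require Compliant Device",
   "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"],
                            "excludeUsers": ["BREAK-GLASS-ACCOUNT-OBJECT-ID-PLACEHOLDER"]},
                  "applications": {"includeApplications": ["All"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
  {"displayName": "Zero Trust - Admin Enhanced Protection",
   "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeRoles": ["ROLE-TEMPLATE-ID-PLACEHOLDER"],
                            "excludeUsers": []},
                  "applications": {"includeApplications": ["All"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}}
]}""")

def audit_policy(policy):
    """Return the checklist items this policy fails; empty list means it passes."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("not enabled (report-only or disabled)")
    conditions = policy.get("conditions", {})
    excluded = set(conditions.get("users", {}).get("excludeUsers", []))
    if not BREAK_GLASS <= excluded:
        findings.append("emergency access accounts not excluded")
    if not conditions.get("applications", {}).get("includeApplications"):
        findings.append("no cloud apps targeted")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if not controls:
        findings.append("no grant controls configured")
    elif len(controls) > 1 and grant.get("operator") != "AND":
        findings.append("multiple controls but operator is not AND (Require all selected)")
    return findings

def audit(export):
    """Map each policy display name to its findings."""
    return {p["displayName"]: audit_policy(p) for p in export["value"]}

if __name__ == "__main__":
    for name, findings in audit(EXPORT).items():
        print(name, "->", findings or "OK")
```

The check only looks at excludeUsers; if you exclude break-glass accounts through a group, extend it to inspect excludeGroups as well.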

Risk-Based Policy Verification

  • Sign-in risk policy is enabled
  • User risk policy is enabled
  • Test risky sign-in detection works (use What If tool)

CAE Verification

  • CAE is enabled for policies
  • Strict location enforcement is enabled for admin policies
  • Test token revocation on critical events

Troubleshooting

Compliant Devices Being Blocked

Symptom: Devices that should be compliant are blocked.

Solutions:

  1. Check device compliance status in Intune
  2. Verify compliance policy requirements
  3. Check if device recently synced with Intune
  4. Review Intune compliance evaluation logs

Non-Compliant Devices Not Blocked

Symptom: Non-compliant devices can still access resources.

Solutions:

  1. Verify policy is enabled (not Report-only)
  2. Check if device is excluded via group membership
  3. Verify Intune MDM authority is configured
  4. Check compliance policy assignment

Legitimate Access Blocked

Symptom: Users with compliant devices from trusted networks are blocked.

Solutions:

  1. Use the "What If" tool to diagnose
  2. Review all policies for conflicts
  3. Check named location IP ranges
  4. Verify user is not in blocked groups

Risk Detection Not Working

Symptom: Risky sign-ins are not triggering policies.

Solutions:

  1. Verify Entra ID P2 licenses are assigned
  2. Check Identity Protection dashboard for detections
  3. Allow time for evaluation: risk detection can take 5-10 minutes to appear
  4. Verify risk condition is configured correctly

Session Revocation Not Immediate

Symptom: Disabled users can still access resources.

Solutions:

  1. Expect a short window: CAE reduces but doesn't eliminate it
  2. Standard (non-CAE) tokens have up to a 1-hour lifetime and remain valid until they expire
  3. Some apps may not support CAE and will keep using their current token
  4. Force sign-out via Entra admin center to revoke the user's sessions

Policy Configuration Summary

Core Zero Trust Policies

Policy                     Users           Apps  Conditions             Grant             Session
Require Compliant Device   All (excl. BG)  All   None                   Compliant device  None
Block High-Risk Countries  All (excl. BG)  All   High-risk locations    Block             None
MFA Outside Corporate      All (excl. BG)  All   Non-trusted locations  MFA               None
Admin Enhanced             Admin roles     All   None                   MFA + Compliant   4hr sign-in
Sign-In Risk               All (excl. BG)  All   Medium/High risk       MFA               None
User Risk                  All (excl. BG)  All   High user risk         Password + MFA    None

BG = Break-glass/emergency access accounts


Rollout Strategy

Phase 1: Foundation (Week 1-2)

  1. Deploy compliance policies to pilot group
  2. Create named locations
  3. Enable core policies in Report-only mode
  4. Monitor sign-in logs for impact

Phase 2: Pilot (Week 3-4)

  1. Enable policies for pilot group
  2. Monitor for issues
  3. Adjust policies based on feedback
  4. Document exceptions and edge cases

Phase 3: Broad Deployment (Week 5-6)

  1. Extend compliance policies to all devices
  2. Enable policies for larger groups
  3. Continue monitoring
  4. Communicate changes to users

Phase 4: Full Enforcement (Week 7+)

  1. Enable all policies for all users
  2. Remove Report-only status
  3. Establish ongoing monitoring
  4. Document final configuration

Related Controls

  • CA-01: Require MFA for All Users (baseline MFA)
  • CA-03: Sign-In Risk Policy (risk-based protection)
  • CA-04: User Risk Policy (credential compromise protection)
  • CA-06: Privileged Access Workstation Policy (admin device restriction)
  • CA-08: Block High-Risk Countries (geographic restriction)
  • DV-01: Device Compliance for Admins (admin-specific device requirements)
  • PA-07: Continuous Access Evaluation (token protection)

Additional Resources