“Zero Trust” has become the biggest buzzword in cybersecurity, and for good reason. The old “castle and moat” model — where you trusted everything inside your network — is dead. In a world of remote work and cloud apps, identity is the new perimeter.

Microsoft 365 provides an incredible toolkit for building a Zero Trust architecture, centered around Entra ID and Intune. However, having the tools and using them correctly are two very different things. We often see organizations claim they are “doing Zero Trust” because they turned on MFA, only to find gaping holes in their defense during an audit — or worse, an incident.

1. Using Conditional Access as a Blunt Instrument

Conditional Access (CA) is the policy engine of Zero Trust. It decides who gets in and who gets blocked.

The Mistake

Many admins treat CA policies like old-school firewall rules: simple “Allow” or “Block” lists based on IP addresses. For example, “Allow access if inside the office IP, require MFA if outside.”

Why It Fails

• Spoofing: IP addresses can be spoofed or bypassed.
• The “Coffee Shop” Problem: Legitimate users work from everywhere. If your policy is too rigid, you block productivity. If it’s too loose (just asking for MFA), you miss risks like infected devices.

The Fix

Move to context-based policies. Don’t just look at where the user is — look at what state their device is in. Is the device compliant? Use CA to enforce “Healthy Device” requirements, not just location.

2. Ignoring Device Compliance (The “Trusting the Unknown” Trap)

Zero Trust relies on three verified pillars: Identity (User), Device (Endpoint), and Network.

The Mistake

Organizations focus 100% on Identity (MFA) and ignore the Device. They allow any laptop — personal, unpatched, or infected — to sync corporate data as long as the user enters an MFA code.

Why It Fails

If a hacker steals a session token from an infected personal laptop, MFA won’t save you. The hacker is already “past” the MFA check.

The Fix

Implement device trust. Use Microsoft Intune to define what a “Compliant Device” looks like (BitLocker enabled, Antivirus running, latest OS updates). Then configure Conditional Access to block access for any device that isn’t managed by Intune or compliant with your policy.

3. “MFA Fatigue” and Implementation Gaps

Multi-Factor Authentication is non-negotiable, but how you implement it matters.

The Mistake

• SMS-based MFA: Easily phishable and intercepted.
• Prompt Bombing: Users getting so many push notifications they just hit “Approve” to make it stop.
• Legacy Auth: Leaving IMAP/POP3/SMTP enabled (protocols that don’t support MFA at all), creating a backdoor for attackers.

The Fix

• Disable Legacy Authentication immediately.
• Enforce Number Matching in Microsoft Authenticator (users must type a number displayed on screen).
• Move toward Phishing-Resistant MFA (FIDO2 keys or Windows Hello for Business).

4. Neglecting “Least Privilege” (Too Many Global Admins)

The Mistake

We audit tenants and regularly find 10+ Global Admins. Why? Because it’s “easier” than figuring out the exact granular permission a tech support engineer needs.

Why It Fails

One compromised Global Admin account is “Game Over” for your entire tenant. Attackers hunt for these accounts specifically.

The Fix

• Reduce Global Admins to fewer than 5 (ideally 2–3).
• Use Privileged Identity Management (PIM). No one should be a Global Admin 24/7. Admins should “activate” their role for 4 hours when needed, requiring an MFA check and justification.

5. The “Set It and Forget It” Mentality

Security is not a project; it’s a state.

The Mistake

Deploying a baseline configuration in January and assuming it’s still secure in December.

Why It Fails

• Configuration Drift: New admins change settings or create exceptions (“Just for testing!”) that never get removed.
• Evolving Threats: Microsoft releases new security features constantly. If you aren’t updating your policies to use them, you are falling behind.

The Fix

You need Governance as Code. Don’t rely on manual clicks in the portal. Use a baseline tool (like WaypointX) that monitors your configuration against a known “Gold Standard” and alerts you immediately when a setting drifts out of compliance.

---