
m365 Zero Trust Deployment Plan

Uploaded by

Avez Ahmed

Zero Trust deployment plan with Microsoft 365

A clickable deployment plan in the Zero Trust universe

Deploying Zero Trust using Microsoft 365 capabilities

This poster represents the work of deploying Zero Trust capabilities with Microsoft 365. This work is broken into units of work that can be configured together, starting from the bottom and working to the top to ensure that prerequisite work is complete.

This Microsoft 365 Zero Trust deployment stack illustrates the recommended units of work. Read more here — aka.ms/zero-trust-m365.

Microsoft 365 Zero Trust deployment stack
(work units listed from the bottom of the stack, 1, to the top)

Categories: Identity, Devices, Security operations, Information protection & governance

Zero Trust foundation
1 Configure cloud identity: cloud only, hybrid with Password Hash Synchronization (PHS), hybrid with Pass-Through Authentication (PTA), or federated
2 Configure starting point Zero Trust identity and device access policies: turn on Multi-Factor Authentication (MFA) and configure Intune app protection policies that don't require managing devices
3 Add SaaS apps to Azure AD and include these in the scope of MFA policies
4 Enroll devices into management
5 Configure compliance policies, to be sure devices meet minimum requirements
6 Configure Enterprise (recommended) Zero Trust identity and device access policies: require healthy and compliant devices
7 Deploy Intune configuration profiles to harden devices against threats

Defend against threats
8 Pilot and deploy Microsoft 365 Defender: Defender for Identity, Defender for Office 365, Defender for Endpoint, Defender for Cloud Apps
9 Monitor device risk and compliance of devices to security baselines
10 Create Defender for Cloud Apps policies to protect access and use of SaaS apps

Protect and govern sensitive data
11 Pilot and deploy classification, labeling, information protection, and data loss prevention (DLP):
▪ Define data sensitivity schema
▪ Define data handling standards
▪ Review/add sensitive information types and create sensitivity labels
▪ Create auto labeling rules
▪ Create DLP policies
12, 13 Top layer of the stack, the locations where protection applies:
▪ Microsoft 365 productivity apps: Word, Excel, PowerPoint, Outlook
▪ SharePoint sites, Teams, Power BI, Exchange
▪ Endpoint devices: Windows & macOS
▪ On-premises file shares and SharePoint Server
▪ Microsoft Defender for Cloud Apps (SaaS application data classification and protection)

Prescriptive solution guides

Each of these guides describes how to accomplish specific units of work that are prescribed by the deployment plan.

Work unit: Solution guide
1: Deploy your identity infrastructure for Microsoft 365 (aka.ms/zero-trust-m365-identity)
2, 6: Zero Trust identity and device access configurations (aka.ms/zero-trust-m365-mfa-policies)
4, 5, 7, 9, 12: Manage endpoints with Intune and Microsoft 365 (aka.ms/zero-trust-m365-devices)
8: Evaluate, pilot, and deploy Microsoft 365 Defender (aka.ms/zero-trust-m365-defender)
11: Deploy a Microsoft Information Protection solution (aka.ms/zero-trust-m365-info-protect)
11: Manage data privacy and data protection (aka.ms/zero-trust-m365-data-privacy)
3, 10, 13: Integrate SaaS apps for Zero Trust with Microsoft 365 (aka.ms/zero-trust-m365-saas)

Apply Zero Trust principles to Azure IaaS infrastructure (aka.ms/zero-trust-azure-iaas)
This set of articles shows you how to apply Zero Trust to Azure Storage services, virtual machines, spoke virtual networks (Vnets), and hub Vnets.

Supporting illustrations

These illustrations from the prescriptive solution guides are included here for your reference.

Manage endpoints with Intune and Microsoft 365
Step 1. Implement App Protection policies
Step 2. Enroll devices into management
Step 3. Set up compliance policies
Step 4. Require healthy and compliant devices
Step 5. Deploy device profiles
Step 6. Monitor device risk
Step 7. Implement DLP

Evaluate and pilot Microsoft 365 Defender
▪ Create the evaluation environment
▪ Repeat for each component (Defender for Identity, Defender for Office 365, Defender for Endpoint, Defender for Cloud Apps): review architecture requirements, enable the evaluation, create the pilot environment
▪ Investigate and respond to threats
▪ Promote your evaluation to production

Integrate SaaS apps for Zero Trust with Microsoft 365
1. Add SaaS apps to Azure AD and MFA
2. Create Defender for Cloud Apps policies
3. Deploy information protection for SaaS apps

February 2023 ©2023 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at [email protected].
