Zero Trust Scorecard

Assess your Microsoft 365 and Entra ID environment against five Zero Trust pillars: identity, Conditional Access, privileged access, device security, and data protection. Identify the gaps that commonly undermine security posture — including whether your MFA strategy is phish-resistant.

Identity & MFA

How identities are secured — and whether MFA can withstand modern phishing attacks.

How many Global Admin accounts exist?

Are admin accounts separated from standard user accounts?

What type of MFA is enforced for admin accounts?

Phish-resistant = FIDO2 keys, Windows Hello for Business, passkeys, or certificate-based auth. Standard = push notifications, Authenticator OTP, SMS, or phone call.

What type of MFA is enforced for standard user accounts?

Even with MFA enabled, standard methods can be bypassed by adversary-in-the-middle (AiTM) attacks and MFA fatigue.

What is the MFA registration coverage across enabled accounts?

Users who haven't registered MFA methods are not protected even when policies are enabled.

Conditional Access & authentication

Policies that govern how and when access is granted.

Is Conditional Access used?

Is legacy authentication blocked?

Legacy protocols (POP, IMAP, SMTP AUTH, older ActiveSync) bypass MFA entirely.

Are admin portals restricted to trusted/compliant devices?

Are risk-based Conditional Access policies enabled?

Entra ID Protection provides sign-in risk (suspicious login behaviour) and user risk (compromised credential detection) signals.

Is device compliance required as a condition for access?

Are session controls configured (sign-in frequency, persistent browser)?

Privileged access & governance

How privileged roles are managed, scoped, and reviewed.

Is Privileged Identity Management (PIM) used?

PIM provides just-in-time role activation instead of permanent standing assignments.

Is there regular access review / governance in place?

Are break-glass (emergency access) accounts documented and tested?

If Conditional Access or MFA locks out all admins, break-glass accounts are the recovery path.

Are scoped admin roles used instead of Global Admin for workload tasks?

E.g. Exchange Admin, SharePoint Admin, User Admin — rather than Global Admin for everything.

Device & endpoint

Device identity, management, and access restrictions.

Are devices required to be Entra ID joined or registered?

Is device management (Intune / MDM) enforced?

Are unmanaged devices restricted from accessing corporate data?

E.g. web-only access, app protection policies, or blocking downloads on personal devices.

Data protection

Classification, labelling, and data loss prevention.

Are sensitivity labels / information protection in use?

Microsoft Purview Information Protection sensitivity labels for classifying and protecting documents and emails.

Are DLP policies configured?

Data Loss Prevention for Exchange, Teams, SharePoint, OneDrive, and endpoint.