Sharegate >
Glossary
>
Zero Trust

What is Zero Trust?

Zero Trust is a security strategy built on one principle: never trust, always verify. Every access request is treated as a potential threat, regardless of where it comes from.

Also known as

Zero Trust architecture

Definition

Traditional security models assumed that anything inside the network was safe. Zero Trust rejects that assumption. It treats every access request, whether it comes from inside or outside the organization, as unverified until proven otherwise.

Microsoft defines Zero Trust around three principles.

  • Verify explicitly: always authenticate and authorize based on all available data points, including user identity, location, device health, and data classification.
  • Use least privilege: limit access to only what's needed, when it's needed.
  • Assume breach: minimize the impact of any incident, segment access, and use continuous monitoring to detect and respond to threats.

In Microsoft 365, Zero Trust isn't a single product or a policy checklist. It's an operating model that calls for consistent controls across identities, devices, applications, data, and infrastructure.

tip

Start with identity. Securing how users authenticate and what they can access is the foundation everything else in Zero Trust builds on.

Why it matters

Zero Trust is how organizations move from assuming the environment is safe to continuously verifying that it is.

  • Governance & security: Ungoverned permissions, long-standing guest access, and broadly accessible sensitive content are exactly the gaps Zero Trust is designed to close. Least privilege and continuous verification reduce the exposure that accumulates in Microsoft 365 environments over time.
  • AI readiness: A Zero Trust approach, where access is tightly scoped and continuously reviewed, reduces the risk of AI tools surfacing content that was never meant to be found.
  • Day-to-day operations: Zero Trust means making sure access decisions are intentional, monitored, and enforced consistently, without getting in the way of how people work.

Commonly confused with: A Microsoft product or a policy document

Zero Trust isn't a tool you buy or a checklist you complete. It's a security strategy that shapes how access is granted, reviewed, and monitored across your entire Microsoft 365 environment. Microsoft 365 includes tools that support Zero Trust, including Microsoft Entra ID, Conditional Access, Microsoft Purview, and Microsoft Defender. But implementing Zero Trust means applying a consistent operating model across all of them, not just enabling features.

ShareGate field notes:

What we see out there

Features get enabled. The operating model doesn't follow.

Organizations enable security features without aligning access decisions, data governance, and user experience behind them. The tools are there. The Zero Trust approach isn't.

Least privilege stays on paper.

Permissions get granted and never reviewed. Guests accumulate. Broad groups stay in place. Zero Trust requires a repeatable process for reviewing and tightening access over time, not a one-time cleanup.

Copilot makes the gaps impossible to ignore.

Organizations enabling Copilot discover that their access model doesn't reflect Zero Trust principles. Broadly accessible content, ungoverned guest accounts, and missing sensitivity labels all become visible problems when AI starts surfacing them.

Frequently asked questions

Where should Zero Trust start in Microsoft 365?

With identity. Microsoft recommends securing how users authenticate and what they can access before expanding to devices, data, and applications. In Microsoft 365, that means strong authentication, Conditional Access policies, and reviewing who has access to what.

How does Zero Trust relate to conditional access?

Conditional Access is one of the primary tools for implementing Zero Trust in Microsoft 365. It enforces access decisions based on signals like user identity, device compliance, location, and sign-in risk before granting access to any resource. That's how the "verify explicitly" principle gets applied in practice.

Does Zero Trust block collaboration?

No. Microsoft's guidance says that Zero Trust should secure and enable the organization, not restrict it. The goal is tighter controls on sensitive content and high-risk scenarios, not blanket restrictions on how people work.

What changes for guests under Zero Trust?

Guests get the same scrutiny as internal users. That means authenticating before accessing content, being subject to Conditional Access policies, and having their access reviewed regularly rather than staying indefinitely.