Zero Trust Deployment Plan 1672220669

Uploaded by

Raj Singh

Zero Trust deployment plan with Microsoft 365

The only clickable deployment plan in the Zero Trust universe

Deploying Zero Trust using Microsoft 365 capabilities

This poster represents the work of deploying Zero Trust capabilities with Microsoft 365. This work is broken into units of work that can be configured together, starting from the bottom and working to the top to ensure that prerequisite work is complete.

This Microsoft 365 Zero Trust deployment stack illustrates the recommended units of work. Read more here: aka.ms/zero-trust-m365.

Microsoft 365 Zero Trust deployment stack

Identity | Devices | Security operations | Information protection & governance

Layers of the stack, from top to bottom: Protect and govern sensitive data; Defend against threats; Zero trust foundation.

Work units:

1 Configure cloud identity (cloud only, hybrid with PHS, hybrid with PTA, or federated)
2 Configure starting point Zero Trust identity and device access policies
  Turn on Multi-Factor Authentication and configure app protection policies that don’t require managing devices
3 Add SaaS apps to Azure AD and include these in the scope of Multi-Factor Authentication policies
4 Enroll devices into management
5 Configure compliance policies
  To be sure devices meet minimum requirements
6 Configure Enterprise (recommended) Zero Trust identity and device access policies
  Require healthy and compliant devices
7 Deploy Intune configuration profiles to harden devices against threats
8 Pilot and deploy M365 Defender
  ▪ Defender for Identity
  ▪ Defender for Office 365
  ▪ Defender for Endpoint
  ▪ Defender for Cloud Apps
9 Monitor device risk and compliance of devices to security baselines
10 Create Defender for Cloud Apps policies to protect access and use of SaaS apps
11 Pilot and deploy classification, labeling, information protection, and data loss prevention (DLP)
  ▪ Create auto labeling rules
  ▪ Create data loss prevention (DLP) policies
  ▪ Review/add sensitive information types and create sensitivity labels
  ▪ Define data handling standards
  ▪ Define data sensitivity schema

Data locations shown at the top of the stack (work units 12 and 13):
▪ Microsoft 365 productivity apps: Word, Excel, PowerPoint, Outlook
▪ SharePoint sites, Teams, Power BI, Exchange Online
▪ Endpoint devices: Windows & macOS
▪ On-premises file shares and SharePoint Server
▪ Microsoft Defender for Cloud Apps (SaaS application data classification and protection)

Prescriptive solution guides

Each of these guides describes how to accomplish specific units of work that are prescribed by the deployment plan.

Work unit | Solution guide

1 | Deploy your identity infrastructure for Microsoft 365
    aka.ms/zero-trust-m365-identity

2, 6 | Zero Trust identity and device access configurations
    aka.ms/zero-trust-m365-mfa-policies

4 | Manage endpoints with Intune and Microsoft 365
    aka.ms/zero-trust-m365-devices
    Step 1. Implement App Protection policies
    Step 2. Enroll devices into management
    Step 3. Set up compliance policies
    Step 4. Require healthy and compliant devices
    Step 5. Deploy device profiles
    Step 6. Monitor device risk
    Step 7. Implement data loss prevention (DLP)

3, 10, 13 | Integrate SaaS apps for Zero Trust with Microsoft 365
    aka.ms/zero-trust-m365-saas
    ▪ Add SaaS apps to Azure AD and MFA
    ▪ Create Defender for Cloud App policies
    ▪ Deploy information protection for SaaS apps

8 | Evaluate, pilot, and deploy Microsoft 365 Defender
    aka.ms/zero-trust-m365-defender

11 | Deploy a Microsoft Information Protection solution
    aka.ms/zero-trust-m365-info-protect

Deploy information protection for data privacy regulations
    aka.ms/zero-trust-m365-data-privacy

Supporting illustrations

These illustrations from the prescriptive solution guides are included here for your reference.

[Illustration: Evaluate and pilot Microsoft 365 Defender]
▪ Create the evaluation environment
▪ Repeat for each component (Defender for Identity, Defender for Office 365, Defender for Endpoint, Defender for Cloud Apps):
  ▪ Review architecture requirements
  ▪ Enable the evaluation
  ▪ Create the pilot environment
▪ Investigate and respond to threats
▪ Promote your evaluation to production

November 2022 ©2022 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at [email protected].
