How to apply the Zero Trust model using Entra ID and Intune
02/08/2024
This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in implementing the Zero Trust security model using the capabilities of Microsoft Entra ID (formerly Azure Active Directory) and Microsoft Intune. The Zero Trust model, founded on the "never trust, always verify" principle, is a modern security approach that assumes that no access request should be automatically trusted, regardless of where it originates or what resource it attempts to access [1].
Introduction
With the expansion of remote work, the proliferation of personal devices and the migration to the cloud, the traditional security perimeter of corporate networks has become obsolete. The Zero Trust model emerges as a response to this new scenario, requiring explicit verification for each access attempt, granting access with least privilege and always assuming breach. Microsoft Entra ID and Microsoft Intune are crucial components for building a robust Zero Trust architecture, protecting identities and endpoints, respectively [2].
This practical guide will cover the principles of Zero Trust and demonstrate how to configure and integrate Microsoft Entra ID and Microsoft Intune to apply these principles. Step-by-step instructions, configuration examples, and validation methods will be provided so that the reader can implement and strengthen their organization's security posture with a Zero Trust approach.
Zero Trust Principles
The Zero Trust model is built on three fundamental principles [3]:
- Verify explicitly: Always authenticate and authorize based on all available data points, including user identity, location, device health, resource sensitivity, and anomalies.
- Use least privilege access: Limit user access to only what is necessary. Use Just-In-Time (JIT) and Just-Enough Access (JEA), risk-based adaptive policies, and data protection to protect data and productivity.
- Assume Breach: Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to gain visibility, detect threats, and improve defenses.
Prerequisites
To implement the Zero Trust model with Microsoft Entra ID and Intune, you will need the following items:
- Licensing: Licenses appropriate for Microsoft Entra ID Premium P1 or P2 (for Conditional Access) and Microsoft Intune (usually part of Microsoft 365 E3/E5 or EMS E3/E5 packages) [4].
- Administrative Access: Accounts with Global Administrator, Security Administrator, or Intune Administrator permissions on the Microsoft Entra admin center (entra.microsoft.com) and Microsoft Endpoint Manager admin center (endpoint.microsoft.com) portals.
- Intune Enrolled Devices: Windows 10/11 devices already enrolled and managed by Microsoft Intune.
- Identities in Microsoft Entra ID: Users and groups synchronized or created in Microsoft Entra ID.
Step by Step: Applying the Zero Trust Model
We'll focus on how Microsoft Entra ID and Intune work together to enforce Zero Trust principles, especially "Verify explicitly" and "Use least privilege access."
1. Strengthening Identity with Microsoft Entra ID
Microsoft Entra ID is the backbone of Zero Trust for identities, ensuring only verified users have access.
1.1. Implement Multi-Factor Authentication (MFA)
MFA is a fundamental component of the "verify explicitly" principle.
- Configure MFA via Conditional Access: As detailed in Article 3, create a Conditional Access policy to require MFA for all users, for specific groups, or for access from outside the corporate network.
- In the Microsoft Entra admin center, go to Protection > Conditional Access.
- Create a new policy with the following settings:
  - Assignments > Users or workload identities: Select All users (excluding the emergency access accounts).
  - Target resources: All cloud apps.
  - Grant: Check Require multi-factor authentication.
  - Enable policy: On.
1.2. Enable Microsoft Entra ID Protection (formerly Azure AD Identity Protection)
Identity Protection detects vulnerabilities that affect your organization's identities, configures automated risk-based policies to protect those identities, and investigates risky activities [5].
- In the Microsoft Entra admin center, go to Protection > Identity Protection.
- User risk policy: Configure this policy to require MFA or a password reset for medium- or high-risk users.
  - Assignments > Users: Select All users.
  - Conditions > User risk: Select Medium and above.
  - Access controls: Grant access, then Require password reset (or Require multi-factor authentication).
  - Enable policy: On.
- Sign-in risk policy: Configure this policy to block, or require MFA for, risky sign-ins.
  - Assignments > Users: Select All users.
  - Conditions > Sign-in risk: Select Medium and above.
  - Access controls: Grant access, then Require multi-factor authentication (or Block access for high risk).
  - Enable policy: On.
2. Ensuring Endpoint Integrity with Microsoft Intune
Intune ensures that devices accessing corporate resources are healthy and compliant, applying the "verify explicitly" principle to the device.
2.1. Create Device Compliance Policies
Compliance policies define the security requirements that a device must meet to be considered compliant. Non-compliant devices may have access blocked or restricted via Conditional Access.
- In the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com), go to Endpoint security > Device compliance > Policies.
- Click Create Policy.
- Platform: Windows 10 and later.
- Compliance Settings:
  - Device Health: Require BitLocker, Secure Boot, etc.
  - System Security: Require antivirus (e.g. Microsoft Defender Antivirus), a firewall, complex passwords, etc.
  - Device Properties: Require a minimum OS version.
- Actions for noncompliance: Configure actions such as marking the device as non-compliant immediately or after a grace period.
- Assignments: Assign the policy to the relevant Windows device groups.
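The same compliance policy expressed as Microsoft Graph request bodies, as an added example that is not part of the original article. It assumes the Graph v1.0 `windows10CompliancePolicy` schema (POST /deviceManagement/deviceCompliancePolicies, then POST .../{id}/assign for the group assignment) and adds a lint pass over the body before it is sent; the group IDs and build number are constructed sample values.

```python
import re

# Four-part Windows build string, e.g. "10.0.19045.0" (assumed format for osMinimumVersion).
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")

def build_windows_compliance_policy(name: str, min_os: str, grace_hours: int) -> dict:
    """Graph body for a windows10CompliancePolicy carrying the section 2.1 settings."""
    return {
        "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
        "displayName": name,
        # Device Health
        "bitLockerEnabled": True,
        "secureBootEnabled": True,
        "codeIntegrityEnabled": True,
        # System Security: firewall, Defender Antivirus with real-time protection, complex password
        "activeFirewallRequired": True,
        "defenderEnabled": True,
        "rtpEnabled": True,
        "passwordRequired": True,
        "passwordRequiredType": "alphanumeric",
        "passwordMinimumLength": 12,
        # Device Properties
        "osMinimumVersion": min_os,
        # Actions for noncompliance: mark the device non-compliant after a grace period
        # ("PasswordRequired" is the rule name Intune uses for the policy's default rule).
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [{"actionType": "block", "gracePeriodHours": grace_hours}],
        }],
    }

def build_assignment(group_ids: list[str]) -> dict:
    """Body for POST .../deviceCompliancePolicies/{id}/assign targeting device groups."""
    return {"assignments": [
        {"target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget", "groupId": gid}}
        for gid in group_ids]}

def lint_compliance_policy(policy: dict) -> list[str]:
    """Problems to fix before the policy is created; an empty list means it looks right."""
    problems = []
    if not VERSION_RE.match(policy.get("osMinimumVersion", "")):
        problems.append("osMinimumVersion must be a four-part build such as 10.0.19045.0")
    for key in ("bitLockerEnabled", "secureBootEnabled", "activeFirewallRequired", "defenderEnabled"):
        if not policy.get(key):
            problems.append(f"{key} is not required; section 2.1 expects it")
    actions = [a for rule in policy.get("scheduledActionsForRule", [])
               for a in rule.get("scheduledActionConfigurations", [])]
    if not any(a.get("actionType") == "block" for a in actions):
        problems.append("no 'block' action, so the device is never marked non-compliant")
    return problems
```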
2.2. Create Device Configuration Profiles
Configuration profiles allow you to deploy specific security settings, such as firewall settings, Microsoft Defender security settings, and device restrictions.
- In the Microsoft Endpoint Manager admin center, go to Devices > Windows > Configuration Profiles.
- Click Create profile.
- Platform: Windows 10 and later.
- Profile type: Select templates such as Endpoint protection to configure Microsoft Defender Antivirus and Firewall, or Device restrictions to disable specific features.
- Configure security settings according to your organization's best practices.
- Assignments: Assign the profile to the relevant Windows device groups.
3. Integrating Entra ID and Intune with Conditional Access
Conditional Access is the engine that brings together identity (Entra ID) and device (Intune) policies to enforce Zero Trust.
3.1. Create a Conditional Access Policy to Require a Compliant Device
This policy ensures that only devices that meet the Intune compliance policies can access cloud apps.
- In the Microsoft Entra admin center, go to Protection > Conditional Access.
- Click New policy > Create new policy.
- Name: Require Compliant Device for Access.
- Assignments > Users or workload identities: Select All users (excluding the emergency access accounts).
- Target resources: All cloud apps.
- Conditions (optional): You can add conditions such as Device platforms: Windows.
- Grant:
  - Select Grant access.
  - Check Require device to be marked as compliant, then click Select.
- Enable policy: On.
- Click Create.
Validation and Testing
Validating Zero Trust implementation is crucial to ensure policies are working as expected.
1. Test Access from a Compliant Device
- On an Intune-managed, compliant Windows device, try to access a cloud application (e.g. portal.office.com).
- Access must be granted after user authentication (and MFA, if configured).
2. Test Access from a Non-Compliant Device
- Use a Windows device that is not compliant (e.g., one with the firewall disabled, an OS version below the minimum allowed by the Intune compliance policy, or an unmanaged device).
- Try accessing a cloud application (e.g. portal.office.com).
- Access must be blocked, and the user must receive a message indicating that the device is not compliant and cannot access the resource.
3. Monitor Conditional Access Reports
- In the Microsoft Entra admin center, go to Protection > Conditional Access > Reports.
- Review the sign-in logs to see which Conditional Access policies were applied and the result (success, failure, report-only).
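A small triage of sign-in log records covering the three validation steps above, as an added example that is not part of the original article. It assumes the shape of the Microsoft Graph `signIn` resource (GET /auditLogs/signIns; only the fields used here are kept), and the three records, users and results are constructed sample data.

```python
# Constructed sample records in the shape of Graph signIn objects (trimmed).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "ana@contoso.example", "conditionalAccessStatus": "success",
     "deviceDetail": {"isCompliant": True, "isManaged": True, "operatingSystem": "Windows 11"},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users", "enforcedGrantControls": ["Mfa"], "result": "success"},
         {"displayName": "Require Compliant Device for Access",
          "enforcedGrantControls": ["RequireCompliantDevice"], "result": "success"}]},
    {"userPrincipalName": "bruno@contoso.example", "conditionalAccessStatus": "failure",
     "deviceDetail": {"isCompliant": False, "isManaged": True, "operatingSystem": "Windows 10"},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users", "enforcedGrantControls": ["Mfa"], "result": "success"},
         {"displayName": "Require Compliant Device for Access",
          "enforcedGrantControls": ["RequireCompliantDevice"], "result": "failure"}]},
    {"userPrincipalName": "carla@contoso.example", "conditionalAccessStatus": "success",
     "deviceDetail": {"isCompliant": False, "isManaged": False, "operatingSystem": "Windows 11"},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require Compliant Device (report-only pilot)",
          "enforcedGrantControls": ["RequireCompliantDevice"], "result": "reportOnlyFailure"}]},
]

def triage_signins(signins: list[dict]) -> list[dict]:
    """One finding per sign-in: outcome, the policy that blocked it, and the likely cause."""
    findings = []
    for s in signins:
        policies = s["appliedConditionalAccessPolicies"]
        blocking = [p["displayName"] for p in policies if p["result"] == "failure"]
        # Report-only policies never block, but their would-be failures are worth reviewing
        # before the policy is switched to enabled ("Start Small, Expand Gradually").
        report_only = [p["displayName"] for p in policies if p["result"].startswith("reportOnly")]
        dev = s["deviceDetail"]
        if s["conditionalAccessStatus"] == "failure":
            outcome = "blocked"
            if not dev["isManaged"]:
                cause = "device is not enrolled in Intune"
            elif not dev["isCompliant"]:
                cause = "device is enrolled but non-compliant; check its compliance status in Intune"
            else:
                cause = "device is compliant; check the blocking policy's other conditions"
        else:
            outcome, cause = "allowed", ""
        findings.append({"user": s["userPrincipalName"], "outcome": outcome,
                         "blocked_by": blocking, "report_only_failures": report_only,
                         "cause": cause})
    return findings
```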
Security Tips and Best Practices
- Start Small, Expand Gradually: Implement Zero Trust policies in test groups before expanding organization-wide to minimize disruptions.
- Education and Communication: Clearly communicate changes to users and provide training on how to keep their devices compliant and how to use MFA.
- Continuous Monitoring: Regularly monitor Intune compliance reports and Conditional Access and Identity Protection logs to identify any gaps or anomalies.
- Least Privilege Access: Combine Conditional Access policies with PIM (Privileged Identity Management) to ensure privileged access is Just-In-Time and Just-Enough.
- Assume Breach: Configure Microsoft Defender for Endpoint for advanced threat detection on endpoints and Microsoft Sentinel for security orchestration and automated response.
- Periodic Review: Review and adjust your Zero Trust policies regularly to adapt to changes in the threat environment and business requirements.
Common Troubleshooting
- Access Blocked Unexpectedly: Check the Conditional Access sign-in logs to identify which policy is blocking access. Check the Intune compliance policies for the affected device.
- Device Not Compliant: Check your device's compliance status in Intune. It may be that the device has not received the policies, or that some configuration is preventing compliance (e.g. disabled antivirus, old OS version).
- Policy Conflicts: Review all Conditional Access and compliance policies to ensure there are no conflicting exclusions or inclusions that could lead to unexpected behavior.
- Sync Issues: Make sure devices and users are syncing correctly with Intune and Microsoft Entra ID, respectively.
Conclusion
Applying the Zero Trust model is an essential security strategy to protect organizations in the current digital landscape. By leveraging Microsoft Entra ID to manage identities and Microsoft Intune to ensure endpoint integrity, companies can implement a robust security approach that explicitly checks every access request and operates based on the principle of least privilege. Integrating these tools through Conditional Access creates a powerful, adaptive defense, ensuring that only trusted users and devices can access corporate resources, regardless of their location. The journey to Zero Trust is ongoing and requires constant monitoring and refinement, but the benefits in terms of reducing risk and strengthening security are invaluable.
References:
[1] Microsoft Learn. What is Zero Trust? Available at: https://learn.microsoft.com/pt-br/security/zero-trust/zero-trust-overview
[2] Microsoft Learn. Zero Trust with Microsoft Intune. Available at: https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/zero-trust-with-microsoft-intune
[3] Microsoft Learn. Zero Trust Guiding Principles. Available at: https://learn.microsoft.com/pt-br/security/zero-trust/guidance-principles
[4] Microsoft Learn. Licensing for Microsoft Entra ID. Available at: https://azure.microsoft.com/pt-br/pricing/details/active-directory/
[5] Microsoft Learn. What is Identity Protection? Available at: https://learn.microsoft.com/pt-br/entra/identity/identity-protection/overview-identity-protection