Before diving into configuration, it’s essential to understand how Microsoft views identity in modern IT architecture.
1. Zero Trust – The Core Principle
Zero Trust means “Never trust, always verify.”
Every access request is verified, no matter where it comes from.
Three guiding principles:
Verify explicitly. Always authenticate using multiple signals, such as device health or user risk.
Use least privilege access. Give users only the access they need, nothing more.
Assume breach. Always prepare as though attackers are already inside your network.
Example:
If an employee logs in from a new country, even with the right password, the system can demand MFA (Multi-Factor Authentication) before granting access.
2. Identity Systems
Microsoft provides identity systems for various scenarios:
Business-to-Business (B2B) – External partner access to internal systems. Example: A vendor accessing your SharePoint site.
Business-to-Consumer (B2C) – Customers logging into your app using social or local accounts. Example: Users signing into your retail app using Google or Facebook.
Decentralized Identity / Verifiable Credentials – Digital identity owned by the user, not a central authority. Example: A student using a verified digital diploma to apply for jobs.
3. Identity Actions
Identity systems allow:
Authentication – Prove who you are.
Authorization – Get permission to do something.
Administration – Manage access and identities.
Auditing – Monitor who did what and when.
4. From Classic Identity to Zero Trust
Old model (Perimeter-based security):
Everything inside the firewall was trusted.
Once authenticated, users had full access.
Example: Logging into the office network gave you access to all shared folders.
Modern model (Zero Trust):
Assets can be anywhere—on-premises or cloud.
Each access request is verified by policy.
Example: Even internal employees must pass MFA and device compliance checks before opening a sensitive HR file.
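The contrast between the two models, as an added illustration that is not part of the original guide and not Microsoft's own policy engine: a perimeter decision trusts the network location, while the Zero Trust decision derives its controls from per-request signals. The rules (new country requires MFA, a sensitive resource requires MFA and a compliant device) follow the page's two examples; the user's known-location history and the request fields are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample of a user's previously seen sign-in countries (an assumption,
# standing in for the location history a real identity service would keep).
KNOWN_LOCATIONS = {"alice": {"DE", "NL"}}

@dataclass
class AccessRequest:
    user: str
    country: str                # country of the sign-in, as observed by the identity service
    on_corporate_network: bool  # the only signal the perimeter model looks at
    device_compliant: bool      # device health signal
    resource_sensitive: bool    # e.g. the HR file from the page's example
    mfa_completed: bool = False

def perimeter_decision(req: AccessRequest) -> str:
    """Classic model: anyone inside the firewall is trusted after a single login."""
    return "allow" if req.on_corporate_network else "deny"

def zero_trust_required_controls(req: AccessRequest) -> set[str]:
    """Verify explicitly: derive the controls this request must satisfy from several signals.
    Network location is deliberately not one of them (assume breach)."""
    controls: set[str] = set()
    if req.country not in KNOWN_LOCATIONS.get(req.user, set()):
        controls.add("mfa")                           # new country: step up to MFA
    if req.resource_sensitive:
        controls.update({"mfa", "compliant_device"})  # sensitive data: MFA and device compliance
    return controls

def zero_trust_decision(req: AccessRequest) -> str:
    """Evaluate one request against its required controls: allow, mfa_required or deny."""
    required = zero_trust_required_controls(req)
    if "compliant_device" in required and not req.device_compliant:
        return "deny"            # a non-compliant device cannot be fixed mid-session
    if "mfa" in required and not req.mfa_completed:
        return "mfa_required"    # challenge the user, then re-evaluate the request
    return "allow"

if __name__ == "__main__":
    # Constructed request: known user, new country, inside the corporate network,
    # non-compliant device, opening a sensitive HR file.
    req = AccessRequest("alice", "US", True, False, True)
    print(perimeter_decision(req))   # allow: being inside the perimeter is enough
    print(zero_trust_decision(req))  # deny: device is not compliant for a sensitive resource
```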