Zero Trust Architecture ReferenceZero Trust Architecture Reference
Prinzipien, Pfeiler, Implementierungscheckliste und Microsoft-Kontrollen für eine Zero-Trust-Zielarchitektur.Principles, pillars, implementation checklist, and Microsoft controls for a Zero Trust target architecture.
PrinzipienPrinciples
Verify explicitly, least privilege, assume breach.Verify explicitly, least privilege, assume breach.
EngineEngine
Conditional Access + Identity + Device + Data Signals.Conditional Access + identity + device + data signals.
BetriebOperations
Monitoring, Sentinel, Defender XDR und Playbooks.Monitoring, Sentinel, Defender XDR, and playbooks.
Zero-Trust-PrinzipienZero Trust principles
| PrinzipPrinciple | KernaussageCore statement |
|---|---|
| Verify explicitlyVerify explicitly | Jede Anforderung anhand von Identität, Gerät, Standort, Risiko und Datenkontext prüfen.Validate every request with identity, device, location, risk, and data context. |
| Least privilegeLeast privilege | Nur minimale Rechte und möglichst kurze Aktivierungsdauer gewähren.Grant only the minimum rights and keep activation windows short. |
| Assume breachAssume breach | Seitliche Bewegung und Token-Missbrauch jederzeit mitdenken.Always assume lateral movement and token abuse are possible. |
Zero-Trust-PfeilerZero Trust pillars
| PillarPillar | FokusFocus | Microsoft-KontrollenMicrosoft controls |
|---|---|---|
| Identity | Benutzer, Workloads, Gastzugriffe, Auth-Methoden, Risiko.Users, workloads, guest access, auth methods, and risk. | Entra ID, Conditional Access, PIM, Identity ProtectionEntra ID, Conditional Access, PIM, Identity Protection |
| Devices | Geräteidentität, Compliance, Join-State und Endpoint-Schutz.Device identity, compliance, join state, and endpoint protection. | Intune, Defender for Endpoint, Windows Hello for BusinessIntune, Defender for Endpoint, Windows Hello for Business |
| Applications | SaaS, Eigenentwicklungen, API-Zugriffe, Sitzungsschutz.SaaS, custom apps, API access, and session protection. | Entra App Registration, Conditional Access, Defender for Cloud AppsEntra app registration, Conditional Access, Defender for Cloud Apps |
| Data | Klassifizierung, Verschlüsselung, DLP und Governance.Classification, encryption, DLP, and governance. | Purview, Sensitivity Labels, DLP, Information ProtectionPurview, sensitivity labels, DLP, and information protection |
| Infrastructure | Cloud- und Hybrid-Ressourcen, privilegierte Verwaltung.Cloud and hybrid resources, privileged administration. | Azure RBAC, PIM, Defender for Cloud, Azure PolicyAzure RBAC, PIM, Defender for Cloud, Azure Policy |
| Network | Zugriffspfade, Internet-/Private-Access, Segmentierung.Access paths, internet/private access, and segmentation. | Entra Internet Access, Entra Private Access, GSA, ZTNAEntra Internet Access, Entra Private Access, GSA, ZTNA |
Microsoft Zero Trust Deployment GuideMicrosoft Zero Trust deployment guide
| PfeilerPillar | Quick winsQuick wins | AdvancedAdvanced |
|---|---|---|
| Identity | MFA, Auth Strengths, Gast- und Admin-Policies einführen.Introduce MFA, auth strengths, and guest/admin policies. | Passwordless, Workload CA, Lifecycle Governance, Terms of Use.Passwordless, workload CA, lifecycle governance, and terms of use. |
| Devices | Join-Modelle definieren, Compliance-Baselines und Defender-Onboarding.Define join models, compliance baselines, and Defender onboarding. | Privileged Access Devices, Token Protection, device-based CA.Privileged Access Devices, token protection, and device-based CA. |
| Applications | SSO standardisieren, Enterprise Apps reviewen, Legacy Auth abbauen.Standardize SSO, review Enterprise Apps, and retire legacy auth. | Auth Context, session controls, app governance, just-in-time access.Auth context, session controls, app governance, and just-in-time access. |
| Data | Labels, Verschlüsselung, DLP-Baselines bereitstellen.Provide labels, encryption, and DLP baselines. | Automatisierte Klassifizierung, Insider Risk, Endpoint DLP.Automated classification, insider risk, and endpoint DLP. |
| Infrastructure | PIM für Azure RBAC, Defender for Cloud, Policy-Guardrails.PIM for Azure RBAC, Defender for Cloud, and policy guardrails. | Workload identity governance, drift detection, JIT admin paths.Workload identity governance, drift detection, and JIT admin paths. |
| Network | Pilot mit Global Secure Access, Named Locations bereinigen.Pilot with Global Secure Access and clean up named locations. | Private Access für interne Apps und adaptive Access-Entscheidungen.Use Private Access for internal apps and adaptive access decisions. |
Entra ID als Identity-PlattformEntra ID as the identity platform
Entra ID ist die zentrale Kontrollschicht für Identität, starke Authentifizierung, Geräteclaims, App-Consent, B2B und privilegierte Verwaltung. In Zero-Trust-Architekturen liefert Entra die Entscheidungsebene, während Intune, Defender, Purview und Azure die zusätzlichen Signale und Durchsetzungsmechanismen liefern.Entra ID is the central control layer for identity, strong authentication, device claims, app consent, B2B, and privileged administration. In Zero Trust architectures, Entra provides the decision layer while Intune, Defender, Purview, and Azure contribute additional signals and enforcement mechanisms.
Implementierungs-ChecklisteImplementation checklist
| ## | CheckCheck |
|---|---|
| 1 | Break-glass-Konten definieren und offline schützen.Define and offline-protect break-glass accounts. |
| 2 | Legacy Authentication vollständig blockieren.Block legacy authentication completely. |
| 3 | MFA für alle Benutzer aktivieren.Enable MFA for all users. |
| 4 | Phishing-resistant MFA für Administratoren erzwingen.Require phishing-resistant MFA for administrators. |
| 5 | Authentication Methods Policy auf moderne Methoden beschränken.Limit the authentication methods policy to modern methods. |
| 6 | Combined Registration und SSPR bereitstellen.Provide combined registration and SSPR. |
| 7 | Sign-in-Risk- und User-Risk-Policies definieren.Define sign-in-risk and user-risk policies. |
| 8 | PIM für privilegierte Rollen aktivieren.Enable PIM for privileged roles. |
| 9 | Access Reviews für privilegierte Rollen planen.Schedule access reviews for privileged roles. |
| 10 | Join-State-Strategie je Gerätetyp festlegen.Define the join-state strategy by device type. |
| 11 | Intune Compliance Policies definieren.Define Intune compliance policies. |
| 12 | Defender for Endpoint auf verwalteten Geräten ausrollen.Roll out Defender for Endpoint to managed devices. |
| 13 | Windows Hello for Business oder FIDO2 pilotieren.Pilot Windows Hello for Business or FIDO2. |
| 14 | Conditional Access für unmanaged Browser auf SPO einschränken.Restrict unmanaged browsers to SPO through Conditional Access. |
| 15 | BYOD mobile über App Protection steuern.Control BYOD mobile through app protection. |
| 16 | Admin-Portale separat schützen.Protect admin portals separately. |
| 17 | Azure Management separat schützen.Protect Azure Management separately. |
| 18 | Enterprise Apps und OAuth-Consents reviewen.Review Enterprise Apps and OAuth consents. |
| 19 | Service Principals auf Zertifikate oder Managed Identities umstellen.Move service principals to certificates or managed identities. |
| 20 | Guest- und Cross-Tenant-Defaults härten.Harden guest and cross-tenant defaults. |
| 21 | Terms of Use für Gäste und sensible Bereiche einsetzen.Use terms of use for guests and sensitive areas. |
| 22 | Named Locations auf echte Corporate Egresses begrenzen.Limit named locations to real corporate egress points. |
| 23 | Global Secure Access / Internet Access evaluieren.Evaluate Global Secure Access / Internet Access. |
| 24 | Private Access für interne Webapps prüfen.Assess Private Access for internal web apps. |
| 25 | Sensitivity Labels für Teams, Sites und Dateien aktivieren.Enable sensitivity labels for teams, sites, and files. |
| 26 | DLP-Baselines für Exchange, SharePoint, Teams, Endpoints aktivieren.Enable DLP baselines for Exchange, SharePoint, Teams, and endpoints. |
| 27 | Verschlüsselung und Schlüsselmanagement dokumentieren.Document encryption and key management. |
| 28 | Unified Audit Log und Sentinel-Konnektoren aktivieren.Enable the unified audit log and Sentinel connectors. |
| 29 | Defender XDR Incident-Workflow definieren.Define the Defender XDR incident workflow. |
| 30 | Risk Playbooks für MFA fatigue, leaked credentials und AitM erstellen.Create risk playbooks for MFA fatigue, leaked credentials, and AiTM. |
| 31 | Workload Identity Protection überwachen.Monitor workload identity protection. |
| 32 | Token Protection und CAE für geeignete Clients pilotieren.Pilot token protection and CAE for suitable clients. |
| 33 | Admin-Workstations oder PAW/PAD-Konzept einführen.Introduce admin workstations or a PAW/PAD concept. |
| 34 | Dokumentierte Policy-Owner und Review-Rhythmus festlegen.Define documented policy owners and a review cadence. |
| 35 | Search- und Reporting-Ansichten für Ausnahmen aufbauen.Build search and reporting views for exceptions. |
| 36 | Jede Ausnahme zeitlich befristen und nachhalten.Time-bound and track every exception. |
Conditional Access als Zero-Trust-EngineConditional Access as the Zero Trust engine
Conditional Access verbindet Signalsammlung und technische Durchsetzung. Eine ausgereifte Zero-Trust-Policy-Landschaft besteht meist aus Baseline-Policies, privilegierten Policies, Geräte-Policies, Gast-Policies und Risiko-Policies – nicht aus einer einzigen Monster-Policy.Conditional Access connects signal collection and technical enforcement. A mature Zero Trust policy landscape typically consists of baseline policies, privileged policies, device policies, guest policies, and risk policies—not one giant monster policy.
Geräte-Trust-ChainDevice trust chain
| StatusState | BeschreibungDescription | EinsatzUse |
|---|---|---|
| Entra registeredEntra registered | Benutzerbezogene Registrierung für BYOD und leichte Szenarien.User-centric registration for BYOD and light scenarios. | App Protection, eingeschränkte Browser- oder mobile Zugriffe.App protection, restricted browser, or mobile access. |
| Entra joinedEntra joined | Cloud-native Geräteidentität mit PRT und Verwaltungssignalen.Cloud-native device identity with PRT and management signals. | Moderne verwaltete Windows-Geräte und Passwordless.Modern managed Windows devices and passwordless. |
| Hybrid joinedHybrid joined | AD + Entra für Übergangs- und Hybridwelten.AD plus Entra for transition and hybrid estates. | Alte Intranet-/Line-of-business-Szenarien und stufenweiser Umbau.Legacy intranet or line-of-business scenarios and phased modernization. |
NetzwerkzugriffNetwork access
| ServiceService | NutzenPurpose | Wann sinnvollWhen useful |
|---|---|---|
| Entra Internet AccessEntra Internet Access | Secure Web Gateway für SaaS und Webzugriff.Secure web gateway for SaaS and web access. | Für identitäts- und kontextbasierten Internetzugriff.For identity- and context-based internet access. |
| Entra Private AccessEntra Private Access | ZTNA-Zugriff auf private Apps ohne klassisches VPN.ZTNA access to private apps without classic VPN. | Für interne Webapps und Hybrid-Apps mit modernem Remote-Zugriff.For internal web apps and hybrid apps with modern remote access. |
Datenschutz und DatenkontrolleData protection
| KontrolleControl | ZweckPurpose |
|---|---|
| Sensitivity LabelsSensitivity labels | Dateien, Mails, Sites und Teams klassifizieren und schützen.Classify and protect files, emails, sites, and teams. |
| DLPDLP | Datenabfluss in Exchange, SharePoint, Teams und Endpoints begrenzen.Limit data exfiltration in Exchange, SharePoint, Teams, and endpoints. |
| EncryptionEncryption | Daten im Transit und im Ruhezustand schützen.Protect data in transit and at rest. |
Monitoring und ReaktionMonitoring and response
| WerkzeugTool | NutzenPurpose |
|---|---|
| Microsoft SentinelMicrosoft Sentinel | Korrelation, Analytic Rules, Playbooks und SOC-Automation.Correlation, analytic rules, playbooks, and SOC automation. |
| Defender XDRDefender XDR | Incident-zentrierte Sicht über Endpoints, Identities, Email und Apps.Incident-centric view across endpoints, identities, email, and apps. |
| Entra LogsEntra logs | Sign-ins, Audits, Risk Detections und CA-Auswertung.Sign-ins, audits, risk detections, and CA evaluation. |
PowerShell
Connect-MgGraph -Scopes "Policy.Read.All","AuditLog.Read.All"
Get-MgIdentityConditionalAccessPolicy
Get-MgAuditLogSignIn -Top 20 | Select-Object UserDisplayName, AppDisplayName, ConditionalAccessStatus