Published: Dec 4, 2025 | 7 min read

How to Achieve the Zero Trust Principle: Verify Explicitly in Microsoft 365

Vasil Michev
Vasil is a nine-time Microsoft MVP and expert with over a decade of experience in Microsoft cloud, lifecycle management, migration, adoption, and automation.

Attackers target identities, devices, apps, and data at every layer — and traditional perimeter security simply can’t keep up. To protect your environment, you must verify every access request, every time, using all available context. These ideas underpin the principle of Zero Trust and its “verify explicitly” pillar.  

This guide explains how to implement the Verify Explicitly pillar of Zero Trust in Microsoft 365, where Microsoft’s native tooling falls short, and how platforms like CoreView can help close the gaps and operationalize Zero Trust at scale.

Executive Summary

Achieving the Zero Trust principle of Verify Explicitly in Microsoft 365 requires more than enabling MFA or creating basic Conditional Access policies. This guide explains the full, phased approach needed to secure identities, devices, applications, and data using Microsoft’s native capabilities, including Conditional Access, Intune, Purview, and continuous risk-based verification. It also highlights where Microsoft’s guidance leaves practical gaps in visibility, entitlement governance, least-privilege access, and multi-tenant oversight. Finally, it outlines how CoreView strengthens Zero Trust programs through unified entitlement visibility, operator access controls, drift detection, and continuous assurance to maintain a strong and scalable security posture.

Zero Trust: Verify explicitly, use least privilege, assume breach  

The Zero Trust security model is built on three core principles: Verify explicitly, Use least privilege, and Assume breach. In the context of a Microsoft 365 environment, Microsoft provides an official deployment plan (“Zero Trust deployment plan with Microsoft 365”) that maps these principles to capabilities across identity, devices, apps, data, AI agents and compliance.  

For organizations using Microsoft 365 (and hybrid or cloud-only identity via Microsoft Entra ID / Azure AD), achieving “verify explicitly” means ensuring that every access request — wherever it originates, from whichever device or user — is evaluated by strong authentication, device health, compliance posture, contextual signals, and that the access to apps and data is appropriately authorized.  

Microsoft’s guidance is solid, but in practice there are gaps — especially around governance, visibility, entitlement sprawl, and least privilege access. These are areas where CoreView can step in.

Zero Trust foundations in Microsoft 365  

The “verify explicitly” principle, according to Microsoft, is supported by a set of capabilities in Microsoft 365 across identity, device, applications, data and sessions.  

This means, in practice:  

  • “Verify explicitly — Always authenticate and authorize based on all available data points.”  
  • Microsoft lists the swim-lane “Secure remote and hybrid work” in the deployment plan, which covers identity & device access protection.  
  • The “Zero Trust identity and device access configurations” guidance emphasizes: verify identities, devices and applications with strong authentication, device compliance, Conditional Access, app protection, etc.  

“Verify explicitly” boils down to a handful of key capability areas:

  • Identity verification (MFA, sign-in risk, conditional access)
  • Device verification (device enrollment, compliance, device health)
  • Application access controls (block legacy auth, restrict sessions, limit unmanaged device access)
  • Data access context (app enforced restrictions, session control, DLP)
  • Continuous verification and adaptive access (risk signals, device risk, user risk)

Step-by-step tutorial: Implementing “Verify explicitly” in a Microsoft 365 tenant

How can you implement the “verify explicitly” mandate in Microsoft 365? Once you have secured the appropriate license (Entra ID P2, Microsoft 365 E5, Intune, etc.) for full features, there are a number of key steps you can take.  

Step 1: Prepare your identity foundation

  1. Ensure your organization is using cloud identity (or hybrid identity with password hash sync, pass-through authentication or federation), as Microsoft assumes in its plan.  
  2. Require MFA for all users. In the Azure portal, go to Entra ID → Users and confirm that every user is required to use MFA.
  3. Enable security defaults if you have no Conditional Access policies yet; this gives you basic MFA and a security baseline. Remember that this is only a minimum to build on.
  4. Using Entra ID, create baseline access reviews of privileged identities, service accounts and guest accounts.

Step 2: Create Conditional Access policies targeting “Verify explicitly”

  1. In the Azure portal → Entra ID → Security → Conditional Access, create a new policy:
    1. Name: “Require MFA for All Users”
    2. Assign: All users (except emergency access / break-glass accounts)
    3. Target resources: All resources (or start with Microsoft 365 apps)
    4. Access controls: Grant → Require multi-factor authentication
    5. Enable the policy.
  2. Create another policy: “Block legacy authentication”
    1. Conditions → Client apps → Legacy authentication clients (a group; select both entries, Exchange ActiveSync clients and Other clients).
    2. Grant → Block access. This prevents older protocols from bypassing Conditional Access.  
  3. Create a third policy: “Require compliant or hybrid-joined devices”
    1. Conditions → Device platforms → filter for Windows, iOS, Android
    2. Grant → Require device to be marked compliant or Hybrid Azure AD joined (either control satisfies the policy).
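The three Step 2 policies can also be created in bulk. This is an added example using the Microsoft Graph PowerShell SDK, not a script from the original article; the break-glass object IDs are placeholders, and the policies start in report-only mode so their impact can be reviewed in the sign-in logs before switching them to enabled.

```powershell
# Added example (not from the article): create the Step 2 Conditional Access policies
# via Microsoft Graph PowerShell (Microsoft.Graph.Identity.SignIns module).
# Assumptions: placeholder break-glass object IDs; report-only state until reviewed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: replace with the object IDs of your emergency access accounts.
$breakGlass = @("<break-glass-account-1-objectId>", "<break-glass-account-2-objectId>")

$policies = @(
    @{
        displayName = "Require MFA for All Users"
        state       = "enabledForReportingButNotEnforced"   # change to "enabled" after review
        conditions  = @{
            users        = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
            applications = @{ includeApplications = @("All") }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{
        displayName = "Block legacy authentication"
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users          = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
            applications   = @{ includeApplications = @("All") }
            # Both legacy client app types from the article: Exchange ActiveSync and Other clients
            clientAppTypes = @("exchangeActiveSync", "other")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    @{
        displayName = "Require compliant or hybrid-joined devices"
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users        = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
            applications = @{ includeApplications = @("All") }
            platforms    = @{ includePlatforms = @("windows", "iOS", "android") }
        }
        # OR: a compliant device or a hybrid-joined device satisfies the policy
        grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }
    }
)

foreach ($p in $policies) {
    # Idempotent: skip policies that already exist with the same display name
    $existing = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.DisplayName -eq $p.displayName }
    if ($existing) { Write-Host "Skipping existing policy: $($p.displayName)"; continue }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created '$($created.DisplayName)' state=$($created.State) id=$($created.Id)"
}
```

Review the report-only results in the Entra sign-in logs, then set each policy's state to "enabled" once the break-glass exclusions and device coverage are confirmed.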

Step 3: Enroll and verify device health/compliance

  1. In Intune (Microsoft Endpoint Manager), deploy device enrollment for corporate devices (Autopilot / fully managed) and configure BYOD scenarios (work profile). Microsoft’s guide covers this in detail.  
  2. Create device compliance policies for each platform: Windows 11, iOS/iPadOS, Android. For example: require BitLocker, Secure Boot, a minimum OS version and an enabled firewall.  
  3. Create app protection policies for mobile apps: for example, require approved apps, block copy/paste and restrict data transfer to unmanaged apps. Then enforce them via Conditional Access (require approved client apps or an app protection policy).  
  4. Ensure that Conditional Access policies reference device compliance: Grant → Require device to be marked compliant.  
  5. Monitor device health via Microsoft Defender for Endpoint (if present) and feed device risk signals back into Conditional Access.

Step 4: Application and workload-specific access control

  1. For apps such as Exchange Online, SharePoint Online and Teams, apply policy to limit access from unmanaged devices. For example, in the SharePoint admin center → Access control → Unmanaged devices → Allow limited access or Block. Then set site-level policy via PowerShell.  
  2. Configure session controls in Conditional Access: for example, Grant → Use app-enforced restrictions. This ensures that user sessions remain controlled even after access is granted.
  3. For SaaS apps outside Microsoft, use Defender for Cloud Apps (if you have it) to discover shadow SaaS and apply policies. Microsoft positions this under “Prevent or reduce business damage from a breach”.  

Step 5: Data protection and continuous verification

  1. Use Microsoft Purview Information Protection (labels, sensitivity types, DLP) to identify, classify and protect sensitive information. This supports the data aspect of Zero Trust.  
  2. Configure continuous monitoring and adaptive access: use signals such as user risk, device risk, app risk, location, time and session anomalies to adapt access.
  3. Conduct periodic access reviews of user, guest and admin privileges — Microsoft provides tools in Entra ID for access review and entitlement management.
  4. Use audit logs, alerting, and investigations via Defender XDR / Sentinel to assume breach and validate your controls.

Step 6: Validate, monitor and iterate

  1. Use Microsoft Secure Score, Entra ID Identity Score and Microsoft’s Zero Trust Assessment Tool (if available) to benchmark your implementation.  
  2. Monitor Conditional Access policy hit counts, failed sign-ins, risky sign-ins and device non-compliance.
  3. Review accounts with standing privileges, zero-day compliance drift, guest user growth and device onboarding failures.
  4. Adjust policies and refine segmentation (e.g., separate by workload classification: starting point, enterprise, specialized).  

Microsoft’s Zero Trust gaps

While Microsoft’s guidance and tools provide a strong foundation for “verify explicitly”, there are several practical gaps and challenges enterprises face. Below are key areas where Microsoft’s native coverage may fall short — and how CoreView adds differentiated value.

Gap #1 – Visibility into all entitlements and over-privileged accounts

In Microsoft 365, Entra ID and Azure provide RBAC and Privileged Identity Management (PIM) capabilities, but organizations often struggle with effective entitlements, wildcard permissions, delegated admin privileges, guest user permissions, and service-principal (app) permissions. For example, academic research shows that wildcard over-reach in Azure RBAC is common (a study found ~39 % of actions via wildcards have cross-resource over-reach).  

Microsoft’s guidance emphasizes the need for access reviews and least privilege but does not always make it easy to access the real-time state of all privileges, especially across multiple tenants or delegated/service accounts.

In these cases, solutions like CoreView provide discovery and visibility capabilities across Microsoft 365, for example for mailbox permissions, SharePoint/OneDrive access, Teams roles, guest accounts, Entra ID roles and delegated admin roles. It can provide insight into privilege creep and identify stale or redundant privileges. All of this supports the “Verify explicitly” principle by verifying who has what rights before access is granted, especially for admin or privileged access.

Gap #2 – Granular, role-scoped least-privilege operator access

Setting up least-privilege administrative models in Microsoft 365/Azure can be complex: splitting roles, scoping access, applying Just-In-Time (JIT) access, timing expiry, combining with device compliance and conditional access. Microsoft provides PIM, but for functional/operator access tasks (e.g., mailbox creation, Teams channel management) there is less native granular check-box style control and scoping.  

Microsoft alludes to trade-offs and manual work involved in this in its own materials.

An operator access model, such as the one provided in CoreView, lets organizations define functional roles (e.g., “create mailboxes”, “manage team settings”), assign them on a check-box basis, scope the assignment (e.g., virtual tenant, OU, location), set start/end dates and enforce expiry. This reduces standing privileges and enables auditing.

Gap #3 – Governance, configuration drift and continuous assurance

Enabling Conditional Access, device compliance and app protection is essential, but organizations may still face configuration drift: policies changed, devices removed from compliance, unmanaged guests added, legacy authentication re-enabled.

Monitoring and enforcing that your “verify explicitly” controls remain active over time requires additional governance, scheduled reviews, alerts and audit. Microsoft surfaces audit logs and Secure Score, but bridging that to operational remediation is often not turnkey.

With solutions like CoreView, enterprises gain easy access to governance dashboards over Microsoft 365, enabling drift detection, visibility into orphaned guest accounts, inactive admin roles, device compliance failures, “what-ifs” for permissions, and scheduled reviews.
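A minimal version of the drift check described above, as an added example written in Microsoft Graph PowerShell rather than any CoreView feature. It assumes the policy names from Step 2 and a constructed baseline of the grant control each policy must keep; the exclusion threshold is an assumption to be tuned per tenant.

```powershell
# Added example (not from the article or CoreView): scheduled drift check for the
# "verify explicitly" Conditional Access baseline. Assumes read-only Graph access and
# the Step 2 policy names; $expected is a constructed baseline.
Connect-MgGraph -Scopes "Policy.Read.All"

# Constructed baseline: policy display name -> grant control that must still be present.
$expected = @{
    "Require MFA for All Users"                  = "mfa"
    "Block legacy authentication"                = "block"
    "Require compliant or hybrid-joined devices" = "compliantDevice"
}

$current  = Get-MgIdentityConditionalAccessPolicy -All
$findings = @()

foreach ($name in $expected.Keys) {
    $policy = $current | Where-Object { $_.DisplayName -eq $name }
    if (-not $policy) {
        $findings += "MISSING    $name (policy deleted or renamed)"
        continue
    }
    if ($policy.State -ne "enabled") {
        # Report-only or disabled means the control is no longer enforced
        $findings += "INACTIVE   $name (state=$($policy.State))"
    }
    if ($policy.GrantControls.BuiltInControls -notcontains $expected[$name]) {
        $findings += "WEAKENED   $name (grant control '$($expected[$name])' removed)"
    }
    # Exclusions are a common drift path: users or groups quietly added to the exclude lists.
    # Assumed threshold: only the two break-glass accounts should be excluded.
    $excluded = @($policy.Conditions.Users.ExcludeUsers) + @($policy.Conditions.Users.ExcludeGroups)
    if ($excluded.Count -gt 2) {
        $findings += "EXCLUSIONS $name ($($excluded.Count) excluded users/groups; expected break-glass only)"
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1   # non-zero exit lets a scheduled task or pipeline raise an alert
} else {
    Write-Host "Conditional Access baseline intact: $($expected.Count) policies enabled and unchanged"
}
```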

Gap #4 – Cross-tenant/multi-region/delegated admin oversight

Many organizations (or managed service providers) operate in multi-tenant environments with delegated admin privileges (DAP), cross-tenant access, or global service provider relationships. Microsoft tools are oriented to each tenant individually; getting a unified view of “verify explicitly” across multiple tenants, administrative consents, delegated roles and service provider access is more manual. Native Microsoft tooling to govern cross-tenant or delegated roles needs to gain more maturity before it can be considered completely reliable.  

Today, solutions like CoreView support multi-tenant management: you can roll up permissions across tenants and view delegated admin and service provider access, DAP assignments and guest/B2B relationships.

Gap #5 – Data-level continuous verification and anomaly detection beyond sign-in/device

Microsoft provides DLP, sensitivity labels, session controls and machine risk signals. However, detecting anomalous data access, entitlements over time, credential misuse, lateral movement (post access) still often requires integration with XDR/SIEM, additional tooling or manual analysis.

The “assume breach” principle of Zero Trust touches this, but the “verify explicitly” moment needs to cover what happens after access too (ongoing verification). Microsoft’s documentation stresses what other experts echo: “Zero Trust is a security strategy … not a product or service”, and you need visibility to drive threat detection.  

CoreView brings continuous analytics around operations in Microsoft 365: unusual mailbox permission changes, Teams channel admin assignments, SharePoint external share links, guest access growth, service-principal escalations. With automatic alerts and remediation workflows, you can enforce ongoing verification of access and data movement — closing the gap between “access granted” and “access misused”.

Zero Trust checklist for Microsoft 365

Legend: ✔ = covered, ⚠ = partial or limited native coverage.

| Item | Action | Covered by Microsoft? | Enhanced by CoreView? |
|---|---|---|---|
| User MFA registration completed | All users MFA registered | Yes (via Entra ID) ✔ | ✔ |
| Conditional Access – MFA for all users | Policy created + fast rollout | ✔ | ✔ |
| Conditional Access – Block legacy auth | | Yes ✔ | ✔ |
| Conditional Access – Require compliant/hybrid-joined devices | | Yes ✔ | ✔ |
| Device compliance policies defined for all platforms | | Yes ✔ | ✔ |
| App protection policies deployed for mobile apps | | Yes ✔ | ✔ |
| Workload-specific policies | | Yes ✔ | ✔ |
| Device risk & user risk integrated into CA | | Yes (with appropriate license) ✔ | ✔ |
| Entitlement inventory (roles, admin, mailbox permissions, etc.) | | Partial (MS lacks full unified view) ⚠ | ✔ |
| Operator access scoping and time-bound privileges | | Limited native tooling ⚠ | ✔ |
| Access review schedules defined | | Yes ✔ | ✔ |
| Guest/external user permissions managed and monitored | | Partial ⚠ | ✔ |
| Multi-tenant/delegated admin oversight | | Minimal native tooling ⚠ | ✔ |
| Continuous monitoring of privilege creep, configuration drift | | Limited native tooling ⚠ | ✔ |
| Data-level anomaly detection (permission changes, sharing links, service-principal escalation) | | Requires additional tools ⚠ | ✔ |

Zero Trust is an ongoing process  

Microsoft’s Zero Trust deployment plan for Microsoft 365 provides a robust framework for “verify explicitly” (authenticate and authorize based on all available signals).  

Nevertheless, practical implementation in a complex enterprise Microsoft 365 environment reveals gaps in visibility, entitlement governance, least-privilege operator models, governance/detection of drift, cross-tenant oversight and data-level anomaly verification.

CoreView offers complementary capabilities that fill those gaps — enabling stronger “verify explicitly” enforcement, operationalizing least privilege, continuous assurance, cross-tenant visibility and data-centric monitoring.

  1. Verification is not a one-time event — it must apply at access time and continuously thereafter.
  2. Strong authentication and device compliance are insufficient on their own; organizations must take the step of verifying who has what entitlements, who can manage, and what data they access.
  3. Drift detection and remediation workflows are vital to maintain Zero Trust posture over time.
  4. In Microsoft 365 contexts especially, operational tools (like CoreView) make the difference between “we’ve turned on MFA and Conditional Access” and “we truly enforce Verify explicitly with least privilege and continuous assurance.”
  5. License readiness matters: many of the advanced Microsoft capabilities require E5/P2 licenses. Where you lack these, or want a greater level of assurance, third-party solutions are pragmatic.

Implementing the “Verify explicitly” pillar of Zero Trust in a Microsoft 365 environment is absolutely achievable — Microsoft gives you the blueprint and tools. The challenge lies in operationalizing it at scale, maintaining it over time, covering entitlements, governing rights, monitoring drift, and applying the model across users/devices/apps/data combinations.

By combining Microsoft’s native controls (MFA, Conditional Access, Intune, Purview, etc.) with CoreView’s governance, entitlement visibility, operator access management and continuous assurance capabilities, you can elevate your Zero Trust posture from “enabled” to “enforced”.
