diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 4904bd31f..92daa06f6 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -45,6 +45,12 @@
"url": "https://github.com/MicrosoftDocs/reusable-content",
"branch": "main",
"branch_mapping": {}
+ },
+ {
+ "path_to_root": "security-docs/includes/entra-content",
+ "url": "https://github.com/MicrosoftDocs/entra-docs-pr",
+ "branch": "main",
+ "branch_mapping": {}
}
],
"branch_target_mapping": {
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 52922db11..0e6d63c30 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,5 +1,15 @@
{
"redirections": [
+ {
+ "source_path": "security-docs/zero-trust/siem-xdr-training.md",
+ "redirect_url": "security/zero-trust/security-adoption-discipline-architecture-tips",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "security-docs/zero-trust/ten-laws-of-security.md",
+ "redirect_url": "security/zero-trust/security-adoption-discipline-security-operations",
+ "redirect_document_id": false
+ },
{
"source_path": "security-docs/zero-trust/zero-trust-assessment-progress-tracking-resources.md",
"redirect_url": "security/zero-trust/assessment/get-started",
diff --git a/security-docs/docfx.json b/security-docs/docfx.json
index e28214cae..d4818ab11 100644
--- a/security-docs/docfx.json
+++ b/security-docs/docfx.json
@@ -47,8 +47,8 @@
"breadcrumb_path": "/security/breadcrumb/toc.json",
"feedback_system": "Standard",
"feedback_help_link_type": "get-help-at-qna",
- "ms.author": "kenwith",
- "author": "kenwith"
+ "ms.author": "raynew",
+ "author": "rayne-wiselman"
},
"fileMetadata": {
"titleSuffix": {
diff --git a/security-docs/index.yml b/security-docs/index.yml
index fc934fff8..68af97eaa 100644
--- a/security-docs/index.yml
+++ b/security-docs/index.yml
@@ -8,7 +8,7 @@ metadata:
ms.topic: marketing-hub
ms.author: saadad
author: sadadow
- ms.date: 05/05/2026
+ ms.date: 04/06/2026
ms.collection: # na
brand: azure
sections:
@@ -81,34 +81,67 @@ sections:
title: ""
blocks:
- componentType: icon-card
- title: Secure autonomous agentic AI systems
- summary: Apply solutions to operationalize mitigation across identity, governance, runtime enforcement, and detection.
- url: /security/zero-trust/sfi/secure-agentic-systems
+ title: Enable Defender for AI Services workload protection in Microsoft Defender for Cloud
+ summary: Enable and configure the Defender for AI Services plan in Microsoft Defender for Cloud to detect threats targeting Azure AI services workloads.
+ url: /training/modules/implement-defender-cloud-ai-services/
+ icon:
+ componentType: image
+ src: /security/media/hubpage/ignite-glyphs/training-1-purple.png
+ - componentType: icon-card
+ title: Assess data security posture in Microsoft Purview
+ summary: Work with Microsoft Purview Data Security Posture Management to protect your data.
+ url: /training/modules/purview-dspm-assess-data-security-posture/
+ icon:
+ componentType: image
+ src: /security/media/hubpage/ignite-glyphs/tutorial-1-purple.png
+ - componentType: icon-card
+ title: Generate playbooks using AI in Microsoft Sentinel
+ summary: Learn how to generate playbooks by using AI, configure required integrations, and deploy your automation workflows.
+ url: /azure/sentinel/automation/generate-playbook
+ icon:
+ componentType: image
+ src: /security/media/hubpage/ignite-glyphs/how-to-guide-2-orange.png
+ - componentType: icon-card
+ title: Apply data security and compliance to Microsoft Agent 365
+ summary: Use Microsoft Purview to manage data security & compliance for Microsoft Agent 365.
+ url: /purview/ai-agent-365
icon:
componentType: image
src: /security/media/hubpage/ignite-glyphs/concept-1-yellow.png
+
+# Put security into practice
+ - componentType: grid
+ title: Put security into practice
+ summary: Move from reading to improving your security posture. Explore practice-based quickstarts, tutorials, and guided modules that help you deploy, configure, and validate protections with Microsoft Security—so you can make meaningful progress in your environment, one focused step at a time.
+ blocks:
- componentType: icon-card
- title: "Quickstart: Build agents using MCP tools (Security Copilot)"
- summary: Build a Security Copilot agent that calls MCP tools — quickstart with sample code.
- url: /copilot/security/developer/mcp-quickstart
+ title: "Quickstart: Helm install for Defender for Containers"
+ summary: Deploy the Defender for Containers sensor with Helm.
+ url: /azure/defender-for-cloud/deploy-helm
icon:
componentType: image
src: /security/media/hubpage/ignite-glyphs/quickstart-2-rainbow.png
- componentType: icon-card
- title: AI Agent Service Security Controls
+ title: "Tutorial: Defender for Cloud + GHAS sandbox"
+ summary: Try Defender for Cloud +GHAS in a sandbox before you roll it out.
+ url: /azure/defender-for-cloud/github-advanced-security-deploy-sandbox
+ icon:
+ componentType: image
+ src: /security/media/hubpage/ignite-glyphs/tutorial-1-purple.png
+ - componentType: icon-card
+ title: "Module: AI Agent Service Security Controls"
summary: Configure RBAC and security controls for Azure AI Agent Service in this 20-minute module.
url: /training/modules/intro-ai-agent-service-security-controls/
icon:
componentType: image
src: /security/media/hubpage/ignite-glyphs/training-1-purple.png
- componentType: icon-card
- title: Get In the Loop
- summary: Catch up on the latest product drops, security updates, and demos—all in one place.
- url: https://aka.ms/SecurityProductDrops_May26
+ title: "Documentation: Security Analyst Agent in Defender"
+ summary: Investigate with the Security Analyst Agent to quickly identify, assess, and prioritize risks.
+ url: /defender-xdr/security-analyst-agent
icon:
componentType: image
- src: /security/media/hubpage/ignite-glyphs/whats-new-1-magenta.png
-
+ src: /security/media/hubpage/ignite-glyphs/how-to-guide-2-orange.png
# Modules
# - componentType: cards
@@ -160,28 +193,28 @@ sections:
url: /training/paths/ai-security-fundamentals/?wt.mc_id=securityhub_fundamentals_webpage_sci
icon:
componentType: image
- src: /security/media/hubpage/generic-trophy.svg
+ src: /security/media/hubpage/ignite-glyphs/training-1-purple.png
- componentType: icon-card
title: Understand data security investigations
summary: Learn concepts that define data security investigations, how they differ from alerts and audit, and when deeper, data-focused investigation adds value to security decisions.
url: /training/modules/purview-data-security-investigations-understand/?wt.mc_id=securityhub_securityinvestigations_webpage_sci
icon:
componentType: image
- src: /security/media/hubpage/generic-badge.svg
+ src: /security/media/hubpage/ignite-glyphs/tutorial-1-purple.png
- componentType: icon-card
title: Mitigate incidents using Microsoft Defender
summary: Investigate and respond to incidents using Microsoft Sentinel and Defender XDR. Correlate alerts, hunt threats, manage incidents, and stop attacks faster with unified security operations workflows.
url: /training/modules/mitigate-incidents-microsoft-365-defender/?wt.mc_id=securityhub_defendertraining_webpage_sci
icon:
componentType: image
- src: /security/media/hubpage/training-clipboard.png
+ src: /security/media/hubpage/ignite-glyphs/reference-2-yellow.png
- componentType: icon-card
title: Plan, implement, and administer Conditional Access
summary: Conditional Access gives a fine granularity of control over which users can do specific activities, access which resources, and how to ensure data and systems are safe.
url: /training/modules/plan-implement-administer-conditional-access//?wt.mc_id=securityhub_conditionalaccess_webpage_sci
icon:
componentType: image
- src: /security/media/hubpage/training-whiteboard.png
+ src: /security/media/hubpage/ignite-glyphs/concept-1-yellow.png
# Microsoft Security product documentation
- componentType: grid
diff --git a/security-docs/security-resources/featured-top-picks.md b/security-docs/security-resources/featured-top-picks.md
index d87e5b064..b62160d20 100644
--- a/security-docs/security-resources/featured-top-picks.md
+++ b/security-docs/security-resources/featured-top-picks.md
@@ -5,13 +5,22 @@ ms.service: security
ms.topic: whats-new
author: ttorble
ms.author: ralyon
-ms.date: 05/05/2026
+ms.date: 04/06/2026
---
# Featured top picks
This article brings together the history of top picks from the Security hub organized by publication date in descending order. Explore a curated selection of noteworthy security content to inspire your security learning journey.
+## May 2026
+
+| Featured date | Title | Description |
+|---------|---------|---------|
+| May 5 | [Secure autonomous agentic AI systems](/security/zero-trust/sfi/secure-agentic-systems) | Apply solutions to operationalize mitigation across identity, governance, runtime enforcement, and detection. |
+| | [Quickstart: Build agents using MCP tools (Security Copilot)](/copilot/security/developer/mcp-quickstart) | Build a Security Copilot agent that calls MCP tools — quickstart with sample code. |
+| | [AI Agent Service Security Controls](/training/modules/intro-ai-agent-service-security-controls/) | Configure RBAC and security controls for Azure AI Agent Service in this 20-minute module. |
+| | [Get In the Loop](https://aka.ms/SecurityProductDrops_May26) | Catch up on the latest product drops, security updates, and demos—all in one place. |
+
## April 2026
| Featured date | Title | Description |
|---------|---------|---------|
diff --git a/security-docs/security-resources/index.yml b/security-docs/security-resources/index.yml
index 996c38403..5059f6b57 100644
--- a/security-docs/security-resources/index.yml
+++ b/security-docs/security-resources/index.yml
@@ -10,7 +10,7 @@ metadata:
ms.topic: landing-page
ms.author: ralyon
author: ttorble
- ms.date: 05/05/2026
+ ms.date: 04/06/2026
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | tutorial | overview | quickstart | reference | sample | tutorial | video | whats-new
@@ -19,30 +19,30 @@ landingContent:
# Start card title with a verb
# Card
# Card
- - title: April top picks
+ - title: May top picks
linkLists:
- linkListType: overview
links:
- - text: Secure AI solutions in the cloud
- url: /credentials/applied-skills/secure-ai-solutions-in-the-cloud/
- - text: Learn about Security Copilot agents
- url: /copilot/security/security-copilot-inclusion?wt.mc_id=securityhub_inclusion_webpage_sci
- - text: Configure your Microsoft Sentinel Environment
- url: /training/paths/sc-200-configure-azure-sentinel-environment/
- - text: "Build security skills: Download the kit"
- url: https://aka.ms/SecuritySkillingKit?wt.mc_id=lfo_content_webpage_wwl
- - title: March top picks
+ - text: Secure autonomous agentic AI systems
+ url: /security/zero-trust/sfi/secure-agentic-systems
+ - text: "Quickstart: Build agents using MCP tools (Security Copilot)"
+ url: /copilot/security/developer/mcp-quickstart
+ - text: AI Agent Service Security Controls
+ url: /training/modules/intro-ai-agent-service-security-controls/
+ - text: Get In the Loop
+ url: https://aka.ms/SecurityProductDrops_May26
+ - title: April top picks
linkLists:
- linkListType: overview
links:
- text: Secure AI solutions in the cloud
url: /credentials/applied-skills/secure-ai-solutions-in-the-cloud/
- - text: Join Azure Decoded on April 8th
- url: https://developer.microsoft.com/en-us/reactor/events/26862/
- text: Learn about Security Copilot agents
url: /copilot/security/security-copilot-inclusion?wt.mc_id=securityhub_inclusion_webpage_sci
- text: Configure your Microsoft Sentinel Environment
url: /training/paths/sc-200-configure-azure-sentinel-environment/
+ - text: "Build security skills: Download the kit"
+ url: https://aka.ms/SecuritySkillingKit?wt.mc_id=lfo_content_webpage_wwl
# Card
# - title: Discover more
diff --git a/security-docs/zero-trust/TOC.yml b/security-docs/zero-trust/TOC.yml
index ea4de414a..77dcc58d0 100644
--- a/security-docs/zero-trust/TOC.yml
+++ b/security-docs/zero-trust/TOC.yml
@@ -1,124 +1,10 @@
-- name: Zero Trust implementation guidance
+- name: Security Guidance Center
href: index.yml
-- name: What is Zero Trust?
+- name: Zero Trust security
href: zero-trust-overview.md
-- name: Assess Zero Trust posture
- items:
- - name: Overview
- href: assessment/overview.md
- - name: Get started
- href: assessment/get-started.md
- - name: Assessment terminology
- href: assessment/glossary.md
-- name: Zero Trust partner kit
- href: zero-trust-partner-kit.md
-- name: Zero Trust adoption
- expanded: false
- items:
- - name: Overview
- href: adopt/zero-trust-adoption-overview.md
- - name: Rapidly modernize your security posture
- href: adopt/rapidly-modernize-security-posture.md
- - name: Secure remote and hybrid work
- href: adopt/secure-remote-hybrid-work.md
- - name: Identify and protect sensitive business data
- href: adopt/identify-protect-sensitive-business-data.md
- - name: Prevent or reduce business damage from a breach
- items:
- - name: Overview
- href: adopt/prevent-reduce-business-damage-breach.md
- maintainContext: true
- - name: Implement security breach prevention and recovery infrastructure
- href: adopt/prevent-reduce-business-damage-breach-infrastructure.md
- maintainContext: true
- - name: Implement threat protection and XDR
- href: adopt/prevent-reduce-business-damage-breach-threat-protection.md
- maintainContext: true
- - name: Meet regulatory and compliance requirements
- href: adopt/meet-regulatory-compliance-requirements.md
-- name: Secure Future Initiative (SFI)
- items:
- - name: Overview
- href: sfi/secure-future-initiative-overview.md
- - name: What's new in SFI v2.0
- href: sfi/secure-future-initiative-whats-new.md
- - name: Integrate NIST CSF 2.0 governance
- href: sfi/integrate-nist-2-governance.md
- - name: Adopt SFI best practices
- href: sfi/secure-future-initiative-adoption.md
- - name: Protect identities and secrets
- expand: false
- items:
- - name: Overview
- href: sfi/secure-future-initiative-identity-overview.md
- - name: Phishing-resistant MFA
- href: sfi/phishing-resistant-mfa.md
- - name: Adopt standard SDKs for identity
- href: sfi/adopt-standard-sdk-identity.md
- - name: Protect tenants and isolate systems
- expand: false
- items:
- - name: Overview
- href: sfi/secure-future-initiative-tenant-overview.md
- - name: Eliminate identity lateral movement
- href: sfi/eliminate-identity-lateral-movement.md
- - name: Remove legacy systems that risk security
- href: sfi/remove-legacy-systems-that-risk-security.md
- - name: Higher security for Microsoft Entra ID apps
- href: sfi/higher-security-microsoft-entra-id-apps.md
- - name: Secure all tenants and their resources
- href: sfi/secure-all-tenants-resources.md
- - name: Protect networks
- expand: false
- items:
- - name: Overview
- href: sfi/secure-future-initiative-network-overview.md
- - name: Network isolation
- href: sfi/network-isolation.md
- - name: Protect engineering systems
- expand: false
- items:
- - name: Overview
- href: sfi/secure-future-initiative-engineering-overview.md
- - name: Standardize secure development pipelines
- href: sfi/standardize-secure-development-pipelines.md
- - name: Zero Trust for source code access
- href: sfi/zero-trust-source-code-access.md
- - name: Protect the software supply chain
- href: sfi/protect-software-supply-chain.md
- - name: Monitor and detect threats
- expand: false
- items:
- - name: Overview
- href: sfi/secure-future-initiative-threat-overview.md
- - name: Complete AI threat modeling
- href: sfi/threat-modeling-ai.md
- - name: Implement AI observability
- href: sfi/observability-ai-systems.md
- - name: Identify risk for autonomous agentic AI
- href: sfi/manage-agentic-risk.md
- - name: Secure autonomous agentic AI systems
- href: sfi/secure-agentic-systems.md
- - name: Defend against indirect prompt injection attacks
- href: sfi/defend-indirect-prompt-injection.md
- - name: Complete production infrastructure inventory
- href: sfi/complete-production-infrastructure-inventory.md
- - name: Security log retention standards
- href: sfi/security-log-retention-standards.md
- - name: Rapid anomaly detection and response
- href: sfi/rapid-anomaly-detection-response.md
- - name: Centralize access to security logs
- href: sfi/centralize-access-to-security-logs.md
- - name: Accelerate response and remediation
- expand: false
- items:
- - name: Overview
- href: sfi/secure-future-initiative-response-overview.md
- - name: Respond to incidents in AI systems
- href: sfi/incident-response-ai-systems.md
- - name: Accelerate vulnerability mitigation
- href: sfi/accelerate-vulnerability-mitigation.md
-- name: Prioritizing defense
+- name: Microsoft security services
+ href: security-platform.md
+- name: Prioritize defense
expand: false
items:
- name: Overview
@@ -133,376 +19,623 @@
href: prioritizing-defense/minimize-internet-exposure.md
- name: Implement baseline security measures
href: prioritizing-defense/baseline-security-measures.md
-- name: Technology pillars
- expanded: false
+- name: Explore SFI and best practices
items:
+ - name: Overview
+ href: security-best-practices-overview.md
+ - name: SFI patterns
+ items:
- name: Overview
- href: deploy/overview.md
- - name: Identity
- href: deploy/identity.md
- - name: Endpoints
- href: deploy/endpoints.md
- - name: Data
- href: deploy/data.md
- - name: Apps
- href: deploy/applications.md
- - name: Infrastructure
- href: deploy/infrastructure.md
- - name: Network
- href: deploy/networks.md
- - name: Visibility, automation, and orchestration
- href: deploy/visibility-automation-orchestration.md
-- name: Small businesses
- href: guidance-smb-partner.md
-- name: Microsoft Copilots
- expanded: false
- items:
+ href: sfi/secure-future-initiative-overview.md
+ - name: What's new in SFI v2.0
+ href: sfi/secure-future-initiative-whats-new.md
+ - name: Integrate NIST CSF 2.0 governance
+ href: sfi/integrate-nist-2-governance.md
+ - name: Adopt SFI best practices
+ href: sfi/secure-future-initiative-adoption.md
+ - name: Protect identities and secrets
+ expand: false
+ items:
+ - name: Overview
+ href: sfi/secure-future-initiative-identity-overview.md
+ - name: Phishing-resistant MFA
+ href: sfi/phishing-resistant-mfa.md
+ - name: Adopt standard SDKs for identity
+ href: sfi/adopt-standard-sdk-identity.md
+ - name: Protect tenants and isolate systems
+ expand: false
+ items:
+ - name: Overview
+ href: sfi/secure-future-initiative-tenant-overview.md
+ - name: Eliminate identity lateral movement
+ href: sfi/eliminate-identity-lateral-movement.md
+ - name: Remove legacy systems that risk security
+ href: sfi/remove-legacy-systems-that-risk-security.md
+ - name: Higher security for Microsoft Entra ID apps
+ href: sfi/higher-security-microsoft-entra-id-apps.md
+ - name: Secure all tenants and their resources
+ href: sfi/secure-all-tenants-resources.md
+ - name: Protect networks
+ expand: false
+ items:
+ - name: Overview
+ href: sfi/secure-future-initiative-network-overview.md
+ - name: Network isolation
+ href: sfi/network-isolation.md
+ - name: Protect engineering systems
+ expand: false
+ items:
+ - name: Overview
+ href: sfi/secure-future-initiative-engineering-overview.md
+ - name: Standardize secure development pipelines
+ href: sfi/standardize-secure-development-pipelines.md
+ - name: Zero Trust for source code access
+ href: sfi/zero-trust-source-code-access.md
+ - name: Protect the software supply chain
+ href: sfi/protect-software-supply-chain.md
+ - name: Monitor and detect threats
+ expand: false
+ items:
+ - name: Overview
+ href: sfi/secure-future-initiative-threat-overview.md
+ - name: Manage memory safety in agentic systems
+ href: sfi/manage-agentic-memory-safety.md
+ - name: Complete AI threat modeling
+ href: sfi/threat-modeling-ai.md
+ - name: Implement AI observability
+ href: sfi/observability-ai-systems.md
+ - name: Identify risk for autonomous agentic AI
+ href: sfi/manage-agentic-risk.md
+ - name: Secure autonomous agentic AI systems
+ href: sfi/secure-agentic-systems.md
+ - name: Defend against indirect prompt injection attacks
+ href: sfi/defend-indirect-prompt-injection.md
+ - name: Complete production infrastructure inventory
+ href: sfi/complete-production-infrastructure-inventory.md
+ - name: Security log retention standards
+ href: sfi/security-log-retention-standards.md
+ - name: Rapid anomaly detection and response
+ href: sfi/rapid-anomaly-detection-response.md
+ - name: Centralize access to security logs
+ href: sfi/centralize-access-to-security-logs.md
+ - name: Accelerate response and remediation
+ expand: false
+ items:
+ - name: Overview
+ href: sfi/secure-future-initiative-response-overview.md
+ - name: Respond to incidents in AI systems
+ href: sfi/incident-response-ai-systems.md
+ - name: Accelerate vulnerability mitigation
+ href: sfi/accelerate-vulnerability-mitigation.md
+ - name: Microsoft Entra ID best practices
+ href: /entra/fundamentals/configure-security?toc=/security/zero-trust/toc.json&bc=/security/zero-trust/toc.json
+ - name: Microsoft Intune best practices
+ href: /intune/intune-service/protect/zero-trust-configure-security?toc=/security/zero-trust/toc.json&bc=/security/zero-trust/toc.json
+ - name: Azure network best practices
+ href: /azure/networking/security/zero-trust-network-security?toc=/security/zero-trust/toc.json&bc=/security/zero-trust/toc.json
+ - name: Data best practices
+ href: /purview/configure-security?toc=/security/zero-trust/toc.json&bc=/security/zero-trust/toc.json
+ - name: Microsoft cloud security benchmark
+ href: /security/benchmark/azure/overview?toc=/security/zero-trust/toc.json&bc=/security/zero-trust/toc.json
+
+- name: Align with external frameworks
+ items:
+ - name: Align with CISA Zero Trust model
+ items:
- name: Overview
- href: copilots/apply-zero-trust-copilots-overview.md
- - name: Zero Trust for Microsoft 365 Copilot Chat
- href: copilots/zero-trust-microsoft-copilot.md
- - name: Zero Trust for Microsoft 365 Copilot
- href: copilots/zero-trust-microsoft-365-copilot.md
- - name: Zero Trust for Microsoft Security Copilot
- href: copilots/zero-trust-microsoft-copilot-for-security.md
-- name: Microsoft 365
+ href: cisa-zero-trust-maturity-model-intro.md
+ - name: Align identity
+ href: cisa-zero-trust-maturity-model-identity.md
+ - name: Align device security
+ href: cisa-zero-trust-maturity-model-devices.md
+ - name: Align network security
+ href: cisa-zero-trust-maturity-model-networks.md
+ - name: Align application security
+ href: cisa-zero-trust-maturity-model-apps.md
+ - name: Align data security
+ href: cisa-zero-trust-maturity-model-data.md
+ - name: Align with DoD Zero Trust Strategy
+ expanded: false
+ items:
+ - name: Overview
+ href: dod-zero-trust-strategy-intro.md
+ - name: Align identity
+ href: dod-zero-trust-strategy-user.md
+ - name: Align device security
+ href: dod-zero-trust-strategy-device.md
+ - name: Align app/workload security
+ href: dod-zero-trust-strategy-apps.md
+ - name: Align data security
+ href: dod-zero-trust-strategy-data.md
+ - name: Align network security
+ href: dod-zero-trust-strategy-network.md
+ - name: Align SecOps
+ items:
+ - name: Automation/Orchestration
+ href: dod-zero-trust-strategy-automation.md
+ - name: Visibility and analytics
+ href: dod-zero-trust-strategy-visibility.md
+
+- name: Adopt Zero Trust security
expanded: false
items:
+ - name: Follow a security adoption model
+ href: security-adoption-model.md
+ - name: Start a security adoption journey
+ href: security-adoption-journey.md
+ - name: Review security reference architectures
+ href: microsoft-reference-architecture.md
+ - name: Align with Zero Trust frameworks
+ href: security-zero-trust-frameworks.md
+ - name: Review roles and responsibilities
+ href: security-adoption-roles.md
+
+ - name: Adoption (SAF) workshops
+ items:
- name: Overview
- href: microsoft-365-zero-trust.md
- maintainContext: true
- - name: Deploy your identity infrastructure for Microsoft 365
+ href: workshop-business-overview.md
+ - name: CISO workshop
+ href: workshop-business-security-leaders.md
+ - name: CISO workshop videos
+ href: workshop-business-security-leaders-video.md
+
+ - name: Business scenarios
+ items:
+ - name: Overview
+ href: security-adoption-business-scenarios-overview.md
+ - name: Enable scenarios with Microsoft technologies
+ href: security-adoption-business-scenarios-technologies.md
+ - name: Adopt and secure AI
+ href: security-adoption-scenario-secure-ai.md
+ - name: Enable and secure remote work
+ href: security-adoption-scenario-remote-work.md
+ - name: Protect critical business assets
+ items:
+ - name: Overview
+ href: security-adoption-scenario-secure-assets.md
+ - name: Secure and govern privileged access
+ href: security-adoption-scenario-privileged-access.md
+ - name: Strengthen posture and compliance
+ href: security-adoption-scenario-improve-posture.md
+ - name: Minimize damage from security incidents
+ href: security-adoption-scenario-minimize-impact.md
+
+ - name: Security disciplines
+ items:
+ - name: Overview
+ href: security-adoption-discipline-overview.md
+ - name: Strategy, integration and governance
+ items:
+ - name: Overview
+ href: security-adoption-discipline-strategy.md
+ - name: Engage business leaders in security strategy
+ href: security-adoption-discipline-strategy-engage.md
+ - name: Security architecture
+ items:
+ - name: Overview
+ href: security-adoption-discipline-architecture.md
+ - name: Tips for effective security architecture
+ href: security-adoption-discipline-architecture-tips.md
+ - name: Access and identities
+ items:
+ - name: Overview
+ href: security-adoption-discipline-identity-access.md
+ - name: Design an enterprise access architecture
+ href: security-adoption-discipline-identity-access-enterprise-model.md
+ - name: Design a privileged access architecture
+ href: security-adoption-discipline-identity-access-privileged-model.md
+ - name: Data
+ items:
+ - name: Overview
+ href: security-adoption-discipline-data.md
+ - name: SecOps
items:
+ - name: Overview
+ href: security-adoption-discipline-security-operations.md
+ - name: Understand SecOps roles
+ href: security-adoption-discipline-security-operations-roles.md
+ - name: Avoid SecOps antipatterns
+ href: security-adoption-discipline-security-operations-common-issues.md
+ - name: Run a SecOps planning workshop
+ href: workshop-business-security-operations.md
+ - name: Plan incident response
+ items:
- name: Overview
- href: /microsoft-365/enterprise/deploy-identity-solution-overview?bc=%2fsecurity%2fzero-trust%2fbreadcrumb%2ftoc.json&toc=%2fsecurity%2fzero-trust%2ftoc.json
- maintainContext: true
- - name: Step 1. Determine your identity model
- href: /microsoft-365/enterprise/deploy-identity-solution-identity-model?bc=%2fsecurity%2fzero-trust%2fbreadcrumb%2ftoc.json&toc=%2fsecurity%2fzero-trust%2ftoc.json
- maintainContext: true
- - name: Step 2. Protect your privileged accounts
- href: /microsoft-365/enterprise/protect-your-global-administrator-accounts?bc=%2fsecurity%2fzero-trust%2fbreadcrumb%2ftoc.json&toc=%2fsecurity%2fzero-trust%2ftoc.json
- maintainContext: true
- - name: Step 3. Protect your user accounts
- href: /microsoft-365/enterprise/microsoft-365-secure-sign-in?bc=%2fsecurity%2fzero-trust%2fbreadcrumb%2ftoc.json&toc=%2fsecurity%2fzero-trust%2ftoc.json
- maintainContext: true
- - name: Step 4. Deploy your identity model
+ href: security-adoption-discipline-security-operations-incidents.md
+ - name: Playbooks
items:
- - name: Cloud-only identity
- href: /microsoft-365/enterprise/cloud-only-identities?bc=%2fsecurity%2fzero-trust%2fbreadcrumb%2ftoc.json&toc=%2fsecurity%2fzero-trust%2ftoc.json
- maintainContext: true
- - name: Hybrid identity
- items:
- - name: Prepare for directory synchronization
- href: /microsoft-365/enterprise/prepare-for-directory-synchronization?bc=%2fsecurity%2fzero-trust%2fbreadcrumb%2ftoc.json&toc=%2fsecurity%2fzero-trust%2ftoc.json
- maintainContext: true
- - name: Prepare a nonroutable domain for directory synchronization
- href: /microsoft-365/enterprise/prepare-a-non-routable-domain-for-directory-synchronization?bc=%2fsecurity%2fzero-trust%2fbreadcrumb%2ftoc.json&toc=%2fsecurity%2fzero-trust%2ftoc.json
- maintainContext: true
- - name: Set up directory synchronization
- href: /microsoft-365/enterprise/set-up-directory-synchronization?bc=%2fsecurity%2fzero-trust%2fbreadcrumb%2ftoc.json&toc=%2fsecurity%2fzero-trust%2ftoc.json
- maintainContext: true
- - name: Zero Trust identity and device configurations
- items:
+ - name: Phishing investigation
+ href: security-operations-playbook-phishing.md
+
+ - name: Development
+ items:
- name: Overview
- href: zero-trust-identity-device-access-policies-overview.md
- - name: Prerequisite work
- href: zero-trust-identity-device-access-policies-prerequisite.md
- - name: Common identity and device access policies
- href: zero-trust-identity-device-access-policies-common.md
- - name: Policies for guest and external users
- href: zero-trust-identity-device-access-policies-guest-access.md
- - name: Recommended policies and settings for Microsoft 365 workloads
- href: zero-trust-identity-device-access-policies-workloads.md
- - name: Manage endpoints with Intune and Microsoft 365
+ href: security-adoption-discipline-development.md
+ - name: Shift DevOps to DevSecOps
+ href: security-adoption-discipline-development-security.md
+ - name: Review secure development imperatives
+ href: security-adoption-discipline-development-imperatives.md
+
+ - name: Infrastructure
items:
- name: Overview
- href: manage-devices-with-intune-overview.md
- - name: Step 1. Implement App Protection policies
- href: manage-devices-with-intune-app-protection.md
- - name: Step 2. Enroll devices into management
- href: manage-devices-with-intune-enroll.md
- - name: Step 3. Set up compliance policies
- href: manage-devices-with-intune-compliance-policies.md
- - name: Step 4. Require healthy and compliant devices
- href: manage-devices-with-intune-require-compliance.md
- - name: Step 5. Deploy device profiles
- href: manage-devices-with-intune-configuration-profiles.md
- - name: Step 6. Monitor device risk and compliance
- href: manage-devices-with-intune-monitor-risk.md
- - name: Step 7. Implement data loss prevention (DLP) with information protection capabilities
- href: manage-devices-with-intune-dlp-mip.md
- - name: Deploy a Microsoft information protection solution
- href: /microsoft-365/compliance/information-protection-solution?bc=%2fsecurity%2fzero-trust%2fbreadcrumb%2ftoc.json&toc=%2fsecurity%2fzero-trust%2ftoc.json
- maintainContext: true
- - name: Manage data privacy and data protection with Microsoft Priva and Microsoft Purview
- items:
+ href: security-adoption-discipline-infrastructure.md
+
+ - name: OT/IoT
+ items:
- name: Overview
- href: /microsoft-365/solutions/data-privacy-protection?bc=%2fsecurity%2fzero-trust%2fbreadcrumb%2ftoc.json&toc=%2fsecurity%2fzero-trust%2ftoc.json
- maintainContext: true
- - name: Step 1. Assess data and risks
- href: /microsoft-365/solutions/data-privacy-protection-assess?bc=%2fsecurity%2fzero-trust%2fbreadcrumb%2ftoc.json&toc=%2fsecurity%2fzero-trust%2ftoc.json
- maintainContext: true
- - name: Step 2. Protect and govern data
- href: /microsoft-365/solutions/data-privacy-protection-protect-govern?bc=%2fsecurity%2fzero-trust%2fbreadcrumb%2ftoc.json&toc=%2fsecurity%2fzero-trust%2ftoc.json
- maintainContext: true
- - name: Step 3. Stay on track
- href: /microsoft-365/solutions/data-privacy-protection-regulations?bc=%2fsecurity%2fzero-trust%2fbreadcrumb%2ftoc.json&toc=%2fsecurity%2fzero-trust%2ftoc.json
- maintainContext: true
- - name: Step 4. Respond to incidents and subject requests
- href: /microsoft-365/solutions/data-privacy-protection-respond-requests?bc=%2fsecurity%2fzero-trust%2fbreadcrumb%2ftoc.json&toc=%2fsecurity%2fzero-trust%2ftoc.json
- maintainContext: true
- - name: Integrate SaaS apps for Zero Trust with Microsoft 365
+ href: security-adoption-discipline-iot.md
+
+ - name: Security posture
items:
- name: Overview
- href: integrate-saas-apps.md
- - name: Step 1. Add SaaS apps to Microsoft Entra ID and to the scope of policies
- href: add-saas-apps.md
- - name: Step 2. Create Defender for Cloud Apps policies
- href: create-policies.md
- - name: Step 3. Deploy information protection for SaaS Apps
- href: deploy-information-protection-saas.md
-- name: Microsoft Defender XDR and Microsoft Sentinel
+ href: security-adoption-discipline-posture.md
+ - name: Technology pillars
+ href: deploy/overview.md
+
+- name: Zero Trust workshops
items:
- - name: Incident response with XDR and integrated SIEM
- href: siem-xdr-overview.md
- - name: Zero Trust security with Microsoft Sentinel and Defender XDR
- href: siem-xdr-implement.md
- - name: Pilot and deploy Microsoft Defender XDR
+ - name: Overview
+ href: workshop-zero-trust-overview.md
+ - name: Launch the Zero Trust Workshop
+ href: https://aka.ms/ztworkshop
+ - name: Identity workshop
+ href: workshop-zero-trust-identity.md
+ - name: Devices workshop
+ href: workshop-zero-trust-devices.md
+ - name: Data workshop
+ href: workshop-zero-trust-data.md
+ - name: Networking workshop
+ href: workshop-zero-trust-networking.md
+ - name: Infrastructure workshop
+ href: workshop-zero-trust-infrastructure.md
+ - name: SecOps workshop
+ href: workshop-zero-trust-security-operations.md
+ - name: AI workshop
+ href: workshop-zero-trust-ai-security.md
+ - name: Implementation workshops for partners
+ items:
+ - name: Workshop delivery guide
+ href: https://microsoft.github.io/zerotrustassessment/docs/workshop-guidance/delivery-guide
+ - name: Zero trust partner kit
+ href: zero-trust-partner-kit.md
+ - name: Workshop partner FAQ
+ href: https://microsoft.github.io/zerotrustassessment/docs/zFAQs/partnerFAQs
+
+- name: Zero Trust assessment
+ items:
+ - name: Overview
+ href: assessment/overview.md
+ - name: Get started with the Zero Trust assessment
+ href: assessment/get-started.md
+ - name: Pillar assessment
+ expanded: false
items:
- - name: Overview
- href: /defender-xdr/pilot-deploy-overview?toc=/security/zero-trust/toc.json&bc=/security/breadcrumb/toc.json
- - name: Defender for Identity
- href: /defender-xdr/pilot-deploy-defender-identity?toc=/security/zero-trust/toc.json&bc=/security/breadcrumb/toc.json
- - name: Defender for Office 365
- href: /defender-xdr/pilot-deploy-defender-office-365?toc=/security/zero-trust/toc.json&bc=/security/breadcrumb/toc.json
- - name: Defender for Endpoint
- href: /defender-xdr/pilot-deploy-defender-endpoint?toc=/security/zero-trust/toc.json&bc=/security/breadcrumb/toc.json
- - name: Defender for Cloud Apps
- href: /defender-xdr/pilot-deploy-defender-cloud-apps?toc=/security/zero-trust/toc.json&bc=/security/breadcrumb/toc.json
- - name: Investigate and respond to threats
- href: /defender-xdr/pilot-deploy-investigate-respond?toc=/security/zero-trust/toc.json&bc=/security/breadcrumb/toc.json
- - name: Integrate with Microsoft Sentinel
+ - name: Identity
+ href: /entra/fundamentals/configure-security?toc=/security/zero-trust/toc.json&bc=/security/zero-trust/toc.json
+ - name: Devices
+ href: /intune/intune-service/protect/zero-trust-configure-security?toc=/security/zero-trust/toc.json&bc=/security/zero-trust/toc.json
+ - name: Network
+ href: /azure/networking/security/zero-trust-network-security?toc=/security/zero-trust/toc.json&bc=/security/zero-trust/toc.json
+ - name: Data
+ href: /purview/configure-security?toc=/security/zero-trust/toc.json&bc=/security/zero-trust/toc.json
+ - name: Assessment terminology
+ href: assessment/glossary.md
+- name: Implement Zero Trust solutions
+ items:
+ - name: Overview
+ href: implement-overview.md
+ - name: Technology pillars
+ href: deploy/overview.md
+- name: Secure AI and data
+ items:
+ - name: Adopt and secure AI
+ items:
+ - name: Build a strong AI posture
+ href: /security/security-for-ai/posture
+ - name: Prepare for AI security
+ href: /security/security-for-ai/prepare
+ - name: Discover AI apps/data
+ href: /security/security-for-ai/discover
+ - name: Protect AI apps/data
+ href: /security/security-for-ai/govern
+ - name: Govern AI for compliance
+ href: /security/security-for-ai/govern
+ - name: Take the Zero Trust AI workshop
+ href: workshop-zero-trust-ai-security.md
+ - name: Secure Microsoft Copilot
items:
- - name: Plan your deployment
- href: /unified-secops-platform/overview-plan?toc=/security/zero-trust/toc.json&bc=/security/breadcrumb/toc.json
- - name: Deploy Microsoft Defender XDR and Microsoft Sentinel
- href: /unified-secops-platform/overview-deploy?toc=/security/zero-trust/toc.json&bc=/security/breadcrumb/toc.json
- - name: Connect Microsoft Sentinel to the Defender portal (optional)
- href: /defender-xdr/microsoft-sentinel-onboard?toc=/security/zero-trust/toc.json&bc=/security/breadcrumb/toc.json
- - name: Respond to an incident (Defender portal)
- href: respond-incident-defender.md
- - name: Respond to an incident (Azure portal)
- href: respond-incident-azure.md
- - name: Recommended training for SIEM and XDR (Azure portal)
- href: siem-xdr-training.md
-- name: Microsoft Azure services
- expanded: false
- items:
- name: Overview
- href: apply-zero-trust-azure-services-overview.md
- - name: Azure Platform
- expanded: false
- items:
- - name: Overview and reference architecture
- href: azure-infrastructure-overview.md
- - name: Compute
- expanded: false
+ href: copilots/apply-zero-trust-copilots-overview.md
+ - name: Secure Microsoft 365 Copilot Chat
+ href: copilots/zero-trust-microsoft-copilot.md
+ - name: Secure Microsoft 365 Copilot
+ href: copilots/zero-trust-microsoft-365-copilot.md
+ - name: Secure Microsoft Security Copilot
+ href: copilots/zero-trust-microsoft-copilot-for-security.md
+ - name: Protect endpoints/data access
+ items:
+ - name: Overview
+ href: manage-devices-with-intune-overview.md
+ - name: Step 1. Protect apps
+ href: manage-devices-with-intune-app-protection.md
+ - name: Step 2. Enroll devices
+ href: manage-devices-with-intune-enroll.md
+ - name: Step 3. Set up compliance policies
+ href: manage-devices-with-intune-compliance-policies.md
+ - name: Step 4. Require device compliance
+ href: manage-devices-with-intune-require-compliance.md
+ - name: Step 5. Deploy device profiles
+ href: manage-devices-with-intune-configuration-profiles.md
+ - name: Step 6. Monitor risk/compliance
+ href: manage-devices-with-intune-monitor-risk.md
+ - name: Step 7. Implement DLP
+ href: manage-devices-with-intune-dlp-mip.md
+ - name: Protect sensitive data
+ items:
+ - name: Overview
+ href: /purview/information-protection?toc=/security/zero-trust/toc.json&bc=/security/zero-trust/toc.json
+ - name: Deploy information protection
+ href: /purview/information-protection-solution?toc=/security/zero-trust/toc.json&bc=/security/zero-trust/toc.json
+
+- name: Enable and secure remote work
+ items:
+ - name: Overview
+ href: adopt/secure-remote-hybrid-work.md
+ - name: Deploy identity in Microsoft 365
+ items:
+ - name: Overview
+ href: /microsoft-365/enterprise/deploy-identity-solution-overview?toc=/security/zero-trust/toc.json&bc=/security/zero-trust/toc.json
+ - name: Step 1 - Select an identity model
+ href: /microsoft-365/enterprise/deploy-identity-solution-identity-model?toc=/security/zero-trust/toc.json&bc=/security/zero-trust/toc.json
+ - name: Step 2 - Protect privileged accounts
+ href: /microsoft-365/enterprise//protect-your-global-administrator-accounts?toc=/security/zero-trust/toc.json&bc=/security/zero-trust/toc.json
+ - name: Step 3 - Protect user accounts
+ href: /microsoft-365/enterprise/microsoft-365-secure-sign-in??toc=/security/zero-trust/toc.json&bc=/security/zero-trust/toc.json
+ - name: Step 4- Deploy cloud/hybrid
items:
- - name: Virtual machines
- href: azure-infrastructure-virtual-machines.md
- - name: Azure Virtual Desktop
- href: azure-infrastructure-avd.md
- - name: Storage
- expanded: false
- items:
- - name: Azure storage
- href: azure-infrastructure-storage.md
- - name: Network
- expanded: false
- items:
- - name: Overview
- href: azure-networking-overview.md
- - name: Azure Virtual WAN
- href: azure-virtual-wan.md
- - name: Segment your network traffic
- href: azure-networking-segmentation.md
- - name: Encrypt your network traffic
- href: azure-networking-encryption.md
- - name: Gain visibility into network traffic
- href: azure-networking-visibility.md
- - name: Discontinue legacy network security technology
- href: azure-networking-legacy.md
- - name: Network Topology
- expanded: false
- items:
- - name: Azure hub virtual networks
- href: azure-infrastructure-networking.md
- - name: Azure spoke virtual networks
- href: azure-infrastructure-iaas.md
- - name: Spoke virtual networks with Azure PaaS services
- href: azure-infrastructure-paas.md
- - name: Multi-cloud
- expanded: false
- items:
- - name: IaaS applications in AWS
- href: secure-iaas-apps.md
- - name: Business Continuity
- expanded: false
- items:
- - name: Protect Azure resources from cyberattacks
- href: azure-protect-resources-cyberattacks.md
-- name: Technology partners
- expanded: false
+ - name: Cloud-only identity
+ href: /microsoft-365/enterprise/cloud-only-identities?toc=/security/zero-trust/toc.json&bc=/security/zero-trust/toc.json
+ - name: Hybrid identity
+ items:
+ - name: Prepare for directory synchronization
+ href: /microsoft-365/enterprise/prepare-for-directory-synchronization?toc=/security/zero-trust/toc.json&bc=/security/zero-trust/toc.json
+ - name: Prepare a non-routable domain
+ href: /microsoft-365/enterprise/prepare-a-non-routable-domain-for-directory-synchronization?toc=/security/zero-trust/toc.json&bc=/security/zero-trust/toc.json
+ - name: Set up directory synchronization
+ href: /microsoft-365/enterprise/set-up-directory-synchronization?toc=/security/zero-trust/toc.json&bc=/security/zero-trust/toc.json
+ - name: Configure secure access in Microsoft 365
+ items:
+ - name: Overview
+ href: zero-trust-identity-device-access-policies-overview.md
+ - name: Review prerequisites
+ href: zero-trust-identity-device-access-policies-prerequisite.md
+ - name: Configure identity/device policy
+ href: zero-trust-identity-device-access-policies-common.md
+ - name: Configure guest/external policy
+ href: zero-trust-identity-device-access-policies-guest-access.md
+ - name: Review policy recommendations for workloads
+ href: zero-trust-identity-device-access-policies-workloads.md
+ - name: Protect SaaS app access
+ items:
+ - name: Overview
+ href: integrate-saas-apps.md
+ - name: Step 1. Add SaaS apps to Microsoft Entra
+ href: add-saas-apps.md
+ - name: Step 2. Create Defender for Cloud Apps policies
+ href: create-policies.md
+ - name: Step 3. Deploy information protection
+ href: deploy-information-protection-saas.md
+
+- name: Protect critical assets
+ items:
+ - name: Protect sensitive data
+ href: adopt/identify-protect-sensitive-business-data.md
+ - name: Secure privileged access
+ items:
+ - name: Overview
+ href: adopt/implement-privileged-access.md
+ - name: Plan a privileged access architecture
+ href: adopt/implement-privileged-access-plan.md
+ - name: Phase 1 - Configure the identity control plane
+ href: adopt/implement-privileged-access-identity.md
+ - name: Phase 2 - Secure privileged devices
+ href: adopt/implement-privileged-access-devices.md
+ - name: Phase 3 - Enforce privileged access policy
+ href: adopt/implement-privileged-access-enforce.md
+ - name: Phase 4 Monitor and protect privileged access
+ href: adopt/implement-privileged-access-monitor.md
+
+- name: Improve posture and compliance
+ items:
+ - name: Modernize security posture
+ href: adopt/rapidly-modernize-security-posture.md
+ - name: Meet regulatory compliance requirements
+ href: adopt/meet-regulatory-compliance-requirements.md
+
+- name: Minimize damage from incidents
items:
+ - name: Overview
+ href: adopt/prevent-reduce-business-damage-breach.md
+ - name: Implement a prevention/recovery infrastructure
+ href: adopt/prevent-reduce-business-damage-breach-infrastructure.md
+ - name: Respond to incidents with Microsoft Defender
+ href: siem-xdr-overview.md
+ - name: Investigate and respond with Defender XDR
+ href: /defender-xdr/investigate-respond-incidents?toc=/security/zero-trust/toc.json&bc=/security/zero-trust/toc.json
+ - name: Protect Azure resources from attack
+ href: azure-protect-resources-cyberattacks.md
+ - name: Monitor Zero Trust with Microsoft Sentinel
+ href: /azure/sentinel/sentinel-solution?toc=/security/zero-trust/toc.json&bc=/security/zero-trust/toc.json
+
+- name: Configure Zero Trust for small businesses
+ href: guidance-smb-partner.md
+
+- name: Secure technology pillars
+ items:
+ - name: Overview
+ href: deploy/overview.md
+ - name: Secure identity
+ items:
- name: Overview
- href: integrate/overview.md
- - name: Identity
+ href: deploy/identity.md
+ - name: Take the Zero Trust identity workshop
+ href: workshop-zero-trust-identity.md
+ - name: ISVs-Integrate with Microsoft
href: integrate/identity.md
- - name: Endpoints
+ - name: Secure endpoints
+ items:
+ - name: Overview
+ href: deploy/endpoints.md
+ - name: Take the Zero Trust devices workshop
+ href: workshop-zero-trust-devices.md
+ - name: ISVs-Integrate with Microsoft
href: integrate/endpoints.md
- - name: Applications
- href: integrate/applications.md
- - name: Data
+ - name: Secure data
+ items:
+ - name: Overview
+ href: deploy/data.md
+ - name: Take the Zero Trust data workshop
+ href: workshop-zero-trust-data.md
+ - name: ISVs-Integrate with Microsoft
href: integrate/data.md
- - name: Infrastructure
+ - name: Secure apps
+ items:
+ - name: Overview
+ href: deploy/applications.md
+ - name: ISVs-Integrate with Microsoft
+ href: integrate/applications.md
+ - name: Secure infrastructure
+ items:
+ - name: Overview
+ href: deploy/infrastructure.md
+ - name: Take the Zero Trust infrastructure workshop
+ href: workshop-zero-trust-infrastructure.md
+ - name: Apply Zero Trust principles to Azure IaaS
+ href: azure-infrastructure-overview.md
+ - name: Secure VMs with Zero Trust
+ href: azure-infrastructure-virtual-machines.md
+ - name: Secure AWS VMs with Zero Trust
+ href: secure-iaas-apps.md
+ - name: Deploy Azure Storage with Zero Trust
+ href: azure-infrastructure-storage.md
+ - name: Protect Microsoft 365 workloads with Zero Trust
+ href: microsoft-365-zero-trust.md
+ - name: Integrate with Microsoft solutions
href: integrate/infrastructure.md
- - name: Networks
- href: integrate/networks.md
- - name: Visibility, automation, and orchestration
+ - name: Secure networks
+ items:
+ - name: Overview
+ href: deploy/networks.md
+ - name: Take the Zero Trust network workshop
+ href: workshop-zero-trust-networking.md
+ - name: Apply Zero Trust to hub/spoke networks
items:
- - name: Overview
- href: integrate/visibility-automation-orchestration.md
- - name: Monitor Zero Trust with Microsoft Sentinel
- href: /azure/sentinel/sentinel-solution?toc=/security/zero-trust/integrate/TOC.json&bc=/security/zero-trust/breadcrumb/toc.json
- maintainContext: true
-- name: Developers
- expanded: false
- items:
+ - name: Deploy Azure Virtual WAN with Zero Trust
+ href: azure-virtual-wan.md
+ - name: Deploy a hub network with Zero Trust
+ href: azure-infrastructure-networking.md
+ - name: Deploy a spoke network with Zero Trust
+ href: azure-infrastructure-iaas.md
+ - name: Segment network traffic
+ href: azure-networking-segmentation.md
+ - name: Encrypt network traffic
+ href: azure-networking-encryption.md
+ - name: Monitor network traffic
+ href: azure-networking-encryption.md
+ - name: Discontinue legacy technologies
+ href: azure-networking-legacy.md
+ - name: Integrate with Microsoft solution
+ href: integrate/networks.md
+
+ - name: Secure SecOps
+ items:
- name: Overview
+ href: deploy/visibility-automation-orchestration.md
+ - name: Take the Zero Trust SecOps workshop
+ href: workshop-zero-trust-security-operations.md
+ - name: ISVs-Integrate with Microsoft solutions
+ href: integrate/visibility-automation-orchestration.md
+
+ - name: Secure development/DevOps
+ expanded: false
+ items:
+ - name: Zero trust development
+ href: develop/overview.md
+ - name: Standards-based development
+ href: develop/identity-standards-based-development-methodologies.md
+ - name: Secure the developer environment
+ href: develop/secure-dev-environment-zero-trust.md
+ - name: Secure the DevOps environment
+ href: develop/secure-devops-environments-zero-trust.md
+ - name: Secure the DevOps platform
+ href: develop/secure-devops-platform-environment-zero-trust.md
+ - name: Embed Zero Trust in developer workflow
+ href: develop/embed-zero-trust-dev-workflow.md
+ - name: Secure app development
items:
- - name: Zero Trust development
- href: develop/overview.md
- - name: Application security and Zero Trust
+ - name: Secure applications
href: develop/identity-zero-trust-compliance.md
- - name: IAM development best practices
- href: develop/identity-iam-development-best-practices.md
- - name: Standards-based development
- href: develop/identity-standards-based-development-methodologies.md
- - name: Developer and IT Pro responsibilities
+ - name: App registration, authorization, access
href: develop/identity-developer-administrator-responsibilities.md
- - name: Permissions and access
- items:
- - name: Overview
- href: develop/identity.md
- - name: App integration
- href: develop/integrate-apps-microsoft-identity-platform.md
- - name: App registration
- href: develop/app-registration.md
- - name: Identity and account types for apps
- href: develop/identity-supported-account-types.md
- - name: User authentication
- href: develop/user-authentication.md
- - name: Resource access authorization
- href: develop/acquire-application-authorization-to-access-resources.md
- - name: Delegated permissions
- href: develop/developer-strategy-delegated-permission.md
- - name: Application permissions
- href: develop/developer-strategy-application-permissions.md
- - name: Permissions that require admin consent
- href: develop/permissions-require-admin-consent.md
- - name: Overprivileged permissions
- href: develop/overprivileged-permissions.md
- - name: Application identity
- href: develop/identity-non-user-applications.md
- - name: Token management
- href: develop/token-management.md
- - name: Token customization
- href: develop/zero-trust-token-customization.md
- - name: Secure apps with Continuous Access Evaluation
- href: develop/secure-with-cae.md
- - name: Group claims and app roles in tokens
- href: develop/configure-tokens-group-claims-app-roles.md
- - name: API protection
- href: develop/protect-api.md
- - name: Protected API example
- href: develop/protected-api-example.md
- - name: API call to another API
- href: develop/api-calls-api.md
- - name: Authorization best practices
- href: develop/developer-strategy-authorization-best-practices.md
- - name: Zero Trust DevSecOps
- items:
- - name: Overview
- href: develop/secure-devops-environments-zero-trust.md
- - name: Secure DevOps platform environment
- href: develop/secure-devops-platform-environment-zero-trust.md
- - name: Secure development environment
- href: develop/secure-dev-environment-zero-trust.md
- - name: Embed Zero Trust into developer workflow
- href: develop/embed-zero-trust-dev-workflow.md
-- name: Illustrations for IT architects and implementers
- href: zero-trust-tech-illus.md
+ - name: App identitiy/access best practices
+ href: develop/identity-iam-development-best-practices.md
+ - name: Secure identity in apps
+ items:
+ - name: Overview
+ href: develop/identity.md
+ - name: App integration
+ href: develop/integrate-apps-microsoft-identity-platform.md
+ - name: App registration
+ href: develop/app-registration.md
+ - name: Identity and account types for apps
+ href: develop/identity-supported-account-types.md
+ - name: User authentication
+ href: develop/user-authentication.md
+ - name: Resource access authorization
+ href: develop/acquire-application-authorization-to-access-resources.md
+ - name: Delegated permissions
+ href: develop/developer-strategy-delegated-permission.md
+ - name: Application permissions
+ href: develop/developer-strategy-application-permissions.md
+ - name: Permissions that require admin consent
+ href: develop/permissions-require-admin-consent.md
+ - name: Overprivileged permissions
+ href: develop/overprivileged-permissions.md
+ - name: Application identity
+ href: develop/identity-non-user-applications.md
+ - name: Token management
+ href: develop/token-management.md
+ - name: Token customization
+ href: develop/zero-trust-token-customization.md
+ - name: Secure apps with Continuous Access Evaluation
+ href: develop/secure-with-cae.md
+ - name: Group claims and app roles in tokens
+ href: develop/configure-tokens-group-claims-app-roles.md
+ - name: API protection
+ href: develop/protect-api.md
+ - name: Protected API example
+ href: develop/protected-api-example.md
+ - name: API call to another API
+ href: develop/api-calls-api.md
+ - name: Authorization best practices
+ href: develop/developer-strategy-authorization-best-practices.md
+
- name: Resources
expanded: false
items:
- - name: US Federal Zero Trust memo 22-09
- href: /azure/active-directory/standards/memo-22-09-meet-identity-requirements
- maintainContext: true
- - name: Zero Trust Essentials Video Series
- href: https://www.youtube.com/watch?v=LE52xoYlFvs&list=PLXtHYVsvn_b_P09Jqw65XvV0zp6HP2liu
- - name: Resources for your Zero Trust journey
- href: https://www.microsoft.com/security/blog/2021/05/24/resources-for-accelerating-your-zero-trust-journey/
- - name: Zero Trust Assessment
- href: https://info.microsoft.com/ww-landing-Zero-Trust-Assessment.html
- - name: Microsoft Zero Trust Security Blog
- href: https://www.microsoft.com/security/blog/zero-trust/
- - name: Microsoft Intelligent Security Association
- href: https://www.microsoft.com/security/business/intelligent-security-association
-- name: Best practices resources
- expanded: false
- items:
-
- - name: US Government guidance
- items:
- - name: CISA Zero Trust Maturity Model
- expanded: false
- items:
- - name: Introduction
- href: cisa-zero-trust-maturity-model-intro.md
- - name: Identity
- href: cisa-zero-trust-maturity-model-identity.md
- - name: Devices
- href: cisa-zero-trust-maturity-model-devices.md
- - name: Networks
- href: cisa-zero-trust-maturity-model-networks.md
- - name: Applications and workloads
- href: cisa-zero-trust-maturity-model-apps.md
- - name: Data
- href: cisa-zero-trust-maturity-model-data.md
- - name: DoD Zero Trust Strategy
- expanded: false
- items:
- - name: Introduction
- href: dod-zero-trust-strategy-intro.md
- - name: User
- href: dod-zero-trust-strategy-user.md
- - name: Device
- href: dod-zero-trust-strategy-device.md
- - name: Applications and workloads
- href: dod-zero-trust-strategy-apps.md
- - name: Data
- href: dod-zero-trust-strategy-data.md
- - name: Network
- href: dod-zero-trust-strategy-network.md
- - name: Automation and orchestration
- href: dod-zero-trust-strategy-automation.md
- - name: Visibility and analytics
- href: dod-zero-trust-strategy-visibility.md
- - name: More best practices
- items:
- - name: The immutable laws of security
- href: ten-laws-of-security.md
-
+ - name: Zero Trust illustrations
+ href: zero-trust-tech-illus.md
+ - name: Zero Trust Essentials Video Series
+ href: https://www.youtube.com/watch?v=LE52xoYlFvs&list=PLXtHYVsvn_b_P09Jqw65XvV0zp6HP2liu
+ - name: Zero Trust Workshop
+ href: https://microsoft.github.io/zerotrustassessment/
+ - name: Microsoft Zero Trust Security Blog
+ href: https://www.microsoft.com/security/blog/zero-trust/
+ - name: US Federal Zero Trust memo 22-09
+ href: /azure/active-directory/standards/memo-22-09-meet-identity-requirements
+
+
diff --git a/security-docs/zero-trust/adopt/identify-protect-sensitive-business-data.md b/security-docs/zero-trust/adopt/identify-protect-sensitive-business-data.md
index b4a4490f1..fa089d4ef 100644
--- a/security-docs/zero-trust/adopt/identify-protect-sensitive-business-data.md
+++ b/security-docs/zero-trust/adopt/identify-protect-sensitive-business-data.md
@@ -1,60 +1,24 @@
---
title: Identify and protect sensitive business data with Zero Trust
description: Learn how to identify and protect sensitive business data with Zero Trust.
-ms.date: 05/05/2025
+ms.date: 05/24/2025
ms.service: security
ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
ms.topic: how-to
-ms.collection:
- - zerotrust-adopt
----
-
-
# Identify and protect sensitive business data
As part of Zero Trust adoption guidance, this article describes the business scenario of safeguarding your most critical data assets. This scenario focuses on how to identify and protect sensitive business data.
-Digital transformation has led organizations to deal with increasing volumes of data. However, external collaborators such as partners, vendors, and customers access much of that shared data outside the corporate network. This shift has created a complex data landscape, especially when you consider the proliferation of hybrid workforces and cloud migrations, growing cyberthreats, evolving security, and changing regulatory requirements around how data is governed and protected.
+With digital transformation organizations deal with increasing volumes of data. However, external collaborators such as partners, vendors, and customers access much of that shared data outside the corporate network. This shift has created a complex data landscape, especially when you consider the proliferation of hybrid workforces and cloud migrations, growing cyberthreats, evolving security, and changing regulatory requirements around how data is governed and protected.
-With hybrid work models, corporate assets and data are on the move. Your organization needs to control wherever the data is stored and transferred on devices, inside apps, and with partners. For modern-day security, however, you can no longer rely on traditional network protection controls.
+With hybrid work models, corporate assets and data are on the move. Your organization needs to control wherever the data is stored and transferred on devices, inside apps, and with partners. For modern-day security you can no longer rely on traditional network protection controls.
| Traditional data protection with network controls | Modern data protection with Zero Trust |
| --- | --- |
@@ -78,8 +42,8 @@ The following table provides reasons why business leaders across an organization
| Chief Marketing Officer (CMO) | Product planning, messaging, branding, and upcoming product announcements must be released at the right time and in the right way to maximize impact. Untimely leakage can reduce investment returns and tip off competitors to upcoming plans. |
| Chief Information Officer (CIO) | While traditional approaches for protecting information relied on limiting access to it, protecting sensitive data adequately by using modern technologies enables more flexible collaboration with external parties, as needed, without increasing risk. Your IT departments can fulfill their mandate to ensure productivity while minimizing risk. |
| Chief Information Security Officer (CISO) | As the primary function of this role, securing sensitive business data is an integral part of information security. This outcome directly affects the organization’s larger cybersecurity strategy. Advanced security technology and tools provide the ability to monitor data and prevent leakage and loss. |
-| Chief Technology Officer (CTO) | Intellectual property can differentiate a successful business from a failing one. Protecting this data from oversharing, unauthorized access, and theft is key to ensure future growth of the organization. |
-|Chief Operations Officer (COO) | Operations data, procedures, and production plans are a key strategic advantage to an organization. These plans can also reveal strategic vulnerabilities that can be exploited by competitors. Protecting this data from theft, oversharing, and misuse is critical to the continued success of the business. |
+| Chief Technology Officer (CTO) | Intellectual property can differentiate a successful business from a failing one. A key to future growth is to protect this data from oversharing, unauthorized access, and theft. |
+|Chief Operations Officer (COO) | Operations data, procedures, and production plans are a key strategic advantage to an organization. These plans can also reveal strategic vulnerabilities that can be exploited by competitors. Data protection from theft, oversharing, and misuse is critical to the continued success of the business. |
| Chief Financial Officer (CFO) | Publicly traded companies have a duty to protect specific financial data before it's made public. Other financial data can reveal plans and strategic strengths or weaknesses. This data must all be protected to both ensure compliance with existing regulations and maintain strategic advantages. |
| Chief Compliance Officer (CCO) | Regulations across the world mandate protection of PII of customers or employees and other sensitive data. The CCO is responsible for ensuring the organization abides by such regulations. A comprehensive information protection strategy is key to achieving that goal. |
| Chief Privacy Officer (CPO) | A CPO is typically responsible for ensuring protection of personal data. In organizations that deal with large amounts of customer personal data and organizations operating in regions with strict privacy regulations, failure to protect sensitive data can result in steep fines. These organizations also risk losing customer trust as a consequence. CPOs must also prevent personal data from being misused in ways that violate customer agreements or laws, which can include improper sharing of the data within the organization and with partners. |
@@ -163,11 +127,11 @@ If this staged approach works for your organization, you can use:
- This [downloadable PowerPoint slide deck](https://download.microsoft.com/download/a/b/5/ab51ac2a-e9de-4c8f-8323-6bc7c2f78c1f/ZeroTrust-Adoption-Resources.pptx) to present and track your progress through these stages and objectives for business leaders and other stakeholders. Here's the slide for this business scenario.
- :::image type="content" source="../media/adoption-guide/zero-trust-protect-data-progress-tracking.png" alt-text="The PowerPoint slide for the stages of your identify and protect sensitive business data deployment." lightbox="../media/adoption-guide/zero-trust-protect-data-progress-tracking.png":::
+ :::image type="content" source="../media/adoption-guide/zero-trust-protect-data-progress-tracking.png" alt-text="The PowerPoint slide for the stages of identifying and protecting sensitive business data." lightbox="../media/adoption-guide/zero-trust-protect-data-progress-tracking.png":::
- This [Excel workbook](https://download.microsoft.com/download/d/0/3/d030e1d6-ea3d-45a1-9672-938e1b01db0d/zero-trust-business-scenario-objectives-tracking-workbook.xlsx) to assign owners and track your progress for these stages, objectives, and their tasks. Here's the worksheet for this business scenario.
- :::image type="content" source="../media/adoption-guide/adoption-tracking-worksheet-identify-protect-sensitive-data.png" alt-text="The progress tracking worksheet for your identify and protect sensitive business data deployment." lightbox="../media/adoption-guide/adoption-tracking-worksheet-identify-protect-sensitive-data.png":::
+ :::image type="content" source="../media/adoption-guide/adoption-tracking-worksheet-identify-protect-sensitive-data.png" alt-text="Progress tracking worksheet for identity and sensitive data protection." lightbox="../media/adoption-guide/adoption-tracking-worksheet-identify-protect-sensitive-data.png":::
### Understand your organization
@@ -179,7 +143,7 @@ The following actions apply:
- Inventory your data.
- First, take stock of where all your data resides, which can be as simple as listing the apps and repositories with your data. After technologies like sensitivity labeling have been deployed, you may discover other locations where sensitive data is being stored. These locations are sometimes referred to as dark or grey IT.
+ First, take stock of where all your data resides, which can be as simple as listing the apps and repositories with your data. After technologies like sensitivity labeling have been deployed, you might discover other locations where sensitive data is being stored. These locations are sometimes referred to as dark or grey IT.
It’s also helpful to estimate how much data you plan to inventory (the volume). Throughout the recommended technical process, you use the tool set to discover and identify business data. You’ll learn what kinds of data you have and where this data resides across services and cloud apps, enabling you to correlate the sensitivity of the data with the level of exposure of the locations in which it's present.
@@ -189,7 +153,7 @@ The following actions apply:
The four stages recommended represent an incremental adoption plan. Adjust this plan based on your organization’s priorities and the composition of your digital estate. Be sure to take account of any timeline milestones or obligations for completing this work.
-- Inventory any data sets or dedicated projects that require compartmentalized protection (for example, tented or special projects).
+- Inventory any data sets or dedicated projects that require compartmentalized protection.
Not every organization requires compartmentalized protection.
@@ -220,7 +184,7 @@ This table summarizes roles that are recommended when building a sponsorship pro
The [PowerPoint deck of resources](https://download.microsoft.com/download/a/b/5/ab51ac2a-e9de-4c8f-8323-6bc7c2f78c1f/ZeroTrust-Adoption-Resources.pptx) for this adoption content includes the following slide with a stakeholder view that you can customize for your own organization.
-:::image type="content" source="../media/adoption-guide/zero-trust-protect-data-stakeholders.png" alt-text="The PowerPoint slide to identify key stakeholders for your identify and protect sensitive business data deployment." lightbox="../media/adoption-guide/zero-trust-protect-data-stakeholders.png":::
+:::image type="content" source="../media/adoption-guide/zero-trust-protect-data-stakeholders.png" alt-text="The PowerPoint slide to identify key stakeholders for identity and protect sensitive data deployment." lightbox="../media/adoption-guide/zero-trust-protect-data-stakeholders.png":::
### Technical planning and skills readiness
@@ -241,7 +205,7 @@ The Stage 1 deployment objectives include the process of taking inventory of you
##### Discover and identify sensitive business data
-Starting with Microsoft 365, some of the primary tools you use to identify sensitive information that needs to be protected are sensitive information types (SITs) and other classifiers, including trainable classifiers and fingerprints. These identifiers help find common sensitive data types, such as credit card numbers or governmental identification numbers, and identifying sensitive documents and emails using machine learning and other methods. You can also create custom SITs to identify data that is unique to your environment, including using exact data matching to differentiate data pertaining to specific people—for example, customer PII—that needs special protection.
+Starting with Microsoft 365, some of the primary tools you use to identify sensitive information that needs to be protected are sensitive information types (SITs) and other classifiers, including trainable classifiers and fingerprints. These identifiers help find common sensitive data types, such as credit card numbers or governmental identification numbers. They also help you to identify sensitive documents and emails using machine learning and other techniques. You can also create custom SITs to identify data that is unique to your environment, including using exact data matching to differentiate data pertaining to specific people—for example, customer PII—that needs special protection.
When data is added to your Microsoft 365 environment or modified, it's automatically analyzed for sensitive content using any SITs that are presently defined in your tenant.
@@ -255,10 +219,10 @@ The following table lists resources for discovering sensitive business data.
| Resource | Description |
| --- | --- |
-| [Deploy an information protection solution with Microsoft 365 Purview](/microsoft-365/compliance/information-protection-solution) | Introduces a framework, process, and capabilities you can use to accomplish your specific business objectives for information protection. |
+| [Deploy an information protection solution with Microsoft Purview](/microsoft-365/compliance/information-protection-solution) | Introduces a framework, process, and capabilities you can use to accomplish your specific business objectives for information protection. |
| [Sensitive information types](/microsoft-365/compliance/sensitive-information-type-learn-about) | Start here to get started with sensitive information types. This library includes many articles for experimenting with and optimizing SITs. |
| [Content explorer](/microsoft-365/compliance/data-classification-content-explorer) | Scan your Microsoft 365 environment for the occurrence of SITs and view the results in the content explorer tool. |
-| [Trainable classifiers](/microsoft-365/compliance/classifier-learn-about) | Trainable classifiers allow you to bring samples of the type of content you want to discover (seeding) and then let the machine learning engine learn how to discover more of this data. You participate in the classifier training by validating the results until the accuracy is improved. |
+| [Trainable classifiers](/microsoft-365/compliance/classifier-learn-about) | Trainable classifiers allow you to bring samples of the type of content you want to discover (seeding) so that the engine for machine learning can learn how to discover more of this data. You participate in the classifier training by validating the results until the accuracy is improved. |
| [Exact data matching](/microsoft-365/compliance/sit-get-started-exact-data-match-based-sits-overview) | Exact data matching allows you to find sensitive data that matches existing records—for example, your customers’ PII as recorded in your line of business apps—which enables you to precisely target such data with information protection policies, virtually eliminating false positives. |
| [Content search](/microsoft-365/compliance/search-for-content) | Use Content search for advanced searches, including custom filters. You can use keywords and Boolean search operators. You can also build search queries using Keyword Query Language (KQL). |
| RaMP checklist: [Data protection: Know your data](/security/zero-trust/data-compliance-gov-data#1-know-your-data) | A checklist of implementation steps with step owners and links to documentation. |
@@ -395,7 +359,7 @@ In this stage, you extend the protections you developed in Microsoft 365 to data
| Resource | Description |
| --- | --- |
-| [Microsoft Purview data governance documentation](/azure/purview/) | Learn how to use the Microsoft Purview governance portal so your organization can find, understand, govern, and consume data sources. Tutorials, REST API reference, and other documentation show you how to plan and configure your data repository where you can discover available data sources and manage rights use. |
+| [Microsoft Purview data governance documentation](/azure/purview/) | Learn how to use the Microsoft Purview portal to help your organization find, understand, govern, and consume data sources. Tutorials, REST API reference, and other documentation show you how to plan and configure your data repository where you can discover available data sources and manage rights use. |
### Cloud adoption plan
@@ -426,7 +390,7 @@ This list summarizes the high-level methodical process for doing this work:
- Introduce classification into Office apps.
- Move on to protection of data on devices by experimenting with and then rolling out endpoint DLP.
- Extend the capabilities you’ve refined within your Microsoft 365 estate to data in cloud apps by using Defender for Cloud Apps.
-- Discover and apply protection to data on-premises using Microsoft Purview Information Protection scanner
+- Discover and apply protection to data on-premises using Microsoft Purview Information Protection scanner.
- Use Microsoft Purview data governance to discover and protect data in cloud data storage services, including Azure Blobs, Cosmos DB, SQL databases, and Amazon Web Services S3 repositories.
This diagram shows the process.
diff --git a/security-docs/zero-trust/adopt/implement-privileged-access-devices.md b/security-docs/zero-trust/adopt/implement-privileged-access-devices.md
new file mode 100644
index 000000000..72022e9ef
--- /dev/null
+++ b/security-docs/zero-trust/adopt/implement-privileged-access-devices.md
@@ -0,0 +1,279 @@
+---
+title: Secure devices and workstations
+description: Learn how to secure devices and workstations in a privileged access architecture
+ms.date: 05/25/2025
+ms.service: security
+author: rayne-wiselman
+ms.author: raynew
+ms.subservice: zero-trust
+ms.topic: conceptual
+ms.custom: sfi-image-nochange
+
+# Customer intent: As a security implementer, I want to understand how to configure privileged workstations in our privileged access architecture.
+---
+
+# Phase 2: Configure and secure privileged workstations
+
+This article is part of the [Implement a privileged access architecture](implement-privileged-access.md) solution guide.
+
+Privileged access presents a critical security risk in most organizations because it enables direct control over identity systems, cloud control planes, and business‑critical assets.
+
+Learn how a [secure privileged access architecture](../security-adoption-scenario-privileged-access.md) plays a critical role in your business scenario - *[Protect critical business assets](../security-adoption-scenario-secure-assets.md)* - by reducing this risk and strengthening control over sensitive systems.
+
+This article describes Phase 2 of the solution. It deploys and hardens Privileged Access Workstations (PAWs) so privileged activity originates only from trusted devices. It builds on Phase 1 and produces the device trust signals (Intune compliance and Microsoft Defender for Endpoint risk) used for enforcement in Phase 3.
+
+## Protection goals
+
+Phase 2 ensures that privileged access:
+
+- Originates only from trusted, hardened devices.
+- Is isolated from high‑risk productivity activities.
+- Produces a clean, reliable device signal for later enforcement.
+- Reduces credential theft, token replay, and session hijacking risk.
+- Limits blast radius if a device is compromised.
+
+## Protection scope
+
+Privileged access is only as trustworthy as the device from which it originates. Identity protections—such as MFA, approvals, and role activation—can't compensate for a compromised workstation.
+If an attacker controls the device used for privileged access, they can:
+
+- Steal authentication tokens after MFA is completed.
+- Inject malicious processes into administrative sessions.
+- Replay credentials or tokens from memory.
+- Bypass approval workflows by operating as the legitimate user.
+
+For privileged roles, a single compromised workstation can enable rapid escalation to tenant‑wide or enterprise‑wide control. As a result, device security defines the upper bound of trust for privileged access.
+Privileged access policies therefore assume that administrative sessions originate from devices that meet the highest security bar. These devices form the trust boundary for privileged operations.
+
+### Privileged access workstations (PAWs)
+
+A PAW is a hardened, managed Windows workstation designed exclusively for privileged tasks. PAWs define the device trust boundary for privileged access, and are isolated from common attack vectors.
+
+- Are isolated from email, general web browsing, and productivity workloads.
+- Are enrolled and managed via Microsoft Intune.
+- Use Microsoft Entra ID for identity integration.
+- Are monitored by Microsoft Defender for Endpoint.
+- Provide a strong hardware-based root of trust.
+
+Here's how PAWs fit in from a security level/profile perspective.
+
+**Security level** | **Device profile**
+--- | ---
+Enterprise users | Standard managed device
+Specialized operators | Hardened managed device
+Privileged (control plane administrators) | PAW
+
+
+## Risks mitigated
+
+**Risk** | **Why it matters** | **Phase 1 mitigation**
+--- | --- | ---
+**Attacker steals authentication tokens after MFA** |MFA protects authentication, not the execution environment. If a workstation is compromised, attackers can steal tokens post‑authentication and reuse them to impersonate privileged users. | PAWs isolate privileged work on hardened devices with reduced attack surface, credential protection (Credential Guard), and continuous monitoring, preventing token theft from compromised productivity devices.
+**Malicious process injection into administrative sessions** | Attackers can inject code into admin tools or browser sessions on compromised devices, gaining control of privileged operations even when identities are protected. | Application control, removal of local admin rights, and restricted application execution on PAWs prevent unauthorized code execution during administrative sessions.
+**Credential replay from memory** | Attackers can extract credentials or tokens from memory on compromised workstations and replay them to escalate privileges or move laterally. | PAWs enforce credential isolation using virtualization‑based security and hardened OS configurations, reducing exposure of credentials in memory and limiting replay opportunities.
+**Approval workflows bypassed from compromised devices** |Even with approval‑based role activation, attackers controlling a workstation can hijack approved sessions and rapidly escalate privileges. |Device trust becomes a prerequisite for privileged work. PAWs ensure approvals and administrative actions occur only from devices designed to resist compromise.
+**Rapid escalation from compromised workstation** |A single compromised admin workstation can allow attackers to pivot quickly to identity systems, control planes, and enterprise‑wide administration.| Device security sets an upper bound on trust. PAWs provide the highest security bar, reducing the likelihood that a compromised endpoint can be used to escalate into privileged roles.
+
+
+## Phase outcomes
+
+After completing Phase 2:
+
+- One or more dedicated PAW devices are set up.
+- Privileged administrative work originates only from PAWs.
+- PAWs are isolated from productivity usage.
+- Devices are centrally managed, monitored, and recoverable.
+- Device trust assumptions are explicit and enforceable.
+- Later phases can safely apply Conditional Access and monitoring.
+
+
+## Prerequisites
+
+Before configuring procedures in this article:
+
+- Make sure that [Phase 1 instructions](implement-privileged-access-identity.md) are complete.
+- Learn about [device security in the privileged access story](../security-concept-privileged-access.md).
+- The following services should be available:
+ - Microsoft Entra ID as the identity provider.
+ - Microsoft Intune for device management.
+ - Microsoft Defender for Endpoint for threat protection.
+- You need at least one supported Windows device per administrator, with modern Windows hardware that supports:
+ - TPM 2.0
+ - UEFI Secure Boot
+ - BitLocker
+ - Virtualization-based security (VBS/HVCI)
+ - Firmware and drivers serviced through Windows Update.
+
+Devices that don't meet this bar must not be used for privileged access.
+
+
+## Step 1: Define PAW provisioning/lifecycle
+
+Define which devices are PAWs, how they are created, enrolled, managed, and prevented from being used before they are ready.
+
+### Create a PAW device group
+
+This group will contain PAW devices, and is used for:
+
+- Enrollment targeting
+- Hardening profiles
+- Compliance evaluation
+- Conditional Access enforcement in a later phase.
+
+Create as follows:
+
+1. In the [Microsoft Entra Admin Center](https://entra.microsoft.com), navigate to **Microsoft Entra ID** > **Groups** > **New group**.
+1. Configure the group settings, and then select **Create**.
+ - **Group type**: Security
+ - **Group name**: Secure Workstation Devices
+ - **Membership type**: Dynamic Devices
+
+1. Select **Add dynamic query** and add a rule with this syntax: *device.devicePhysicalIds -any _ -contains "[OrderID]: PAW"*
+
+1. Select **Save** > **Create**.
+
+Devices enrolled with the PAW Autopilot group tag are identified by the PAW dynamic device rule and treated as privileged access workstations.
+
+### Control who can create PAWs
+
+Ensure PAWs are enrolled intentionally and securely.
+
+- Restrict who can join devices to Microsoft Entra ID.
+- Require MFA to join devices.
+- Remove automatic local administrator rights on join.
+
+
+1. In the Entra Admin Center, navigate to **Devices** > **Device settings**.
+1. In **Users may join devices to Microsoft Entra ID** > **Selected**, select **Secure Workstation Users**.
+1. In **Require Multi-Factor Auth to join devices**, select **Yes**.
+1. In **Additional local administrator on Microsoft Entra joined devices**, select **None**.
+1. Save the settings.
+
+With this in place, only PAW users can enroll PAWs, MFA is required, and no PAW user becomes a local administrator by default.
+
+### Manage PAWs from first boot
+
+PAWs must be managed from first boot. Unmanaged devices cannot be trusted for privileged access.
+
+- Configure Microsoft Entra ID to automatically enroll devices into Intune.
+- Ensure all PAWs are MDM‑managed immediately after join.
+- Restrict device enrollment to approved platforms.
+
+1. Open **Microsoft Entra ID** > **Mobility (MDM and MAM)** > **Microsoft Intune**.
+1. Set **MDM user scope** to **All** and save.
+1. Configure **Enrollment restrictions**:
+ - Allow Windows device enrollment.
+ - Block or restrict personally owned devices.
+
+PAWs are always managed, never unmanaged.
+
+
+### Provision PAWs consistently
+
+Use Windows Autopilot to enforce consistent, repeatable PAW provisioning that ensures PAWs start in a known-good state.
+
+Create a dedicated Autopilot deployment profile, and assign it to the PAW device group.
+
+
+1. In the Microsoft Intune Admin Center, go to **Devices** > **Windows** > **Windows enrollment** > **Deployment profiles**.
+1. Select **Create profile** and create a profile with the following settings:
+ - **Name**: Secure workstation deployment profile
+ - **Convert all targeted devices to Autopilot**: Yes
+ - **Deployment mode**: Self‑deploying
+ - **User account type**: Standard
+1. Select **Create**.
+
+
+### Prevent PAWs from use before hardening
+
+Prevent PAWs from being used before they’re fully hardened. This prevents early exposure during setup.
+
+- Configure an Enrollment Status Page (ESP)
+- Block device use until all required profiles and applications install
+- Assign ESP to PAW devices
+
+1. In the Microsoft Intune Admin Center, go to **Devices** > **Windows** > **Windows enrollment** > **Enrollment status**.
+1. Select **Create profile** and create a profile with the following settings:
+ - **Show app and profile installation progress**: Yes
+ - **Block device use until all apps and profiles are installed**: Yes
+
+1. Assign to **Secure Workstation Devices** and select **Create**.
+
+### Ongoing lifecycle operations
+
+1. To recover and rebuild PAWs:
+ - Reset / reprovision PAWs via Autopilot when compromised.
+ - Treat PAWs as replaceable, not manually repaired.
+1. To identity and track PAWs use:
+
+ - Device group membership
+ - Autopilot registration
+
+With these processes in place, PAWs are explicitly identifiable, centrally managed devices that can be inventoried, reviewed, and safely wiped and re‑provisioned through Autopilot if compromised.
+
+## Step 2: Harden PAWs
+
+Harden Privileged Access Workstations (PAWs) to present a clean, low‑risk device signal. Hardening controls include reducing the attack surface, enforcing patching, and producing Defender risk/compliance signals.
+
+Conditional Access and monitoring controls rely on this posture to enforce privileged access decisions.
+
+These controls assume PAWs meet the required hardware security prerequisites defined earlier.
+
+### Configure Windows Update rings
+
+PAWs must be patched quickly and predictably. Delays or user‑controlled deferrals undermine device trust.
+
+
+1. In the Microsoft Intune Admin Center, go to **Devices** > **Windows** > **Software updates** > **Windows Update rings**.
+1. Select **Create profile**.
+1. Configure the following settings:
+ - Name: PAW – Windows Update Ring
+ - Quality update deferral (days): 3
+ - Feature update deferral (days): 3
+ - Automatic update behavior: Auto install and reboot without end‑user control
+ - Block user from pausing updates: Block
+ - Set deadline for pending restarts: 3 days
+
+1. In **Assignments**, assign to secure workstation devices.
+1. Create the profile.
+
+After you complete this procedure, PAWs stay patched with minimal exposure window and no user bypass.
+
+### Onboard to Defender for Endpoint
+
+Conditional Access and compliance depend on Defender risk signals. Without Defender for Endpoint, device trust is incomplete.
+
+1. In the Microsoft Intune Admin Center, go to **Endpoint security** > **Microsoft Defender for Endpoint**.
+1. Set **Connect Microsoft Defender for Endpoint to Intune** to **On**.
+1. Select **Save**.
+1. Refresh in Intune to confirm the connection.
+
+
+### Create an onboarding profile
+
+1. In the Microsoft Intune Admin Center, go to **Endpoint security** > **Endpoint detection and response**.
+1. Select **Create profile** and configure the following settings:
+ - Platform: Windows 10 and later
+ - Profile type: Endpoint detection and response
+ - Name: PAW - Defender for Endpoint
+
+1. In **Configuration settings** enable **Sample sharing for all files**.
+1. Assign to the **Secure Workstation Devices** group.
+1. Create the profile.
+
+After you configure the procedure, PAWs emit device risk, malware, and EDR telemetry used by Conditional Access and SecOps.
+
+### Enforce firewall and network restrictions
+
+Most PAW compromise paths are outbound. Restricting egress is critical.
+
+1. In the Microsoft Intune Admin Center, go to **Endpoint security** > **Firewall**.
+1. Create an **Endpoint protection** profile.
+1. Configure outbound firewall rules to allow only required services such as DNS, DHCP, NTP, and approved administrative and management endpoints. Block unnecessary outbound traffic by default.
+1. Assign to**Secure Workstation Devices**.
+
+After you configure the procedure, PAWs can reach only administrative endpoints required for management tasks.
+
+## Next steps
+
+With PAWs configured and hardened, the next step is to [enforce privileged access using Conditional Access and policy](implement-privileged-access-enforce.md).
\ No newline at end of file
diff --git a/security-docs/zero-trust/adopt/implement-privileged-access-enforce.md b/security-docs/zero-trust/adopt/implement-privileged-access-enforce.md
new file mode 100644
index 000000000..03d4fff27
--- /dev/null
+++ b/security-docs/zero-trust/adopt/implement-privileged-access-enforce.md
@@ -0,0 +1,170 @@
+---
+title: Phase 3-Enforce privileged access policies
+description: Learn how to configure Conditional Access to control privileged access
+ms.date: 05/18/2025
+ms.service: security
+author: rayne-wiselman
+ms.author: raynew
+ms.subservice: zero-trust
+ms.topic: conceptual
+ms.custom: sfi-image-nochange
+
+# Customer intent: As a security implementer, I want to understand how to enforce access policies in our privileged access architecture.
+---
+
+
+# Phase 3 - Enforce privileged access policies
+
+This article is part of the [Implement a privileged access architecture](implement-privileged-access.md) solution guide.
+
+Privileged access presents a critical security risk in most organizations because it enables direct control over identity systems, cloud control planes, and business‑critical assets.
+
+Learn how a [secure privileged access architecture](../security-adoption-scenario-privileged-access.md) plays a critical role in your business scenario - *[Protect critical business assets](../security-adoption-scenario-secure-assets.md)* - by reducing this risk and strengthening control over sensitive systems.
+
+This article describes Phase 3 of the implementation. It enforces privileged access policies to restrict where privileged identities can be used.
+
+Using the trusted device signals established in Phase 2, you configure Conditional Access so privileged roles, portals, and management interfaces can be used only from approved, low-risk privileged access workstations (PAWs).
+
+## Protection goals
+
+Phase 3 enforces the following protection goals:
+
+- Ensure privileged credentials can't be used from non-PAW devices.
+- Admin portals and interfaces are only reachable from compliant, low-risk devices.
+- Privileged access requires strong user authentication and verified device trust.
+- Restrict access to administrative interfaces (portals, APIs, PowerShell) to approved PAWs.
+- Stolen credentials can't be reused from standard or unmanaged endpoints.
+- Privileged access paths are explicit, auditable, and enforceable.
+
+## Protection scope
+
+Phase 3 protects privileged access interfaces and workflows through which privileged actions occur, including:
+
+- Cloud management portals (Azure portal, Microsoft Entra admin center, Microsoft 365 admin center)
+- Security management portals (Microsoft Defender portals)
+- Privileged role usage and activation (including PIM-controlled roles)
+- Administrative browser sessions
+- Network egress paths used by privileged devices
+
+Phase 3 doesn't reconfigure devices or identities. It enforces policy using the outputs of Phases 1 and 2.
+
+## Risks mitigated
+
+
+| **Risk** | **Why it matters** | **Phase 3 mitigation** |
+|------|----------------|--------------------|
+| **Privileged credentials reused from non‑PAW devices** | MFA and approvals do not prevent attackers from reusing stolen tokens or credentials on compromised standard workstations. | Conditional Access requires privileged roles to authenticate from compliant, low‑risk PAWs only. |
+| **Privileged access from high‑risk or unpatched devices** | A vulnerable device allows attackers to immediately exercise administrative control. | Access decisions evaluate Intune compliance and Microsoft Defender for Endpoint risk level before granting privileged access. |
+| **Administrative portals accessible** from unmanaged or BYOD devices | Cloud control planes become reachable from devices outside organizational control. | Conditional Access restricts administrative portals to PAWs, blocking access from non‑PAW devices. |
+| **Bypass of protected portals using alternate interfaces** | Attackers can avoid controls by using PowerShell, APIs, or alternative admin endpoints. | Enforcement applies consistently across administrative interfaces, not just primary portals. |
+| **Privileged role activation from compromised workstations** | Approval workflows can be hijacked if role activation occurs on an unsafe device. | PIM role activation and role usage are enforced through the same Conditional Access device trust requirements. |
+| **Credentials alone grant privileged access** | Identity‑only protections assume a trustworthy execution environment. | Phase 3 binds identity, device, and interface conditions so credentials alone are insufficient. |
+| **Lack of visibility into enforcement** | Without policy enforcement, it’s difficult to prove privileged access is constrained. | Conditional Access decisions and Defender telemetry provide auditable, observable enforcement evidence. |
+| **Rapid escalation after workstation compromise** | Attackers pivot quickly from a compromised device to enterprise‑wide control. | Phase 3 ensures stolen credentials are unusable outside PAWs, breaking common escalation paths. |
+
+
+
+## Phase outcomes
+
+After completing Phase 3:
+
+- Privileged roles and admin portals are only accessible from compliant, low‑risk PAWs.
+- Conditional Access blocks privileged access from non‑PAW devices.
+- Device compliance and Microsoft Defender for Endpoint risk signals are required inputs to access decisions.
+- Privileged access is enforced across identity, device, and interface layers.
+- Access attempts are logged, observable, and auditable.
+
+
+## Prerequisites
+
+Before configuring procedures in this article:
+
+- Complete [Phase 1 instructions](implement-privileged-access-identity.md) to secure the identity control plane.
+- Complete [Phase 2](implement-privileged-access-devices.md) to deploy and harden PAWs.
+- Make sure that device compliance and Defender for Endpoint integration is active.
+
+## Step 1 — Require MFA and device trust for privileged access
+
+Ensure privileged access requires strong user authentication and trusted devices.
+
+1. In the [Microsoft Entra Admin Center](https://entra.microsoft.com), navigate to **Protection** > **Conditional Access** > **Policies**.
+1. Select **Create new policy**.
+1. In **Assignments** > **Users** configure these settings:
+ - Include privileged directory roles such as Global Administrator, Security Administrator.
+ - Exclude the emergency break glass group.
+1. In **Assignments** > **Cloud apps** include cloud management applications such as the Azure portal, Microsoft Entra admin center, Microsoft 365 admin center, and Defender portals.
+1. In **Access controls**, grant access with these settings:
+ - Require multifactor authentication
+ - Require device to be marked as compliant
+ - Require Microsoft Defender for Endpoint device risk = Low
+1. Enable the policy.
+
+## Step 2 - Restrict administrative portals to PAWs
+
+Ensure that administrative portals are reachable only from compliant PAWs.
+
+1. In the [Microsoft Entra Admin Center](https://entra.microsoft.com), navigate to **Protection** > **Conditional Access** > **Policies**.
+1. Select **Create new policy** to create an additional policy.
+1. In **Assignments** > **Users** configure these settings:
+ - Include privileged directory roles such as Global Administrator, Security Administrator.
+ - Exclude the emergency break glass group.
+1. In **Assignments** > **Cloud apps** include the administrative applications used for privileged access in your environment.
+1. In **Access controls**, grant access with these settings:
+ - Require device to be marked as compliant
+ - Require Microsoft Defender for Endpoint device risk = Low
+1. Enable the policy.
+
+
+## Step 3 - Block privileged access from non-PAW devices
+
+Ensure that privileged access to administrative portals is blocked from non‑PAW devices, even if those devices meet general compliance requirements.
+
+1. In the [Microsoft Entra Admin Center](https://entra.microsoft.com), navigate to **Protection** > **Conditional Access** > **Policies**.
+1. Select **Create new policy** to create a third policy.
+1. In **Assignments** > **Users** configure these settings:
+ - Include privileged directory roles such as Global Administrator, Security Administrator.
+ - Exclude designated emergency access accounts.
+1. In **Assignments** > **Cloud apps** include the same administrative portals.
+1. Under **Conditions**, select **Filter for devices**.
+1. Configure the device filter to target non‑PAW devices:
+ - Select **Include filtered devices**:
+ - Configure a device filter that identifies non-PAW devices based on the attribute or rule your organization uses to distinguish PAWs. Make sure this matches the identification method established in [Phase 2](implement-privileged-access-devices.md).
+1. Select **Done** to apply the device filter condition.
+1. Under **Access controls**, select **Block access**.
+1. Select **Create** to enable the policy.
+
+## Step 4 - Restrict PAW network access
+
+Limit PAW network access to only required administrative and management endpoints. This configuration relies on explicit firewall rules to allow required endpoints, rather than broad protocol-based allowances.
+
+1. In the Microsoft Intune admin center, navigate to **Endpoint security** > **Firewall**.
+1. Select **Create Policy**.
+1. Configure the policy:
+ - **Platform**: Windows 10 and later.
+1. Configure the firewall profile settings:
+ - **Inbound connections**: Block
+ - **Outbound connections**: Allow (default, controlled by rules below)
+1. Under **Settings**, configure **Firewall** rules. Use firewall rules to define the traffic required for privileged administration.
+1. Create **outbound allow rules** for required services, such as:
+ - DNS
+ - DHCP
+ - NTP
+ - Required Microsoft cloud management endpoints such as Intune and Microsoft Entra ID.
+ - Required administrative endpoints.
+
+ Each rule should:
+
+ - Specify **Direction**: **Outbound**.
+ - Specify **Action**: **Allow**
+ - Define **destination endpoints** (IP ranges, FQDNs, or service tags where supported)
+
+1. Ensure no broad allow rules such as unrestricted HTTP/HTTPS are configured.
+1. Assign the policy to **Secure Workstation Devices (PAWs)**.
+1. Select **Create** to deploy the policy.
+
+This completes the privileged access enforcement layer.
+The next article can build on this to cover measurement, monitoring, and success criteria.
+
+## Next steps
+
+With the privileged access enforcement layer in place, the final step is to [configure monitoring](implement-privileged-access-monitor.md).
\ No newline at end of file
diff --git a/security-docs/zero-trust/adopt/implement-privileged-access-identity.md b/security-docs/zero-trust/adopt/implement-privileged-access-identity.md
new file mode 100644
index 000000000..b98f4efee
--- /dev/null
+++ b/security-docs/zero-trust/adopt/implement-privileged-access-identity.md
@@ -0,0 +1,395 @@
+---
+title: Phase 1-Secure the identity control plane
+description: Learn how to configure the identity control plane in a privileged access architecture
+ms.date: 05/24/2025
+ms.service: security
+author: rayne-wiselman
+ms.author: raynew
+ms.subservice: zero-trust
+ms.topic: conceptual
+
+# Customer intent: As a security implementer, I want to understand how to secure the identity control plane in our privileged access architecture.
+---
+
+
+
+# Phase 1 - Secure the identity control plane
+
+This article is part of the [Implement a privileged access architecture](implement-privileged-access.md) solution guide.
+
+Privileged access presents a critical security risk in most organizations because it enables direct control over identity systems, cloud control planes, and business‑critical assets.
+
+Learn how a [secure privileged access architecture](../security-adoption-scenario-privileged-access.md) plays a critical role in your business scenario - *[Protect critical business assets](../security-adoption-scenario-secure-assets.md)* - by reducing this risk and strengthening control over sensitive systems.
+
+This article helps you implement Phase 1 of the [Implement a privileged access architecture](implement-privileged-access.md) solution. This phase secures the identity control plane by defining and protecting privileged identities, role assignments, and authorized elevation paths.
+
+It's important to implement Phase 1 first. Later phases that secure privileged access devices, enforce Conditional Access policies, and monitor privileged access depend on having a clean, well-governed identity control plane.
+
+## Protection goals
+
+Phase 1 ensures that privileged access is:
+
+- **Explicit**: Grant privilege only through defined elevation paths. Never make it implicit or accidental.
+- **Temporary**: Privilege expires automatically.
+- **Strongly authenticated**: Require strong authentication for elevation.
+- **Auditable**: Log all privilege changes and elevations.
+- **Recoverable**: Provide emergency access without weakening controls.
+
+### Protection scope
+
+Phase 1 focuses on two foundational components of privileged access:
+
+- **Privileged identities**: Identities that can perform privileged actions, including:
+
+ - Dedicated administrative user accounts
+ - Administrative groups
+ - Service principals and managed identities
+ - Azure RBAC role assignments
+ - Emergency (break‑glass) access accounts (if they don't exist).
+- **Authorized elevation paths**: Mechanisms that allow users to move from non‑privileged to privileged states, such as:
+
+ - Time‑bound role activation using - Privileged Identity Management (PIM)
+ - Approval workflows for sensitive roles
+ - Explicit administrative sessions
+- **Emergency recovery access**: Configuring break-glass accounts if they don't already exist.
+
+
+These components operate in the control plane. If they're compromised, attackers can grant themselves privileged access without touching devices or access policies.
+
+## Risks mitigated
+
+**Risk** | **Why it matters** | **Phase 1 mitigation**
+--- | --- | ---
+**Uncontrolled creation of privileged identities** | Attackers create new admins or role assignments silently. | Establish authoritative privileged identities and roles.
Restrict who can manage identity systems.
Treat identity systems as privileged assets.
+**Silent privilege escalation** | Privilege gained through groups, RBAC, or nested assignments. | Rationalize roles, use group‑based assignments, remove standing access.
+**Persistent (standing) administrative access** | Stolen credentials retain permanent privilege. | Replace standing privilege with time‑bound elevation.
+**Weak or implicit elevation paths** | Attackers use same paths as admins. | Define secure, explicit, auditable elevation workflows
+**Bypassing downstream protections** | Privilege gained before device or policy enforcement.| Identity control plane secured first.
+**Irrecoverable identity compromise** | No safe way to regain control. | Create protected emergency access accounts.
+**Low identity security posture** | Weak identity controls undermine all later phases.| Raise identity systems to highest security level.
+
+
+## Phase outcomes
+
+After completing this phase:
+
+- All privileged access is tied to known and explicit identities and roles.
+- All privilege is temporary, auditable, and intentional.
+- Standing administrative access is removed.
+- Identity systems are treated as privileged assets.
+- Recovery from identity compromise is possible without weakening controls.
+- No new privileged risk is introduced during modernization.
+
+This phase also stops the creation of new privileged risk while auditing and modernization continue.
+
+## Prerequisites
+
+Before you start configuring Phase 1, note the following prerequisites:
+
+Review the documentation:
+
+- [Review the overview article](implement-privileged-access.md) for this solution.
+- Work through the [planning article](implement-privileged-access-plan.md) to agree on which roles and identities perform privileged work.
+
+Within your organization:
+
+- Make sure you have an active, owned Microsoft Entra ID tenant. We recommended Microsoft Entra ID P2 (for privileged identity governance).
+- This solution assumes you have Microsoft 365 Enterprise E5. For more information, see [Microsoft 365 Enterprise licensing](https://www.microsoft.com/licensing/product-licensing/microsoft-365-enterprise).
+- Make sure you have at least two [emergency access accounts](/entra/identity/role-based-access-control/security-emergency-access) defined.
+- Clear ownership for identity governance and role management.
+- Creating secure admin accounts exposes them to the workstation used during setup. Make sure that initial configuration is performed from a known‑safe device.
+
+
+## Step 1: Audit privileged access
+
+Establish a complete inventory of privileged identities and access paths. Audit the following sources.
+
+**Source** | **Details**
+--- | ---
+**Microsoft Entra directory roles** | Identify [privileged roles](/entra/identity/role-based-access-control/permissions-reference) that can directly or indirectly lead to tenant dominance by altering identity, access, or trust boundaries in the identity control plane.
For each role:
- Identify direct versus group‑based assignments.
- Identify permanent versus PIM‑eligible assignments
- Capture current activation state.
+**Group-based privilege** | Find out who is privileged indirectly and would be missed if you only look at users.
- Review nested group membership
- Identify users, service principals, and managed identities
- Record how privilege is inherited.
+**Azure RBAC roles** | Find out what these privileged identities can do outside the directory itself.
Audit assignments at management group, subscription, and resource scopes.
Identify identities with broad or cascading permissions.
+**Non-human identities** | Find out which non-human identities are part of the privileged access path, including:
Service principals and managed identities
Automation accounts and scripts
Application permissions with tenant or resource control.
+
+The result is an authoritative privileged identity inventory.
+
+
+### Identify directory roles
+
+Audit who can change identity, authentication, or tenant-wide configuration.
+
+1. In the [Microsoft Entra Admin Center](https://entra.microsoft.com), navigate to **Entra ID** > **Roles & Admins**.
+1. Select **All roles**. This page lists all built-in and custom Microsoft Entra directory roles, including tenant-wide admin roles such as Global Administrator and Privileged Role Administrator.
+
+ - Privileged roles are any that can assign roles, modify security/authentication, or manage apps, devices, or security policies.
+ - A full list of privileged built-in roles is also available [in the documentation](/entra/identity/role-based-access-control/permissions-reference).
+
+
+1. For each privileged role, first check direct assignments. For each directly assigned principal (user, group, or service principal (app/managed identity)), check how the role is granted and current state.
+ - A permanent assignment means that the role is always on. An identity signs in and is already privileged with an **Active (permanent)** status. This is obviously high-risk.
+ - A PIM eligible assignment means that the role is available but not active until it's activated. The user must activate the role. It's usually time-limited and often requires justification. Status can be **Active** or **Eligible** if the user can become privileged but isn't currently activated.
+
+1. Now switch to group assignments. This is important since it checks privilege that is indirectly assigned via groups.
+1. Open each group that has the privileged role assigned.
+1. Expand group members, expand nested groups, and record users, service principals and managed identities.
+1. For each identity confirm how the privilege is held:
+ - Is the role assigned via group or nested group?
+ - Is the role permanent or PIM eligible?
+ - What's the current state?
+
+
+After completing this step, you've captured the identity control plane, and have an authoritative privileged identity inventory for Microsoft Entra.
+
+
+### Identify Azure RBAC roles
+
+Now that you know which identities are privileged, let's check what they can do outside of the Microsoft Entra Directory. Where else do they have control, and at what scope?
+
+1. For each privileged principal that you've identified, determine roles.
+1. Start at the highest scope (management groups).
+ 1. In the Azure portal > **Management groups**, go to **Access control (IAM) > **Role assignments**.
+ 1. Use **Filter** > **Assigned to** and search for the principal name.
+ 1. Record any results, including role name and scope.
+
+ If you find identities here, it indicates that they have broad Azure control, since Azure RBAC roles assigned at the management group scope cascade down to all child subscriptions and resources.
+1. Now follow the same procedures for Azure portal > **Subscriptions**.
+
+ Identities with Azure RBAC roles assigned at the subscription level are privileged and can grant or delegate access.
+1. If identities weren't found at the management group or subscription level, you can check at the resource groups level with the same procedure in Azure portal > **Resource groups**.
+1. You might also want to check whether principals have control on strategic individual resources such as Key Vaults, storage accounts, virtual machines, or automation accounts. To do that, check **Access control (IAM)** > **Assigned to** for each individual resource.
+
+### Record results
+
+1. For each account you identified, capture audit details in a mapping table.
+1. Identify high-risk accounts with broad privileges, and create a mapping table that will provide information about role scope (blast radius) and type of work.
+
+ **Account** | **Entra role** | **Azure RBAC role** | **Scope** | **Privileged work**
+ --- | --- | --- | --- | ---
+ alice@contoso.com | Global Admin | Owner | Sub1, Sub2 | Manage users, roles, subscriptions.
+
+1. If you want to add more about observed behavior for an account you can:
+ 1. Review sign-in logs for information about apps, client endpoints, and authentication flows.
+ 1. Correlate information with audit and activity logs to check whether an account is used, and whether it changed policy, modified resources/subscriptions, or performed some other activity.
+
+## Step 2: Assess your existing configuration
+
+With your inventory in place, you can use the [Zero Trust Assessment tool](../assessment/overview.md) to evaluate how privileged access is configured across your environment and identify gaps in control.
+
+While the Assessment tool doesn't replace a full inventory, it uses role and policy data as input to help you understand whether:
+
+- Privileged roles are protected (MFA, Conditional Access).
+- Privileged access is governed (PIM, JIT/JEA patterns).
+- Policies are consistently applied.
+- Gaps exist across identities, devices, and access policies.
+
+[Learn more](/entra/fundamentals/configure-security?toc=/security/zero-trust/toc.json&bc=/security/zero-trust/toc.json) about assessing identity with the tool.
+
+
+## Step 3: Establish dedicated administrative identities
+
+Remove privileged roles from standard user accounts.
+
+Create dedicated administrative accounts that:
+
+- Are used only for privileged tasks
+- Have no productivity access (email, Teams, browsing)
+- Are eligible for privilege via PIM, not permanently assigned
+
+Remove all privileged role assignments from standard user identities.
+
+
+### Create admin accounts
+
+1. In the [Microsoft Entra Admin Center](https://entra.microsoft.com), navigate to **Microsoft Entra ID** > **Users**.
+1. Select **New user** and configure the user settings. then select **Create**.
+ - Name: Secure Workstation Administrator.
+ - User principal name: secure-ws-admin@contoso.com
+ - Authentication method: Password (temporary).
+ - Directory roles: Don't assign.
+ - Usage location: Set to operational location.
+
+This provides you with a clean admin identity with no privilege.
+
+
+
+## Step 4: Create identities for PAWs
+
+In later procedures you set up a privileged admin workstation (PAW).
+
+If you want to define identities that can access PAWs but that can't perform privileged actions, you can:
+
+- Create an identity that can only sign into PAWs.
+- Create a security group that controls who is allowed to sign into the PAWs.
+ - This group never grants admin rights. It's used for:
+ - Conditional Access, including *allow only Secure Workstation Users to sign in to PAWs*, and *block other users*.
+ - Applying specific group-based PAW licensing.
+ - Typical members of this group include SOC analysts, operators, and auditors.
+
+
+### Create a sign-in identity
+
+1. In the [Microsoft Entra Admin Center](https://entra.microsoft.com), navigate to **Microsoft Entra ID** > **Users**.
+1. Select **New user** and configure the user settings. Then select **Create**.
+ - Name: Secure Workstation User
+ - User principal name: secure-ws-user@contoso.com
+ - Directory roles: Don't assign
+
+### Create a PAW access security group
+
+Configure a group that controls who can sign in to the PAWs
+
+1. In the [Microsoft Entra Admin Center](https://entra.microsoft.com), navigate to **Microsoft Entra ID** > **Groups** > **New group**.
+1. Configure the group settings, and then select **Create**.
+ - Group type: Security
+ - Group name: Secure Workstation Users
+ - Membership: Assigned
+
+
+1. Add only PAW sign-in identities to the group, not admins by default.
+
+
+## Step 5: Create administrative control groups
+
+Create security groups that define who is eligible for privileged roles.
+These groups:
+
+- Are marked as role‑assignable
+- Are managed through PIM
+- Do not grant privilege by membership alone
+- Serve as authorization boundaries for elevation
+
+Membership changes are treated as privileged actions and reviewed regularly
+
+1. In the [Microsoft Entra Admin Center](https://entra.microsoft.com), navigate to **Microsoft Entra ID** > **Groups** > **New group**.
+1. Configure the group settings, and then select **Create**.
+ - **Group type**: Security
+ - **Name**: Secure Workstation Admins
+ - **Membership type**: Assigned
+
+1. Add dedicated admin identities. Don't use standard accounts and treat membership changes as sensitive. Review regularly.
+
+This group will later be:
+
+- Marked as *role-assignable*
+- Assigned directory roles via PIM as **eligible** (not active)
+- Use as the primary targeting mechanism for privileged access policies
+
+## Step 6: Configure PIM
+
+If Privileged Identity Management isn't already enabled, do that now.
+
+Ensure you're signed in as a Global Administrator or Privileged Role Administrator.
+
+
+### Enable PIM for directory roles
+
+1. In the [Microsoft Entra Admin Center](https://entra.microsoft.com), navigate to **Identity governance** > **Privileged Identity Management**.
+1. Select **Microsoft Entra roles**.
+
+## Remove permanent roles
+
+1. In **Microsoft Entra roles**, select **Roles**.
+1. Open privileged access roles identified for your organization.
+
+ The minimum set recommended by Microsoft is as follows:
+ - Global Administrator
+ - Privileged Role Administrator
+ - Security Administrator
+ - Exchange Administrator
+ - SharePoint Administrator
+1. Select **Assignments**.
+1. For each **Active** (permanent) assignment:
+ - Remove the permanent assignment
+ - Re-add the user or group as **Eligible**.
+
+After this, users do not have admin privileges unless they activate them.
+
+### Configure activation settings
+
+For each privileged role, do the following:
+
+1. In **PIM** > **Microsoft Entra roles**, select **Settings**.
+1. Select the role > **Edit**.
+1. Configure settings:
+ - Require activation
+ - Require MFA on activation
+ - Require justification
+ - Set maximum activation duration (for example: 1–4 hours for high‑impact roles)
+ - Require approval (for Global Administrator, Privileged Role Administrator, Security Administrator)
+ - Select one or more approvers
+
+1. Select **Update**.
+
+### Use group-based role assignments
+
+We recommend assigning roles to groups, not individual users, for scale and governance.
+
+Create a role-assignable security group and assign it to an Entra role (e.g., Exchange Admin). Then manage membership (who can get the role) via your governance process, and optionally via PIM for Groups.
+
+1. Create a security group with the setting **Microsoft Entra roles can be assigned to this group** enabled.
+1. In PIM > **Microsoft Entra roles**, select **Add assignments**.
+1. Assign the group as **Eligible** for the role.
+1. Add or remove users from the group instead of modifying role assignments directly.
+
+This group becomes the authorization boundary for privileged access.
+
+
+At the completion of Step 6, The following is configured:
+
+- No standing administrative access
+- Privilege is requested, approved, time‑bound, logged
+- Elevation paths are explicit and reviewable
+
+## Step 7: Configure emergency accounts
+
+If you don't already have emergency access accounts in place, configure them now. They're required to recover from identity lockout scenarios caused by Conditional Access, MFA outages, or misconfiguration.
+
+Ensure you're signed in as a Global Administrator or Privileged Role Administrator to create at least two emergency access accounts.
+
+1. In the [Microsoft Entra Admin Center](https://entra.microsoft.com), navigate to **Users** > **All users**.
+1. Select **New user**, and create a cloud-only user.
+
+- Use the *.onmicrosoft.com domain
+- Use a non‑obvious name (not “break glass”)
+
+1. Assign the Global Administrator role.
+- Do not make this role PIM‑eligible — it must be permanent.
+- Use a strong, long password, stored securely offline.
+- Configure phishing‑resistant authentication (for example, FIDO2 / passkey or certificate‑based auth)
+- Do not tie MFA to a personal phone or email address.
+
+Repeat to create a second emergency account.
+
+### Exclude emergency accounts from Conditional Access
+
+This ensures recovery is always possible.
+
+1. In the [Microsoft Entra Admin Center](https://entra.microsoft.com), navigate to **Protection** > **Conditional Access**.
+1. For every policy:
+
+ - Edit **Assignments**.
+ - Exclude at least one emergency access account.
+
+Make sure not to exclude regular admin accounts — only the emergency accounts.
+
+### Monitor emergency account usage
+
+1. Enable alerts on:
+ - Sign‑ins by emergency accounts
+ - Role changes involving these accounts
+
+1. Treat any use as a security incident unless pre-approved.
+1. Review usage periodically.
+
+
+At the completion of Step 7, The following is configured:
+
+- The identity control plane is recoverable
+- Later phases (PAWs, Conditional Access) won’t risk permanent lockout
+- Emergency access is isolated, monitored, and rarely used
+
+
+## Next steps
+
+After securing the identity control plane, restrict where privilege can be exercised with [secure Privileged Access Workstations (PAWs)](implement-privileged-access-devices.md).
+
diff --git a/security-docs/zero-trust/adopt/implement-privileged-access-monitor.md b/security-docs/zero-trust/adopt/implement-privileged-access-monitor.md
new file mode 100644
index 000000000..ac3b74570
--- /dev/null
+++ b/security-docs/zero-trust/adopt/implement-privileged-access-monitor.md
@@ -0,0 +1,221 @@
+---
+title: Phase 4 - Monitor privileged access
+description: Learn how to monitor privileged access and protect against threats
+ms.date: 05/24/2026
+ms.service: security
+author: rayne-wiselman
+ms.author: raynew
+ms.subservice: zero-trust
+ms.topic: conceptual
+
+# Customer intent: As a security implementer, I want to understand how to monitor my privileged access architecture over time.
+---
+
+
+
+
+# Phase 4 - Monitor and protect privileged access against threats
+
+This article is part of the [Implement a privileged access architecture](implement-privileged-access.md) solution guide.
+
+Privileged access presents a critical security risk in most organizations because it enables direct control over identity systems, cloud control planes, and business‑critical assets.
+
+Learn how a [secure privileged access architecture](../security-adoption-scenario-privileged-access.md) plays a critical role in the business scenario - *[Protect critical business assets](../security-adoption-scenario-secure-assets.md)*, by reducing risk and strengthening control over sensitive systems.
+
+This article describes Phase 4, which establishes monitoring and response for privileged access. It focuses on detecting compromise attempts, validating ongoing compliance and enforcement, and enabling rapid containment when indicators of attack or misconfiguration appear.
+
+This phase operationalizes Zero Trust's assume breach principle by continuously monitoring device behavior, application execution, and privileged workflows, and by enabling rapid response when indicators of attack or misconfiguration appear.
+
+
+
+## Protection goals
+
+Phase 4 is designed to:
+
+- Detect compromise of PAWs.
+- Detect misuse of privileged devices and identities.
+- Detect drift that weakens device signals.
+- Enable rapid containment before the blast radius expands.
+- Provide evidence that privileged access controls are working as designed.
+
+## Protection scope
+
+Phase 4 monitors the same privileged access elements enforced earlier:
+
+- **Privileged devices**: Monitor PAWs for:
+ - Defender for Endpoint risk level changes.
+ - Vulnerabilities and misconfigurations.
+ - Integrity issues and configuration drift (Intune compliance).
+- **Privileged workflows**: Monitor for:
+ - Role activation and admin portal usage (correlation of Entra sign-in logs, Conditional Access decisions, and PIM usage)
+ - Application execution related to PAWs:
+ - Application control and execution telemetry on PAWs is monitored using Microsoft Defender for Endpoint.
+ - The goal is detecting unexpected execution on privileged devices.
+ - Network behavior. PAW firewall posture, outbound attempts, and Defender telemetry are monitored to detect abuse or misconfiguration.
+- **Privileged access paths**: Monitor interfaces and execution paths attackers would abuse after credential theft.
+ - Interfaces (admin portals, APIs, PowerShell)
+ - Access paths enforced by Conditional Access.
+ - Abuse detection after credential theft.
+
+
+## Risks mitigated
+
+**Risk** | **Why it matters** | **Phase 4 mitigation**
+--- | --- | ---
+**Undetected PAW compromise** | A compromised PAW undermines the entire privileged access strategy by becoming a trusted launch point for attacker activity. | Microsoft Defender for Endpoint continuously monitors PAWs for malware, exploit behavior, and persistence techniques; changes in device risk are surfaced immediately for investigation and response.
+**PAW configuration drift weakening posture** | Over time, misconfiguration or failed policy application can silently erode device trust assumptions used in Phase 3 enforcement.| Intune compliance reporting and Defender posture signals surface drift from hardened baselines, enabling remediation before access controls are weakened.
+**Malicious or unexpected app execution on PAWs** | Execution of unauthorized tools, scripts, or binaries can indicate attacker activity or misuse of privileged access. | AppLocker telemetry collected by Defender for Endpoint makes application execution on PAWs observable and auditable, enabling detection of suspicious activity.
+**Abuse of privileged roles after credential theft** | Attackers may delay or disguise use of stolen credentials to evade initial detection. | Phase 4 correlates privileged role activation, admin portal access, and device risk changes to identify suspicious privileged workflows.
+**Blind spots in privileged access enforcement** | If there's no monitoring, you can't verify that Conditional Access and PAW restrictions are working as intended. | Entra sign‑in logs, Conditional Access insights, and Defender telemetry provide visibility into allowed and blocked privileged access attempts.
+**Delayed response to active privileged access threats** | Slow containment increases blast radius and business impact. | Defender for Endpoint enables investigation, device isolation, and remediation actions using high‑confidence signals from privileged devices and workflows.
+
+
+
+## Phase outcomes
+
+When Phase 4 is implemented:
+
+- PAWs are continuously monitored for threats, integrity issues, and configuration drift.
+- Application execution on PAWs is observable and auditable.
+- Suspicious activity involving privileged access is detected quickly.
+- Security teams can contain and remediate incidents using endpoint and identity signals.
+- Monitoring data feeds measurement and success criteria for the privileged access strategy.
+
+## Prerequisites
+
+Before you start configuring Phase 4:
+
+- Complete [Phase 1 instructions](implement-privileged-access-identity.md) to secure the identity control plane.
+- Complete [Phase 2](implement-privileged-access-devices.md) to deploy and harden PAWs.
+- Complete [Phase 3](implement-privileged-access-enforce.md) so that Conditional Acess enforcement in active.
+- Make sure that device compliance and Defender for Endpoint integration is active.
+
+
+## Step 1: Monitor PAW security posture
+
+Use Microsoft Defender for Endpoint to monitor PAWs for threats, vulnerabilities, and configuration drift. Regular monitoring ensures that changes in PAW risk or posture are visible as soon as they occur.
+
+### Review PAW risk and exposure
+
+1. In the Microsoft Defender portal, select **Endpoints** > **Device inventory**.
+1. Filter incidents to those involving PAW devices, using the same identifiers or grouping method established for PAWs in earlier phases.
+1. For each PAW review:
+ - Device risk level
+ - Exposure score
+ - Active alerts
+ - Sensor health status
+
+### Review vulnerabilities and misconfiguration
+
+1. In the Microsoft Defender portal, select **Vulnerability management**.
+1. Review exposure score trends for PAWs.
+1. Review security recommendations affecting credential protection and exploit mitigation.
+1. Prioritize remediation for:
+ - Disabled credential protections
+ - Missing security updates
+ - Defender sensor health issues
+
+
+## Step 2: Detect and investigate PAW threats
+
+Use Defender for Endpoint alerts and device timelines to investigate suspicious activity targeting privileged devices.
+
+### Investigate PAW security alerts
+
+1. In the Microsoft Defender portal, select **Incidents & alerts**.
+1. Filter incidents to those involving PAW devices, using device names, tags, or other identifiers that distinguish PAWs in your environment.
+1. Open an incident and review:
+ - Device timeline
+ - Process execution
+ - Credential access attempts
+ - Persistence techniques
+ - Network connections
+ - Missing security updates
+ - Defender sensor health issues
+
+
+### Enable automated response
+
+1. In the Microsoft Defender portal, select **Settings** > **Endpoints** > **Advanced features**.
+1. Confirm that **Live response** is set to **On**.
+
+## Step 3: Monitor apps on PAWs
+
+Application execution on PAWs must be observable and auditable. AppLocker policies deployed earlier generate telemetry that is automatically collected by Defender for Endpoint.
+
+1. In the Microsoft Defender portal, select **Advanced hunting**.
+1. Run a query to review application control activity (for example, AppLocker events).
+1. After running the query, investigate:
+
+ - Blocked executables
+ - Unexpected scripts or binaries
+ - Repeated execution attempts
+1. Pivot to the **Device timeline** and review:
+ - File hashes
+ - User context
+ - Parent processes
+
+## Step 4: Monitor usage and enforcement
+
+Verify that privileged access is occurring only from PAWs and that enforcement behaves as expected.
+
+1. In the [Microsoft Entra Admin Center](https://entra.microsoft.com), navigate to **Protection** > **Sign-in logs**.
+1. Filter for:
+ - Privileged roles
+ - Conditional access policies protecting privileged access
+ - Device platform = Windows
+1. Validate that:
+ - Privileged access succeeds from compliant PAWs.
+ - Access is blocked when device risk increases.
+ - Emergency access accounts are excluded as intended.
+
+### Review conditional access insights
+
+1. In the [Microsoft Entra Admin Center](https://entra.microsoft.com) > **Conditional Access**, review Conditional Access insights and reporting for privileged access policies, including:
+ - Blocked attempts from non‑PAW devices.
+ - Policy impact for privileged access policies.
+
+
+
+## Step 5: Detect configuration drift on PAWs
+
+Use Intune compliance reporting to detect posture drift from hardened PAW baselines.
+
+1. In the Intune admin center navigate to **Devices** > **Compliance policies**.
+1. Review compliance status for the PAW device group.
+1. Investigate:
+ - Non-compliant devices
+ - Update failures
+ - Missing or misapplied policies
+1. Correlate compliance failures with Defender risk changes.
+
+## Step 6: Contain and remediate incidents
+
+1. In the Microsoft Defender portal, select the affected PAW.
+1. Use response actions to:
+ - Isolate the device.
+ - Collect an investigation package
+ - Initiate remediation
+1. Review recent privileged activity:
+ - Role activations
+ - Administrative portal access
+ - Token usage
+1. Take corrective actions as required:
+ - Reset privileged credentials
+ - Invalidate sessions
+ - Rebuild or reimage the PAW
+
+## Summary
+
+Phase 4 is the final stage in the solution guide.
+
+- PAWs are continuously monitored for threats and misconfiguration.
+- Application execution on PAWs is observable and auditable.
+- Suspicious privileged access activity is detected quickly.
+- Security teams can investigate, contain, and remediate incidents effectively.
+- Monitoring data feeds directly into measuring the success of the privileged access strategy.
+
+
+## Next steps
+
+Check out our [other solution guides](../security-adoption-business-scenarios-overview.md).
\ No newline at end of file
diff --git a/security-docs/zero-trust/adopt/implement-privileged-access-plan.md b/security-docs/zero-trust/adopt/implement-privileged-access-plan.md
new file mode 100644
index 000000000..3a7aff801
--- /dev/null
+++ b/security-docs/zero-trust/adopt/implement-privileged-access-plan.md
@@ -0,0 +1,133 @@
+---
+title: Plan a privileged access architecture
+description: Learn how to plan a privileged access architecture
+ms.date: 05/24/2026
+ms.service: security
+author: rayne-wiselman
+ms.author: raynew
+ms.subservice: zero-trust
+ms.topic: conceptual
+ms.collection:
+ - zerotrust-adopt
+ms.custom: sfi-image-nochange
+
+# Customer intent: As a security architect, I want to understand best practices for planning a privileged access architecture, before we start implementing.
+---
+
+
+
+# Plan a privileged access implementation
+
+This article is part of the [Implement a privileged access architecture](implement-privileged-access.md) solution guide.
+
+Privileged access presents a critical security risk in most organizations because it enables direct control over identity systems, cloud control planes, and business‑critical assets.
+
+Learn how a [secure privileged access architecture](../security-adoption-scenario-privileged-access.md) plays a critical role in your business scenario - *[Protect critical business assets](../security-adoption-scenario-secure-assets.md)* - by reducing this risk and strengthening control over sensitive systems.
+
+Planning is the first step. This article is aimed at implementers and security architects who translate the privileged access architecture into a practical rollout plan (scope, prerequisites, sequencing, and ownership).
+
+During planning you identify which privileged access paths matter most, decide which paths are allowed and which are blocked, and map those decisions directly to the phased implementation to follow.
+
+## Before you start
+
+- Our adoption model defines a set of critical business scenarios aimed at business leaders and decision makers. Learn more about the business outcome [securing and governing privileged access to critical systems](../security-adoption-scenario-privileged-access.md).
+- We use [security disciplines](../security-adoption-discipline-overview.md) to help teams deliver security outcomes across the business. Learn about the [disciplines associated with privileged access architecture](../security-adoption-discipline-identity-access-privileged-model.md)
+
+
+## Planning outcomes
+
+You should finish planning with:
+
+- A shared understanding of which privileged access paths matter most in your environment.
+- Agreement on which access paths are allowed, restricted, or eliminated.
+- A defined implementation sequence for reducing risk without breaking operations.
+- Clear ownership for approving, changing, and reviewing privileged access decisions.
+- Direct mapping from planning decisions to implementation phases.
+
+## Implementation goals
+
+Implementation planning translates design goals into enforceable decisions.
+
+Multiple security disciplines and technologies drive outcomes for this solution. The table below shows how planning goals relate to disciplines and downstream implementation.
+
+**Implementation goal** | **Disciplines involved** | **Planning outcome**
+--- | --- | ---
+**Limit exposure of privileged credentials**
Minimize when, where, and how privileged credentials can be used. | Strategy and Governance
Access and Identities
Security Architecture | A documented list of roles, actions, and systems that constitute privileged access.
Clear rules for when elevation is allowed, how long, and with what approval.
Aids enforcement of just‑in‑time access and eliminates standing privilege.
+**Isolate and monitor privilege access paths**
Enforce strong authentication and device trust.
Continuously monitor for anomalous behavior.
Prioritize detection and response because of high impact. | Security Architecture
Access and Identities
SecOps | Explicitly defined privileged access paths that are allowed, restricted, or eliminated.
For example, PAWs only, approved portals and APIs, no legacy protocols, no direct admin access from personal devices.
Provides a solid allow/block model for Conditional Access, interface security, and monitoring.
+**Reduce the privileged attack surface**
Reduce the attack surface by minimizing the number of privileged identities, roles, and assignments. | Strategy, Integration, Governance
Access and Identities
Security Posture Management. | Complete privileged role rationalization.
Which roles are required or can be removed, and which workflows must change to avoid standing privilege.
Agreement on which roles to remove from permanent assignment.
Success measurements. For example, reduction in standing privileged roles.
+**Separate productivity and administrative workflows**
Separate workflows to eliminate the bridge between common attack vectors and enterprise-wide control. | Security Architecture
Infrastructure
Access and Identities. | Decisions on where privileged work can occur.
Whether dedicated admin accounts and devices are required.
Which activities are prohibited from standard productivity environments.
Which workflows must move to privileged devices or sessions.
These decisions enable device deployment and access enforcement phases without ambiguity.
+
+
+## Use security levels for planning
+
+Security levels are used during planning to classify privileged access paths, not just accounts or devices. For planning purposes we use three security levels when reviewing access paths. Note that this implementation guide only focuses on the privileged level.
+
+
+**Security level** | **Purpose**
+--- | ---
+**Enterprise** | Baseline security for all users and devices.
+**Specialized** | Increased protection for elevated, high business‑impact roles.
+**Privileged** | Maximum protection for control plane and tenant‑wide administration.
+
+When planning privileged access, use security levels to answer:
+
+- Which access paths require the strongest protections?
+- Which paths can remain at a lower level temporarily during modernization?
+- Where must protections be mandatory before any privileged work is allowed?
+
+Key planning principles:
+
+- Security levels apply to access paths, not just identities.
+- If work is performed through a privileged access path, that path must meet the required security level.
+- Security levels guide:
+ - Enforcement patterns
+ - Configuration profiles
+ - Conditional Access decisions
+ - Implementation sequencing
+
+This allows you to modernize privileged access incrementally while ensuring the highest‑risk paths are addressed first.
+
+
+:::image type="content" source="../media/implement-privileged-access-user.png" alt-text="Diagram showing classifications for privileged identities." lightbox="../media/implement-privileged-access-user.png":::
+
+
+## Sequence implementation to reduce risk
+
+Privileged access modernization must reduce risk without disrupting operations. Planning establishes the sequencing that implementation follows.
+
+A typical planning sequence:
+
+
+1. **Stop creating new privileged risk**. Prevent privileged activity from continuing on insecure paths while planning and auditing are underway.
+ - No new standing privileged role assignments.
+ - No new insecure access paths.
+1. **Secure the highest-impact access paths first**: Start with the identity control plane (tenant and subscription administrators). Move on to core infrastructure and production systems.
+1. **Establish safe foundations**. Defined privileged identities, then configure dedicated privileged devices, and approved access paths.
+1. **Expand coverage incrementally**. Tighten enforcement as monitoring and validation mature. Use detection to identify and remediate new or unapproved paths.
+
+This sequencing ensures audits, enforcement, and remediation are valid because protections exist before controls are tightened.
+
+## Map planning to implementation
+
+Implementation enforces the decisions produced during design and planning.
+
+**Planning output** | **Implementation enforcement**
+--- | ---
+**Privileged role definitions and scope** |[Phase 1: Secure the identity control plane](implement-privileged-access-identity.md). Secure role assignments, PIM configuration, approval workflows, and auditing.
+**Privileged device requirements** | [Phase 2: Secure devices](implement-privileged-access-devices.md). Deploy and enforce use of hardened privileged access workstations (PAWs)
+**Approved and blocked access paths** | [Phase 3: Configure policy](implement-privileged-access-enforce.md). Configure Conditional Access, interface restrictions, protocol blocking.
+**Accepted trade-offs and exceptions** | [Phase 1: Secure the identity control plane](implement-privileged-access-identity.md) and [Phase 3: Configure policy](implement-privileged-access-enforce.md). Logging, review workflows, break-glass accounts.
+**Monitoring for privileged access** | [Phase 4: Monitoring and threat detection](implement-privileged-access-monitor.md). Detection rules, alert prioritization, validation of approved paths.
+
+Before implementing each phase, make sure you've completed the corresponding planning actions.
+
+## Next steps
+
+Begin implementation with [Phase 1 - Configure the identity control plane ](implement-privileged-access-identity.md). This phase establishes the foundation where privileged identities, role assignments, and authorized elevation paths are defined and protected.
+
+All subsequent device, policy, and monitoring controls depend on this phase.
+
+
+
+
+
diff --git a/security-docs/zero-trust/adopt/implement-privileged-access.md b/security-docs/zero-trust/adopt/implement-privileged-access.md
new file mode 100644
index 000000000..5ee274754
--- /dev/null
+++ b/security-docs/zero-trust/adopt/implement-privileged-access.md
@@ -0,0 +1,177 @@
+---
+title: Implement a privileged access architecture
+description: Learn how to deploy a privileged access architecture
+ms.date: 05/05/2025
+ms.service: security
+author: rayne-wiselman
+ms.author: raynew
+ms.subservice: zero-trust
+ms.topic: conceptual
+ms.custom: sfi-image-nochange
+
+# Customer intent: As a security architect or implementer, I want to understand high level steps and best practices for planning a privileged access architecture,.
+---
+
+
+# Overview - Implement a privileged access architecture
+
+This article introduces an end-to-end solution for implementing a privileged access architecture. It's aimed at security and identity planners and implementers.
+
+In the Microsoft security adoption model:
+
+- Implementation solutions provide prescriptive deployment guidance.
+- Solutions align to [business scenarios](../security-adoption-business-scenarios-overview.md) that define high priority security outcomes.
+
+Before you begin implementation, learn how a [secure privileged access architecture](../security-adoption-scenario-privileged-access.md) plays a critical role in the business scenario - *[Protect critical business assets](../security-adoption-scenario-secure-assets.md)* - by reducing this risk and strengthening control over sensitive systems.
+
+## Solution goals
+
+Privileged access represents one of the highest-impact risks in any organization because it provides direct control over identity systems, cloud control planes, and critical business resources.
+
+This guide defines a Zero Trust approach to privileged access by treating it as an end-to-end access path, spanning identity, device, interface, target resource, and monitoring. Instead of securing individual components in isolation, this model ensures the entire access pathway is governed and continuously validated.
+
+The objective is to reduce risk by:
+
+- Limiting who can perform privileged actions.
+- Controlling where and how those actions can occur.
+- Continuously monitoring and responding to privileged activity.
+
+Implement this architecture using Microsoft Entra ID, Microsoft Intune, and Microsoft Defender for Endpoint.
+
+Deploy the solution in phases. Start by establishing a secure foundation (identity control plane and trusted devices), enforce policy controls, and then set up monitoring and response operations.
+
+
+## Privileged access risk
+
+Privileged identities (human and non‑human) control high‑value assets and security enforcement mechanisms. When compromised, the resulting business impact is severe. With privileged access attackers can:
+
+
+- Exfiltrate, encrypt, or destroy data.
+- Shut down or disrupt business operations.
+- Disable detection and enforcement controls.
+- Subvert identity systems and create persistent access.
+
+### Common attacks
+
+Attacks follow two common patterns:
+
+- **Targeted data theft**: Cyberattackers locate and exfiltrate sensitive intellectual property, financial data, or strategic plans. Stolen data is sold, leaked, or used for competitive advantage.
+- **Human-operated ransomware**: Cyberattackers leverage privileged access to encrypt systems, halt operations, and extort the organization - forcing executive decisions under extreme time pressure.
+
+:::image type="content" source="../media/implement-privileged-assets-attacks.png" alt-text="Diagram showing classifications for privileged identities." lightbox="../media/implement-privileged-assets-attacks.png":::
+
+## Why privileged access is risky
+
+Privileged access risk is unique and systemic for a number of reasons.
+
+
+**Risk** | **Details**
+--- | ---
+**Operates in the control plane** | Privileged accounts operate in the control plane, not just the workload plane.
Privileged identities can modify identity, change security configurations, disable or bypass enforcement controls, and tamper with business-critical data.
Once attackers obtain privileged access, they can undermine the very mechanisms designed to detect and stop them. This makes traditional containment strategies far less effective and allows compromise to persist undetected.
+**High business impact by design** | Privileged access exists to manage critical systems, so abuse of that access has immediate and severe consequences.
With privileged access, attackers can:
- Exfiltrate or destroy sensitive data
- Shut down or manipulate business operations
- Encrypt entire environments for extortion (human‑operated ransomware)
- Subvert systems in ways that can cause real‑world harm.
These outcomes aren't theoretical. They're observed repeatedly across industries, making privileged access one of the most reliable ways for attackers to achieve maximum impact.
+**Loud and disruptive** | Unlike stealthy data theft, many privileged access attacks—especially human‑operated ransomware—are intentionally disruptive. They halt operations, break customer‑facing services, and force executive‑level decision‑making under extreme time pressure.
Because all organizations are financially and operationally motivated to restore service quickly, these attacks are universally applicable and highly effective, regardless of industry or size.
+**Risk growing, not shrinking** | Attackers are flexible and technology‑agnostic. They don't target a single product or control, but exploit whatever privileged access path is weakest in the moment.
The privileged access attack surface is broad and interconnected, spanning:
- Accounts and identity systems
- Workstations and devices
- Intermediary systems such as remote access tools and PAM/PIM solutions.
- Management interfaces, portals, APIs, and elevation paths.
Compromise of any one of these elements can provide a path to full enterprise control, and new access paths are continuously introduced as environments evolve.
+**Single‑solution approaches fail** | Deployment of only one class of control such as PAM/PIM, network restrictions, or detection tooling, does not sufficiently reduce risk. These controls address parts of the problem, not the system.
If privileged access is not protected end‑to‑end, attackers simply route around isolated defenses and exploit an unprotected link in the access path.
This is why privileged access must be treated as a complete system—from identity and device trust, through elevation and execution, to monitoring and response—rather than as a collection of independent tools.
+
+
+
+
+## Architectural principles and outcomes
+
+Microsoft’s recommended approach is to build a closed‑loop privileged access system that:
+
+- Delivers immediate risk reduction
+- Supports incremental, sustainable progress
+- Avoids unnecessary complexity
+- Enables clear outcomes and success criteria
+
+### Architectural outcomes
+
+Implementing the strategy based on these principles creates a number of clear outcomes and success criteria.
+
+**Outcome** | **Architecture** | **Success criteria**
+--- | --- | ---
+**Privileged access is enforced as an end‑to‑end system** | Privileged risk is controlled across the entire access path: identity, role assignment, device, execution environment, elevation workflow, intermediary systems, management interfaces, monitoring, and response. Privileged work occurs only through explicit, authorized elevation paths with Zero Trust validation (identity assurance, device trust, session context). | Each session validates that the user account and device are trusted at a sufficient level before allowing access.
Measure examples: % of privileged sign-ins meet requirements such as MFA and required device trust,
% of privileged actions performed via approval elevation workflow vs standing privilege.
+**Protect and monitor identity systems** | Protect identity systems that host or confer privilege (directories, identity management, admin accounts etc.).
Governance, policy enforcement, logging, and analytics are centralized to reduce drift and improve visibility. | Each of these systems is protected at a level appropriate for the potential business impact of accounts hosted in it.
Measure examples: % of privileged identities covered by regular access review
Completion rate of periodic privileged access reviews (who reviewed, who revoked).
+**Mitigate lateral traversal** | Isolate privileged work from high‑exposure environments. Protect local administrator credentials, service account secrets, and elevation mechanisms so that compromise of a single device, account, or credential doesn't enable broader administrative control. | Compromising a single device doesn't immediately lead to control of many or all other devices in the environment.
Measure example: % of privileged actions from admin workstations only.
+**Respond quickly to threats** | Privileged activity is a priority signal for detection and response. Design monitoring and incident response to disrupt multistage attacks and limit adversary dwell time targeting privileged access. | Your incident response can reliably stop multistage attacks before they reach privileged access and can contain privileged misuse fast when it occurs.
Measure example: Mean time to remediate (MTTR) privileged incidents is reduced to minutes rather than hours or days. Unexpected or new privileged access paths are quickly identified and closed.
+
+Track these measures monthly for progress, and review quarterly as part of privileged access governance.
+
+## Understand privileged access paths
+
+Privileged access paths are access paths that form a complete chain from identity to execution, as illustrated in the following diagram.
+
+:::image type="content" source="../media/security-adoption-discipline-access-enterprise-privileged-path.png" alt-text="Diagram showing how privileged access pathways are limited and protected." lightbox="../media/security-adoption-discipline-access-enterprise-privileged-path.png":::
+
+If any link in the chain is weak, the entire path is vulnerable.
+
+**Path** | **Components** | **Risk**
+--- | --- | ---
+**User access paths**
User access paths support standard productivity and business operations, such as email, collaboration, web browsing, and line‑of‑business applications. | A user access path typically involves:
- **Identity**: A standard user account
- **Device**: A general‑purpose workstation
- **Intermediary**: Optional intermediaries such as a VPN or remote access.
- **Interface**: Interaction with enterprise applications and services. | While compromise of a user access path can cause harm, the potential impact is limited compared to privileged access.
+**Privileged access paths**
Privileged access paths manage identities, infrastructure, security controls, and business‑critical systems. | Privileged access paths typically consist of:
- **Identity**: An account performing privileged work.
- **Device**: The endpoint workstation or device used by the privileged session.
- **Intermediary**: Any system or service brokering or hosting the privileged session, such as remote access or management tools.
- **Interface**: The management surface where privileged control is exercised. For example, portals, APIs, command-line tools, or automation. | Although the technical components appear similar to a user access path, the potential damage from compromise is dramatically higher. Privileged access paths must therefore be:
- Fewer in number
- Explicitly defined
- Isolated from user access paths
- Protected with the strongest available controls.
+
+### Example path
+
+In a typical privileged access path:
+
+1. A dedicated admin identity signs in.
+1. The sign-in is from a hardened Privileged Access Workstation (PAW).
+1. The sign-in activates a role through Privileged Identity Management (PIM).
+1. The sign-in uses a specific administrative interface, such as a portal, API, or CLI.
+1. The signed-in identity performs a privileged action.
+
+
+## Solution components
+
+The privileged access solution is built on three tightly coupled elements that ensure - **privileged actions by the right identities, from trusted devices, under enforced conditions**.
+
+1. **Privileged identities**
+ - Dedicated admin accounts that are allowed to perform privileged actions.
+ - Identities protected with strong authentication and, where possible, passwordless authentication.
+ - Limited privileged role assignment.
+ - Just-in-time privileged elevation with approval.
+
+1. **Privileged Access Workstations (PAWs)**
+ - Hardened, restrictive devices.
+ - Reduced attack surface on devices.
+ - Protection against credential threat and malware.
+ - Isolated from high-risk user activity.
+1. **Policy enforcement and monitoring**
+ - Conditional Access validates identity, device, and session context.
+ - Privileged elevation paths are explicitly defined.
+ - All privileged activity is logged, monitored, and reviewable.
+
+
+### Identity systems and elevation paths
+
+Identity systems and elevation paths are foundational components of every privileged access path. They define where privileged identities are created, how administrative roles are assigned, and how users transition from a non‑privileged state to performing privileged actions.
+
+This implementation guidance treats identity systems and elevation paths as part of the privileged attack surface and identity control plane.
+
+**Area** | **Details** | **Risk mitigation**
+--- | --- | ---
+**Identity systems** | Where privileged identities, roles, and administrative permissions are defined and managed.
This definition includes directories, role assignments, administrative groups, and tenant‑level configuration. | Privileged identities operate in the control plane. If identity systems are compromised, attackers can create, modify, or persist privileged access—bypassing device controls, access conditions, and monitoring.
Securing the identity control plane is the highest implementation priority.
+**Authorized elevation paths** | How a user transitions from a non‑privileged state to perform privileged actions.
For example, time‑bound role activation, approval workflows, and scoped administrative sessions. | Ensures elevation requires strong authentication, and that privileged elevation is intentional, temporary, monitored, and only happens from approved devices and interfaces.
By forcing elevation through approved workflows, devices, and interfaces, you prevent standing privilege and reduce abuse, lateral movement, and silent persistence.
+
+
+## Solution phases
+
+Implement the privileged access architecture by using a phased adoption model aligned to Microsoft best practices.
+
+1. Kick off adoption by using the [structured adoption model](../security-adoption-model.md). Adoption guidance helps business leaders identify critical business-level outcomes for secure identity, and understand the access and identity discipline, including the teams and efforts needed to drive identity initiatives such as privileged access.
+1. Plan the solution. Planning helps you to identify design goals, assign security levels to determine privileged access strategy, and plan for implementation.
+1. Follow the implementation phases summarized in the following table. Each phase has a specific objective and is implemented by using concrete configuration steps in the corresponding articles.
+
+### Implementation phases
+
+**Phase** | **Mitigate Risk** | **Apply Zero Trust principles**
+--- | --- | ---
+**Phase 1. Secure the identity control plane**
Create:
- Dedicated admin identities.
Security groups for role assignment.
- Emergency break-glass accounts if you don't have them. | Reduces the risk of credential theft, privilege misuse, and unauthorized elevation. | **Verify explicitly**
Use strong authentication.
**Use least privilege**
Restrict admin roles/enable just-in-time privilege.
**Assume breach**.
Use break-glass accounts for recovery.
+**Phase 2. Deploy and harden privileged access devices**
Provision dedicated privileged access workstations (PAWs).
Apply OS hardening and security baselines.
Enforce patching, endpoint protection, and disk encryption.
Minimize installs of apps and services. | Reduces the risk of credential compromise and device-based attacks. | **Verify explicitly**
Ensure devices are enrolled, trusted, and compliant before granting access.
**Assume breach**
Minimize potential compromise paths by hardening devices and isolating administrative credentials.
**Use least-privileged access**.
Restrict what administrators can do on these dedicated devices.
+**Phase 3. Enforce privileged access policies**
Configure Conditional Access for privileged roles.
Require compliant devices and strong authentication.
Enforce context‑aware access conditions. Restrict access to approved interfaces. | Prevents unauthorized access and credential replay. | **Assume breach**. Prevent misuse of credentials if accounts are stolen by restricting where and how access is granted.
**Use least privilege**. Enforce role-based and context-aware permissions.
+**Phase 4. Monitor and continually validate**
Investigate incidents and remediate quickly.
Continuously reassess trust and coverage. | Detect, investigate, and respond to privileged threats.
Monitor privileged role activations and sessions.
Detect anomalies and suspicious patterns.
Reduce the impact of undetected compromise and prolonged attacker dwell time. | **Assume breach**.Continuously monitor for attacker activity and anomalous behavior.
**Verify explicitly**.Evaluate trust continuously and investigate suspicious access patterns.
+
+## Next steps
+
+Now, start [planning an implementation strategy](implement-privileged-access-plan.md).
\ No newline at end of file
diff --git a/security-docs/zero-trust/apply-zero-trust-azure-services-overview.md b/security-docs/zero-trust/apply-zero-trust-azure-services-overview.md
index 70ae91a47..440b3a90e 100644
--- a/security-docs/zero-trust/apply-zero-trust-azure-services-overview.md
+++ b/security-docs/zero-trust/apply-zero-trust-azure-services-overview.md
@@ -110,7 +110,7 @@ Refer to the links below to learn about the various services and technologies me
- [Overview of the Microsoft cloud security benchmark](/security/benchmark/azure/overview)
- [Security baselines for Azure overview](/security/benchmark/azure/security-baselines-overview)
- [Building the first layer of defense with Azure security services](/azure/architecture/solution-ideas/articles/azure-security-build-first-layer-defense)
-- [Microsoft Cybersecurity Reference Architectures](/security/cybersecurity-reference-architecture/mcra)
+- [Microsoft Cybersecurity Reference Architectures](microsoft-reference-architecture.md)
## Additional Zero Trust documentation
diff --git a/security-docs/zero-trust/assessment/TOC.yml b/security-docs/zero-trust/assessment/TOC.yml
index ef61c1b2f..275a55327 100644
--- a/security-docs/zero-trust/assessment/TOC.yml
+++ b/security-docs/zero-trust/assessment/TOC.yml
@@ -21,6 +21,8 @@
href: /azure/networking/security/zero-trust-network-security?toc=/security/zero-trust/assessment/toc.json&bc=/security/zero-trust/assessment/toc.json
- name: Data
href: /purview/configure-security?toc=/security/zero-trust/assessment/toc.json&bc=/security/zero-trust/assessment/toc.json
+ - name: AI
+ href: /entra/fundamentals/zero-trust-ai
- name: Reference
items:
- name: Assessment terminology
diff --git a/security-docs/zero-trust/assessment/index.yml b/security-docs/zero-trust/assessment/index.yml
index 4390b4a21..b3b6145f3 100644
--- a/security-docs/zero-trust/assessment/index.yml
+++ b/security-docs/zero-trust/assessment/index.yml
@@ -11,7 +11,7 @@ metadata:
ms.topic: landing-page
author: MicrosoftGuyJFlo
ms.author: joflore
- ms.date: 09/03/2025
+ ms.date: 05/31/2026
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new
diff --git a/security-docs/zero-trust/azure-infrastructure-avd.md b/security-docs/zero-trust/azure-infrastructure-avd.md
index 6e0e43106..24b76f1d3 100644
--- a/security-docs/zero-trust/azure-infrastructure-avd.md
+++ b/security-docs/zero-trust/azure-infrastructure-avd.md
@@ -44,7 +44,7 @@ This article provides steps to apply the [principles of Zero Trust](zero-trust-o
| Zero Trust principle | Definition | Met by |
| --- | --- | --- |
| Verify explicitly |Always authenticate and authorize based on all available data points. | Verify the identities and endpoints of Azure Virtual Desktop users and secure access to session hosts. |
-| Use least privileged access | Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection. | - Confine access to session hosts and their data.
- Storage: Protect data in all three modes: data at rest, data in transit, data in use.
- Virtual networks (VNets): Specify allowed network traffic flows between hub and spoke VNets with Azure Firewall.
- Virtual machines: Use Role Based Access Control (RBAC).
|
+| Use least privileged access | Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection. | - Confine access to session hosts and their data.
- Storage: Protect data in all three modes: data at rest, data in transit, data in use.
- Virtual networks (VNets): Specify allowed network traffic flows between hub and spoke VNets with Azure Firewall.
- Virtual machines: Use role-based access control (RBAC).
|
| Assume breach | Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses. | - Isolate the components of an Azure Virtual Desktop deployment.
- Storage: Use Defender for Storage for automated threat detection and protection.
- VNets: Prevent traffic flows between workloads with Azure Firewall.
- Virtual machines: Use double encryption for end-to-end encryption, enable encryption at host, secure maintenance for virtual machines, and Microsoft Defender for Servers for threat detection.
- Azure Virtual Desktop: Use Azure Virtual Desktop security, governance, management, and monitoring features to improve defenses and collect session host analytics.
|
For more information about how to apply the principles of Zero Trust across an Azure IaaS environment, see the [Apply Zero Trust principles to Azure IaaS overview](azure-infrastructure-overview.md).
@@ -60,7 +60,7 @@ The Azure environment for Azure Virtual Desktop includes:
| Component | Description |
| --- | --- |
| A | Azure Storage Services for Azure Virtual Desktop user profiles. |
-| B | A connectivity hub VNet. |
+| B | A connectivity hub virtual network (VNet). |
| C | A spoke VNet with Azure Virtual Desktop session host virtual machine-based workloads. |
| D | An Azure Virtual Desktop Control Plane. |
| E | An Azure Virtual Desktop Management Plane. |
@@ -81,7 +81,7 @@ The elements of the logical architecture are:
- Azure subscription for your Azure Virtual Desktop
- You can distribute the resources in more than one subscription, where each subscription may hold different roles, such as network subscription, or security subscription. This is described in [Cloud Adoption Framework and Azure Landing Zone](/azure/cloud-adoption-framework/scenarios/wvd/enterprise-scale-landing-zone). The different subscriptions may also hold different environments, such as production, development, and tests environments. It depends on how you want to separate your environment and the number of resources you have in each. One or more subscriptions can be managed together using a Management Group. This gives you the ability to apply permissions with RBAC and Azure policies to a group of subscriptions instead of setting up each subscription individually.
+ You can distribute the resources in more than one subscription, where each subscription might hold different roles, such as network subscription, or security subscription. This is described in [Cloud Adoption Framework and Azure Landing Zone](/azure/cloud-adoption-framework/scenarios/wvd/enterprise-scale-landing-zone). The different subscriptions might also hold different environments, such as production, development, and tests environments. It depends on how you want to separate your environment and the number of resources you have in each. One or more subscriptions can be managed together using a Management Group. This gives you the ability to apply permissions with RBAC and Azure policies to a group of subscriptions instead of setting up each subscription individually.
- Azure Virtual Desktop resource group
@@ -110,7 +110,7 @@ This article walks through the steps to apply the principles of Zero Trust acros
| 3 | Apply Zero Trust principles to Azure Virtual Desktop storage resources. | Verify explicitly
Use least privileged access
Assume breach |
| 4 | Apply Zero Trust principles to hub and spoke Azure Virtual Desktop VNets. | Verify explicitly
Use least privileged access
Assume breach |
| 5 | Apply Zero Trust principles to Azure Virtual Desktop session host. | Verify explicitly
Use least privileged access
Assume breach |
-| 6 | Deploy security, governance, and compliance to Azure Virtual Desktop. | Assume breach |
+| 6 | Deploy security, governance, and compliance with Azure Virtual Desktop. | Assume breach |
| 7 | Deploy secure management and monitoring to Azure Virtual Desktop. | Assume breach |
## Step 1: Secure your identities with Zero Trust
@@ -156,7 +156,7 @@ Session hosts are virtual machines that run inside a spoke VNet. Implement the s
Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. You can use Microsoft Defender for Endpoint for session hosts. For more information, see [virtual desktop infrastructure (VDI) devices](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi).
-## Step 6: Deploy security, governance, and compliance to Azure Virtual Desktop
+## Step 6: Deploy security, governance, and compliance with Azure Virtual Desktop
Azure Virtual Desktop service allows you to use [Azure Private Link](/azure/virtual-desktop/private-link-overview) to privately connect to your resources by [creating private endpoints](/azure/virtual-desktop/private-link-setup).
@@ -234,7 +234,7 @@ You can download the illustrations used in this article. Use the Visio file to m
[PDF](https://download.microsoft.com/download/4/e/f/4efdcc13-1a62-4f11-9f79-d4a7201d28f9/apply-zero-trust-to-Azure-Virtual-Desktop-diagrams.pdf) | [Visio](https://download.microsoft.com/download/4/e/f/4efdcc13-1a62-4f11-9f79-d4a7201d28f9/apply-zero-trust-to-Azure-Virtual-Desktop-diagrams.vsdx)
-For additional technical illustrations, click [here](zero-trust-tech-illus.md).
+Review [additional technical illustrations](zero-trust-tech-illus.md).
## References
@@ -250,4 +250,4 @@ Refer to the links below to learn about the various services and technologies me
- [Overview of the Microsoft cloud security benchmark](/security/benchmark/azure/overview)
- [Security baselines for Azure overview](/security/benchmark/azure/security-baselines-overview)
- [Building the first layer of defense with Azure security services - Azure Architecture Center](/azure/architecture/solution-ideas/articles/azure-security-build-first-layer-defense)
-- [Microsoft Cybersecurity Reference Architectures - Security documentation](/security/cybersecurity-reference-architecture/mcra)
+- [Microsoft Cybersecurity Reference Architectures - Security documentation](microsoft-reference-architecture.md)
diff --git a/security-docs/zero-trust/azure-infrastructure-iaas.md b/security-docs/zero-trust/azure-infrastructure-iaas.md
index 484ae643d..2cb84c63b 100644
--- a/security-docs/zero-trust/azure-infrastructure-iaas.md
+++ b/security-docs/zero-trust/azure-infrastructure-iaas.md
@@ -153,7 +153,7 @@ For a multi-tier virtual-machine based application, the recommendation is to cre
In the diagram:
-- Each tier of the application is hosted in a dedicated subnet such as, front end tier, app tier, and data tier.
+- Each tier of the application is hosted in a dedicated subnet such as front end tier, app tier, and data tier.
- A network security group is configured for each of these subnets.
Configuring network security groups in a different way than shown in the figure can result in incorrect configuration of some or all of the network security groups and can create issues in troubleshooting. It can also make it difficult to monitor and log.
@@ -225,9 +225,9 @@ This message gives the following two warnings:
- Azure Load Balancers won't, by default, be able to access resources using this network security group.
- Other resources on this VNet won't, by default, be able to access resources using this network security group.
-For our purpose in Zero Trust, this is how it should be. It means that just because something is on this VNet, doesn't mean that it has immediate access to your resources. For each traffic pattern, you'll need to create a rule explicitly allowing it and you should do so with the least amount of permissions. Therefore, if you've specific outbound connections for management–such as to Active Directory Domain Services (AD DS) domain controllers, private DNS virtual machines, or to specific external websites–they need to be controlled here.
+For our purpose in Zero Trust, this is how it should be. It means that just because something is on this VNet, doesn't mean that it has immediate access to your resources. For each traffic pattern, you'll need to create a rule explicitly allowing it and you should do so with the least number of permissions. Therefore, if you've specific outbound connections for management–such as to Active Directory Domain Services (AD DS) domain controllers, private DNS virtual machines, or to specific external websites–they need to be controlled here.
-### Alternative Deny Rules
+### Other Deny rules
If you're using Azure Firewall to manage your outbound connections, then instead of performing a deny outbound all, you can leave all outbound open. As a part of the Azure Firewall implementation, you'll set up a route table that sends the default route (0.0.0.0/0) to the firewall, which handles traffic outside of the VNet.
@@ -237,7 +237,7 @@ Read more about [Azure Firewall](/azure/firewall/overview) and [Route Tables](/a
### Virtual machine management rules
-To configure virtual machines with Microsoft Entra Login, Anti-Malware, and automatic updates enabled, you'll need to allow the following outbound connections. Many of these are by FQDN, meaning that either Azure Firewall is needed for FQDN rules, or you'll make a more complex plan. Azure Firewall is recommended.
+To configure virtual machines with Microsoft Entra Login, anti-malware, and automatic updates enabled, you'll need to allow the following outbound connections. Many of these are by FQDN, meaning that either Azure Firewall is needed for FQDN rules, or you'll make a more complex plan. Azure Firewall is recommended.
The outbound connections are:
@@ -259,7 +259,7 @@ The outbound connections are:
### Deploy application specific rules for application security groups
-Define traffic patterns with the least amount of permissions and only following explicitly allowed paths. Here's an example diagram of using application security groups to define network traffic patterns in the network security groups for a spoke VNet that is used along with a hub VNet. This is the recommended configuration.
+Define traffic patterns with the least number of permissions and only following explicitly allowed paths. Here's an example diagram of using application security groups to define network traffic patterns in the network security groups for a spoke VNet that is used along with a hub VNet. This is the recommended configuration.
:::image type="content" source="media/spoke/azure-infra-spoke-tiers-7.svg" alt-text="Diagram of the recommended configuration of networking patterns for a three-tier web application in a hub-spoke configuration." lightbox="media/spoke/azure-infra-spoke-tiers-7.svg":::
@@ -372,7 +372,7 @@ To enable Network Security Group Flow Logging, you can follow the [Tutorial: Log
### Protect inbound web traffic with IDPS
-In addition to the controls in your spoke virtual network, you can also use an Azure Firewall in order to apply additional inspection. While the Web Application Firewall function for Azure Front Door and Application Gateway inspects traffic for common web attacks, using Azure Firewall can provide a deeper level of inspection.
+In addition to the controls in the spoke virtual network, you can also use an Azure Firewall in order to apply additional inspection. While the Web Application Firewall function for Azure Front Door and Application Gateway inspects traffic for common web attacks, using Azure Firewall can provide a deeper level of inspection.
To use every signal available and maintain central visibility into network traffic, routing traffic from your Application Gateway to Azure Firewall is recommended. It can then inspect the traffic for additional signals, and capture the behavior in its logs. You can read more about this configuration in the article [Zero-trust network for web applications with Azure Firewall and Application Gateway](/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall). For more information on how to set up this behavior, see [Configure Azure Firewall Premium for Zero Trust](./azure-infrastructure-networking.md#configure-azure-firewall-premium-for-zero-trust).
@@ -409,9 +409,9 @@ The following diagram shows the recommended policies for Zero Trust.
## Step 7: Enable advanced threat detection and protection
-Your spoke VNet built on Azure may already be protected by Microsoft Defender for Cloud (MDC) as other resources from your IT business environment running on Azure or on-premises may also be protected.
+The spoke VNet built on Azure may already be protected by Microsoft Defender for Cloud (MDC) as other resources from your IT business environment running on Azure or on-premises may also be protected.
-As mentioned in the other articles from this series, Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) tool that offers Security Recommendations, Alerts, and advanced features such as [Adaptive Network Hardening](/azure/defender-for-cloud/adaptive-network-hardening) to assist you as you progress in your Cloud Security journey. To better visualize where Defender for Cloud fits into the greater Microsoft security landscape, see [Microsoft Cybersecurity Reference Architectures](/security/cybersecurity-reference-architecture/mcra).
+As mentioned in the other articles from this series, Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) tool that offers Security Recommendations, Alerts, and advanced features such as [Adaptive Network Hardening](/azure/defender-for-cloud/adaptive-network-hardening) to assist you as you progress in your Cloud Security journey. To better visualize where Defender for Cloud fits into the greater Microsoft security landscape, see [Microsoft Cybersecurity Reference Architectures](microsoft-reference-architecture.md).
This article doesn't discuss Microsoft Defender for Cloud in detail, but it's important to understand that Microsoft Defender for Cloud works based on Azure Policies and logs ingested in a Log Analytics workspace. Once enabled on the subscription(s) with your spoke VNet and associated resources, you'll be able to see recommendations to improve their Security Posture. You can filter these Recommendations further by MITRE tactic, Resource Group, etc. Consider prioritizing the resolution of Recommendations that have a greater impact on your organization's Secure score.
@@ -419,7 +419,7 @@ Here's an example in the Microsoft Defender for Cloud portal.
:::image type="content" source="media/spoke/dfc-recs.png" alt-text="Screenshot of example Microsoft Defender for Cloud recommendations." lightbox="media/spoke/dfc-recs.png":::
-If you choose to onboard one of the Defender for Cloud plans that offer Advanced Workload Protections, it includes Adaptive Network Hardening Recommendations to improve your existing network security group rules. Here's an example.
+If you choose to deploy a Defender for Cloud plan that offers Advanced Workload Protections, it includes Adaptive Network Hardening Recommendations to improve your existing network security group rules. Here's an example.
:::image type="content" source="media/spoke/network-hardening.png" alt-text="Screenshot of example network hardening recommendations." lightbox="media/spoke/network-hardening.png":::
diff --git a/security-docs/zero-trust/azure-infrastructure-networking.md b/security-docs/zero-trust/azure-infrastructure-networking.md
index 0fa2aff5f..8526ad797 100644
--- a/security-docs/zero-trust/azure-infrastructure-networking.md
+++ b/security-docs/zero-trust/azure-infrastructure-networking.md
@@ -15,87 +15,63 @@ ms.custom: sfi-image-nochange
# Apply Zero Trust principles to a hub virtual network in Azure
-
**Summary:** To apply Zero Trust principles to a hub virtual network in Azure, you must secure Azure Firewall Premium, deploy Azure DDoS Protection Standard, configure network gateway routing to the firewall, and configure threat protection.
-The best way to deploy an Azure-based hub virtual network (VNet) for Zero Trust is to use the Azure Landing Zone materials to deploy a feature-complete hub VNet, and then tailor it to your specific configuration expectations.
+The best way to deploy an Azure-based hub virtual network (virtual network) for Zero Trust is to use the Azure Landing Zone materials to deploy a feature-complete hub virtual network, and then tailor it to your specific configuration expectations.
-This article provides steps for how to take an existing hub VNet and ensure you're ready for a Zero Trust methodology. It assumes that you used the ALZ-Bicep [hubNetworking](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/hubNetworking) module to rapidly deploy a hub VNet, or deployed some other hub VNet with similar resources. Using a separate connectivity hub connected to isolated workplace spokes is an anchor pattern in Azure secure networking and helps support the Zero Trust principles.
+This article provides steps for how to take an existing hub virtual network and ensure you're ready for a Zero Trust methodology. It assumes that you used the ALZ-Bicep [hubNetworking](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/hubNetworking) module to rapidly deploy a hub virtual network, or deployed some other hub virtual network with similar resources. Using a separate connectivity hub connected to isolated workplace spokes is an anchor pattern in Azure secure networking and helps support the Zero Trust principles.
-This article describes how to deploy a hub VNet for Zero Trust by mapping the [principles of Zero Trust](zero-trust-overview.md) in the following ways.
+This article describes how to deploy a hub virtual network for Zero Trust by mapping the [principles of Zero Trust](zero-trust-overview.md) in the following ways.
| Zero Trust principle | Definition | Met by |
| --- | --- | --- |
| Verify explicitly | Always authenticate and authorize based on all available data points. | Use Azure Firewall with Transport Layer Security (TLS) inspection to verify risk and threats based on all available data. |
-| Use least privileged access | Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection. | Each spoke VNet has no access to other spoke VNets unless the traffic gets routed through the firewall. The firewall is set to deny by default, allowing only traffic allowed by specified rules. |
+| Use least privileged access | Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection. | Each spoke virtual network has no access to other spoke VNets unless the traffic gets routed through the firewall. The firewall is set to deny by default, allowing only traffic allowed by specified rules. |
| Assume breach | Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses. | In the event of a compromise or breach of one application/workload, it has limited ability to spread due to the Azure Firewall performing traffic inspection and only forwarding allowed traffic. Only resources in the same workload would be exposed to the breach in the same application. |
-This article is a part of a series of articles that demonstrate how to apply the principles of Zero Trust across an environment in Azure. This article provides information for configuring a hub VNet to support an IaaS workload in a spoke Vnet. For more information, see the [Apply Zero Trust principles to Azure IaaS overview](azure-infrastructure-overview.md).
+This article is a part of a series of articles that demonstrate how to apply the principles of Zero Trust across an environment in Azure. This article provides information for configuring a hub virtual network to support an IaaS workload in a spoke Vnet. For more information, see the [Apply Zero Trust principles to Azure IaaS overview](azure-infrastructure-overview.md).
## Reference architecture
-The following diagram shows the reference architecture. The hub VNet is highlighted in red. For more information about this architecture, see the [Apply Zero Trust principles to Azure IaaS overview](azure-infrastructure-overview.md).
+The following diagram shows the reference architecture. The hub virtual network is highlighted in red. For more information about this architecture, see the [Apply Zero Trust principles to Azure IaaS overview](azure-infrastructure-overview.md).
:::image type="content" source="media/hub/azure-infra-hub-architecture-1.svg" alt-text="Diagram of the reference architecture for the components of a hub virtual network with Zero Trust principles applied." lightbox="media/hub/azure-infra-hub-architecture-1.svg":::
-For this reference architecture, there are many ways you can deploy the resources across the Azure subscription. The reference architecture shows the recommendation of isolating all resources for the hub VNet within a dedicated resource group. The resources for the spoke VNet are also shown for comparison. This model works well if different teams are given responsibility for these different areas.
+For this reference architecture, there are many ways you can deploy the resources across the Azure subscription. The reference architecture shows the recommendation of isolating all resources for the hub virtual network within a dedicated resource group. The resources for the spoke virtual network are also shown for comparison. This model works well if different teams are given responsibility for these different areas.
-In the diagram, a hub VNet includes components to support access to other apps and services within the Azure environment. These resources include:
+In the diagram, a hub virtual network includes components to support access to other apps and services within the Azure environment. These resources include:
- Azure Firewall Premium
- Azure Bastion
- VPN Gateway
- DDOS Protection, which should also be deployed to spoke virtual networks.
-The hub VNet provides access from these components to an IaaS-based app hosted on virtual machines in a spoke VNet.
+The hub virtual network provides access from these components to an IaaS-based app hosted on virtual machines in a spoke virtual network.
For guidance on organizing for cloud adoption, see [Manage organization alignment](/azure/cloud-adoption-framework/organize/) in the Cloud Adoption Framework.
-The resources that are deployed for the hub VNet are:
+The resources that are deployed for the hub virtual network are:
-- An Azure VNet
+- An Azure virtual network
- Azure Firewall with Azure Firewall policy and a public IP address
- Bastion
- VPN gateway with a public IP address and route table
-The following diagram shows the components of a resource group for a hub VNet in an Azure subscription separate from the subscription for the spoke VNet. This is one way of organizing these elements within the subscription. Your organization might choose to organize these in a different way.
+The following diagram shows the components of a resource group for a hub virtual network in an Azure subscription separate from the subscription for the spoke virtual network. This is one way of organizing these elements within the subscription. Your organization might choose to organize these in a different way.
-:::image type="content" source="media/hub/azure-infra-hub-subscription-architecture-2.svg" alt-text="Diagram of the logical architecture for applying Zero Trust to an Azure hub VNet showing subscriptions, resource groups, and Azure components within a Microsoft Entra ID tenant." lightbox="media/hub/azure-infra-hub-subscription-architecture-2.svg":::
+:::image type="content" source="media/hub/azure-infra-hub-subscription-architecture-2.svg" alt-text="Diagram of the logical architecture for applying Zero Trust to an Azure hub virtual network showing subscriptions, resource groups, and Azure components within a Microsoft Entra ID tenant." lightbox="media/hub/azure-infra-hub-subscription-architecture-2.svg":::
In the diagram:
-- The resources for the hub VNet are contained within a dedicated resource group. If you're deploying Azure DDoS Plan a part of the resources, you need to include that in the resource group.
-- The resources within a spoke VNet are contained within a separate dedicated resource group.
+- The resources for the hub virtual network are contained within a dedicated resource group. If you're deploying Azure DDoS Plan a part of the resources, you need to include that in the resource group.
+- The resources within a spoke virtual network are contained within a separate dedicated resource group.
-Depending on your deployment, you may also note that there can be a deployment of an array for Private DNS Zones used for Private Link DNS resolution. These are used to secure PaaS resources with Private Endpoints, which are detailed in a future section. Note that it deploys both a VPN Gateway and an ExpressRoute Gateway. You may not need both, so you can remove whichever one isn't needed for your scenario or turn it off during deployment.
+Depending on your deployment, you might also note that there can be a deployment of an array for Private DNS Zones used for Private Link DNS resolution. These are used to secure PaaS resources with Private Endpoints, which are detailed in a future section. Note that it deploys both a VPN Gateway and an ExpressRoute Gateway. You might not need both, so you can remove whichever one isn't needed for your scenario or turn it off during deployment.
## What's in this article?
-This article provides recommendations for securing the components of a hub VNet for Zero Trust principles. The following table describes the recommendations for securing this architecture.
+This article provides recommendations for securing the components of a hub virtual network for Zero Trust principles. The following table describes the recommendations for securing this architecture.
| Step | Task | Zero Trust principle(s) applied |
| --- | --- | --- |
@@ -124,7 +100,7 @@ Azure Firewall Premium provides [advanced features](/azure/firewall/premium-fe
You should use the Inbound TLS Inspection for resources whenever possible. Azure Application Gateway only provides protection for HTTP and HTTPS traffic. It can't be used for some scenarios, such as those that use SQL or RDP traffic. Other services often have their own threat protection options that could be used to provide _explicit verification_ controls for those services. You can review [Security baselines for Azure overview](/security/benchmark/azure/security-baselines-overview) to understand the threat protection options for these services.
-Azure Application Gateway isn't recommended for the hub VNet. It should instead reside in a spoke VNet or a dedicated VNet. For more information, see [Apply Zero Trust principles to spoke virtual network in Azure](azure-infrastructure-iaas.md) for guidance on the spoke VNet or [Zero-trust network for web applications](/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall).
+Azure Application Gateway isn't recommended for the hub virtual network. It should instead reside in a spoke virtual network or a dedicated virtual network. For more information, see [Apply Zero Trust principles to spoke virtual network in Azure](azure-infrastructure-iaas.md) for guidance on the spoke virtual network or [Zero-trust network for web applications](/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall).
These scenarios have specific digital certificate considerations. For more information, see [Azure Firewall Premium certificates](/azure/firewall/premium-certificates).
@@ -179,7 +155,7 @@ To configure Azure Firewall Premium to a Zero Trust configuration, make the foll
### Additional configuration
-With the Azure Firewall Premium configured, you can now perform the following configuration:
+After Azure Firewall Premium is configured, you can now perform the following configuration:
- Configure Application Gateways to route traffic to your Azure Firewall by assigning the appropriate route tables and [following this guidance](/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall#hub-and-spoke-example).
- Create alerts for firewall events and metrics by [following these instructions](/azure/firewall/firewall-diagnostics).
@@ -211,7 +187,7 @@ Because there are no Zero Trust-specific configurations for DDoS Protection Stan
- [Configure Diagnostic Logging](/azure/ddos-protection/diagnostic-logging)
- [Configure Telemetry](/azure/ddos-protection/telemetry)
-In the current version of Azure DDoS Protection, you must apply Azure DDoS Protection per VNet. See additional instructions in [DDoS Quickstart](/azure/ddos-protection/manage-ddos-protection).
+In the current version of Azure DDoS Protection, you must apply Azure DDoS Protection per virtual network. See additional instructions in [DDoS Quickstart](/azure/ddos-protection/manage-ddos-protection).
In addition, protect the following public IP addresses:
@@ -236,8 +212,8 @@ By routing the traffic to the firewall, you increase the level of inspection and
There are two main ways to ensure that gateway traffic is being routed to the Azure firewall:
-- Deploy the Azure Network Gateway (either for VPN or ExpressRoute connections) in a dedicated VNet (often called a Transit or Gateway VNet), peer it to the hub VNet, and then create a broad routing rule that covers your planned Azure networking address spaces routing to the firewall.
-- Deploy the Azure Network Gateway in the hub VNet, configure routing on the gateway subnet, and then configure routing on the spoke VNet subnets.
+- Deploy the Azure Network Gateway (either for VPN or ExpressRoute connections) in a dedicated virtual network (often called a Transit or Gateway virtual network), peer it to the hub virtual network, and then create a broad routing rule that covers your planned Azure networking address spaces routing to the firewall.
+- Deploy the Azure Network Gateway in the hub virtual network, configure routing on the gateway subnet, and then configure routing on the spoke virtual network subnets.
This guide details the second option because it's more compatible with the reference architecture.
@@ -262,7 +238,7 @@ To configure the Gateway Subnet route table to forward internal traffic to the A
1. In **Route name**, specify the name of the route field.
1. Select **IP Addresses** in the **Address prefix destination** drop-down.
- 1. Provide the spoke VNet's address space in the **Destination IP addresses/CIDR ranges** field.
+ 1. Provide the spoke virtual network's address space in the **Destination IP addresses/CIDR ranges** field.
1. Select **Virtual appliance** in the **Next hop type** drop-down box.
1. Provide the Azure Firewall's private IP address in the **Next hop address** field.
1. Select **Add**.
@@ -270,7 +246,7 @@ To configure the Gateway Subnet route table to forward internal traffic to the A
#### Associate the route table to the gateway subnet
1. Navigate to **Subnets**, and select **Associate**.
-1. Select the Hub VNet in the **Virtual network** drop-down list.
+1. Select the Hub virtual network in the **Virtual network** drop-down list.
1. Select the GatewaySubnet in the **Subnet** drop-down.
1. Select **OK**.
@@ -282,7 +258,7 @@ The gateway now forwards traffic intended for spoke VNets to the Azure Firewall.
### Configure spoke subnet routing
-This process assumes that you already have a route table attached to your spoke VNet subnets, with a default route to forward traffic to the Azure Firewall. This is most often accomplished by a rule that forwards traffic for CIDR range 0.0.0.0/0, often called a quad-zero route.
+This process assumes that you already have a route table attached to your spoke virtual network subnets, with a default route to forward traffic to the Azure Firewall. This is most often accomplished by a rule that forwards traffic for CIDR range 0.0.0.0/0, often called a quad-zero route.
Here's an example.
@@ -305,7 +281,7 @@ Your default route now forwards traffic intended for the gateway to the Azure Fi
## Step 4: Configure threat protection
-Microsoft Defender for Cloud can protect your hub VNet built on Azure, just like other resources from your IT business environment running on Azure or on-premises.
+Microsoft Defender for Cloud can protect your hub virtual network built on Azure, just like other resources from your IT business environment running on Azure or on-premises.
Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) that offers a secure score system to help your company build an IT environment with a better security posture. It also includes features to protect your network environment against threats.
@@ -327,7 +303,7 @@ To view all the Azure policies that provide network recommendations used by Micr
1. If you select in the ASC Default, you'll be able to review all the policies available, including the policies that evaluate network resources.
-1. Additionally, there are network resources evaluated by other regulatory compliances including PCI, ISO and the Microsoft cloud security benchmark. You can enable any of them and track for network recommendations.
+1. Additionally, there are network resources evaluated by other regulatory compliance standards including PCI, ISO and the Microsoft cloud security benchmark. You can enable any of them and track for network recommendations.
### Network recommendations
@@ -343,9 +319,9 @@ Follow these steps to view some of the network recommendations, based on the Mic
1. Expand **NS. Network Security** to review the recommended network control.
-It's important to understand that Microsoft Defender for Cloud provides other network recommendations for different Azure resources such as virtual machines and storage. You may review those recommendations in the left menu, under **Recommendations**.
+It's important to understand that Microsoft Defender for Cloud provides other network recommendations for different Azure resources such as virtual machines and storage. You can review those recommendations in the left menu, under **Recommendations**.
-On the left menu of the **Microsoft Defender for Cloud** portal, select **Security Alerts** to review alerts based on network resources so you may avoid some types of threats. Those alerts are generated automatically by Microsoft Defender for Cloud based on logs ingested in the **Log Analytics** workspace and monitored by Microsoft Defender for Cloud.
+On the left menu of the **Microsoft Defender for Cloud** portal, select **Security Alerts** to review alerts based on network resources so you might avoid some types of threats. Those alerts are generated automatically by Microsoft Defender for Cloud based on logs ingested in the **Log Analytics** workspace and monitored by Microsoft Defender for Cloud.
### Mapping and hardening your Azure network environment through Microsoft Defender for Cloud
@@ -355,7 +331,7 @@ You can also check options to get a better security posture by hardening your ne
### Managing Azure Firewall policies through Microsoft Defender for Cloud
-Azure Firewall is recommended for a hub VNet, as described in this article. Microsoft Defender for Cloud can manage multiple Azure Firewall policies centrally. In addition to Azure Firewall policies, you'll be able to manage other features related to Azure Firewall, as shown here.
+Azure Firewall is recommended for a hub virtual network, as described in this article. Microsoft Defender for Cloud can manage multiple Azure Firewall policies centrally. In addition to Azure Firewall policies, you'll be able to manage other features related to Azure Firewall, as shown here.
:::image type="content" source="media/hub/firewall-manager-mdc.jpg" alt-text="Screenshot example of managing Azure firewall policies through Microsoft Defender for Cloud.":::
@@ -422,4 +398,4 @@ Refer to these links to learn about the various services and technologies mentio
- [Building the first layer of defense with Azure security services](/azure/architecture/solution-ideas/articles/azure-security-build-first-layer-defense)
-- [Microsoft Cybersecurity Reference Architectures](/security/cybersecurity-reference-architecture/mcra)
+- [Microsoft Cybersecurity Reference Architectures](microsoft-reference-architecture.md)
diff --git a/security-docs/zero-trust/azure-infrastructure-overview.md b/security-docs/zero-trust/azure-infrastructure-overview.md
index 87f0b2481..8aefa2dfb 100644
--- a/security-docs/zero-trust/azure-infrastructure-overview.md
+++ b/security-docs/zero-trust/azure-infrastructure-overview.md
@@ -21,7 +21,7 @@ For updates to product names, please also update the appropriate figures.
To update figures that are not screen shots, your options are:
- Locate the source Visio file in internal storage (ask your publishing contacts about the Illustration-locations.docx document) (highly recommended).
-- Use a published Visio file in the Microsoft Download Center (see the https://learn.microsoft.com/security/zero-trust/zero-trust-tech-illus article for all the downloads).
+- Use a published Visio file in the Microsoft Download Center (see the https://learn.microsoft.com/security/zero-trust/zero-trust-tech-illus article for the downloads).
- For figures that are published in Scalable Vector Graphics (SVG) format, save the SVG file from the article web page, insert into Visio, modify, and then save it as a new version of the SVG file (last resort).
For updates to figures that are included in download files (see the https://learn.microsoft.com/security/zero-trust/zero-trust-tech-illus article for all the downloads), please:
@@ -67,9 +67,9 @@ For more information, see [Apply Zero Trust principles to Azure Virtual Desktop]
> - [Microsoft Cloud Security Benchmark](/security/benchmark/azure/introduction)
> - [Microsoft Cloud Security Baseline](/security/benchmark/azure/security-baselines-overview)
-To describe how to apply a Zero Trust approach, this guidance targets a common pattern used in production by many organizations: a virtual-machine-based application hosted in a VNet (and IaaS application). This is a common pattern for organizations migrating on-premises applications to Azure, which is sometimes referred to as "lift-and-shift." The reference architecture includes all components necessary to support this application, including storage services and a hub VNet.
+To describe how to apply a Zero Trust approach, this guidance targets a common pattern used in production by many organizations: a virtual-machine-based application hosted in a virtual network (and IaaS application). This is a common pattern for organizations migrating on-premises applications to Azure, which is sometimes referred to as "lift-and-shift." The reference architecture includes all components necessary to support this application, including storage services and a hub virtual network.
-The reference architecture reflects a common deployment pattern in production environments. It isn't based on the enterprise-scale landing zones recommended in the Cloud Adoption Framework (CAF), although many of the best practices in CAF are included in the reference architecture, such as using a dedicated VNet to host components that broker access to the application (hub VNet).
+The reference architecture reflects a common deployment pattern in production environments. It isn't based on the enterprise-scale landing zones recommended in the Cloud Adoption Framework (CAF), although many of the best practices in CAF are included in the reference architecture, such as using a dedicated virtual network to host components that broker access to the application (hub virtual network).
If you're interested in learning about the guidance recommended in the Cloud Adoption Framework Azure landing zones, see these resources:
@@ -85,7 +85,7 @@ The following figure shows the reference architecture for this Zero Trust guidan
This architecture contains:
- Multiple IaaS components and elements, including different types of users and IT consumers accessing the app from different sites. such as Azure, the internet, on-premises, and branch offices.
-- A common three-tier application containing a front end tier, application tier, and data tier. All tiers run on virtual machines within a VNet named SPOKE. Access to the app is protected by another VNet named HUB that contains additional security services.
+- A common three-tier application containing a front end tier, application tier, and data tier. All tiers run on virtual machines within a virtual network named SPOKE. Access to the app is protected by another virtual network named HUB that contains additional security services.
- Some of the most used PaaS services on Azure that support IaaS applications, including role-based access control (RBAC) and Microsoft Entra ID, which contribute to the Zero Trust security approach.
- Storage Blobs and Storage Files that provide object storage for the applications and files shared by users.
@@ -112,11 +112,11 @@ In this diagram, the Azure infrastructure is contained within a Microsoft Entra
- Azure subscriptions
- You can distribute the resources in more than one subscription, where each subscription may hold different roles, such as network subscription, or security subscription. This is described in the Cloud Adoption Framework and Azure Landing Zone documentation previously referenced. The different subscriptions may also hold different environments, such as production, development, and tests environments. It depends on how you want to separate your environment and the number of resources you'll have in each. One or more subscriptions can be managed together using a Management Group. This gives you the ability to apply permissions with role based access control (RBAC) and Azure policies to a group of subscriptions instead of setting up each subscription individually.
+ You can distribute the resources in more than one subscription, where each subscription might hold different roles, such as network subscription, or security subscription. This is described in the Cloud Adoption Framework and Azure Landing Zone documentation previously referenced. The different subscriptions can also hold different environments, such as production, development, and tests environments. It depends on how you want to separate your environment and the number of resources you'll have in each. One or more subscriptions can be managed together using a Management Group. This gives you the ability to apply permissions with role based access control (RBAC) and Azure policies to a group of subscriptions instead of setting up each subscription individually.
- Microsoft Defender for Cloud and Azure Monitor
- For each Azure subscription, a set of Azure Monitor solutions and Defender for Cloud is available. If you manage these subscriptions through a Management Group, you're able to consolidate in a single portal for all the functionality of Azure Monitor and Defender for Cloud. For example, Secure Score, provided by Defender for Cloud, are consolidated for all your subscriptions, using a Management Group as the scope.
+ For each Azure subscription, a set of Azure Monitor solutions and Defender for Cloud is available. If you manage these subscriptions through a Management Group, you can consolidate in a single portal for Azure Monitor and Defender for Cloud functionality. For example, Secure Score, provided by Defender for Cloud, are consolidated for all your subscriptions, using a Management Group as the scope.
- Storage resource group (1)
@@ -126,7 +126,7 @@ In this diagram, the Azure infrastructure is contained within a Microsoft Entra
Virtual machines are contained in one resource group. You can also have each virtual machine type for workload tiers such as front end, application, and data in different resource groups to further isolate access control.
-- Spoke (3) and hub (4) VNet resource groups in separate subscriptions
+- Spoke (3) and hub (4) virtual network resource groups in separate subscriptions
The network and other resources for each of the VNets in the reference architecture are isolated within dedicated resource groups for spoke and hub VNets. This organization works well when responsibility for these live on different teams. Another option is to organize these components by putting all network resources in one resource group and security resources in another. It depends on how your organization is set up to manage these resources.
@@ -174,8 +174,8 @@ Zero Trust involves applying multiple disciplines of security and information pr
1. Isolate infrastructure into its own resource group
1. Create a network security group for each subnet
1. Create an application security group for each virtual machine role
-1. Secure traffic and resources within the VNet
-1. Secure access to the VNet and application
+1. Secure traffic and resources within the virtual network
+1. Secure access to the virtual network and application
1. Enable advanced threat detection and protection
**[Apply Zero Trust principles to a hub VNet in Azure](azure-infrastructure-networking.md)**
@@ -212,7 +212,7 @@ The following are the recommended training modules for Zero Trust.
|Training |[Configure Azure Policy](/training/modules/configure-azure-policy/)|
|---------|---------|
-|:::image type="icon" source="media/azure-policy-configure.png" border="false"::: | Learn how to configure Azure Policy to implement compliance requirements.
In this module, you learn how to: Create management groups to target policies and spending budgets. Implement Azure Policy with policy and initiative definitions. Scope Azure policies and determine compliance.|
+|:::image type="icon" source="media/azure-policy-configure.png" border="false"::: | Learn how to configure Azure Policy to implement compliance requirements.
In this module, you learn how to: Create management groups to target policies and spending budgets. Implement Azure Policy with policy and initiative definitions. Scope Azure policies, and determine compliance.|
> [!div class="nextstepaction"]
> [Start >](/training/modules/configure-azure-policy/1-introduction)
@@ -281,4 +281,4 @@ Refer to the following links to learn about the various services and technologie
- [Overview of the Microsoft cloud security benchmark](/security/benchmark/azure/overview)
- [Security baselines for Azure overview](/security/benchmark/azure/security-baselines-overview)
- [Building the first layer of defense with Azure security services](/azure/architecture/solution-ideas/articles/azure-security-build-first-layer-defense)
-- [Microsoft Cybersecurity Reference Architectures](/security/cybersecurity-reference-architecture/mcra)
+- [Microsoft Cybersecurity Reference Architectures](microsoft-reference-architecture.md)
diff --git a/security-docs/zero-trust/azure-infrastructure-storage.md b/security-docs/zero-trust/azure-infrastructure-storage.md
index 8a33c3bc7..a00d18b67 100644
--- a/security-docs/zero-trust/azure-infrastructure-storage.md
+++ b/security-docs/zero-trust/azure-infrastructure-storage.md
@@ -170,7 +170,7 @@ The following diagram highlights the network connections to the Azure Storage se
|Task | Description |
| --- | --- |
-| Prevent public access, create network segmentation with [Private Endpoint](/azure/private-link/private-endpoint-overview) and Private Link. | Private endpoint allows you to connect to services with the use of a single private IP address on the VNet using Azure Private Link. Enabling private endpoints allows the Azure platform to validate network connections and allow only the connection with explicit access to the private-link resource to gain access to subsequent resources. You'll need a separate private endpoint for each service on the Azure Storage Account.
+| Prevent public access, create network segmentation with [Private Endpoint](/azure/private-link/private-endpoint-overview) and Private Link. | Private endpoint allows you to connect to services with the use of a single private IP address on the VNet using Azure Private Link.
Enabling private endpoints allows the Azure platform to validate network connections and allow only the connection with explicit access to the private-link resource to gain access to subsequent resources.
You'll need a separate private endpoint for each service on the Azure Storage Account. |
| Use [Azure Private Link](/azure/private-link/private-link-overview) | Use Azure Private Link to access Azure Storage over a private endpoint in your VNet. Use the [approval workflow](/azure/private-link/private-endpoint-overview) to automatically approve or manually request, as appropriate. |
| Prevent public access to your data sources using [Service Endpoints](/azure/virtual-network/virtual-network-service-endpoints-overview) | You can do network segmentation using Service Endpoints by enabling private IP addresses in a VNet to reach an endpoint without using public IP addresses. |
diff --git a/security-docs/zero-trust/azure-networking-visibility.md b/security-docs/zero-trust/azure-networking-visibility.md
index 4ec6eb098..edbb2f355 100644
--- a/security-docs/zero-trust/azure-networking-visibility.md
+++ b/security-docs/zero-trust/azure-networking-visibility.md
@@ -58,7 +58,7 @@ This article is a part of a [series of articles](azure-networking-overview.md) t
The types of network traffic covered in this article are:
- Centralized
-- East-west traffic, which are traffic flows between your Azure virtual networks (VNets) and your Azure services and on-premises network
+- East-west traffic, which is traffic flows between your Azure virtual networks (VNets) and your Azure services and on-premises network
- North-south, which are traffic flows between your Azure environment and the Internet
## Reference architecture
diff --git a/security-docs/zero-trust/azure-protect-resources-cyberattacks.md b/security-docs/zero-trust/azure-protect-resources-cyberattacks.md
index a7eb29192..ce21d6398 100644
--- a/security-docs/zero-trust/azure-protect-resources-cyberattacks.md
+++ b/security-docs/zero-trust/azure-protect-resources-cyberattacks.md
@@ -163,7 +163,7 @@ For step-by-step replication guidance for encrypted virtual machines, see the fo
Configuration-based services are Azure services that don't have data aside from their configuration in the management plane. These resources are generally infrastructure-based and are foundational services that support workloads. Examples include VNets, load balancers, network gateways, and application gateways.
-Because these services are stateless, there's no operating data to protect. The best option for protecting these services is to have [infrastructure as code (IaC) deployment](/devops/deliver/what-is-infrastructure-as-code) templates such as [Bicep](/azure/azure-resource-manager/bicep/), that can restore the state of these services after a destructive attack. You can also use scripts for deployments, but IaC deployments work better to restore functionality in an existing environment where only a few services are impacted.
+Because these services are stateless, there's no operating data to protect. The best option for protecting these services is to have [infrastructure as code (IaC) deployment](/devops/deliver/what-is-infrastructure-as-code) templates such as [Bicep](/azure/azure-resource-manager/bicep/) that can restore the state of these services after a destructive attack. You can also use scripts for deployments, but IaC deployments work better to restore functionality in an existing environment where only a few services are impacted.
As long as a resource configured the same way can be deployed, services can continue to operate. Rather than try to back up and maintain copies of these resources, you can use the programmatic deployment to recover from an attack.
diff --git a/security-docs/zero-trust/azure-virtual-wan.md b/security-docs/zero-trust/azure-virtual-wan.md
index b6a35dbff..7b472b14b 100644
--- a/security-docs/zero-trust/azure-virtual-wan.md
+++ b/security-docs/zero-trust/azure-virtual-wan.md
@@ -41,7 +41,7 @@ For new articles in this content set, please:
-With the modern cloud, mobile devices, and other endpoints evolution, relying only on corporate firewalls and perimeter networks is no longer sufficient. An end-to-end Zero Trust strategy assumes that security breaches are inevitable. That means you must verify each request as if it originates from an uncontrolled network. Networking still plays an important role in Zero Trust to connect and protect infrastructure, applications, and data. In the Zero Trust model, there are three key objectives when it comes to securing your networks:
+With the modern cloud, mobile devices, and other endpoints evolution, relying only on corporate firewalls and perimeter networks is no longer sufficient. An end-to-end Zero Trust strategy assumes that security breaches are inevitable. That means you must verify each request as if it originates from an uncontrolled network. Networking still plays an important role in Zero Trust to connect and protect infrastructure, applications, and data. In the Zero Trust model, there are three key objectives to secure your networks:
- Be ready to handle attacks before they happen.
- Minimize the extent of the damage and how fast it spreads.
@@ -54,8 +54,8 @@ This article provides steps to apply the [principles of Zero Trust](zero-trust-o
| Zero Trust principle | Definition | Met by |
| --- | --- | --- |
| Verify explicitly |Always authenticate and authorize based on all available data points. | Use Azure Firewall with Transport Layer Security (TLS) inspection to verify risk and threats based on all available data. Conditional Access controls are intended to provide authentication and authorization by diverse data points and the Azure Firewall doesn't perform user authentication. |
-| Use least privileged access | Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection. | User access is beyond the scope of Azure network infrastructure deployments. Using Identity solutions like Privileged Access Management, Conditional Access, and other controls are the way to deliver on this principle. |
-| Assume breach | Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses. | Each spoke VNet has no access to other spoke VNets unless the traffic gets routed through the firewall integrated inside each Azure Virtual WAN hub. The firewall is set to deny by default, allowing only traffic allowed by specified rules. In the event of a compromise or breach of one application/workload, it has limited ability to spread due to the Azure Firewall performing traffic inspection and only forwarding allowed traffic. Only resources in the same workload are exposed to the breach in the same application. |
+| Use least privileged access | Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection. | User access is beyond the scope of Azure network infrastructure deployments. Use identity solutions such as Privileged Access Management, Conditional Access, and other controls to deliver on this principle. |
+| Assume breach | Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses. | Each spoke virtual network has no access to other spoke VNets unless the traffic gets routed through the firewall integrated inside each Azure Virtual WAN hub. The firewall is set to deny by default, allowing only traffic allowed by specified rules. In the event of a compromise or breach of one application/workload, it has limited ability to spread due to the Azure Firewall performing traffic inspection and only forwarding allowed traffic. Only resources in the same workload are exposed to the breach in the same application. |
For more information about how to apply the principles of Zero Trust across an Azure IaaS environment, see the [Apply Zero Trust principles to Azure infrastructure overview](azure-infrastructure-overview.md).
@@ -93,7 +93,7 @@ The Azure Virtual WAN with secured hubs reference architecture includes:
- At least one Azure Firewall [Premium policy](/azure/firewall-manager/policy-overview#basic-standard-and-premium-policies).
- Point-to-site (P2S) and site-to-site (S2S) VPN and ExpressRoute gateways.
- P2S, S2S, and ExpressRoute-connected branches.
-- A shared services VNet containing core infrastructure resources that can't be deployed into a Virtual WAN hub, such as custom DNS VMs or Azure DNS Private Resolver, Active Directory Domain Services [AD DS] domain controllers, Azure Bastion, and other shared resources.
+- A shared services virtual network containing core infrastructure resources that can't be deployed into a Virtual WAN hub, such as custom DNS VMs or Azure DNS Private Resolver, Active Directory Domain Services [AD DS] domain controllers, Azure Bastion, and other shared resources.
- Workload VNets with Azure Application Gateway, Azure web application firewall (WAF), and Private Endpoints if needed.
Azure Virtual WAN supports the integration of a limited set of [third party firewalls](/azure/virtual-wan/about-nva-hub) inside its hubs as an alternative to native Azure Firewall. This article only describes Azure Firewall. What is included in the **VNet-Shared Services** spoke in the reference architecture is just an example of what you could deploy. Microsoft manages Azure Virtual WAN hubs and you can't install anything else within them except what Azure Firewall and supported NVAs explicitly allow.
@@ -132,7 +132,7 @@ The following diagram shows the logical architecture of Azure infrastructure for
:::image type="content" source="media/vwan/logical-arch-vwan.svg" alt-text="Diagram of the components of Azure Virtual WAN topology and Azure subscriptions." lightbox="media/vwan/logical-arch-vwan.svg":::
-The majority of resources are contained inside the connectivity subscription. You deploy all Virtual WAN resources into a single resource group in the connectivity subscription, including when you're deploying across multiple regions. Azure VNet spokes are in the landing zone subscriptions. If you use [inheritance and hierarchy](/azure/firewall-manager/rule-hierarchy) Azure Firewall policy, the parent policy and the child policy must be located in the same region. You can still apply a policy that you created in one region on a secured hub from another region.
+The majority of resources are contained inside the connectivity subscription. You deploy all Virtual WAN resources into a single resource group in the connectivity subscription, including when you're deploying across multiple regions. Azure virtual network spokes are in the landing zone subscriptions. If you use [inheritance and hierarchy](/azure/firewall-manager/rule-hierarchy) Azure Firewall policy, the parent policy and the child policy must be located in the same region. You can still apply a policy that you created in one region on a secured hub from another region.
## What’s in this article?
@@ -190,7 +190,7 @@ Once you've upgraded all your Azure Virtual WAN hubs to secure hubs, you must co
:::image type="content" source="media/vwan/example-routing-policy-configuration.png" alt-text="Example of the Azure Firewall routing policy." lightbox="media/vwan/example-routing-policy-configuration.png":::
-When the "Private Traffic" routing policy is enabled, VNet traffic in and out of the Virtual WAN Hub, including inter-hub traffic, is forwarded to the next-hop Azure Firewall or NVA that was specified in the policy. Users with [Role-Based Access Control (RBAC)](/azure/role-based-access-control/overview) privileges could override Virtual WAN route programming for spoke VNets and associate a custom [User Defined Route (UDR)](/azure/virtual-network/virtual-networks-udr-overview#user-defined) to bypass the hub firewall. To prevent this vulnerability, [RBAC permissions](/azure/virtual-network/manage-route-table#permissions) to assign UDRs to spoke VNet subnets should be restricted to central network administrators and not delegated to the landing zone owners of the spoke VNets. To associate a UDR with a VNet or subnet, a user must have the **Network Contributor** role or a custom role with the "Microsoft.Network/routeTables/join/action" action or permission.
+When the "Private Traffic" routing policy is enabled, virtual network traffic in and out of the Virtual WAN Hub, including inter-hub traffic, is forwarded to the next-hop Azure Firewall or NVA that was specified in the policy. Users with [Role-Based Access Control (RBAC)](/azure/role-based-access-control/overview) privileges could override Virtual WAN route programming for spoke VNets and associate a custom [User Defined Route (UDR)](/azure/virtual-network/virtual-networks-udr-overview#user-defined) to bypass the hub firewall. To prevent this vulnerability, [RBAC permissions](/azure/virtual-network/manage-route-table#permissions) to assign UDRs to spoke virtual network subnets should be restricted to central network administrators and not delegated to the landing zone owners of the spoke VNets. To associate a UDR with a virtual network or subnet, a user must have the **Network Contributor** role or a custom role with the "Microsoft.Network/routeTables/join/action" action or permission.
>[!Note]
>In this article, Azure Firewall is primarily considered for both Internet traffic and private traffic control. For Internet traffic, a third party, supported security NVA can be used or a [third party Security as a Service (SECaaS) provider](/azure/firewall-manager/deploy-trusted-security-partner). For private traffic, third party supported security NVAs can be used as an alternative to Azure Firewall.
@@ -202,10 +202,10 @@ When the "Private Traffic" routing policy is enabled, VNet traffic in and out of
## Step 4: Secure your spoke VNets
-Each Azure Virtual WAN hub can have one or more VNets [connected](/azure/virtual-wan/virtual-wan-site-to-site-portal#vnet) with VNet peering. Based on the [landing zone](/azure/cloud-adoption-framework/ready/landing-zone/) model in the Cloud Adoption Framework, every VNet contains a landing zone workload, applications, and services supporting an organization. Azure Virtual WAN manages the connection, the route propagation and association, and the outbound and inbound routing, but can't affect intra-VNet security. Zero Trust principles must be applied inside each spoke VNet according to the guidance published in [Apply Zero Trust principles to a spoke virtual network](azure-infrastructure-iaas.md) and other articles depending on the resource type, such as virtual machines and storage. Consider the following elements:
+Each Azure Virtual WAN hub can have one or more VNets [connected](/azure/virtual-wan/virtual-wan-site-to-site-portal#vnet) with virtual network peering. Based on the [landing zone](/azure/cloud-adoption-framework/ready/landing-zone/) model in the Cloud Adoption Framework, every virtual network contains a landing zone workload, applications, and services supporting an organization. Azure Virtual WAN manages the connection, the route propagation and association, and the outbound and inbound routing, but can't affect intra-VNet security. Zero Trust principles must be applied inside each spoke virtual network according to the guidance published in [Apply Zero Trust principles to a spoke virtual network](azure-infrastructure-iaas.md) and other articles depending on the resource type, such as virtual machines and storage. Consider the following elements:
- **Micro-segmentation:** Even if Azure Virtual WAN attracts and filters outbound traffic, use of [network security groups (NSGs)](/azure/virtual-network/security-overview) and [application security groups (ASGs)](/azure/virtual-network/application-security-groups) to regulate intra-VNet flows is still recommended.
-- **Local DMZ:** A DNAT rule created in the central firewall inside the Azure Virtual WAN Hub should filter and allow inbound non-http or https traffic. Inbound http or https traffic should be managed by a local [Azure Application Gateway and associated Web Application Firewall](/azure/active-directory/app-proxy/application-proxy-application-gateway-waf).
+- **Local DMZ:** A DNAT rule created in the central firewall inside the Azure Virtual WAN Hub should filter and allow inbound non-HTTP or HTTPS traffic. Inbound HTTP/HTTPS traffic should be managed by a local [Azure Application Gateway and associated Web Application Firewall](/azure/active-directory/app-proxy/application-proxy-application-gateway-waf).
Although Azure Virtual WAN secure virtual hubs don't support [Azure DDoS Protection](/azure/ddos-protection/ddos-protection-overview) yet, usage of DDoS to protect Internet-facing endpoints in spoke VNets is possible and highly recommended. For more information, see [Azure Firewall Manager known](/azure/firewall-manager/overview#known-issues) issues and [Hub virtual network and secured virtual hub comparison](/azure/firewall-manager/vhubs-and-vnets#comparison).
@@ -214,10 +214,10 @@ Each Azure Virtual WAN hub can have one or more VNets [connected](/azure/virtual
Because the hub in Azure Virtual WAN is locked and managed by Azure, custom components can't be installed or enabled there. Some resources that are normally deployed inside the hub, in a classic hub and spoke model, must be placed in one or more spokes that act as shared resource networks. For example:
- **Azure Bastion:** [Azure Bastion](/azure/bastion/vnet-peering) supports Azure Virtual WAN but must be deployed inside a spoke virtual network because the hub is restricted and managed by Azure. From the Azure Bastion spoke, users can reach resources in other VNets, but requires [IP-based connection](/azure/bastion/connect-ip-address) available with the Azure Bastion Standard SKU.
-- **Custom DNS servers:** DNS server software can be installed on any virtual machine and act as DNS server for all the spokes in Azure Virtual WAN. The DNS server must be installed in a spoke VNet that serves all other spokes directly, or through DNS Proxy feature offered by the Azure Firewall that is integrated inside the Virtual WAN hub.
+- **Custom DNS servers:** DNS server software can be installed on any virtual machine and act as DNS server for all the spokes in Azure Virtual WAN. The DNS server must be installed in a spoke virtual network that serves all other spokes directly, or through DNS Proxy feature offered by the Azure Firewall that is integrated inside the Virtual WAN hub.
- **Azure Private DNS Resolver:** Deployment of an [Azure Private DNS Resolver](/azure/dns/dns-private-resolver-overview) is supported inside one of the spoke VNets connected to Virtual WAN hubs. Azure Firewall that is integrated inside the Virtual WAN hub can use this resource as a custom DNS when you enable the DNS Proxy feature.
-- **Private Endpoints:** This resource type [is compatible](/azure/virtual-wan/howto-private-link) with Virtual WAN but must be deployed inside a spoke VNet. This provides connectivity to any other virtual network or branch connected to the same Virtual WAN, if the integrated Azure Firewall allows the flow. Instructions on how to secure traffic to Private Endpoints using the Azure Firewall integrated inside a Virtual WAN hub can be found in [Secure traffic destined to private endpoints in Azure Virtual WAN](/azure/firewall-manager/private-link-inspection-secure-virtual-hub).
-- **Azure Private DNS Zone (links):** This type of resource doesn't live inside a virtual network but must be [linked](/azure/dns/private-dns-virtual-network-links) to them to function correctly. Private DNS Zones can't be linked to Virtual WAN hubs. Instead, they should be connected to the spoke VNet containing custom DNS servers or an Azure Private DNS Resolver ([recommended](/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances)) or directly to the spoke VNets that require the DNS records from that zone.
+- **Private Endpoints:** This resource type [is compatible](/azure/virtual-wan/howto-private-link) with Virtual WAN but must be deployed inside a spoke virtual network. This provides connectivity to any other virtual network or branch connected to the same Virtual WAN, if the integrated Azure Firewall allows the flow. Instructions on how to secure traffic to Private Endpoints using the Azure Firewall integrated inside a Virtual WAN hub can be found in [Secure traffic destined to private endpoints in Azure Virtual WAN](/azure/firewall-manager/private-link-inspection-secure-virtual-hub).
+- **Azure Private DNS Zone (links):** This type of resource doesn't live inside a virtual network but must be [linked](/azure/dns/private-dns-virtual-network-links) to them to function correctly. Private DNS Zones can't be linked to Virtual WAN hubs. Instead, they should be connected to the spoke virtual network containing custom DNS servers or an Azure Private DNS Resolver ([recommended](/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances)) or directly to the spoke VNets that require the DNS records from that zone.
## Step 5: Review your encryption
@@ -282,7 +282,7 @@ The following training modules help your team with the skills necessary to apply
|Training |[Introduction to Azure Firewall](/training/modules/introduction-azure-firewall/)|
|---------|---------|
-|:::image type="icon" source="media/vwan/introduction-to-azure-firewall.svg" border="false"::: | Describe how Azure Firewall protects Azure VNet resources, including the Azure Firewall features, rules, deployment options, and administration with Azure Firewall Manager. |
+|:::image type="icon" source="media/vwan/introduction-to-azure-firewall.svg" border="false"::: | Describe how Azure Firewall protects Azure virtual network resources, including the Azure Firewall features, rules, deployment options, and administration with Azure Firewall Manager. |
> [!div class="nextstepaction"]
> [Start >](/training/modules/introduction-azure-firewall/)
@@ -349,7 +349,7 @@ Refer to these links to learn about the various services and technologies mentio
- [Zero Trust implementation guidance](zero-trust-overview.md)
- [Overview of the Microsoft cloud security benchmark](/security/benchmark/azure/overview)
- [Building the first layer of defense with Azure security services](/azure/architecture/solution-ideas/articles/azure-security-build-first-layer-defense)
-- [Microsoft Cybersecurity Reference Architectures](/security/cybersecurity-reference-architecture/mcra)
+- [Microsoft Cybersecurity Reference Architectures](microsoft-reference-architecture.md)
## Technical illustrations
@@ -357,4 +357,8 @@ You can download the illustrations used in this article. Use the Visio file to m
[PDF](https://download.microsoft.com/download/1/e/f/1ef1ad20-138e-419d-b30d-7f20811ef923/apply-zero-trust-to-Azure-vWAN-diagrams.pdf) | [Visio](https://download.microsoft.com/download/1/e/f/1ef1ad20-138e-419d-b30d-7f20811ef923/apply-zero-trust-to-Azure-vWAN-diagrams.vsdx)
-For additional technical illustrations, click [here](zero-trust-tech-illus.md).
\ No newline at end of file
+Review [additional technical illustrations](zero-trust-tech-illus.md).
+
+## Next steps
+
+[Learn about](/azure/networking/security/zero-trust-network-security) assessing your Zero Trust posture, including your network posture.
\ No newline at end of file
diff --git a/security-docs/zero-trust/cisa-zero-trust-maturity-model-intro.md b/security-docs/zero-trust/cisa-zero-trust-maturity-model-intro.md
index f1eb16394..1b4e37ec4 100644
--- a/security-docs/zero-trust/cisa-zero-trust-maturity-model-intro.md
+++ b/security-docs/zero-trust/cisa-zero-trust-maturity-model-intro.md
@@ -13,7 +13,7 @@ ms.reviewer: kbrewer
# Customer intent: As a security architect, I need to learn about the CISA Zero Trust Maturity Model so I can prioritize, deploy, and configure Zero Trust capabilities. My goal is to complete Maturity Model activities for users.
---
-# Configure Microsoft cloud services for the CISA Zero Trust Maturity Model
+# Align Microsoft services with the CISA Zero Trust Maturity Model
As cyber threats become increasingly sophisticated, the need for robust cybersecurity measures is more critical than ever. The U.S. Cybersecurity & Infrastructure Security Agency ([CISA](https://www.cisa.gov/)) plays a central role in defending cyberspace, spearheading national efforts to enhance the resilience of vital functions, and promoting a strong technology ecosystem. The CISA mission includes maintaining cyber situational awareness among Federal Civilian Executive Branch (FCEB) agencies, and securing the **.gov** domain. CISA assists federal agencies and industry partners with effective management of significant cyber incidents. In April 2023, CISA released the [Zero Trust Maturity Model Version 2.0](https://www.cisa.gov/zero-trust-maturity-model) (ZTMM).
@@ -44,7 +44,7 @@ Each pillar has three **cross-cutting capabilities**, which emphasize activities
* **Visibility and analytics**: Visibility refers to observable artifacts from the characteristics of, and events in, enterprise-wide environments. The focus on cyber-related data analysis helps inform policy decisions, facilitate response activities, and build a risk profile to develop proactive security measures.
* **Automation and orchestration**: Zero Trust uses automated tools and workflows for security response functions across products and services. It helps enterprises maintain oversight, security, and development process interaction for such functions, products, and services.
-* **Governance**: In this document, governance is the enforcement of enterprise cybersecurity policies, procedures, and processes, in and across pillars. Governances mitigates security risks in support of Zero Trust principles and to fulfill federal requirements.
+* **Governance**: In this document, governance is the enforcement of enterprise cybersecurity policies, procedures, and processes, in and across pillars. Governance mitigates security risks in support of Zero Trust principles and to fulfill federal requirements.
> [!NOTE]
> Visibility and analytics, automation and orchestration, and governance capabilities enable organizations to integrate advancements across pillars. The following image illustrates the pillars and cross-cutting capabilities.
@@ -59,7 +59,10 @@ The pillars span the ZTMM journey's four stages.
* **Traditional**: Manually configured lifecycles, for instance from establishment to decommission, and attribute assignments such as security and logging. Static security policies and solutions address pillars with dependencies on external systems. Least privilege is established at provisioning. Siloed pillars of policy enforcement; manual response and mitigation deployment, and limited correlation of dependencies, logs, and telemetry.
* **Initial**: Start automation of attribute assignment, lifecycle configuration, policy decisions, and enforcement. Initial cross-pillar solutions and external systems integration. Some responsive changes to least privilege after provisioning. Aggregated visibility for internal systems.
-* **Advanced**: Where applicable, automate controls for lifecycles, also configuration, and policy assignment with cross-pillar coordination. Centralize visibility and identity control, and policy enforcement integrated across pillars. Base responses to predefined mitigations, changes to least privilege on risk and posture assessments. Create enterprise-wide awareness, including externally hosted resources.
+* **Advanced**: Where applicable, automate control of identity and access lifecycles, as well as configuration and policy assignment, with coordination across security pillars. Centralize visibility, identity control, and policy enforcement across the environment.
+
+ Base responses on predefined mitigations, and dynamically adjust access toward least privilege based on risk signals and posture assessments. Extend awareness and governance across the entire enterprise, including externally hosted resources.
+
* **Optimal**: Automated, just-in-time (JIT) lifecycles and attribute assignments to assets and resources that can self-report with dynamic policies, based on automated and observed triggers. Use dynamic least privileged access, just-enough access (JEA) and within thresholds for assets and their dependencies; Enable cross-pillar interoperability with continuous monitoring, and centralized visibility with comprehensive situational awareness.
### Maturity model criteria
diff --git a/security-docs/zero-trust/deploy/overview.md b/security-docs/zero-trust/deploy/overview.md
index bd93030be..b73c09fbf 100644
--- a/security-docs/zero-trust/deploy/overview.md
+++ b/security-docs/zero-trust/deploy/overview.md
@@ -4,56 +4,70 @@ description: Learn how to deploy Zero Trust solutions to keep your organization
ms.date: 02/26/2025
ms.service: security
ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
ms.topic: checklist
-ms.collection:
- - highpri
- - zerotrust-pillar
+
+#customer intent: As a security or IT architect, I want to understand how technology pillars across the organization are integrated into the security adoption model and implemented across business scenarios.
+
---
-# Zero Trust deployment for technology pillars
-Because your organization might already have elements of Zero Trust protections already in place, this documentation set provides conceptual information to get you started and deployment plans and implementation recommendations for end-to-end adherence to Zero Trust principles. Each article acts as a checklist of deployment objectives with steps and links to more information.
-You deploy Zero Trust principles across your IT infrastructure by implementing Zero Trust controls and technologies across seven technology pillars. Six of these pillars are signal sources, a control plane for enforcement, and a critical resource to be defended. The seventh pillar is the pillar that collects signals from the first six pillars and provides visibility for security incidents and automation and orchestration for responding to and mitigating cybersecurity threats.
+
+
+
+# Overview - Technology pillars
+
+This article summarizes technology pillars in our [Zero Trust adoption model](../security-adoption-model.md).
+
+Technology pillars represent the core areas of your security architecture. They group related capabilities and controls into logical domains such as identity, endpoints, data, apps, infrastructure, networks, and security operations.
+
+Each pillar answers the same fundamental question:
+
+**How do we apply Zero Trust principles to this part of the environment?**
+
+Instead of thinking in terms of individual products or features, pillars provide a stable way to organize security design and implementation across your environment.
:::image type="content" source="../media/diagram-zero-trust-security-elements.png" alt-text="Diagram of elements of visibility, automation, and orchestration in Zero Trust." border="false":::
-The following articles provide conceptual information and deployment objectives for these seven technology pillars. Use these articles to assess your readiness and build a deployment plan to apply [Zero Trust principles](../zero-trust-overview.md).
+## Technology pillars in the adoption model
+
+Our structured adoption model focuses on three components:
+
+- [Business scenarios](../security-adoption-business-scenarios-overview.md) - Define the most critical security outcomes for the organization. They focus on **why** we're adopting Zero Trust security.
+- [Security disciplines](../security-adoption-discipline-overview.md) - Guide teams to define strategy, architecture, processes, and controls across common areas of security so that we can deliver the business scenarios. They focus on **what** Zero Trust capabilities are required.
+- **Technology pillars** - Secure specific areas of the organization such as identity, data, and devices. They focus on **where** security capabilities are implemented.
+- [Technical solutions](../implement-overview.md) - As adoption moves towards deployment, technical solutions provide detailed guidance for implementing security controls across technology pillars. They focus on **how** security is implemented.
+
+
+
+In the Zero Trust adoption model, technology pillars sit between strategy and implementation.
+
+Technology pillars don't define outcomes (business solutions) or steps (technical solutions), but they do:
+
+- Define technical boundaries where security controls are applied. These boundaries are used by solutions to organize implementation guidance and logic.
+- Act as the bridge between intent (why) and implementation (how).
+
+## Pillars
| Technology pillar | Description |
| --- | --- |
-| [](identity.md)
[Identities](identity.md) | Identities—whether they represent people, services, or IoT devices—define the Zero Trust control plane. When an identity attempts to access a resource, verify that identity with strong authentication, and ensure access is compliant and typical for that identity. Follow least privilege access principles. |
-| [](endpoints.md)
[Endpoints](endpoints.md) | Once an identity has been granted access to a resource, data can flow to a variety of different endpoints (devices), from IoT devices to smartphones, BYOD to partner-managed devices, and on-premises workloads to cloud-hosted servers. This diversity creates a massive attack surface area. Monitor and enforce device health and compliance for secure access. |
-| [](data.md)
[Data](data.md) | [Ultimately, security teams are protecting data. Where possible, data should remain safe even if it leaves the devices, apps, infrastructure, and networks the organization controls. Classify, label, and encrypt data, and restrict access based on those attributes. |
-| [](applications.md)
[Apps](applications.md)| Applications and APIs provide the interface by which data is consumed. They may be legacy on-premises workloads, lifted-and-shifted to cloud workloads, or modern SaaS applications. Apply controls and technologies to discover shadow IT, ensure appropriate in-app permissions, gate access based on real-time analytics, monitor for abnormal behavior, control user actions, and validate secure configuration options. |
-| [](infrastructure.md)
[Infrastructure](infrastructure.md) | Infrastructure—whether on-premises servers, cloud-based VMs, containers, or micro-services—represents a critical threat vector. Assess for version, configuration, and JIT access to harden defense. Use telemetry to detect attacks and anomalies, and automatically block and flag risky behavior and take protective actions. |
-| [](networks.md)
[Network](networks.md) | All data is ultimately accessed over network infrastructure. Networking controls can provide critical controls to enhance visibility and help prevent attackers from moving laterally across the network. Segment networks (and do deeper in-network micro-segmentation) and deploy real-time threat protection, end-to-end encryption, monitoring, and analytics. |
-| [](visibility-automation-orchestration.md)
[Visibility, automation, and orchestration](visibility-automation-orchestration.md) | In our Zero Trust guides, we define the approach to implement an end-to-end Zero Trust methodology across identities, endpoints (devices), data, apps, infrastructure, and network. These activities increase your visibility, which gives you better data for making trust decisions. With each of these individual areas generating their own relevant alerts, we need an integrated capability to manage the resulting influx of data to better defend against threats and validate trust in a transaction. |
-
-## Documentation set
-
-Follow this table for the best Zero Trust documentation sets for your needs.
-
-|Documentation set|Helps you...|Roles|
-|---|---|---|
-|[Adoption framework](../adopt/zero-trust-adoption-overview.md) for phase and step guidance for key business solutions and outcomes|Apply Zero Trust protections from the C-suite to the IT implementation.|Security architects, IT teams, and project managers|
-|[Assessment and progress tracking resource](../zero-trust-assessment-progress-tracking-resources.md) |Assess your infrastructure's readiness and track your progress. |Security architects, IT teams, and project managers|
-|[Zero Trust partner kit](../zero-trust-partner-kit.md) |Co-branded tracking resources, workshop, and architecture illustrations |Partners and security architects |
-|[Deployment for technology pillars](../deploy/overview.md) for conceptual information and deployment objectives|Apply Zero Trust protections aligned with typical IT technology areas.|IT teams and security staff|
-|[Zero Trust for small businesses](../guidance-smb-partner.md)|Apply Zero Trust principles to small business customers.|Customers and partners working with Microsoft 365 for business|
-|[Zero Trust for Microsoft Copilots](../copilots/apply-zero-trust-copilots-overview.md) for stepped and detailed design and deployment guidance|Apply Zero Trust protections to Microsoft Copilots.|IT teams and security staff|
-|[Zero Trust deployment plan with Microsoft 365](/microsoft-365/security/microsoft-365-zero-trust?bc=%2fsecurity%2fzero-trust%2fbreadcrumb%2ftoc.json&toc=%2fsecurity%2fzero-trust%2ftoc.json) for stepped and detailed design and deployment guidance|Apply Zero Trust protections to your Microsoft 365 organization.|IT teams and security staff|
-|[Incident response with XDR and integrated SIEM](../siem-xdr-overview.md)|Set XDR tools and integrate these with Microsoft Sentinel|IT teams and security staff|
-|[Zero Trust for Azure services](../azure-infrastructure-overview.md) for stepped and detailed design and deployment guidance|Apply Zero Trust protections to Azure workloads and services.|IT teams and security staff|
-|[Partner integration with Zero Trust](../integrate/overview.md) for design guidance for technology areas and specializations|Apply Zero Trust protections to partner Microsoft cloud solutions.|Partner developers, IT teams, and security staff|
-|[Develop using Zero Trust principles](../develop/overview.md) for application development design guidance and best practices|Apply Zero Trust protections to your application.|Application developers|
-|US Government guidance for [CISA](/security/zero-trust/cisa-zero-trust-maturity-model-intro), [DoD](/security/zero-trust/dod-zero-trust-strategy-intro), and the [Memorandum for Zero Trust architecture](/entra/standards/memo-22-09-meet-identity-requirements) |Prescriptive recommendations for US Government requirements |IT Architects and IT teams|
-
-## Recommended training
-
-|Training | [Establish the guiding principles and core components of Zero Trust](/training/paths/zero-trust-principles/) |
-|---------|---------|
-|:::image type="icon" source="../media/basics-of-zero-trust.png" border="false"::: | Use this learning path to understand the basics of applying Zero Trust principles to the key technology pillars of identities, endpoints, application access, networks, infrastructure, and data. |
-> [!div class="nextstepaction"]
-> [Start >](/training/paths/zero-trust-principles/)
+| [](identity.md)
[Identities](identity.md) | Control access decisions. Every request starts with identity verification and enforcement of least privilege. |
+| [](endpoints.md)
[Endpoints](endpoints.md) | Evaluate and enforce device trust. Access depends on device health, compliance, and risk. |
+| [](data.md)
[Data](data.md) | Protect the asset itself. Security persists with the data through classification, labeling, encryption, and access control. |
+| [](applications.md)
[Apps](applications.md)| Govern how data is accessed. Apply controls at the application and API layer, including permissions and session controls. |
+| [](infrastructure.md)
[Infrastructure](infrastructure.md) | Secure compute resources. Harden servers, VMs, containers, and services through configuration, access control, and monitoring. |
+| [](networks.md)
[Network](networks.md) | Control connectivity and movement. Segment and monitor traffic to prevent lateral movement and enforce secure communication.|
+| [](visibility-automation-orchestration.md)
[SecOps](visibility-automation-orchestration.md) |Integrate and operationalize all pillars. Detect, investigate, and respond using signals from across the environment. |
+
+## Zero Trust implementation workshops
+
+Microsoft's Zero Trust implementation workshops are available for each pillar. [Learn more](../workshop-zero-trust-overview.md).
+
+## What's next?
+
+- [Review](../implement-overview.md) technical solutions.
+- [Learn about](../security-adoption-model.md) our Zero Trust adoption model.
+- [Review](../security-adoption-business-scenarios-overview.md) critical security business scenarios.
diff --git a/security-docs/zero-trust/deploy/visibility-automation-orchestration.md b/security-docs/zero-trust/deploy/visibility-automation-orchestration.md
index 086e832cd..61bfdaa3d 100644
--- a/security-docs/zero-trust/deploy/visibility-automation-orchestration.md
+++ b/security-docs/zero-trust/deploy/visibility-automation-orchestration.md
@@ -3,14 +3,13 @@ title: Visibility, automation, and orchestration with Zero Trust
description: Since Zero Trust doesn't assume that requests are trustworthy, establishing a means to attest to the trustworthiness of the request is critical to proving its point-in-time trustworthiness. This attestation requires the ability to gain visibility into the activities on and around the request.
ms.service: security
ms.subservice: zero-trust
-manager: femila
ms.date: 03/12/2025
ms.topic: concept-article
ms.collection:
- zerotrust-pillar
---
-# Visibility, automation, and orchestration with Zero Trust
+# Integrated SecOps with Zero Trust
:::image type="icon" source="../media/icon-visibility-automation-orchestration-medium.png":::
@@ -20,7 +19,7 @@ In our other Zero Trust guides, we defined the approach to implementing an end-t
:::image type="content" source="../media/diagram-provide-integrated-capabilities-manage-threats.png" alt-text="Diagram of integrated capabilities to manage threats." border="true":::
-With each of these individual areas generating their own relevant alerts, we need an integrated capability to manage the resulting influx of data to better defend against threats and validate trust in a transaction.
+With each of these individual areas generating their own relevant alerts, we need an integrated security operations (SecOps) capability to manage the resulting influx of data to better defend against threats and validate trust in a transaction.
You want the ability to:
@@ -53,10 +52,10 @@ In order to use these tactics to manage threats, you should have a central conso
Security Operation Centers often deploy a combination of SIEM and SOAR technologies to collect, detect, investigate, and respond to threats. Microsoft offers Microsoft Sentinel as its SIEM-as-a-service offering. Microsoft Sentinel ingests all Microsoft Defender for Identity and third-party data.
-Microsoft 365 Defender, a key feed into Azure Sentinel, provides a unified enterprise defense suite that brings context-aware protection, detection, and response across all Microsoft 365 components. By being context- aware and coordinated, customers using Microsoft 365 can gain visibility and protection across endpoints, collaboration
+Microsoft Defender XDR, a key feed into Microsoft Sentinel, provides a unified enterprise defense suite that brings context-aware protection, detection, and response across all Microsoft 365 components. By being context- aware and coordinated, customers using Microsoft 365 can gain visibility and protection across endpoints, collaboration
tools, identities, and applications.
-It's through this hierarchy that we enable our customers to maximize their focus. Though context-awareness and automated remediation, Microsoft 365 Defender can detect and stop many threats without adding additional alert-fatigue to already overloaded SOC personnel. Advanced hunting inside of Microsoft 365 Defender brings that context to the hunt to focus on many key attack points. And hunting and orchestration across the entire ecosystem through Azure Sentinel provides the ability to gain the right visibility into all aspects of a heterogeneous environment, all while minimizing the cognitive overload of the operator.
+It's through this hierarchy that we enable our customers to maximize their focus. Though context-awareness and automated remediation, Microsoft Defender XDR can detect and stop many threats without adding additional alert-fatigue to already overloaded SOC personnel. Advanced hunting inside of Microsoft Defender XDR brings that context to the hunt to focus on many key attack points. And hunting and orchestration across the entire ecosystem through Microsoft Sentinel provides the ability to gain the right visibility into all aspects of a heterogeneous environment, all while minimizing the cognitive overload of the operator.
## Visibility, automation, and orchestration Zero Trust deployment objectives
@@ -108,11 +107,11 @@ The first step is to establish visibility by enabling [Microsoft Threat Protecti
Follow these steps:
-1. Sign up for one of the Microsoft 365 Defender workloads.
+1. Sign up for one of the Microsoft Defender XDR workloads.
2. Enable the workloads and establish connectivity.
3. Configure detection on your devices and infrastructure to bring immediate visibility into activities going on in the environment.
This gives you the all-important "dial tone" to start the flow of critical data.
-4. Enable Microsoft 365 Defender to gain cross-workload visibility and incident detection.
+4. Enable Microsoft Defender XDR to gain cross-workload visibility and incident detection.
### II. Enable automation
@@ -122,7 +121,7 @@ The next key step, once you have established visibility, is to enable automation
#### Automated investigations and remediation
-With Microsoft 365 Defender, we have automated both investigations and remediation, which essentially provides an extra Tier 1 SOC analysis.
+With Microsoft Defender XDR, we have automated both investigations and remediation, which essentially provides an extra Tier 1 SOC analysis.
[Automated Investigation and Remediation](/microsoft-365/security/mtp/mtp-autoir) (AIR) can be enabled gradually, so that you can develop a comfort level with the actions that are taken.
@@ -135,7 +134,7 @@ Follow these steps:
#### Link Microsoft Purview Data Connectors and relevant third-party products to Microsoft Sentinel
-In order to gain visibility into the incidents that result from deploying a Zero Trust model, it's important to connect Microsoft 365 Defender, Microsoft Purview Data Connectors, and relevant third party products to [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/) in order to provide a centralized platform for incident investigation and response.
+In order to gain visibility into the incidents that result from deploying a Zero Trust model, it's important to connect Microsoft Defender XDR, Microsoft Purview Data Connectors, and relevant third party products to [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) in order to provide a centralized platform for incident investigation and response.
As part of the data connection process, relevant analytics can be enabled to trigger incidents and workbooks can be created for a graphical representation of the data over time.
@@ -153,7 +152,7 @@ Although machine learning and fusion analytics are provided out of the box, it's
### III. Enable additional protection and detection controls
-Enabling additional controls improves the signal coming in to Microsoft 365 Defender and Sentinel to improve your visibility and ability to orchestrate responses.
+Enabling additional controls improves the signal coming in to Microsoft Defender XDR and Microsoft Sentinel to improve your visibility and ability to orchestrate responses.
[Attack surface reduction](/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) controls represent one such opportunity. These protective controls not only block certain activities that are most associated with malware, but also give into attempts to use specific approaches, which can help to detect adversaries leveraging these techniques earlier in the process.
diff --git a/security-docs/zero-trust/dod-zero-trust-strategy-intro.md b/security-docs/zero-trust/dod-zero-trust-strategy-intro.md
index 83df55f8a..c1051b5d6 100644
--- a/security-docs/zero-trust/dod-zero-trust-strategy-intro.md
+++ b/security-docs/zero-trust/dod-zero-trust-strategy-intro.md
@@ -13,7 +13,7 @@ ms.reviewer: ehudi
# Customer intent: I'm a security architect, and I need to learn how Microsoft cloud services align to the DoD Zero Trust Strategy so I can prioritize, deploy, and configure Zero Trust capabilities. My goal is to complete DoD Zero Trust activities for my organization.
---
-# Configure Microsoft cloud services for the DoD Zero Trust Strategy
+# Align Microsoft services with the DoD Zero Trust Strategy
The U.S. Department of Defense (DoD) Zero Trust Portfolio Management Office (ZT PfMO) was established to orchestrate DoD-wide Zero Trust adoption and execution. In November 2022, the DoD ZT PfMO released the [DoD Zero Trust Strategy and Roadmap](https://www.defense.gov/News/Releases/Release/Article/3225919/department-of-defense-releases-zero-trust-strategy-and-roadmap/).
@@ -26,7 +26,7 @@ The strategy has four goals.
* **Technology Acceleration** - Zero Trust technologies deploy at a pace equal to, or that exceeds, industry advancements to remain ahead of the changing threat environment.
* **Zero Trust Enablement** - DoD Zero Trust execution integrates with DoD, and component-level processes, resulting in seamless and coordinated Zero Trust execution.
-Microsoft has an expanding array of Zero Trust capabilities powered by a unified identity platform and pre-integrated, fit-for-purpose security tools. They offer repeatable, comprehensive coverage across the seven pillars of the DoD Zero Trust Strategy for target and advanced activities.
+Microsoft has an expanding array of Zero Trust capabilities powered by a unified identity platform and pre-integrated, fit-for-purpose security tools. These security tools provide comprehensive coverage across the seven pillars of the DoD Zero Trust Strategy for target and advanced activities.
## Pillars, capabilities, and activities
diff --git a/security-docs/zero-trust/guidance-smb-partner.md b/security-docs/zero-trust/guidance-smb-partner.md
index 663a0cb39..838453479 100644
--- a/security-docs/zero-trust/guidance-smb-partner.md
+++ b/security-docs/zero-trust/guidance-smb-partner.md
@@ -36,7 +36,7 @@ This article also includes information and resources for Microsoft partners.
|Cybersecurity playbook|Description|
|---|---|
-|:::image type="content" source="media/m365bp-cyber-security-playbook.png" alt-text="Screenshot of cybersecurity playbook for small business.":::|In this library: - [Downloadable poster](https://download.microsoft.com/download/9/c/1/9c167271-8209-492e-acc2-38a39d1834c2/m365bp-cybersecurity-playbook.pdf) that guides you through the process of configuring Business Premium for Zero Trust.
- Guidance for small and medium-sized businesses who aren't security experts and need some help getting started.
- Steps to secure unmanaged, personally owned devices (also known as bring your own device or BYOD) and managed devices (typically, company-owned devices).
- Recommendations and best practices for all users, including admins and security operations personnel.
|
+|:::image type="content" source="media/m365bp-cyber-security-playbook.png" alt-text="Screenshot of cybersecurity playbook for small business.":::|In this library: - [Downloadable poster](https://download.microsoft.com/download/9/c/1/9c167271-8209-492e-acc2-38a39d1834c2/m365bp-cybersecurity-playbook.pdf) that guides you through the process of configuring Business Premium for Zero Trust.
- Guidance for small and medium-sized businesses who aren't security experts and need some help getting started.
- Steps to secure unmanaged, personally owned devices (also known as bring your own device (BYOD)) and managed devices (typically, company-owned devices).
- Recommendations and best practices for all users, including admins and security operations personnel.
|
For more information, see the following resources:
@@ -53,7 +53,7 @@ For more information, see the following resources:
Business Premium includes Microsoft Defender for Business, which provides comprehensive security for devices with a simplified configuration experience that's optimized for small and medium-sized businesses. Capabilities include threat and vulnerability management, next-generation protection (antivirus and firewall), automated investigation and remediation, and more.
-Business Premium also includes advanced anti-phishing, anti-spam, and anti-malware protection for email content and Office files (Safe Links and Safe Attachments) with Microsoft Defender for Office 365 Plan 1. With these capabilities, your email and collaboration content is more secure and better protected.
+Business Premium also includes advanced anti-phishing, anti-spam, and anti-malware protection for email content and Office files (Safe Links and Safe Attachments) with Microsoft Defender for Office 365 Plan 1. With these capabilities, your email and collaboration content are more secure and better protected.
For more information, see the following resources:
@@ -95,7 +95,7 @@ The Defender for Endpoint APIs can be used to integrate device security capabili
You or your small business customers likely use other Software as a Service (SaaS) applications, such as Salesforce, Adobe Creative Cloud, and DocuSign. You can integrate these applications with Microsoft Entra ID and include these applications in your MFA and Conditional Access policies.
-The Microsoft Entra application gallery is a collection of software as a service (SaaS) applications that are pre-integrated with Microsoft Entra ID. All you need to do is find the application in the gallery and add it to your environment. Then, the application is available to include in the scope of your MFA and Conditional Access rules. See [Overview of the Microsoft Entra application gallery](/entra/identity/enterprise-apps/overview-application-gallery).
+The Microsoft Entra application gallery is a collection of software as a service (SaaS) applications that are preintegrated with Microsoft Entra ID. All you need to do is find the application in the gallery and add it to your environment. Then, the application is available to include in the scope of your MFA and Conditional Access rules. See [Overview of the Microsoft Entra application gallery](/entra/identity/enterprise-apps/overview-application-gallery).
After you add SaaS apps to your environment, these apps are automatically be protected with Microsoft Entra MFA and the other protections provided by security defaults. If you're using Conditional Access policies instead of security defaults, you need to add these apps to the scope of your Conditional Access and related policies. See [Turn on MFA in Microsoft 365 Business Premium](/microsoft-365/business-premium/m365bp-conditional-access).
diff --git a/security-docs/zero-trust/implement-overview.md b/security-docs/zero-trust/implement-overview.md
new file mode 100644
index 000000000..14a7e6038
--- /dev/null
+++ b/security-docs/zero-trust/implement-overview.md
@@ -0,0 +1,100 @@
+---
+title: Microsoft secure Zero Trust implementation solutions
+description: Get an overview of Microsoft Zero Trust implementation solutions
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want to get an overview of the Zero Trust implmentation solutions offered by Microsoft.
+---
+
+# Overview - Implement Zero Trust solutions
+
+This article provides an overview of Microsoft Zero Trust security solutions.
+
+## Security adoption
+
+Microsoft's structured adoption model for Zero Trust security focuses on three components:
+
+- [Business scenarios](security-adoption-business-scenarios-overview.md) help business leaders to define critical security outcomes across the organization. They focus on **why** we're adopting Zero Trust security.
+- [Security disciplines](security-adoption-discipline-overview.md) define the strategy, architecture, and processes required to support the security outcomes. They focus on **what** capabilities are needed.
+- [Technology pillars](deploy/overview.md) focus on implementing security for specific areas such as identity, data, and devices. They focus on **where** security capabilities are applied.
+
+Technical solutions are the final step in the security adoption and deployment journey and focus on **how**. They connect the business scenarios, discipline strategies, and architectures, together with relevant technology pillars into step-by-step product-level implementation guides.
+
+
+## Technical solutions
+
+Technical solutions do the following:
+
+- Align to business scenarios.
+- Translate and break down business scenarios into actionable steps.
+- Implement security architectures and controls from across security disciplines.
+- Base implementation guidance on Microsoft security best practices.
+- Enforce security controls across [technology pillars](deploy/overview.md).
+
+## How solutions use technology pillars
+
+Technology pillars define where security controls are applied, but they aren't implemented on their own.
+
+Technical solutions use technology pillars in two ways:
+
+- **Organize implementation around a primary pillar**.
+ Each solution focuses on securing a specific area, such as identity, endpoints, or data.
+- **Apply controls across multiple pillars**
+ Implementing a solution requires integrating capabilities from other pillars. For example, securing identity also depends on device compliance, application access, and security operations.
+
+To summarize:
+
+- Technology pillars provide the structure and scope.
+- Solutions provide the end-to-end implementation.
+
+## Choose your starting point
+
+You can implement Zero Trust solutions from a couple of starting points:
+
+- You can start with a [business scenario](security-adoption-business-scenarios-overview.md) that's important for your business. For example *Improve security posture and compliance across the organization*.
+- Alternatively you might want to focus on improving security for a specific domain, and start with a specific technology pillar. For example *Secure endpoints across the organization*.
+
+Both approaches use the same set of Microsoft security technologies.
+
+Scenario-based adoption ensures alignment to business priorities, while technology-focused adoption helps address immediate risks in specific areas of security.
+
+### Start with business scenarios
+
+The table summarizes technical solutions based on business scenarios. Follow any of the solutions for end-to-end implementation guidance.
+
+**Solution** | **Business scenario**
+--- | --- | ---
+[Protect Microsoft Copilot](copilots/apply-zero-trust-copilots-overview.md) | Rapidly and securely adopt AI |
+[Secure hybrid work](adopt/secure-remote-hybrid-work.md) | Enable people to do their job securely
+[Protect privileged access](adopt/implement-privileged-access.md) | identify and protect critical business assets
+[Improve security posture](adopt/rapidly-modernize-security-posture.md) | Continuously improve security posture and compliance.
+[Meet compliance requirements](adopt/meet-regulatory-compliance-requirements.md) | Continuously improve security posture and compliance.
+[Minimize attack impact](adopt/rapidly-modernize-security-posture.md) | Minimize business damage from security incidents
+
+
+### Start with technology pillars
+
+The table summarizes technical solutions based on specific technology pillars. Follow any of the solutions for end-to-end implementation guidance.
+
+Each solution is organized by a primary technology pillar but integrates controls from multiple pillars.
+
+**Solution** | **Technology pillar**
+--- | ---
+[Secure identity with Zero Trust](identity.md) | **Identity** - Define the Zero Trust control plane across people, services, and devices. Verify every access request using strong authentication, enforce conditional access, and apply least privilege based on risk, compliance, and typical behavior.
+[Secure endpoints with Zero Trust](endpoints.md) | **Devices** - Protect all devices accessing your environment—from IoT and mobile to partner-managed and cloud-hosted systems. Enforce device health and compliance, and continuously monitor endpoint risk before granting or maintaining access.
+[Secure data with Zero Trust](data.md) | **Data** - Protect data at all times, regardless of location. Classify and label sensitive information, encrypt it, and enforce access controls and usage restrictions based on data sensitivity.
+[Secure apps with Zero Trust](applications.md) | **Apps** - Secure applications and APIs as the interface to data. Discover and govern shadow IT, enforce in-app permissions, apply real-time access controls, monitor for abnormal behavior, and validate secure configuration.
+[Secure infrastructure with Zero Trust](infrastructure.md) | **Infrastructure** - Protect compute resources including servers, VMs, containers, and microservices. Assess configurations, enforce just-in-time (JIT) access, and use telemetry to detect and automatically respond to threats and anomalies.
+[Secure networks with Zero Trust](networks.md) | **Networks** - Secure the transport layer for all access. Use segmentation and micro-segmentation to limit lateral movement, and apply encryption, monitoring, analytics, and real-time threat protection across network traffic.
+[Secure SecOps](visibility-automation-orchestration.md) | **SecOps** - Integrate signals across all pillars to detect, investigate, and respond to threats. Correlate alerts, automate responses, and use centralized visibility to continuously validate trust and improve security posture.
+
+## Next steps
+
+- [Review](deploy/overview.md) technology pillars.
+- [Learn about](security-adoption-model.md) our Zero Trust adoption model.
+- [Review](security-adoption-business-scenarios-overview.md) critical security business scenarios.
\ No newline at end of file
diff --git a/security-docs/zero-trust/index.yml b/security-docs/zero-trust/index.yml
index 9d2af76b9..91e4de5fc 100644
--- a/security-docs/zero-trust/index.yml
+++ b/security-docs/zero-trust/index.yml
@@ -1,45 +1,89 @@
### YamlMime:Hub
-title: Zero Trust security guidance
-summary: Zero Trust is a security strategy that assumes breach and verifies every request. Implement Zero Trust protections that secure and enable your organization using deployment guides, assessment tools, and adoption frameworks aligned with the three core principles—verify explicitly, use least privilege access, and assume breach.
+title: Zero Trust Guidance Center
+summary: Zero Trust security “assumes breach,” “never trusts,” and “always verifies.” The Zero Trust Guidance Center helps you adopt security, deliver secure business outcomes, and protect technology pillars such as identity, devices, and data across your organization.
brand: azure
metadata:
- title: Zero Trust security guidance
+ title: Zero Trust Guidance Center
description: Learn about Zero Trust, a security strategy that assumes breach and verifies every request. Find deployment guides, assessment tools, and adoption frameworks to implement Zero Trust principles that protect and enable secure operations across identity, endpoints, applications, data, infrastructure, and networks in your organization.
ms.service: security
ms.subservice: zero-trust
ms.topic: hub-page
ms.author: joflore
author: MicrosoftGuyJFlo
- ms.date: 02/10/2026
+ ms.date: 05/05/2026
## HIGHLIGHTED CONTENT ##############################################
highlightedContent:
items:
- - title: What is Zero Trust?
- itemType: overview
- url: /security/zero-trust/zero-trust-overview
- - title: Assess your organization's Zero Trust posture
- url: /security/zero-trust/zero-trust-assessment-progress-tracking-resources
+ - title: Adopt security with Zero Trust principles
+ url: /security/zero-trust/security-adoption-model
itemType: get-started
- - title: Zero Trust strategy approach
- url: /security/zero-trust/adopt/zero-trust-adoption-overview
- itemType: concept
- - title: SFI - How Microsoft operationalized a Zero Trust strategy
+ - title: Review SFI patterns and best practices
url: /security/zero-trust/sfi/secure-future-initiative-overview
+ itemType: learn
+ - title: Prioritize business outcomes with scenarios
+ url: /security/zero-trust/security-adoption-business-scenarios-overview
itemType: concept
- - title: Deploying Zero Trust end-to-end
+ - title: Assess your security posture
+ url: /security/zero-trust/assessment/overview
+ itemType: get-started
+ - title: Accelerate security deployment with a Zero Trust assessment
url: https://microsoft.github.io/zerotrustassessment/
itemType: deploy
- - title: Zero Trust guidance for small businesses
- url: /security/zero-trust/guidance-smb-partner
+ - title: Implement security solutions
+ url: /security/zero-trust/implement-overview
itemType: how-to-guide
## HIGHLIGHTED CONTENT END ##############################################
+conceptualContent:
+ sections:
+ - title: Secure key business scenarios
+ summary: Review key business outcomes and the security disciplines that support them.
+ items:
+ - title: Explore business scenarios
+ links:
+ - url: /security/zero-trust/security-adoption-scenario-secure-ai
+ itemType: concept
+ text: Protect AI and data
+ - url: /security/zero-trust/security-adoption-scenario-remote-work
+ itemType: concept
+ text: Allow work from anywhere
+ - url: /security/zero-trust/security-adoption-scenario-secure-assets
+ itemType: concept
+ text: Secure critical business assets
+ - url: /security/zero-trust/security-adoption-scenario-improve-posture
+ itemType: concept
+ text: Strengthen posture and compliance
+ - url: /security/zero-trust/security-adoption-scenario-minimize-impact
+ itemType: concept
+ text: Minimize the impact of security incidents
+ - title: Build security disciplines
+ links:
+ - url: /security/zero-trust/security-adoption-discipline-strategy
+ itemType: concept
+ text: Strategy, integration, and governance
+ - url: /security/zero-trust/security-adoption-discipline-architecture
+ itemType: concept
+ text: Security architecture
+ - url: /security/zero-trust/security-adoption-discipline-identity-access
+ itemType: concept
+ text: Identity
+ - url: /security/zero-trust/security-adoption-discipline-data
+ itemType: concept
+ text: Data security
+ - url: /security/zero-trust/security-adoption-discipline-security-operations
+ itemType: concept
+ text: Security operations
+ - url: /security/zero-trust/security-adoption-discipline-development
+ itemType: concept
+ text: Developer operations
+
+
productDirectory:
- title: Deploy Zero Trust by pillar
- summary: Implement Zero Trust across your organization with comprehensive technical deployment guides for each security pillar.
+ title: Secure technology pillars across the business
+ summary: Implement Zero Trust security to achieve business outcomes and protect technology pillars.
items:
- title: Identity
imageSrc: /security/media/hubpage/security-icons/microsoft-entra.svg
@@ -74,130 +118,7 @@ productDirectory:
summary: "Embed Zero Trust principles into your development workflow and applications."
url: /security/zero-trust/develop/overview
-conceptualContent:
- title: Most viewed content
- summary: Discover the most popular Zero Trust resources based on thousands of visits from security professionals and IT implementers.
- items:
- ## CARD 1 ######################
- - title: Getting started
- links:
- - text: What is Zero Trust?
- url: /security/zero-trust/zero-trust-overview
- itemType: concept
- - text: Zero Trust deployment overview
- url: /security/zero-trust/deploy/overview
- itemType: overview
- - text: Microsoft 365 Zero Trust deployment plan
- url: /security/zero-trust/microsoft-365-zero-trust
- itemType: deploy
- - text: Deploy your identity infrastructure for Microsoft 365
- url: /microsoft-365/enterprise/deploy-identity-solution-overview
- itemType: deploy
- ## CARD 2 ######################
- - title: Assessment & adoption
- links:
- - text: Zero Trust assessment and progress tracking resources
- url: /security/zero-trust/zero-trust-assessment-progress-tracking-resources
- itemType: overview
- - text: Zero Trust assessment overview
- url: /security/zero-trust/assessment/overview
- itemType: overview
- - text: Run the Zero Trust assessment
- url: /security/zero-trust/assessment/get-started
- itemType: how-to-guide
- - text: Zero Trust adoption framework
- url: /security/zero-trust/adopt/zero-trust-adoption-overview
- itemType: concept
- ## CARD 3 ######################
- - title: Identity & device access
- links:
- - text: Identity - Zero Trust pillar
- url: /security/zero-trust/deploy/identity
- itemType: concept
- - text: Identity and device access policies
- url: /security/zero-trust/zero-trust-identity-device-access-policies-overview
- itemType: overview
- - text: Common identity and device access policies
- url: /security/zero-trust/zero-trust-identity-device-access-policies-common
- itemType: reference
- - text: Zero Trust partner kit
- url: /security/zero-trust/zero-trust-partner-kit
- itemType: reference
- ## CARD 4 ######################
- - title: Microsoft Copilots
- links:
- - text: Zero Trust Copilots overview
- url: /security/zero-trust/copilots/apply-zero-trust-copilots-overview
- itemType: overview
- - text: Zero Trust for Security Copilot
- url: /security/zero-trust/copilots/zero-trust-microsoft-copilot-for-security
- itemType: concept
- - text: Zero Trust for Microsoft 365 Copilot
- url: /security/zero-trust/copilots/zero-trust-microsoft-365-copilot
- itemType: concept
- - text: Zero Trust for Microsoft Copilot
- url: /security/zero-trust/copilots/zero-trust-microsoft-copilot
- itemType: concept
- ## CARD 5 ######################
- - title: Compliance frameworks
- links:
- - text: CISA Zero Trust Maturity Model
- url: /security/zero-trust/cisa-zero-trust-maturity-model-intro
- itemType: overview
- - text: DoD Zero Trust Strategy
- url: /security/zero-trust/dod-zero-trust-strategy-intro
- itemType: overview
- - text: US Federal Zero Trust requirements
- url: /entra/standards/memo-22-09-meet-identity-requirements
- itemType: reference
- - text: Zero Trust assessment resources
- url: /security/zero-trust/zero-trust-assessment-progress-tracking-resources
- itemType: reference
- ## CARD 6 ######################
- - title: Secure Future Initiative
- links:
- - text: Secure Future Initiative overview
- url: /security/zero-trust/sfi/secure-future-initiative-overview
- itemType: overview
- - text: Phishing-resistant MFA
- url: /security/zero-trust/sfi/phishing-resistant-mfa
- itemType: concept
- - text: Eliminate identity lateral movement
- url: /security/zero-trust/sfi/eliminate-identity-lateral-movement
- itemType: concept
- - text: Network isolation
- url: /security/zero-trust/sfi/network-isolation
- itemType: concept
- ## CARD 7 ######################
- - title: Specialized scenarios
- links:
- - text: Zero Trust for Azure IaaS
- url: /security/zero-trust/azure-infrastructure-overview
- itemType: overview
- - text: Zero Trust for Azure Virtual Desktop
- url: /security/zero-trust/azure-infrastructure-avd
- itemType: concept
- - text: Small business guidance
- url: /security/zero-trust/guidance-smb-partner
- itemType: concept
- - text: Technical illustrations
- url: /security/zero-trust/zero-trust-tech-illus
- itemType: reference
- ## CARD 8 ######################
- - title: Developer resources
- links:
- - text: Develop using Zero Trust principles
- url: /security/zero-trust/develop/overview
- itemType: overview
- - text: Configure tokens, group claims, and app roles
- url: /security/zero-trust/develop/configure-tokens-group-claims-app-roles
- itemType: how-to-guide
- - text: Register applications
- url: /security/zero-trust/develop/app-registration
- itemType: how-to-guide
- - text: Secure with Continuous Access Evaluation
- url: /security/zero-trust/develop/secure-with-cae
- itemType: concept
+
additionalContent:
sections:
diff --git a/security-docs/zero-trust/integrate-saas-apps.md b/security-docs/zero-trust/integrate-saas-apps.md
index 724713bb3..429b99a6a 100644
--- a/security-docs/zero-trust/integrate-saas-apps.md
+++ b/security-docs/zero-trust/integrate-saas-apps.md
@@ -19,9 +19,9 @@ ms.collection:
The widespread increase in cloud adoption is transforming how organizations achieve business outcomes. This shift highlights the reliance on cloud-based apps resulting in higher demand for services such as Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), and cloud-based app development platforms. SaaS apps play a key role in ensuring that applications and resources are available and accessible from any device with an Internet connection.
-While a multi-cloud environment can help reduce operational costs and improve scalability, the large amount of sensitive data and the flexibility it affords organizations can potentially pose a security risk. Deliberate steps must be taken to ensure that apps hosted in the cloud and their data are protected.
+While a multicloud environment can help reduce operational costs and improve scalability, the large amount of sensitive data and the flexibility it affords organizations can potentially pose a security risk. Deliberate steps must be taken to ensure that apps hosted in the cloud and their data are protected.
-To ensure that access and productivity are secure, implementation of SaaS apps need to align with the Zero Trust security model, which is based on these guiding principles.
+To ensure that access and productivity are secure, implementation of SaaS apps must align with the Zero Trust security model, which is based on these guiding principles.
| Zero Trust principle | Definition | Met by... |
| --- | --- | --- |
@@ -39,7 +39,7 @@ The diagram shows:
- Examples of third-party cloud apps that include SaaS apps and your custom PaaS apps.
- The role of Microsoft Entra ID to include these apps in the scope of your strong authentication and other Conditional Access policies. For more information, see [Integrating all your apps with Microsoft Entra ID](/azure/active-directory/fundamentals/five-steps-to-full-application-integration-with-azure-ad).
-- The role of Microsoft Defender for Cloud Apps in discovering the cloud apps that your organization uses. You can approve apps, apply session controls, and discover sensitive data. For newly-discovered enterprise cloud apps that support federation, you can add them to Microsoft Entra ID to enforce strong authentication and other policies.
+- The role of Microsoft Defender for Cloud Apps in discovering the cloud apps that your organization uses. You can approve apps, apply session controls, and discover sensitive data. For newly discovered enterprise cloud apps that support federation, you can add them to Microsoft Entra ID to enforce strong authentication and other policies.
- The role of Microsoft Purview Information Protection to protect cloud app data and prevent data loss in conjunction with Microsoft Defender for Cloud apps.
## Implementing the layers of protection for SaaS apps
diff --git a/security-docs/zero-trust/manage-devices-with-intune-monitor-risk.md b/security-docs/zero-trust/manage-devices-with-intune-monitor-risk.md
index 3f7ffdf56..8534340ab 100644
--- a/security-docs/zero-trust/manage-devices-with-intune-monitor-risk.md
+++ b/security-docs/zero-trust/manage-devices-with-intune-monitor-risk.md
@@ -64,8 +64,8 @@ To deploy security baselines and monitor compliance for these settings, use the
|Step |Description |
|---------|---------|
-|1 |Review key concepts and compare the Microsoft Defender for Endpoint and the Windows security baselines in Intune.
To learn about recommendations for Defender for Endpoint, see [Increase compliance to the Microsoft Defender for Endpoint security baseline](/defender-endpoint/configure-machines-security-baseline).
To review the list of security baselines that are available with Intune, and how to avoid conflicts, see [Use security baselines to configure Windows devices in Intune](/mem/intune-service/protect/security-baselines).
-|2 | Use Intune to deploy the security baseline for Windows settings. For more information, see related guidance in [Step 5. Deploy device profiles](manage-devices-with-intune-configuration-profiles.md). |
+|1 |Review key concepts and compare the Microsoft Defender for Endpoint and the Windows security baselines in Intune.
To learn about recommendations for Defender for Endpoint, see [Increase compliance to the Microsoft Defender for Endpoint security baseline](/defender-endpoint/configure-machines-security-baseline).
To review the list of security baselines that are available with Intune, and how to avoid conflicts, see [Use security baselines to configure Windows devices in Intune](/mem/intune-service/protect/security-baselines). |
+|2 | Use Intune to deploy the security baseline for Windows settings. For more information, see related guidance in [Step 5. Deploy device profiles](manage-devices-with-intune-configuration-profiles.md). |
|3 | Use Intune to deploy Defender for Endpoint baseline settings. To create the profile and choose the correct baseline, see [Manage security baseline profiles in Microsoft Intune](/intune/intune-service/protect/security-baselines-configure).
You can also follow the instructions as [Review and assign the Microsoft Defender for Endpoint security baseline](/defender-endpoint/configure-machines-security-baseline#review-and-assign-the-microsoft-defender-for-endpoint-security-baseline) in the Defender for Endpoint documentation. |
|4 | In the Defender for Endpoint documentation, review [Ensure your devices are configured properly](/defender-endpoint/configure-machines) and the [Security baseline card on device configuration management](/defender-endpoint/configure-machines-security-baseline#monitor-compliance-to-the-defender-for-endpoint-security-baseline). |
diff --git a/security-docs/zero-trust/manage-devices-with-intune-require-compliance.md b/security-docs/zero-trust/manage-devices-with-intune-require-compliance.md
index a6ca72198..4279ba7a1 100644
--- a/security-docs/zero-trust/manage-devices-with-intune-require-compliance.md
+++ b/security-docs/zero-trust/manage-devices-with-intune-require-compliance.md
@@ -19,7 +19,7 @@ ms.custom:
# Step 4. Require healthy and compliant devices with Intune
-Conditional Access provides additional verification of device status before allowing access to a service. Conditional Access doesn’t work unless you specify conditions. In [Step 3. Set up compliance policies](manage-devices-with-intune-compliance-policies.md), you defined compliance policies that specify the minimum requirements a device must meet to access your environment. As described in this article, you’ll create the corresponding Conditional Access policy in Microsoft Entra ID to require compliant devices. This helps keep your corporate data secure while giving users the ability to work from any device and from any location.
+Conditional Access provides another verification of device status before allowing access to a service. Conditional Access doesn’t work unless you specify conditions. In [Step 3. Set up compliance policies](manage-devices-with-intune-compliance-policies.md), you defined compliance policies that specify the minimum requirements a device must meet to access your environment. As described in this article, you’ll create the corresponding Conditional Access policy in Microsoft Entra ID to require compliant devices. This helps keep your corporate data secure while giving users the ability to work from any device and from any location.
After setting up device compliance policies and assigning these to user groups, Intune lets Microsoft Entra ID know if a device is compliant or not. To use this status as a condition for access, you must work with your Microsoft Entra administrator to create a Conditional Access rule to require compliant PCs and mobile devices.
diff --git a/security-docs/zero-trust/media/adoption-business-scenarios.png b/security-docs/zero-trust/media/adoption-business-scenarios.png
new file mode 100644
index 000000000..63e718b1f
Binary files /dev/null and b/security-docs/zero-trust/media/adoption-business-scenarios.png differ
diff --git a/security-docs/zero-trust/media/adoption-guidance-context.png b/security-docs/zero-trust/media/adoption-guidance-context.png
new file mode 100644
index 000000000..6509097e1
Binary files /dev/null and b/security-docs/zero-trust/media/adoption-guidance-context.png differ
diff --git a/security-docs/zero-trust/media/adoption-map-national-institute.png b/security-docs/zero-trust/media/adoption-map-national-institute.png
new file mode 100644
index 000000000..60da76dd2
Binary files /dev/null and b/security-docs/zero-trust/media/adoption-map-national-institute.png differ
diff --git a/security-docs/zero-trust/media/adoption-model.png b/security-docs/zero-trust/media/adoption-model.png
new file mode 100644
index 000000000..90ac78051
Binary files /dev/null and b/security-docs/zero-trust/media/adoption-model.png differ
diff --git a/security-docs/zero-trust/media/adoption-navigation-connections.png b/security-docs/zero-trust/media/adoption-navigation-connections.png
new file mode 100644
index 000000000..94cd93654
Binary files /dev/null and b/security-docs/zero-trust/media/adoption-navigation-connections.png differ
diff --git a/security-docs/zero-trust/media/adoption-navigation-main.png b/security-docs/zero-trust/media/adoption-navigation-main.png
new file mode 100644
index 000000000..719549082
Binary files /dev/null and b/security-docs/zero-trust/media/adoption-navigation-main.png differ
diff --git a/security-docs/zero-trust/media/adoption-navigation-structure.png b/security-docs/zero-trust/media/adoption-navigation-structure.png
new file mode 100644
index 000000000..d16551bca
Binary files /dev/null and b/security-docs/zero-trust/media/adoption-navigation-structure.png differ
diff --git a/security-docs/zero-trust/media/adoption-role-collaboration.png b/security-docs/zero-trust/media/adoption-role-collaboration.png
new file mode 100644
index 000000000..03129d4f1
Binary files /dev/null and b/security-docs/zero-trust/media/adoption-role-collaboration.png differ
diff --git a/security-docs/zero-trust/media/adoption-role-delegation.png b/security-docs/zero-trust/media/adoption-role-delegation.png
new file mode 100644
index 000000000..26af1415b
Binary files /dev/null and b/security-docs/zero-trust/media/adoption-role-delegation.png differ
diff --git a/security-docs/zero-trust/media/adoption-role-list.png b/security-docs/zero-trust/media/adoption-role-list.png
new file mode 100644
index 000000000..2709f9c46
Binary files /dev/null and b/security-docs/zero-trust/media/adoption-role-list.png differ
diff --git a/security-docs/zero-trust/media/adoption-zero-trust-open-capabilities.png b/security-docs/zero-trust/media/adoption-zero-trust-open-capabilities.png
new file mode 100644
index 000000000..81aa39d65
Binary files /dev/null and b/security-docs/zero-trust/media/adoption-zero-trust-open-capabilities.png differ
diff --git a/security-docs/zero-trust/media/adoption-zero-trust-open-mapping.png b/security-docs/zero-trust/media/adoption-zero-trust-open-mapping.png
new file mode 100644
index 000000000..d88ea2b51
Binary files /dev/null and b/security-docs/zero-trust/media/adoption-zero-trust-open-mapping.png differ
diff --git a/security-docs/zero-trust/media/adoption-zero-trust-open.png b/security-docs/zero-trust/media/adoption-zero-trust-open.png
new file mode 100644
index 000000000..27b9e3689
Binary files /dev/null and b/security-docs/zero-trust/media/adoption-zero-trust-open.png differ
diff --git a/security-docs/zero-trust/media/develop-security-agile.png b/security-docs/zero-trust/media/develop-security-agile.png
new file mode 100644
index 000000000..34ace3d3f
Binary files /dev/null and b/security-docs/zero-trust/media/develop-security-agile.png differ
diff --git a/security-docs/zero-trust/media/development-security-operations.png b/security-docs/zero-trust/media/development-security-operations.png
new file mode 100644
index 000000000..25e5468bb
Binary files /dev/null and b/security-docs/zero-trust/media/development-security-operations.png differ
diff --git a/security-docs/zero-trust/media/disciplines.png b/security-docs/zero-trust/media/disciplines.png
new file mode 100644
index 000000000..c42ce2467
Binary files /dev/null and b/security-docs/zero-trust/media/disciplines.png differ
diff --git a/security-docs/zero-trust/media/end-to-end-approach.png b/security-docs/zero-trust/media/end-to-end-approach.png
new file mode 100644
index 000000000..68badc200
Binary files /dev/null and b/security-docs/zero-trust/media/end-to-end-approach.png differ
diff --git a/security-docs/zero-trust/media/implement-privileged-access-classify.png b/security-docs/zero-trust/media/implement-privileged-access-classify.png
new file mode 100644
index 000000000..c80e82e3c
Binary files /dev/null and b/security-docs/zero-trust/media/implement-privileged-access-classify.png differ
diff --git a/security-docs/zero-trust/media/implement-privileged-access-user.png b/security-docs/zero-trust/media/implement-privileged-access-user.png
new file mode 100644
index 000000000..584bd43f8
Binary files /dev/null and b/security-docs/zero-trust/media/implement-privileged-access-user.png differ
diff --git a/security-docs/zero-trust/media/implement-privileged-assets-attacks.png b/security-docs/zero-trust/media/implement-privileged-assets-attacks.png
new file mode 100644
index 000000000..e442cc295
Binary files /dev/null and b/security-docs/zero-trust/media/implement-privileged-assets-attacks.png differ
diff --git a/security-docs/zero-trust/media/internet-of-things-challenges.png b/security-docs/zero-trust/media/internet-of-things-challenges.png
new file mode 100644
index 000000000..d6f80ad0a
Binary files /dev/null and b/security-docs/zero-trust/media/internet-of-things-challenges.png differ
diff --git a/security-docs/zero-trust/media/internet-of-things-devices.png b/security-docs/zero-trust/media/internet-of-things-devices.png
new file mode 100644
index 000000000..eb750b72d
Binary files /dev/null and b/security-docs/zero-trust/media/internet-of-things-devices.png differ
diff --git a/security-docs/zero-trust/media/internet-of-things-isolation.png b/security-docs/zero-trust/media/internet-of-things-isolation.png
new file mode 100644
index 000000000..ebc854cae
Binary files /dev/null and b/security-docs/zero-trust/media/internet-of-things-isolation.png differ
diff --git a/security-docs/zero-trust/media/internet-of-things-outcomes.png b/security-docs/zero-trust/media/internet-of-things-outcomes.png
new file mode 100644
index 000000000..028f05829
Binary files /dev/null and b/security-docs/zero-trust/media/internet-of-things-outcomes.png differ
diff --git a/security-docs/zero-trust/media/reference-architecture-overview.png b/security-docs/zero-trust/media/reference-architecture-overview.png
new file mode 100644
index 000000000..fd86507d8
Binary files /dev/null and b/security-docs/zero-trust/media/reference-architecture-overview.png differ
diff --git a/security-docs/zero-trust/media/reference-architecture-workshop.png b/security-docs/zero-trust/media/reference-architecture-workshop.png
new file mode 100644
index 000000000..263265667
Binary files /dev/null and b/security-docs/zero-trust/media/reference-architecture-workshop.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-defender-map.png b/security-docs/zero-trust/media/security-adoption-defender-map.png
new file mode 100644
index 000000000..efda74f98
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-defender-map.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise-control-plane.png b/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise-control-plane.png
new file mode 100644
index 000000000..acfafdf37
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise-control-plane.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise-data-plane.png b/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise-data-plane.png
new file mode 100644
index 000000000..61562ecf0
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise-data-plane.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise-model.png b/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise-model.png
new file mode 100644
index 000000000..7a0eddffd
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise-model.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise-privileged-device.png b/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise-privileged-device.png
new file mode 100644
index 000000000..23afdb4dc
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise-privileged-device.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise-privileged-path.png b/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise-privileged-path.png
new file mode 100644
index 000000000..35ada6b3c
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise-privileged-path.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise-privileged.png b/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise-privileged.png
new file mode 100644
index 000000000..58450a695
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise-privileged.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise-user-app.png b/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise-user-app.png
new file mode 100644
index 000000000..011e096ce
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise-user-app.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise.png b/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise.png
new file mode 100644
index 000000000..9f3b0e4d9
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-access-enterprise.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-access-fragment.png b/security-docs/zero-trust/media/security-adoption-discipline-access-fragment.png
new file mode 100644
index 000000000..2d6a14688
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-access-fragment.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-access-pillar.png b/security-docs/zero-trust/media/security-adoption-discipline-access-pillar.png
new file mode 100644
index 000000000..0a5c6e4c2
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-access-pillar.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-access-privileged-control.png b/security-docs/zero-trust/media/security-adoption-discipline-access-privileged-control.png
new file mode 100644
index 000000000..aac45d6b4
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-access-privileged-control.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-access-privileged.png b/security-docs/zero-trust/media/security-adoption-discipline-access-privileged.png
new file mode 100644
index 000000000..78d347e79
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-access-privileged.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-access-strategy-assets.png b/security-docs/zero-trust/media/security-adoption-discipline-access-strategy-assets.png
new file mode 100644
index 000000000..2d6664f22
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-access-strategy-assets.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-access-strategy-pathway-complex.png b/security-docs/zero-trust/media/security-adoption-discipline-access-strategy-pathway-complex.png
new file mode 100644
index 000000000..af5525d52
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-access-strategy-pathway-complex.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-access-strategy-pathway.png b/security-docs/zero-trust/media/security-adoption-discipline-access-strategy-pathway.png
new file mode 100644
index 000000000..50191a58a
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-access-strategy-pathway.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-access-strategy.png b/security-docs/zero-trust/media/security-adoption-discipline-access-strategy.png
new file mode 100644
index 000000000..f4aa9b109
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-access-strategy.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-access-workshop.png b/security-docs/zero-trust/media/security-adoption-discipline-access-workshop.png
new file mode 100644
index 000000000..87558c6d2
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-access-workshop.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-architecture-collaboration.png b/security-docs/zero-trust/media/security-adoption-discipline-architecture-collaboration.png
new file mode 100644
index 000000000..0fe04a2a2
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-architecture-collaboration.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-architecture-focus.png b/security-docs/zero-trust/media/security-adoption-discipline-architecture-focus.png
new file mode 100644
index 000000000..79e0628a9
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-architecture-focus.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-architecture-relationships.png b/security-docs/zero-trust/media/security-adoption-discipline-architecture-relationships.png
new file mode 100644
index 000000000..dd8b79949
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-architecture-relationships.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-architecture.png b/security-docs/zero-trust/media/security-adoption-discipline-architecture.png
new file mode 100644
index 000000000..118d20350
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-architecture.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-data-balance.png b/security-docs/zero-trust/media/security-adoption-discipline-data-balance.png
new file mode 100644
index 000000000..e6f336a4a
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-data-balance.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-data-challenges.png b/security-docs/zero-trust/media/security-adoption-discipline-data-challenges.png
new file mode 100644
index 000000000..00703505e
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-data-challenges.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-data-safety.png b/security-docs/zero-trust/media/security-adoption-discipline-data-safety.png
new file mode 100644
index 000000000..7a61030d9
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-data-safety.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-data-technology.png b/security-docs/zero-trust/media/security-adoption-discipline-data-technology.png
new file mode 100644
index 000000000..e48c55cfa
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-data-technology.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-dev-agile.png b/security-docs/zero-trust/media/security-adoption-discipline-dev-agile.png
new file mode 100644
index 000000000..e078c76d0
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-dev-agile.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-dev-overview.png b/security-docs/zero-trust/media/security-adoption-discipline-dev-overview.png
new file mode 100644
index 000000000..b14ecea1c
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-dev-overview.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-dev-pillars.png b/security-docs/zero-trust/media/security-adoption-discipline-dev-pillars.png
new file mode 100644
index 000000000..d95cc4893
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-dev-pillars.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-dev-technical.png b/security-docs/zero-trust/media/security-adoption-discipline-dev-technical.png
new file mode 100644
index 000000000..ce7659e8d
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-dev-technical.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-dev.png b/security-docs/zero-trust/media/security-adoption-discipline-dev.png
new file mode 100644
index 000000000..222d3d463
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-dev.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-infrastructure.png b/security-docs/zero-trust/media/security-adoption-discipline-infrastructure.png
new file mode 100644
index 000000000..212caf6d8
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-infrastructure.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-iot-isolation.png b/security-docs/zero-trust/media/security-adoption-discipline-iot-isolation.png
new file mode 100644
index 000000000..927e7317e
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-iot-isolation.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-iot-strategy.png b/security-docs/zero-trust/media/security-adoption-discipline-iot-strategy.png
new file mode 100644
index 000000000..7bbf88587
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-iot-strategy.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-iot-system.png b/security-docs/zero-trust/media/security-adoption-discipline-iot-system.png
new file mode 100644
index 000000000..4555ef7cc
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-iot-system.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-iot.png b/security-docs/zero-trust/media/security-adoption-discipline-iot.png
new file mode 100644
index 000000000..a6cf1ec39
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-iot.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-operations-collection.png b/security-docs/zero-trust/media/security-adoption-discipline-operations-collection.png
new file mode 100644
index 000000000..3dde07f86
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-operations-collection.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-operations-invented.png b/security-docs/zero-trust/media/security-adoption-discipline-operations-invented.png
new file mode 100644
index 000000000..dd6a911ef
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-operations-invented.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-operations-issues.png b/security-docs/zero-trust/media/security-adoption-discipline-operations-issues.png
new file mode 100644
index 000000000..4b2ada744
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-operations-issues.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-operations-mission.png b/security-docs/zero-trust/media/security-adoption-discipline-operations-mission.png
new file mode 100644
index 000000000..201e53667
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-operations-mission.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-operations-network.png b/security-docs/zero-trust/media/security-adoption-discipline-operations-network.png
new file mode 100644
index 000000000..2a297f964
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-operations-network.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-operations-roles-model.png b/security-docs/zero-trust/media/security-adoption-discipline-operations-roles-model.png
new file mode 100644
index 000000000..13b4f5aaf
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-operations-roles-model.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-operations-roles.png b/security-docs/zero-trust/media/security-adoption-discipline-operations-roles.png
new file mode 100644
index 000000000..94aea06da
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-operations-roles.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-operations-secrets.png b/security-docs/zero-trust/media/security-adoption-discipline-operations-secrets.png
new file mode 100644
index 000000000..223092857
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-operations-secrets.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-operations-shiny.png b/security-docs/zero-trust/media/security-adoption-discipline-operations-shiny.png
new file mode 100644
index 000000000..be6e1921e
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-operations-shiny.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-operations-tool-overload.png b/security-docs/zero-trust/media/security-adoption-discipline-operations-tool-overload.png
new file mode 100644
index 000000000..77713801b
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-operations-tool-overload.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-operations-tool.png b/security-docs/zero-trust/media/security-adoption-discipline-operations-tool.png
new file mode 100644
index 000000000..583eba7fd
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-operations-tool.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-operations-visibility.png b/security-docs/zero-trust/media/security-adoption-discipline-operations-visibility.png
new file mode 100644
index 000000000..58c670d0f
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-operations-visibility.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-operations.png b/security-docs/zero-trust/media/security-adoption-discipline-operations.png
new file mode 100644
index 000000000..87d0d0967
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-operations.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-posture-mission.png b/security-docs/zero-trust/media/security-adoption-discipline-posture-mission.png
new file mode 100644
index 000000000..7fbccacb2
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-posture-mission.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-posture.png b/security-docs/zero-trust/media/security-adoption-discipline-posture.png
new file mode 100644
index 000000000..1f909cd4c
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-posture.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-privileged-access-attack.png b/security-docs/zero-trust/media/security-adoption-discipline-privileged-access-attack.png
new file mode 100644
index 000000000..71c21190d
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-privileged-access-attack.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-discipline-technical-workshop.png b/security-docs/zero-trust/media/security-adoption-discipline-technical-workshop.png
new file mode 100644
index 000000000..b9e93b884
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-discipline-technical-workshop.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-disciplines.png b/security-docs/zero-trust/media/security-adoption-disciplines.png
new file mode 100644
index 000000000..795953d1a
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-disciplines.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-entra-map.png b/security-docs/zero-trust/media/security-adoption-entra-map.png
new file mode 100644
index 000000000..010901138
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-entra-map.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-github-map.png b/security-docs/zero-trust/media/security-adoption-github-map.png
new file mode 100644
index 000000000..76d59c2f0
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-github-map.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-intune-map.png b/security-docs/zero-trust/media/security-adoption-intune-map.png
new file mode 100644
index 000000000..86c3ea0d6
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-intune-map.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-minimize-damage-success.png b/security-docs/zero-trust/media/security-adoption-minimize-damage-success.png
new file mode 100644
index 000000000..e03ba5e71
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-minimize-damage-success.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-protect-critical.png b/security-docs/zero-trust/media/security-adoption-protect-critical.png
new file mode 100644
index 000000000..6c1555315
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-protect-critical.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-purview-map.png b/security-docs/zero-trust/media/security-adoption-purview-map.png
new file mode 100644
index 000000000..dcefd86ba
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-purview-map.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-security-exposure-map.png b/security-docs/zero-trust/media/security-adoption-security-exposure-map.png
new file mode 100644
index 000000000..9299fb9b3
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-security-exposure-map.png differ
diff --git a/security-docs/zero-trust/media/security-adoption-sentinel-map.png b/security-docs/zero-trust/media/security-adoption-sentinel-map.png
new file mode 100644
index 000000000..3f1c14992
Binary files /dev/null and b/security-docs/zero-trust/media/security-adoption-sentinel-map.png differ
diff --git a/security-docs/zero-trust/media/security-concept-account.png b/security-docs/zero-trust/media/security-concept-account.png
new file mode 100644
index 000000000..d076ec810
Binary files /dev/null and b/security-docs/zero-trust/media/security-concept-account.png differ
diff --git a/security-docs/zero-trust/media/security-concept-intermediary-compare.png b/security-docs/zero-trust/media/security-concept-intermediary-compare.png
new file mode 100644
index 000000000..d2d3a36f0
Binary files /dev/null and b/security-docs/zero-trust/media/security-concept-intermediary-compare.png differ
diff --git a/security-docs/zero-trust/media/security-concept-intermediary-risk-type.png b/security-docs/zero-trust/media/security-concept-intermediary-risk-type.png
new file mode 100644
index 000000000..923a35053
Binary files /dev/null and b/security-docs/zero-trust/media/security-concept-intermediary-risk-type.png differ
diff --git a/security-docs/zero-trust/media/security-concept-intermediary-risk.png b/security-docs/zero-trust/media/security-concept-intermediary-risk.png
new file mode 100644
index 000000000..a128f1460
Binary files /dev/null and b/security-docs/zero-trust/media/security-concept-intermediary-risk.png differ
diff --git a/security-docs/zero-trust/media/security-concept-intermediary.png b/security-docs/zero-trust/media/security-concept-intermediary.png
new file mode 100644
index 000000000..7e32fc798
Binary files /dev/null and b/security-docs/zero-trust/media/security-concept-intermediary.png differ
diff --git a/security-docs/zero-trust/media/security-concept-level.png b/security-docs/zero-trust/media/security-concept-level.png
new file mode 100644
index 000000000..e44aac424
Binary files /dev/null and b/security-docs/zero-trust/media/security-concept-level.png differ
diff --git a/security-docs/zero-trust/media/security-executive-workshop-overview-large.png b/security-docs/zero-trust/media/security-executive-workshop-overview-large.png
new file mode 100644
index 000000000..51ce64626
Binary files /dev/null and b/security-docs/zero-trust/media/security-executive-workshop-overview-large.png differ
diff --git a/security-docs/zero-trust/media/security-executive-workshop-overview.png b/security-docs/zero-trust/media/security-executive-workshop-overview.png
new file mode 100644
index 000000000..19b027bef
Binary files /dev/null and b/security-docs/zero-trust/media/security-executive-workshop-overview.png differ
diff --git a/security-docs/zero-trust/media/security-executive-workshop-part-a-large.png b/security-docs/zero-trust/media/security-executive-workshop-part-a-large.png
new file mode 100644
index 000000000..931d38489
Binary files /dev/null and b/security-docs/zero-trust/media/security-executive-workshop-part-a-large.png differ
diff --git a/security-docs/zero-trust/media/security-executive-workshop-part-a.png b/security-docs/zero-trust/media/security-executive-workshop-part-a.png
new file mode 100644
index 000000000..5f6616375
Binary files /dev/null and b/security-docs/zero-trust/media/security-executive-workshop-part-a.png differ
diff --git a/security-docs/zero-trust/media/security-executive-workshop-part-b-large.png b/security-docs/zero-trust/media/security-executive-workshop-part-b-large.png
new file mode 100644
index 000000000..fc8af25a8
Binary files /dev/null and b/security-docs/zero-trust/media/security-executive-workshop-part-b-large.png differ
diff --git a/security-docs/zero-trust/media/security-executive-workshop-part-b.png b/security-docs/zero-trust/media/security-executive-workshop-part-b.png
new file mode 100644
index 000000000..bbb8643c9
Binary files /dev/null and b/security-docs/zero-trust/media/security-executive-workshop-part-b.png differ
diff --git a/security-docs/zero-trust/media/security-executive-workshop-part-c-large.png b/security-docs/zero-trust/media/security-executive-workshop-part-c-large.png
new file mode 100644
index 000000000..ec9c3c991
Binary files /dev/null and b/security-docs/zero-trust/media/security-executive-workshop-part-c-large.png differ
diff --git a/security-docs/zero-trust/media/security-executive-workshop-part-c.png b/security-docs/zero-trust/media/security-executive-workshop-part-c.png
new file mode 100644
index 000000000..0c77c9cf1
Binary files /dev/null and b/security-docs/zero-trust/media/security-executive-workshop-part-c.png differ
diff --git a/security-docs/zero-trust/media/security-platform-integration.png b/security-docs/zero-trust/media/security-platform-integration.png
new file mode 100644
index 000000000..3068b6e9f
Binary files /dev/null and b/security-docs/zero-trust/media/security-platform-integration.png differ
diff --git a/security-docs/zero-trust/media/security-strategy-governance.png b/security-docs/zero-trust/media/security-strategy-governance.png
new file mode 100644
index 000000000..b27f262b0
Binary files /dev/null and b/security-docs/zero-trust/media/security-strategy-governance.png differ
diff --git a/security-docs/zero-trust/media/security-strategy.png b/security-docs/zero-trust/media/security-strategy.png
new file mode 100644
index 000000000..6cdb5097f
Binary files /dev/null and b/security-docs/zero-trust/media/security-strategy.png differ
diff --git a/security-docs/zero-trust/media/workshop-unified-engagement.png b/security-docs/zero-trust/media/workshop-unified-engagement.png
new file mode 100644
index 000000000..ca534eeb5
Binary files /dev/null and b/security-docs/zero-trust/media/workshop-unified-engagement.png differ
diff --git a/security-docs/zero-trust/media/workshop-unified-technologies.png b/security-docs/zero-trust/media/workshop-unified-technologies.png
new file mode 100644
index 000000000..2cb458094
Binary files /dev/null and b/security-docs/zero-trust/media/workshop-unified-technologies.png differ
diff --git a/security-docs/zero-trust/media/workshops-get-started.png b/security-docs/zero-trust/media/workshops-get-started.png
new file mode 100644
index 000000000..fb9db4bb7
Binary files /dev/null and b/security-docs/zero-trust/media/workshops-get-started.png differ
diff --git a/security-docs/zero-trust/media/workshops-unified.png b/security-docs/zero-trust/media/workshops-unified.png
new file mode 100644
index 000000000..d7f27fdb8
Binary files /dev/null and b/security-docs/zero-trust/media/workshops-unified.png differ
diff --git a/security-docs/zero-trust/media/zero-trust-assumptions.png b/security-docs/zero-trust/media/zero-trust-assumptions.png
new file mode 100644
index 000000000..b13b942f0
Binary files /dev/null and b/security-docs/zero-trust/media/zero-trust-assumptions.png differ
diff --git a/security-docs/zero-trust/media/zero-trust-graph-attack.png b/security-docs/zero-trust/media/zero-trust-graph-attack.png
new file mode 100644
index 000000000..aec4fa7dc
Binary files /dev/null and b/security-docs/zero-trust/media/zero-trust-graph-attack.png differ
diff --git a/security-docs/zero-trust/media/zero-trust-graph-principles-1.png b/security-docs/zero-trust/media/zero-trust-graph-principles-1.png
new file mode 100644
index 000000000..e704a5993
Binary files /dev/null and b/security-docs/zero-trust/media/zero-trust-graph-principles-1.png differ
diff --git a/security-docs/zero-trust/media/zero-trust-graph-principles-2.png b/security-docs/zero-trust/media/zero-trust-graph-principles-2.png
new file mode 100644
index 000000000..169f0111d
Binary files /dev/null and b/security-docs/zero-trust/media/zero-trust-graph-principles-2.png differ
diff --git a/security-docs/zero-trust/media/zero-trust-graph.png b/security-docs/zero-trust/media/zero-trust-graph.png
new file mode 100644
index 000000000..737fe49e7
Binary files /dev/null and b/security-docs/zero-trust/media/zero-trust-graph.png differ
diff --git a/security-docs/zero-trust/media/zero-trust-principles-adoption.png b/security-docs/zero-trust/media/zero-trust-principles-adoption.png
new file mode 100644
index 000000000..0ddd2883b
Binary files /dev/null and b/security-docs/zero-trust/media/zero-trust-principles-adoption.png differ
diff --git a/security-docs/zero-trust/media/zero-trust-principles.png b/security-docs/zero-trust/media/zero-trust-principles.png
new file mode 100644
index 000000000..82888acd4
Binary files /dev/null and b/security-docs/zero-trust/media/zero-trust-principles.png differ
diff --git a/security-docs/zero-trust/microsoft-365-zero-trust.md b/security-docs/zero-trust/microsoft-365-zero-trust.md
index 068ab0303..a941c1e54 100644
--- a/security-docs/zero-trust/microsoft-365-zero-trust.md
+++ b/security-docs/zero-trust/microsoft-365-zero-trust.md
@@ -1,7 +1,6 @@
---
title: "Zero Trust deployment plan with Microsoft 365"
ms.subservice: zero-trust
-manager: rkarlin
description: Learn how to apply Zero Trust security principles with Microsoft 365 to defend against threats and protect sensitive data.
ms.topic: solution-overview
ms.service: security
@@ -16,7 +15,7 @@ ms.collection:
ms.date: 04/14/2025
---
-# Zero Trust deployment plan with Microsoft 365
+# Zero Trust deployment with Microsoft 365
This article provides a deployment plan for building **Zero Trust** security with Microsoft 365. Zero Trust is a security model that assumes breach and verifies each request as though it originated from an uncontrolled network. Regardless of where the request originates or what resource it accesses, the Zero Trust model teaches us to "never trust, always verify."
@@ -101,7 +100,7 @@ Go to [**_Zero Trust identity and device access protection_**](zero-trust-identi
|Includes|Prerequisites|Doesn't include|
|---------|---------|---------|
-|Recommended identity and device access policies for three levels of protection: - Starting point
- Enterprise (recommended)
- Specialized
Additional recommendations for: - External users (guests)
- Microsoft Teams
- SharePoint
|Microsoft E3 or E5
Microsoft Entra ID in either of these modes: - Cloud-only
- Hybrid with password hash sync (PHS) authentication
- Hybrid with pass-through authentication (PTA)
- Federated
|Device enrollment for policies that require managed devices. See [Manage devices with Intune](/microsoft-365/solutions/manage-devices-with-intune-overview) to enroll devices.|
+|Recommended identity and device access policies for three levels of protection: - Starting point
- Enterprise (recommended)
- Specialized
More recommendations for: - External users (guests)
- Microsoft Teams
- SharePoint
|Microsoft E3 or E5
Microsoft Entra ID in either of these modes: - Cloud-only
- Hybrid with password hash sync (PHS) authentication
- Hybrid with pass-through authentication (PTA)
- Federated
|Device enrollment for policies that require managed devices. See [Manage devices with Intune](/microsoft-365/solutions/manage-devices-with-intune-overview) to enroll devices.|
#### Phase 2 — Enroll devices into management with Intune
diff --git a/security-docs/zero-trust/microsoft-reference-architecture.md b/security-docs/zero-trust/microsoft-reference-architecture.md
new file mode 100644
index 000000000..393bc7e7a
--- /dev/null
+++ b/security-docs/zero-trust/microsoft-reference-architecture.md
@@ -0,0 +1,83 @@
+---
+title: Review Microsoft Cybersecurity Reference Architectures (MCRA)
+description: Plan security modernization with the help of the MCRA reference architectures.
+ms.service: security
+ms.subservice: zero-trust
+ms.topic: overview
+ms.date: 05/29/2026
+author: rayne-wiselman
+ms.author: raynew
+
+#customer intent: As a security architect or IT architect, I want to understand how I can use the MCRA to adopt recommendations and best practices for my security architectures.
+---
+
+
+# Review Microsoft Cybersecurity Reference Architectures (MCRAs)
+
+The Microsoft Cybersecurity Reference Architecture (MCRA) provides an extensive set of technical architectures for use during Zero Trust security adoption and modernization.
+
+MCRA architectures capture the end-to-end security journey for the *hybrid of everything* technology estate and span across legacy IT, multicloud, OT/IoT, AI, and more.
+
+The architectures help you to accelerate planning and execution of security modernization using open standards, Microsoft’s security solutions, and third-party security technologies.
+
+The MCRA is a component of our structured [security adoption model](security-adoption-model.md). The model provides a standardized process for planning, prioritizing, designing, and implementing security modernization across the business, based on Zero Trust principles.
+
+## Recent MCRA updates
+
+[Download the latest version of the MCRAs](https://download.microsoft.com/download/692e68d0-ddaf-44d7-8136-378f01d9f4a1/MCRA-June-2026.pptx), published in June 2026.
+
+:::image type="content" source="./media/reference-architecture-overview.png" alt-text="Screenshot of some of the diagrams included in the updated Microsoft Cybersecurity Reference Architecture." lightbox="./media/reference-architecture-overview.png":::
+
+### Key changes
+
+Key changes in the latest release from the earlier April 2025 version.
+
+**Change/Update* | **Details**
+--- | ---
+**Main Menu** | Updated design to align to [security adoption model](security-adoption-model.md).
+**Introduction** | Updated these slides: *Antipatterns*, *Security is hard*
Added two assumptions, and Zero Trust description.
+**Data Security Reference Architecture** | Added new diagram.
+**Standards Mapping** | Updated proposed drafts of Zero Trust Reference Model standard (The Open Group), and Microsoft mapping to them.
+**AI** | Updated most slides in the section.
+**People** | Updated roles list from The Open Group.
Added example guidance from CEO role.
+**Microsoft Products** | Updated design to align to [security adoption model](security-adoption-model.md).
+**New solution/service** | Added Microsoft Agent 365 to attack chain, standards mappings, role mappings, product references, and reference architectures (Capabilities, Identity, Security Operations, and Data Security).
+**New solution/service** | Added Microsoft Foundry to Infrastructure and Multicloud reference architectures.
+**Cross-slide** | Threat intelligence daily signals updated to 100+ trillion.
+
+
+## MCRA structure
+
+MCRA illustrates how Microsoft capabilities work together and includes:
+
+- Antipatterns (common mistakes) and best practices.
+- Threat trends and attack patterns.
+- The importance of end-to-end security and ruthlessly security work prioritization.
+- Guidance for successful Zero Trust end-to-end security adoption.
+- Mapping Microsoft capabilities to Zero Trust standards and roles.
+
+MCRA architecture diagrams cover:
+
+- Microsoft cybersecurity capabilities
+- Zero Trust user access
+- Security operations (SecOps/SOC)
+- Operational technology (OT)
+- Multicloud and cross-platform capabilities
+- Attack chain coverage
+- Infrastructure and development security
+- Security organizational functions
+
+## How do I use the MCRA?
+
+You typically use the architectures as a:
+
+- **Starting template for a security architecture** - Use MCRA architectures to define a target state for cybersecurity capabilities. It's useful because it covers capabilities across the modern enterprise estate that spans on-premises, mobile devices, multiple clouds, and OT/IoT Technology.
+- **Comparison reference for security capabilities** - Compare Microsoft's recommendations with what you own and implement. Organizations often find they have technology they weren't aware of.
+- **Learning tool for Microsoft** - In presentation mode, each capability has a "ScreenTip" with a short description of each capability, and a link to documentation to learn more.
+- **Learning tool for security integration** - Architects and technical teams can identify and use integration points in Microsoft security capabilities and their existing capabilities.
+- **Learning tool for cybersecurity** - For people new to cybersecurity, the resources provide a learning tool as they take their first steps.
+
+## Next steps
+
+- [Download the latest MCRAs](https://download.microsoft.com/download/692e68d0-ddaf-44d7-8136-378f01d9f4a1/MCRA-June-2026.pptx).
+- Continue your [security adoption journey](security-adoption-journey.md).
diff --git a/security-docs/zero-trust/respond-incident-azure.md b/security-docs/zero-trust/respond-incident-azure.md
index a7042b05e..ba7b29b9a 100644
--- a/security-docs/zero-trust/respond-incident-azure.md
+++ b/security-docs/zero-trust/respond-incident-azure.md
@@ -43,7 +43,7 @@ For example:
|Portal |Tasks |
|---------|---------|
|**In the Azure portal** | Use Microsoft Sentinel in the Azure portal to correlate the incident with your security processes, policies, and procedures (3P). On an incident details page, select **Investigate in Microsoft Defender XDR** to open the same incident in the Defender portal. |
-|**In the Defender portal** | Investigate details such as the incident scope, asset timelines, and self-healing pending actions. You might also need to manually remediate entities, perform live response, and add prevention measures.
On the incident details page's **Attack story** tab:
- View the attack story of the incident to understand its scope, severity, detection source, and what entities are affected.
- Analyze the incident's alerts to understand their origin, scope, and severity with the alert story within the incident.
- As needed, gather information on impacted devices, users, and mailboxes with the graph. Select on any entity to open a flyout with all the details.
- See how Microsoft Defender XDR has automatically resolved some alerts with the **Investigations** tab.
- As needed, use information in the data set for the incident from the **Evidence and Response** tab. |
+|**In the Defender portal** | Investigate details such as the incident scope, asset timelines, and self-healing pending actions. You might also need to manually remediate entities, perform live response, and add prevention measures.
On the incident details page's **Attack story** tab:
- View the attack story of the incident to understand its scope, severity, detection source, and what entities are affected.
- Analyze the incident's alerts to understand their origin, scope, and severity with the alert story within the incident.
- As needed, gather information on impacted devices, users, and mailboxes with the graph. Select any entity to open a flyout with all the details.
- See how Microsoft Defender XDR has automatically resolved some alerts with the **Investigations** tab.
- As needed, use information in the data set for the incident from the **Evidence and Response** tab. |
|**In the Azure portal** | Return to the Azure portal to perform extra incident actions, such as:
- Performing 3P automated investigation and remediation actions
- Creating custom security orchestration, automation, and response (SOAR) playbooks
- Recording evidence for incident management, such as comments to record your actions and the results of your analysis.
- Adding custom measures. |
For more information, see:
diff --git a/security-docs/zero-trust/respond-incident-defender.md b/security-docs/zero-trust/respond-incident-defender.md
index b715a93f4..9a330719e 100644
--- a/security-docs/zero-trust/respond-incident-defender.md
+++ b/security-docs/zero-trust/respond-incident-defender.md
@@ -58,7 +58,7 @@ Make sure to take advantage of Microsoft Sentinel's playbook and automation rule
- **Automation rules** are a way to centrally manage automation in Microsoft Sentinel, by allowing you to define and coordinate a small set of rules that can apply across different scenarios. For more information, see [Automate threat response in Microsoft Sentinel with automation rules](/azure/sentinel/automate-incident-handling-with-automation-rules).
-After onboarding your Microsoft Sentinel workspace to the Defender portal, note that there are differences in how automation functions in your workspace. For more information, see [Automation with Microsoft Sentinel in the Defender portal](/azure/sentinel/automation).
+After you onboard the Microsoft Sentinel workspace to the Defender portal, note that there are differences in how automation functions in your workspace. For more information, see [Automation with Microsoft Sentinel in the Defender portal](/azure/sentinel/automation).
## Post-incident response
diff --git a/security-docs/zero-trust/secure-iaas-apps.md b/security-docs/zero-trust/secure-iaas-apps.md
index 60360a3af..5152a2c1d 100644
--- a/security-docs/zero-trust/secure-iaas-apps.md
+++ b/security-docs/zero-trust/secure-iaas-apps.md
@@ -37,7 +37,7 @@ For new articles in this content set, please:
--->
-# Apply Zero Trust principles to IaaS applications in Amazon Web Services
+# Apply Zero Trust principles to AWS resources
@@ -57,7 +57,7 @@ AWS is one of the public cloud providers available in the market, along with Mic
- Azure and AWS are integrated to run workloads and IT business solutions.
- You secure an AWS IaaS workload using Microsoft products.
-AWS virtual machines, called Amazon Elastic Compute Cloud (Amazon EC2), run on top of an AWS virtual network, called Amazon Virtual Private Cloud (Amazon VPC). Users and cloud administrators set up an Amazon VPC in their AWS environment and add Amazon EC2 virtual machines.
+AWS virtual machines (Amazon Elastic Compute Cloud (Amazon EC2)) run on top of an AWS virtual network, called Amazon Virtual Private Cloud (Amazon VPC). Users and cloud administrators set up an Amazon VPC in their AWS environment and add Amazon EC2 virtual machines.
AWS CloudTrail logs AWS account activity in the AWS environment. Amazon EC2, Amazon VPC, and AWS CloudTrail are common in AWS environments. Collecting logs from these services is essential to understanding what is going on in your AWS environment and the actions to take to avoid or mitigate attacks.
@@ -341,7 +341,7 @@ By implementing continuous checks on Azure Resource Manager (ARM), Bicep, or Ter
You implement the Zero Trust **use least-privilege access** principle by:
-- Conducting robust reviews of your infrastructure configurations with least-privilege identity access and networking set up.
+- Conducting robust reviews of your infrastructure configurations with least-privilege identity access and networking setup.
- Assigning users role-based access control (RBAC) to resources at the repository level, team level, or organization level.
**Prerequisites:**
diff --git a/security-docs/zero-trust/security-adoption-business-scenarios-overview.md b/security-docs/zero-trust/security-adoption-business-scenarios-overview.md
new file mode 100644
index 000000000..edc292c41
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-business-scenarios-overview.md
@@ -0,0 +1,107 @@
+---
+title: Adopt security business scenarios in the Microsoft security adoption model
+description: Learn how to get started with common business scenarios in the Microsoft security adoption model
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a security business leader or adopter, I want to understand how to driven security adoptions by focusing on common security business outcomes.
+---
+
+# Adoption - business scenarios
+
+This article explains how business scenarios help you prioritize security adoption based on business outcomes rather than individual technologies.
+
+Organizations rarely modernize security all at once. Instead, most focus first on the risks that matter most to the business.
+
+Our [structured adoption model](security-adoption-model.md) starts with business scenarios. Business scenarios:
+
+- Describe common and high-priority organizational risk situations, and help you determine which security capabilities to adopt first.
+- Provide a shared starting point for business leaders, security leaders, architects, and technical teams to align on *where to begin* and *why.*
+
+> [!TIP]
+> Microsoft offers a rich set of security adoption workshops - the *Security Adoption Framework (SAF) workshops*. Our structured adoption model guidance aligns with the expert-led guidance from Microsoft Unified delivered in those workshops. Learn more about [SAF workshops](workshop-business-overview.md).
+
+
+
+## Why business scenarios matter
+
+As a business leader, you're accountable for managing cybersecurity risk as part of protecting the organization.
+
+Meeting that responsibility requires a clear, practical way to set priorities, communicate intent, and track progress - one that connects technical security work to the business outcomes you care about.
+
+Business scenarios provide that connection. They frame security efforts in terms of business outcomes such as enabling secure work from anywhere, and help translate technical initiatives into business-relevant goals in language that resonates with leadership.
+
+This outcome‑based framing helps you to:
+
+- **Connect security and business**: Understand why specific security initiatives matter.
+- **Prioritize security initiatives**: Set business‑aligned priorities for your security team.
+- **Set expectations**: Understand what to expect from security investments and teams.
+- **Make decisions**: Make informed decisions about prioritization, investment, risk, tradeoffs, and resource allocation.
+- **Track adoption**: Track security adoption and modernization progress without too much deep technical detail.
+
+
+## What is a business scenario?
+
+A business scenario represents a recognizable business situation that drives security risk. Each scenario:
+
+- Reflects a common organizational challenge or operating model.
+- Highlights the most critical security risks in that situation,
+- Emphasizes the security outcomes that should be prioritized first.
+
+For example, an organization modernizing legacy infrastructure faces different risks than a "digital-native" business that only operates and builds in the cloud.
+
+Business scenarios capture these differences so that security investments can be aligned to real business needs.
+
+**Business scenarios are**:
+
+- A prioritization tool for security modernization.
+- A way to connect business risk to security outcomes.
+- A communication mechanism between business and technical stakeholders.
+
+Business scenarios don't describe how to implement security controls. Implementation is covered by [security disciplines](security-adoption-discipline-overview.md) and [technical solutions](implement-overview.md) that align to the priorities and outcomes of business scenarios.
+
+## Align with security disciplines and solutions
+
+Our security adoption model intentionally separates intent, design, and execution:
+
+- **Business scenarios** define the business context and capture the business problem we want address and what outcomes matter.
+- **Security disciplines** provide foundational, cross‑cutting practices that apply across all scenarios and solutions.
+- **Technology pillars** represent the core areas of a security architecture such as identity, data, and devices. They provide stable boundaries in which to design and implement security controls across the organization.
+- **Technical solutions** show how to implement a business scenario using Microsoft security products. Technical solutions usually focus on a specific technology pillar and integrate other pillars as needed to provide and end-to-end implementation.
+
+A single business scenario is often supported by multiple security disciplines, multiple technology pillars, and multiple technical solutions. You can learn more about how these components integrate on a per-business scenario basis.
+
+
+## How do I use the model?
+
+1. Select one or more business scenarios that most closely matches your prioritized business goals.
+1. Review security disciplines associated with the scenario.
+1. Deploy a scenario using its mapped technology pillars and technical solutions.
+
+Following this model ensures that you start with business priorities, maintain consistency, avoid duplicate work, and implement using prescriptive solution guidance based on security best practices.
+
+## Structure of business scenarios
+
+Each business scenario includes:
+
+- **Overview** - A concise, plain‑language description that enables rapid understanding and shows how the scenario fits within the adoption model.
+- **Business value** - Explains why the scenario matters to business leaders, technology roles, and security teams, supporting prioritization and executive alignment.
+- **Technical strategy and architecture** - Describes how planning, and oversight, technical strategy, and operational security disciplines work together to enable the scenario and its outcome.
+
+## Next steps
+
+Start with a set of common business scenarios and learn how to map them across the adoption model.
+
+- [I want to rapidly and securely adopt AI (including protecting data)](security-adoption-scenario-secure-ai.md).
+- [I want people to do their job securely from anywhere](security-adoption-scenario-remote-work.md).
+- [I want to minimize business damage from security incidents](security-adoption-scenario-minimize-impact.md).
+- [I want to identify and protect critical business assets](security-adoption-scenario-secure-assets.md).
+- [I want to continuously improve my security posture and compliance](security-adoption-scenario-improve-posture.md).
+
+
+
+
diff --git a/security-docs/zero-trust/security-adoption-business-scenarios-technologies.md b/security-docs/zero-trust/security-adoption-business-scenarios-technologies.md
new file mode 100644
index 000000000..0929d27ff
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-business-scenarios-technologies.md
@@ -0,0 +1,189 @@
+---
+title: Align business outcomes and scenarios with Microsoft technologies
+description: Learn how business security outcomes are enabled with Microsoft security technologies.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+#customer intent: As a business leader or security adopter, I want to understand how Microsoft security technologies interact with each other as we adopt and modernize security
+---
+
+# Enable business scenarios with Microsoft technologies
+
+This article shows how [business scenarios](security-adoption-business-scenarios-overview.md) are implemented with Microsoft technologies.
+
+We capture the business outcome for each scenario, the disciplines responsible for delivering the outcomes, and the Microsoft technologies that enable it.
+
+
+## Minimize business damage
+
+### Outcome
+
+Minimize business damage by detecting, investigating, and responding to security incidents quickly and consistently across the enterprise.
+
+
+### Primary discipline
+
+Security operations (SecOps). [Learn more](security-adoption-discipline-security-operations.md).
+
+### Primary technologies
+
+Primary technologies for this business solution are Microsoft Defender XDR services, and Microsoft Sentinel.
+
+#### Microsoft Defender
+
+Defender and other security services align under the Defender portal. Defender XDR is the unifying threat detection and response layer for SecOps. It brings together signals, alerts, and response actions from a range of Defender technologies, enabling coordinated detection, investigation, and response across the digital estate.
+
+:::image type="content" source="./media/security-adoption-defender-map.png" alt-text="Illustration of how Microsoft Defender aligns to the business scenario." lightbox="./media/security-adoption-defender-map.png":::
+
+#### Microsoft Sentinel
+
+Microsoft Sentinel is a primary enabler for this business scenario.
+
+- It provides centralized visibility across your entire digital estate, enabling rapid detection and response to threats before they cause significant damage.
+- Automated playbooks and SOAR capabilities accelerate incident response, reducing mean time to remediation.
+- Microsoft Sentinel is the primary technology to enable a unified and effective security operations discipline that provides comprehensive threat detection, investigation, and response capabilities across technology pillars.
+
+:::image type="content" source="./media/security-adoption-sentinel-map.png" alt-text="Illustration of how Microsoft Sentinel aligns to the business scenario." lightbox="./media/security-adoption-sentinel-map.png":::
+
+
+Review the business scenario [Minimizing business damage from security incidents](security-adoption-scenario-minimize-impact.md).
+
+## Enable secure work from anywhere
+
+### Outcome
+
+Enable productivity while enforcing Zero Trust access decisions based on identity, device health, risk, and data sensitivity.
+
+### Primary discipline
+
+Access and identities. [Learn more](security-adoption-discipline-identity-access.md).
+
+### Primary technologies
+
+Primary technologies for this business solution are Microsoft Entra and Microsoft Intune.
+
+#### Microsoft Entra
+
+Microsoft Entra technologies are a primary enabler for this business scenario. It provides the identities necessary to secure remote access from anywhere. Technologies like Microsoft Entra Private Access allow you to replace legacy VPNs and Microsoft Entra Conditional Access is the policy engine to enforce compliance with Zero Trust policy.
+
+:::image type="content" source="./media/security-adoption-entra-map.png" alt-text="Illustration of how Microsoft Entra aligns to the business scenario." lightbox="./media/security-adoption-entra-map.png":::
+
+#### Microsoft Intune
+
+Microsoft Intune technologies are a primary enabler for this business scenario. It provides cloud-based unified endpoint management across multiple operating systems, cloud, on-premises, mobile, desktop, and virtualized endpoints. Intune provides the device compliance foundation for Zero Trust access: MFA + compliant device + risk evaluation when paired with Microsoft Entra Conditional Access. Only secure devices can reach SaaS, apps, and data.
+
+:::image type="content" source="./media/security-adoption-intune-map.png" alt-text="Illustration of how Microsoft Intune aligns to the business scenario." lightbox="./media/security-adoption-intune-map.png":::
+
+
+Review the business scenario [Enabling people to do their job securely](security-adoption-scenario-remote-work.md).
+
+## Continuously improve posture and compliance
+
+### Outcome
+
+Reduce exposure and improve compliance by providing clear visibility into attack paths, misconfigurations, and vulnerabilities across the digital estate.
+
+### Primary discipline
+
+- Posture management: Continuous visibility, risk assessment, prioritization, and improvement tracking. [Learn more](security-adoption-discipline-posture.md).
+- Development security: Effective identification and remediation of vulnerabilities across the development lifecycle. [Learn more](security-adoption-discipline-development.md).
+- Data security: Protect sensitive and personal data. [Learn more](security-adoption-discipline-data.md).
+
+### Primary technologies
+
+Primary technologies for this business solution are Microsoft Security Exposure Management, GitHub Advanced Security, and Microsoft Priva.
+
+#### Microsoft Security Exposure Management
+
+Microsoft Security Exposure Management is a primary enabler for this business scenario. It provides a unified view of your security posture, enabling you to identify attack paths, prioritize vulnerabilities based on business impact, and track security improvements over time.
+
+:::image type="content" source="./media/security-adoption-security-exposure-map.png" alt-text="Graphic shows how Microsoft Security Exposure Management aligns to the business scenario." lightbox="./media/security-adoption-security-exposure-map.png":::
+
+#### GitHub Advanced Security
+
+Security posture isn't only about deployed assets—it's also shaped by how software is built. Shifting security earlier in the development lifecycle reduces downstream exposure, lowers remediation cost, and improves overall risk posture.
+
+GitHub Advanced Security is a primary enabler for this business scenario. It shifts security left by integrating security scanning directly into the development workflow, enabling developers to identify and fix vulnerabilities before code reaches production.
+It improves security posture by:
+
+- Preventing vulnerabilities from entering production environments.
+- Reducing exposure that would otherwise appear later in posture tools.
+- Supporting compliance by enforcing consistent security standards in code.
+- Lowering remediation cost and risk compared to post‑deployment fixes.
+
+:::image type="content" source="./media/security-adoption-github-map.png" alt-text="Illustration of how GitHub advanced security aligns to the business scenario." lightbox="./media/security-adoption-github-map.png":::
+
+#### Microsoft Priva
+
+Microsoft Priva is a primary enabler for this business scenario. It helps organizations discover personal data across their environment, automate privacy risk assessments, and demonstrate compliance with privacy regulations such as GDPR, CCPA, and other data protection requirements.
+
+
+Review the business scenario [Continuously improving security posture and compliance](security-adoption-scenario-improve-posture.md).
+
+
+## Protect critical assets
+
+### Outcome
+
+Identify where sensitive data resides and applying appropriate protection controls throughout its lifecycle.
+
+
+### Primary discipline
+
+Data security: Provide comprehensive data governance, protection, and compliance. [Learn more](security-adoption-discipline-data.md)
+
+
+
+### Primary technologies
+
+Primary technologies for this business solution are Microsoft Purview, and Microsoft Entra for privileged access.
+
+#### Microsoft Purview
+
+Microsoft Purview is a primary enabler for this business scenario. It provides comprehensive data discovery, classification, and protection capabilities that help organizations identify where sensitive data resides and apply appropriate protection controls throughout its lifecycle.
+
+:::image type="content" source="./media/security-adoption-purview-map.png" alt-text="Graphic shows how Microsoft Purview aligns to the business scenario." lightbox="./media/security-adoption-purview-map.png":::
+
+#### Microsoft Entra
+
+Microsoft Entra partners with Purview to provide the identity control plane for this business scenario, ensuring that access to sensitive data is governed, verified, and continuously monitored. It enforces least-privilege access and secures privileged roles that can access or modify critical assets.
+
+
+Review the business scenario [Identifying and protecting critical business assets](security-adoption-scenario-secure-assets.md).
+
+## Rapidly and securely adopt AI
+
+### Outcome
+
+Enable teams to innovate with AI quickly while protecting data, code, and intellectual property.
+
+
+### Primary discipline
+
+Data security: Control data used by and produced through AI. Include discovery, classification, sensitivity labels, DLP, and governance for AI interactions. Enable teams to innovate with AI quickly while protecting data, code, and intellectual property.
+
+### Primary technologies
+
+Primary technologies for this business solution are Microsoft Purview, and GitHub Advanced Security.
+
+#### Microsoft Purview
+
+Microsoft Purview is a primary enabler for this business scenario. It provides comprehensive data discovery, classification, and protection capabilities that help organizations identify where sensitive data resides and apply appropriate protection controls throughout its lifecycle.
+
+
+Review the business scenario [Rapidly and securely adopt AI](security-adoption-scenario-secure-ai.md).
+
+## Next steps
+
+- [Select a business scenario](security-adoption-business-scenarios-overview.md) to get started.
+- Review implementation instructions for:
+
+ - [I want to minimize business damage](security-adoption-scenario-minimize-impact.md).
+ - [I want people to do their job from anywhere](security-adoption-scenario-remote-work.md).
+ - [I want to continuously improve security posture](security-adoption-scenario-improve-posture.md).
+ - [I want to protect critical assets](security-adoption-scenario-secure-assets.md).
+ - [I want to secure privileged access](security-adoption-scenario-privileged-access.md).
+ - [I want to security adoption AI](security-adoption-scenario-secure-ai.md).
\ No newline at end of file
diff --git a/security-docs/zero-trust/security-adoption-discipline-architecture-tips.md b/security-docs/zero-trust/security-adoption-discipline-architecture-tips.md
new file mode 100644
index 000000000..083f03f08
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-discipline-architecture-tips.md
@@ -0,0 +1,96 @@
+---
+title: Tips for an effective security architecture
+description: Use these tips as you modernize security architectures across the business, based on Zero Trust principles.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want guidance and tips to help me as I modernize security architectures and frameworks across the business.
+---
+
+# Tips for effective security architecture
+
+As you establish the Security Architecture discipline, this article provides guidance on how to apply 10 immutable laws of security risk as practical tips as you establish and modernize the [Security Architecture discipline](security-adoption-discipline-architecture.md).
+
+
+
+## Review the immutable laws of security
+
+Architecture exists to identify challenging requirements and translate them into actionable guidance to reduce security risk, limit damage, and keep systems available over time. At the foundation of this work are the immutable laws of security.
+
+These laws describe uncomfortable truths about security that help you to plan effective control, avoid common misconceptions that undermine security architecture, and create organizational risk.
+
+**Immutable law** | **Architecture impact**
+--- | ---
+**1. If a bad actor can persuade you to run their program, it’s not your computer** | Unauthorized code execution causes loss of control. Prevention alone is insufficient.
+**2. If a bad actor can alter the operating system, it’s not your computer** | Control‑plane compromise is systemic risk. This applies whether the control plane is a local operating system, an identity management system, a security tool, or anything else with system/root level access.
+**3. If a bad actor has unrestricted physical access, it’s not your computer** | Physical exposure must be assumed, not treated as an exception.
+**4. If a bad actor can run active content on your website, it’s not your website** | Execution boundaries define trust boundaries.
+**5. Weak passwords trump strong security** | Identity failures defeat layered controls.
+**6. A computer is only as secure as its administrator** | Privileged access is a critically important security priority.
+**7. Encrypted data is only as secure as its decryption key** | Cryptography without governance is fragile.
+**8. An out‑of‑date antimalware scanner is marginally better than none** | Static defenses decay.
+**9. Absolute anonymity isn’t achievable** | Visibility is unavoidable.
+**10. Technology is not a panacea** | People and process failures must be assumed.
+
+## Apply the ten laws of cybersecurity risk
+
+Even after understanding how security control is potentially lost and the impact on security architecture, this isn't enough information to design a system. Security architects must also understand:
+
+- What are we optimizing for?
+- Where do we concentrate effort?
+- What tradeoffs are acceptable?
+
+To figure out these questions, we can apply 10 common laws of cybersecurity risk. Each set of laws deals with different aspects of cybersecurity.
+
+**Law** | **Architecture implication** | **Modernization guidance**
+--- | --- | ---
+**1. Security success is ruining the attacker's ROI** | Design architectures that increase attacker cost and reduce payoff, especially for high‑value assets. | - Concentrate controls around identity, privileged access, and sensitive data.
- Reduce flat trust zones; segment systems so compromise doesn’t scale.
- Prioritize protections that break common attacker chains, not special cases.
+**2. Not keeping up is falling behind** | Static architectures fail. Architecture must assume continuous evolution. | - Security architecture is never done. It must be operationally sustainable and continuously improved.
- Design for continuous update (patching, configuration, policy).
- Prefer cloud‑native and managed services that evolve faster than on-premises or bespoke systems.
- Ensure visibility and inventory are architectural requirements, not afterthoughts.
+**3. Security is a business enabler (productivity always wins)** | If architecture creates friction, it's bypassed. | - Good security architecture enables productivity by default.
- Favor identity‑based access over network complexity.
- Integrate security controls into standard user and developer workflows.
- Make secure paths the easiest paths.
+**4. Attackers don't care** | Attackers use any available access path in the environment. Architecture must eliminate the cheapest paths, not defend only the obvious ones. | - Architecture must reflect real attacker behavior, not idealized beliefs in individual controls.
- Assume compromise through phishing, misconfiguration, or legacy protocols.
- Remove architectural single points of catastrophic failure.
- Secure against the full attack lifecycle (lateral movement, execute on objectives), not just initial access.
+**5. Ruthless prioritization is a survival skill** | You cannot secure everything. | - Architecture is about choosing what not to do.
- Identify crown‑jewel assets and design “defense‑in‑depth” there.
- Accept lower assurance where business impact is lower.
- Use business scenarios to guide architectural investment.
+**6. Cybersecurity is a team sport** | Architecture must integrate work across disciplines and teams. | - Architects design coordination, not just controls.
- Align architecture with platform teams, developers, and operations.
- Delegate controls to platforms that can do them better (cloud providers, identity systems).
- Avoid custom solutions where shared services suffice.
+**7. Your network isn't as trustworthy as you think it is** | Network trust must never be the primary or only control plane. | - This law underpins the move away from perimeter‑centric design.
- Shift trust decisions to identity, device, and application context.
- Design architectures that assume the network is observable and hostile.
- Retain effective controls such as firewalls/web app firewalls (WAFs), but don't rely on them to detect/block everything.
- Use Zero Trust access models consistently across environments.
+**8. Isolated networks aren't automatically secure** | Isolation is effective only when rigorously designed and maintained. | - Retain network isolation that works well. Make sure you maintain it, and attackers can't easily work around it.
- Architecture must account for people and process, not just topology.
- Treat isolation as a system, not a network filtering rule.
- Secure all bridging points (media, vendor access, admins).
- Assume compromise and apply strong identity and operational controls, even in “air‑gapped” design.
+**9. Encryption alone isn't a data protection solution** | Cryptology is only as secure as the keys that unlock it. | - Encryption is important, but is ineffective without secure implementation and operation.
- Architect centralized key management and access governance.
- Protect decryption paths as aggressively as encrypted storage.
- Combine encryption with identity, monitoring, and policy enforcement.
+**10. Technology doesn't solve people and process problems** | Architecture must assume imperfect humans and processes. | - Modernize security architecture to reduce the blast radius of human error. Don't let clicking on a single phishing email cause your security posture to fail.
- Design systems that are resilient to error.
- Automate guardrails where possible.
- Avoid architectures that depend on flawless manual operation.
+
+
+## Build an architecture
+
+As a security architect you can use these two tables as complementary lenses. One to validate technical soundness and the other to drive risk-based prioritization. When combined, they form a practical decision framework for architectural design and modernization.
+
+**Laws** | **Aim** | **Architectural use** | **Questions answered** |
+--- | --- | --- | ---
+**Immutable laws of security** | Capture technical truths that always hold. | Ensure architectures don't violate technical reality.
Test assumptions
Validate trust boundaries.
Avoid false confidence. | *Is the architecture fundamentally sound*?
*Does the design rely on something that can easily be bypassed*?
*Are we assuming technology can make up for untrusted admins, weak passwords, or physical access methods*?
*Are we mistaking encryption, isolation, or tools for actual control*?
+**Laws of cybersecurity risk** | Decide what matters most. | Identify where to invest architecture effort.
Shape modernization roadmaps.
Justify tradeoffs to business leaders. | *Where do attackers get the biggest payoff for least effort*?
*Which controls actually change attacker behavior*?
*What work is no longer worth doing*?
+
+### Example
+
+So if we take an example that applies both tables together.
+
+**Design decision** | **Immutable laws lens** | **Ten laws lens**
+--- | --- | ---
+Reduce dependency on network ACLs to identity‑based access | Networks aren’t trustworthy, identity matters. | Raises attacker cost and aligns with Zero Trust principles.
+Prioritize MFA for admins before hardening edge firewalls. | Weak passwords trump strong security. | Cheapest way to break common attack chains.
+Segment workloads instead of relying on “air gaps” | Isolation isn’t automatically secure. | Reduces blast radius when attackers get in.
+Automate patching and config drift detection | Out‑of‑date defenses fail. | Not keeping up is falling behind
+
+Using both tables together leads to security architectures that:
+
+
+- Assume compromise, focus on risk reduction and damage limitation, rather than promising absolute prevention.
+- Focus on identity, privilege, and lateral movement, not just on perimeter defense.
+- Assume continuous change and evolution, and not static diagrams.
+- Balance business productivity with risk reduction. Align security controls to business value.
+- Integrate people, processes, and technology.
+- Reduce attacker ROI instead of chasing perfect security.
+- Apply Zero Trust principles end-to-end.
+
+## Next steps
+
+Make sure you [review the other security disciplines](security-adoption-discipline-overview.md).
\ No newline at end of file
diff --git a/security-docs/zero-trust/security-adoption-discipline-architecture.md b/security-docs/zero-trust/security-adoption-discipline-architecture.md
new file mode 100644
index 000000000..af1ea0dfb
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-discipline-architecture.md
@@ -0,0 +1,168 @@
+---
+title: Modernize end-to-end security architecture
+description: Follow the end-to-end security architecture discipline in the Microsoft security adoption model to modernize security architectures.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+#customer intent: As a business leader or security adopter, I want to understand how I can use the Microsoft secrity adoption model to modernize security architectures and frameworks across the business.
+
+---
+
+# Establish a Security Architecture discipline
+
+This article helps security and technology teams establish and modernize a Security Architecture discipline that provides a clear, end‑to‑end technical vision for security across the organization.
+
+[Security disciplines](security-adoption-discipline-overview.md) are groupings of related security work that help organizations consistently deliver security outcomes across the entire technology estate. Within the security adoption model, disciplines help provide a bridge between [business scenarios](security-adoption-business-scenarios-overview.md) and [technical implementation](implement-overview.md), ensuring that security investments translate into real measurable outcomes as part of the [security adoption model](security-adoption-model.md).
+
+
+
+## Why this discipline?
+
+Traditional security architecture approaches are often:
+
+- Network‑centric or perimeter‑focused
+- Fragmented across teams and tools
+- Limited to static diagrams or reference documents
+- Disconnected from day‑to‑day design, implementation, and operations
+
+These limitations make it difficult to manage security as a system. Instead, organizations end up optimizing individual tools or platforms in isolation, which leads to inconsistencies, gaps, conflicts, and increased risk.
+
+The Security Architecture discipline modernizes this model by establishing a coherent, end‑to‑end technical vision that connects people, processes, and technology. Rather than focusing on individual controls in isolation, this discipline ensures that all security controls and capabilities work together as an integrated system aligned to Zero Trust principles.
+
+Without an effective Security Architecture discipline in place, organizations commonly experience:
+
+- Security and technology teams operating in silos.
+- Fragmented and duplicated security solutions.
+- Gaps and overlaps in security controls.
+- Slow and ineffective prevention, detection, and response.
+- Repeated incidents caused by unresolved systemic weaknesses.
+- Increased organizational risk and business impact.
+
+A mature security architecture overcomes these limitations by:
+
+- **Using a common architecture**: Ensure that controls and decisions align to a shared architectural model rather than isolated technical solutions.
+- **Connecting strategy to execution**. A common security architecture translates security strategy, policies, and standards into a coordinated technical approach that guides design, implementation, and operations across the full security lifecycle.
+- **Applying Zero Trust consistently**. Ensuring Zero Trust principles are applied uniformly across all security planning, design, and implementation efforts.
+
+The following diagram illustrates how security architecture enables resilience across the enterprise with Zero Trust principles.
+
+:::image type="content" source="./media/security-adoption-discipline-architecture.png" alt-text="This graphic illustrates how security architecture enables Zero Trust principles" lightbox="./media/security-adoption-discipline-architecture.png":::
+
+## Mission and outcomes
+
+The Security Architecture discipline provides technical clarity and structure for how security capabilities fit together across the organization. It enables organizations to:
+
+- **Define a clear end state**: Establish a shared understanding of how security platforms, controls, and technologies work together to protect business assets.
+- **Integrate security across the technology estate**: Ensure identities, devices, networks, infrastructure, applications, data, and emerging technologies are protected through a coherent, end‑to‑end architecture.
+- **Improve consistency and integration**: Reduce fragmentation by guiding teams to implement controls that align to architectural principles rather than point‑in‑time or tool‑specific decisions.
+- **Enable effective prioritization**: Focus effort on the most impactful risks using a Zero Trust‑aligned, data‑driven approach instead of reacting to the most visible or urgent issues.
+- **Reduce incident frequency and impact**: Improve resilience by eliminating systemic weaknesses, accelerating response, and reducing repeat incidents over time.
+
+## How to apply this discipline
+
+To apply the Security Architecture discipline effectively, focus on establishing a consistent approach across the organization:
+
+
+1. **Establish architectural principles and design patterns**
+ Provide clear guidance that ensures security controls and technologies are designed and implemented consistently across systems and environments.
+1. **Integrate architecture into design, implementation, and operations**
+ Ensure that architectural guidance is embedded into decision-making processes, not treated as a static, or isolated activity.
+1. **Align architecture across disciplines and technology areas**
+ Ensure that identity, infrastructure, applications, and data protections work together as part of a cohesive system rather than independent solutions.
+1. **Continuously refine architecture based on risk and feedback**
+ Use insights from security posture, incidents, and changing business requirements to evolve architecture over time.
+
+
+## Manage change through architecture
+
+To provide this support and move modernization forward, a modern Security Architecture discipline must focus on many areas.
+
+### Comprehensive coverage
+
+Security architecture must account for end‑to‑end complexity across the organization. This requires integrating individual security disciplines into a coherent whole and maintaining a shared understanding of how security technologies and controls work together to protect business assets.
+Comprehensive coverage reduces low visibility areas, prevents silos, and ensures security decisions consider the broader system—not just individual components.
+
+
+### Ruthless prioritization
+
+Security architecture must continually drive prioritization so that limited resources are focused on the most impactful risks. Without clear prioritization, organizations waste effort on low‑value (and seemingly urgent) distractions, or overly complex solutions that do little to improve real security outcomes.
+
+### Data‑driven prioritization
+
+Effective prioritization is grounded in data and focuses on three factors:
+
+- **Cheap, easy, and reliable attacks**: Address the attack techniques that are easiest for adversaries to execute and most likely to succeed. This maximizes attacker disruption and security return on investment.
+- **Business impact**: Prioritize defenses that protect the highest‑value business assets or have broad organizational impact.
+- **Effective and efficient mitigations**: For the most important risks, invest first in the simplest, cheapest, and most effective mitigations to reduce risk quickly and measurably.
+
+### Continuous improvement
+
+Security architecture should advance through continuous, incremental improvement, rather than attempting to design perfect solutions up front.
+Continuous improvement recognizes that:
+
+- Security should improve every day, even from a suboptimal starting point.
+- The work is never finished, and designs must evolve with threats, technology, and the business.
+- Quick wins combined with longer‑term investments keep security moving forward and prevent stagnation.
+
+The following graphic shows how the Security Architecture discipline focuses across the enterprise.
+
+:::image type="content" source="./media/security-adoption-discipline-architecture-focus.png" alt-text="This graphic shows how Security Architecture focuses across the enterprise" lightbox="./media/security-adoption-discipline-architecture-focus.png":::
+
+
+## Discipline roles and collaborators
+
+Security architects and enterprise architects primarily own the Security Architecture discipline.
+
+In larger organizations, these responsibilities are distributed across formal roles and supported by documented architecture processes. In smaller organizations, roles might be combined and handled more informally. In all cases, documenting security architecture as it develops, formally or informally, is recommended.
+
+
+Effective delivery depends on close collaboration with:
+
+- **[Security Strategy, Integration, and Governance discipline](security-adoption-discipline-strategy.md)**: Align architecture to strategy, policy, standards, and risk posture, while providing technical feedback to ensure strategy is practical and actionable.
+- **Technology and engineering teams**: Implement architectural guidance and provide feedback on feasibility and operational impact.
+- **Domain architecture roles**: Align identity, application, infrastructure, data, and network architectures to security architecture principles and standards.
+- **[Security operations (SecOps) discipline](security-adoption-discipline-security-operations.md)**: Provide continuous feedback from incidents, detections, and attacker behavior to inform architectural improvements.
+
+The Security Architecture discipline provides the technical clarity that keeps design, engineering, and operations teams aligned to a common vision, ensuring architectural decisions reinforce—not fragment—the security program.
+
+The following diagram shows the breadth of security architecture and contrasts it with engineering and technical experts who tend to focus on single technologies.
+
+:::image type="content" source="./media/security-adoption-discipline-architecture-collaboration.png" alt-text="This diagram shows how Security Architecture works across the organization" lightbox="./media/security-adoption-discipline-architecture-collaboration.png":::
+
+
+## Alignment with other disciplines
+
+**Discipline** | **Security Architecture role**
+--- | ---
+**Strategy, Integration, and Governance** | Translates security strategy, policy, and priorities into a coordinated technical approach, while supplying technical feedback that keeps strategy realistic and clearly communicated.
+**Technical strategy disciplines** | Ensures designs and implementations align to shared architectural principles, enabling integration and reuse rather than isolated evolution.
+**Operational disciplines** | Guides architectural improvements that strengthen prevention, detection, response, and recovery over time.
+
+Together, these disciplines enable continuous improvement across security strategy, architecture, and operations.
+
+The following diagram illustrates these relationships.
+
+
+:::image type="content" source="./media/security-adoption-discipline-architecture-relationships.png" alt-text="Security Discipline Relationship Summary" lightbox="./media/security-adoption-discipline-architecture-relationships.png":::
+
+## Alignment with technology pillars
+
+Security architecture ensures that controls across all technology pillars align to a coherent Zero Trust‑based design and remain consistent over time. Alignment with technology pillars is as follows:
+
+- **Identities**: Ensures identity systems and privileged access controls align to Zero Trust and protect access to all assets.
+- **Endpoints**: Secures devices used as operational footholds by attackers through consistent lifecycle management.
+- **Infrastructure**: Protects cloud and on‑premises platforms that underpin workloads and identity systems.
+- **Apps**: Applies consistent security controls across SaaS, packaged, and custom applications and their communication channels.
+- **Data**: Protects business‑critical data from theft, manipulation, and extortion.
+- **Network**: Ensures network controls support identity‑centric access models while mitigating classic network‑based attacks.
+- **AI**: Integrates new skills, tools, and controls to manage AI‑related risks and attacker use of AI.
+
+## Next steps
+Microsoft Unified offers cybersecurity reference architectures, Zero Trust guidance, and expert-led workshops to help organizations with end to end security architecture.
+
+- Learn more about [Microsoft Cybersecurity Reference Architectures](microsoft-reference-architecture.md).
+- Learn more about [Security Adoption Framework (SAF) workshops](workshop-business-overview.md).
+- [Review other security disciplines](security-adoption-discipline-overview.md).
diff --git a/security-docs/zero-trust/security-adoption-discipline-data.md b/security-docs/zero-trust/security-adoption-discipline-data.md
new file mode 100644
index 000000000..bae1c0a2a
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-discipline-data.md
@@ -0,0 +1,165 @@
+---
+title: Establish a Data Security discipline during security adoption
+description: Use the Microsoft security adoption model to modernize secure data across the business, based on Zero Trust principles.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want to understand how I can use the Microsoft security adoption model to secure data cross the business.
+---
+
+
+
+# Establish a Data Security discipline
+
+This article helps security and technology teams establish and modernize a Data Security discipline that helps organizations protect data wherever it is created, stored, processed, shared, or used, while still enabling collaboration, analytics, cloud services, and AI adoption.
+
+[Security disciplines](security-adoption-discipline-overview.md) are groupings of related security work that help organizations consistently deliver security outcomes across the entire technology estate. Within the security adoption model, disciplines help provide a bridge between [business scenarios](security-adoption-business-scenarios-overview.md) and [technical implementation](implement-overview.md), ensuring that security investments translate into real measurable outcomes as part of the [security adoption model](security-adoption-model.md).
+
+
+## Why this discipline
+
+Data is the lifeblood of modern organizations. It underpins business operations, decision‑making, and innovation, but it's also one of the most valuable assets targeted by attackers.
+
+Traditional, network‑centric data protection approaches are no longer sufficient in environments that use cloud services, encryption, mobile devices, and distributed collaboration. A modern Data Security discipline moves beyond perimeter controls to identity‑aware, lifecycle‑based protection, aligned to business value and risk.
+Without effective data security, organizations face material business risk, including:
+
+- Unintentional data exposure by employees using cloud service, personal devices, and AI.
+- Malicious insider activity targeting sensitive information.
+- Threat actors bypassing perimeter‑based controls in distributed environments.
+- Ransomware and extortion attacks disrupting operations.
+- Regulatory penalties, reputational damage, and—in some industries—life‑safety impacts.
+
+A dedicated Data Security discipline provides the structure needed to reduce these risks while enabling secure and productive use of data across the organization.
+
+## Mission and outcomes
+
+The mission of the Data Security discipline is to protect the confidentiality, integrity, and availability of data assets throughout their lifecycle, enabling secure business operations and informed decision‑making.
+
+A mature Data Security discipline delivers these core outcomes:
+
+- **Data confidentiality**: Ensure only authorized users and systems can access data.
+- **Data integrity**: Prevent unauthorized alteration or corruption of data.
+- **Data availability**: Ensure data is accessible to authorized users when needed.
+
+Failure in these outcomes can lead to data theft and abuse, disrupt business operations, enable fraud, expose regulated data, or even cause physical harm to people.
+
+When you establish clear ownership, classification, and protection strategies, data security becomes an enabler of business outcomes rather than a constraint.
+
+:::image type="content" source="./media/security-adoption-discipline-data-safety.png" alt-text="Diagram of the CIA triad illustrating confidentiality, integrity, and availability as core data security principles." lightbox="./media/security-adoption-discipline-data-safety.png":::
+
+
+To apply the Data Security discipline effectively, focus on establishing a consistent approach to protecting data based on its sensitivity and business impact:
+
+1. **Define a data protection strategy aligned to business priorities and risk**
+ Establish a clear approach for identifying, classifying, and protecting data based on its value and the risks associated with its exposure or misuse.
+1. **Apply protection consistently across the data lifecycle**
+ Ensure that data is protected wherever it resides, moves, or is used, including across devices, applications, and cloud environments.
+1. **Establish standardized data protection policies and controls**
+ Provide clear guidance to ensure sensitive data is handled, accessed, and shared in a consistent and secure manner across the organization.
+1. **Align data protection with critical business assets and scenarios**
+ Prioritize controls that protect high-value and regulated data, especially in scenarios such as protecting critical assets and enabling secure collaboration.
+1. **Continuously monitor and improve data protection**
+ Use insights from data usage, risk signals, and security events to refine protections and reduce the risk of data exposure or loss over time.
+
+
+### Manage change
+
+Traditional data security approaches often rely on a single control point, such as network‑based data loss prevention (DLP). This model is ineffective in modern environments because it:
+
+- Operates only at limited points in the data lifecycle.
+- Must perfectly balance protection and productivity in a single moment,
+- Fails when data is encrypted, shared via cloud services, or accessed on personal devices.
+
+This diagram summarizes the challenges to overcome using a modern approach to data security.
+
+:::image type="content" source="./media/security-adoption-discipline-data-challenges.png" alt-text="Diagram of the data security lifecycle highlighting challenges at each stage, including creation, storage, and transfer." lightbox="./media/security-adoption-discipline-data-challenges.png":::
+
+A modern Data Security discipline focuses on continuous visibility and control across the entire data lifecycle.
+
+## Key focus areas
+
+Modern data security strategies emphasize:
+
+**Focus** | **Details**
+--- | ---
+**Prioritize critical data** | Protect the most business‑critical data first.
+**Collaborate, coverage, visibility** | Collaborate across the business for full visibility of structured and unstructured data across devices, apps, and clouds, preventing data silos.
+**Discover data** | Know where data exists and what value or sensitivity it has.
+**Classify data** | Apply consistent labels so security controls can be applied automatically.
+**Lifecycle protection** | Secure data regardless of the location, technical platform, device, or environment.
Apply this strategy throughout the lifecycle of the data: **create**, **consume**, **store**, **share**, and **dispose**. Secure data during creation and generation, storage at rest, during access/sharing/use, and in transit, as well as data that is no longer active and archived or deleted.
+**Monitoring and enforcement** | Implement real-time visibility and automated enforcement to detect and respond to real-time unauthorized access or exfiltration.
+**Learn and improve** | Continuously improve data security. Adapt strategy and data controls as data formats, platforms, and use cases evolve, including AI.
+
+This approach enables protection that scales with business and technology change.
+
+This diagram illustrates a high level data security strategy that enables both security and productivity.
+
+:::image type="content" source="./media/security-adoption-discipline-data-balance.png" alt-text="Diagram of a data security strategy showing Zero Trust foundation, enterprise collaboration, and data lifecycle stages." lightbox="./media/security-adoption-discipline-data-balance.png":::
+
+In the diagram:
+
+- The Zero Trust foundation, shown by a dotted line, establishes a modern identity boundary and data loss prevention between internal functions and the external environment. This foundation prevents unauthorized data loss, but enables collaboration with authorized external parties.
+- The enterprise collaboration environment, in lighter green, is where most of your organizational data is created, processed, and stored. Limit access to internal users only and apply least privilege by default.
+- Critical apps and data, in darker green, represent the most sensitive data in the organization that must be restricted to a limited set of authorized users and applications. You can share this data within the enterprise collaboration environment and with some authorized external parties, but it must be protected and monitored always.
+
+## Discipline roles and collaborators
+
+Data security requires close collaboration across business, security, and technology teams. In larger organizations, roles are often distributed and formalized; in smaller organizations, responsibilities might be combined.
+
+Primary roles in this discipline typically include:
+
+- Data Officer / Data Governance teams
+- Data and AI architects
+- Data and AI engineering and operations teams
+
+Key collaborators include:
+
+- **Business leaders and data owners** – Define data value, usage, and classification.
+- **Security strategy and governance teams** – Define policies, standards, and oversight.
+- **Architecture roles** – Integrate data security controls into system and platform designs.
+- **Developers** – Implement secure data handling within applications.
+- **Security‑adjacent disciplines** – Align data security with privacy, risk, and compliance efforts.
+
+## Alignment with other disciplines
+
+The Data Security discipline works in close coordination with other disciplines:
+
+- **Access and Identities discipline**– Identity and access policies determine who can access data.
+- **Security Architecture discipline** – Architecture defines end-to-end patterns for protecting data.
+- **Security Operations (SecOps) discipline** – Detects and responds to data-related incidents.
+- **Security Posture discipline** – Measures and improves data protection maturity.
+
+Clear ownership and shared accountability are essential as data responsibilities expand.
+
+## Alignment to technology pillars
+
+Data travels across systems, users, and environments. As a result, the Data Security discipline spans all technology pillars.
+
+:::image type="content" source="./media/security-adoption-discipline-data-technology.png" alt-text="Diagram of Zero Trust foundation with layers for enterprise collaboration, critical data, and technology pillars." lightbox="./media/security-adoption-discipline-data-technology.png":::
+
+Aligned technology pillars include:
+
+- **Identities**: Data security relies on identity security controls to enforce secure access to data through strong identity and access controls.
+- **Endpoints**: Data security relies on endpoint security controls to prevent data theft from compromised or unmanaged devices.
+- **Infrastructure**: Data security relies on infrastructure security controls to protect data stored or processed on servers, containers, and cloud platforms.
+- **Apps**: Data security relies on app security controls to ensure apps securely access and handle sensitive data.
+- **Data**: Data security relies on data security controls to discover, classify, protect, and monitor data throughout its lifecycle.
+*- *Network**: Data security relies on data security controls to help discover and secure data as it is transferred between systems.
+- **AI**: Data security relies on AI security controls to protect data used to train, analyze, and generate AI outputs.
+
+## Next steps
+
+Microsoft Unified offers expert-led workshops to help organizations accelerate modernization of Security Posture Management strategy, architecture, and technology. These workshops include:
+
+- **Architecture and strategy workshops** - The Security Adoption Framework Data Security workshop focuses on data security modernization. This workshop is available as a less than four-hour discussion focused on key learnings and best practices.
+
+- **Technology adoption workshops** - Microsoft Unified has workshops to help organizations learn about, plan, implement, and optimize the use of data technologies.
+
+:::image type="content" source="./media/security-adoption-discipline-access-workshop.png" alt-text="Diagram of Microsoft Unified workshops for Access and Identity technology adoption, showing key phases and activities." lightbox="./media/security-adoption-discipline-access-workshop.png":::
+
+
+
diff --git a/security-docs/zero-trust/security-adoption-discipline-development-imperatives.md b/security-docs/zero-trust/security-adoption-discipline-development-imperatives.md
new file mode 100644
index 000000000..c2339d99b
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-discipline-development-imperatives.md
@@ -0,0 +1,235 @@
+---
+title: Adopt secure development planning imperatives
+description: Modernize and secure development processes and functions using key imperatives.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want to understand the key imperatives for modernizing and securing dev functions and processes across the business.
+---
+
+# Adopt secure development planning imperatives
+
+This article defines the key imperatives for integrating security into development practices as part of the [Development Security discipline](security-adoption-discipline-development.md).
+
+
+Modern organizations rely on rapid software development to deliver innovation, meet business requirements, maintain competitive advantage, and respond to changing business needs. While DevOps enables this agility, it also introduces new security risks as code, infrastructure, and deployment processes evolve more quickly.
+
+To securely adopt DevOps practices, organizations must integrate security into development strategy, workflows, and delivery processes, and adopt DevSecOps practices that secure application delivery across the lifecycle.
+
+## Outcomes
+
+Adopting the planning imperatives in this article enables organizations to:
+
+- Reduce the introduction of security weaknesses into production workloads.
+- Improve consistency of production readiness decisions.
+- Reduce friction between development, security, and operations.
+- Improve resilience of applications and delivery infrastructure.
+- Sustain innovation velocity while managing security and operational risk.
+
+## Recognize the scope of development security
+
+Development security applies to more than application code. Organizations should define security requirements and activities across all components involved in designing, building, deploying, and operating workloads.
+
+Organizations must account for security risks across:
+
+- Application logic and services
+- Infrastructure automation/Infrastructure‑as‑code (IaC) deployments
+- Build and release pipelines
+- Deployment configurations and operational scripting
+- Developer environments and service identities
+- Third-party dependencies and supply chain components
+
+Recognizing this full scope helps organizations define security requirements that reflect how modern workloads are delivered, rather than limiting security to application code review late in the lifecycle.
+
+## Account for key risks
+
+Organizations should explicitly include the following risks when defining requirements:
+
+**Risk area** | **Example impact**
+--- | ---
+Application design flaws | Unauthorized access, data exposure, persistent logic flaws.
+Pipeline compromise | Injection of malicious code into build artifacts.
+Developer environment compromise | Theft of credentials or elevation of privileges.
+DevOps tooling misuse | Unauthorized changes via automation or integrations.
+Supply chain vulnerabilities | Introduction of malicious or vulnerable dependencies.
+
+These risks directly inform the planning imperatives defined in this article and must be addressed through design, process, and governance decisions.
+
+These risks affect both application workloads and the infrastructure used to build and operate them.
+
+
+## Integrate security into strategy/lifecycle
+
+Security must be incorporated into development strategy, not applied as a post-release control.
+
+Organizations must define security requirements alongside functional requirements and align them with:
+
+- Development strategy
+- Architectural planning
+- Delivery workflows
+- Operational support models
+
+Security outcomes are shared responsibilities owned by engineering and operations roles, supported by security specialists.
+
+Security enables innovation, it isn't a gate applied after delivery.
+
+Organizations must adopt a continuous Secure Development Lifecycle (SDL) approach that includes:
+
+
+
+- Defining security requirements early in design.
+- Aligning security requirements with architecture and implementation.
+- Integrating security with infrastructure automation.
+- Performing continuous security validation.
+- Tracking security findings.
+- Prioritizing remediation.
+- Applying security findings to release readiness decisions so that security issues are treated as production blockers when necessary.
+
+Security must be continuously evaluated and improved as application architectures, risks, and delivery models evolve.
+
+## Define minimum production viability criteria
+
+Workloads must meet minimum viability criteria before production release. These criteria define whether a workload is safe, compliant, and operationally ready for production use across three dimensions:
+
+- **Development (dev)**: Development stakeholders define minimum functional requirements necessary to meet business needs and customer/user value.
+- **Security (sec)**: Security stakeholders define minimum requirements necessary to meet regulatory obligations, sustain organizational security posture, and support detection and response of active threats.
+- **Operations (ops)**: Operations stakeholders define minimum performance, quality, and supportability requirements necessary for the workload to operate reliably in production environments.
+
+Production viability criteria:
+
+- Ensure workloads are safe to deploy and operate in production environments.
+- Act as release decision inputs and must be enforced consistently across development workflows.
+
+Production viability criteria evolve based on changes to:
+
+- Application delivery models.
+- Threat conditions.
+- Organizational risk tolerance.
+- Compliance requirements.
+
+
+## Integrate security into development workflows
+
+Security must be embedded directly into development and delivery processes. Organizations should:
+
+- Define security requirements within development workflows.
+- Integrate security activities into:
+ - Design processes
+ - Build pipelines
+ - Deployment workflows (CI/CD)
+- Implement security validation mechanisms such as:
+ - Code scanning
+ - Dependency validation
+ - Configuration checks
+
+
+Security findings must be treated the same as production defects and incorporated into release decisions.
+
+Security validation should occur continuously through the delivery, not only at release checkpoints.
+
+
+## Balance and harmonize requirements
+
+Organizations must define how development, security, and operational requirements are balanced in software delivery decisions. Production workloads must meet requirements across:
+
+- Business functionality.
+- Security resilience.
+- Speed of innovation.
+- Operational reliability and performance.
+
+Organizations must define shared delivery objectives and performance metrics that:
+
+- Align to shared performance and delivery objectives across development, security, and operations.
+- Avoid domination by a single domain.
+- Prioritize outcomes based on:
+ - Organizational risk tolerance.
+ - Regulatory obligations.
+ - Business accountability.
+
+The balance must adapt as threat conditions evolve, delivery models change, and organizational priorities shift.
+
+
+## Establish shared accountability
+
+Effective DevSecOps requires shared ownership across development, security, and operations teams with a view to:
+
+- Aligning ownership of production viability criteria.
+- Aligning delivery objectives across disciplines.
+- Reducing silos and unhealthy friction that creates security gaps, delivery delays, and operational instability.
+
+
+## Apply policy-driven security guardrails
+
+Policy-driven guardrails should enforce controls without introducing excessive friction. Guardrails should include:
+
+- Identity and access requirements.
+- Configuration and compliance standards.
+- Deployment and release controls.
+
+Guardrails should be:
+
+- Integrated into platform foundations (for example landing zones).
+- Embedded into development/deployment workflows.
+- Enforced automatically when possible.
+
+This approach ensures security requirements are consistently applied while maintaining delivery velocity.
+
+For a balanced approach to security and speed of innovation, review adoption using [policy-driven guardrails](/azure/cloud-adoption-framework/ready/enterprise-scale/dine-guidance).
+
+## Sustain and improve
+
+Security doesn't remain effective as a static set of controls and must evolve over time.
+
+Organizations must continuously evaluate and update development security practices in response to changes in:
+
+- Threat conditions and attacker behavior.
+- Application architectures and delivery models.
+- Regulatory obligations.
+- Organizational risk tolerance.
+- Production viability criteria.
+- Development delivery processes.
+- Security governance practices.
+
+Security practices must evolve alongside the systems they protect.
+
+### Alignment techniques
+
+Teams must align to:
+
+- **Define common goals**: Development, security, and operations leaders should collaboratively define delivery objectives and performance metrics for workload delivery, to support consistent release planning.
+- **Prevent single‑domain decision dominance**: Delivery decisions should account for development, security, and operational requirements to avoid imbalances that might negatively impact workload reliability, compliance, or business functionality.
+- **Prioritize continuous improvement over static release criteria**: Development security practices should be iteratively refined over time as application delivery models, threat conditions, and organizational priorities evolve.
+- **Establish shared delivery context across stakeholder roles**: Development, security, and operations teams should maintain a shared understanding of:
+ - Business urgency and delivery timelines
+ - Relevant threat conditions and risk exposure
+ - Operational availability and supportability requirements
+- **Monitor delivery friction introduced by security requirements**: Security requirements may introduce delivery friction. Leaders should evaluate whether this friction contributes to risk reduction (for example, by enabling earlier identification of vulnerabilities) or unnecessarily delays workload delivery without materially improving production resilience.
+- **Incorporate development security into planning and resource allocation**: Security requirements for application workloads should be incorporated into development planning and resource allocation alongside functionality and operational support requirements.
+- **Define shared delivery performance objectives**: Performance and success metrics for application workloads should reflect development, security, and operational delivery outcomes.
+
+
+
+## Align workflows with security requirements
+
+Security must be operationalized through development workflows. Organizations must define and align workflows for:
+
+- Architectural design activities.
+- Build and deployment processes.
+- Issue tracking and remediation workflows.
+
+Security findings must be:
+
+- Prioritized and tracked.
+- Managed alongside production defects.
+- Incorporated into release readiness decisions.
+
+Workflow alignment ensures that security requirements are consistently enforced throughout delivery.
+
+
+## Next steps
+
+[Learn about](develop/overview.md) development using Zero Trust principles
diff --git a/security-docs/zero-trust/security-adoption-discipline-development-security.md b/security-docs/zero-trust/security-adoption-discipline-development-security.md
new file mode 100644
index 000000000..09506f9d2
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-discipline-development-security.md
@@ -0,0 +1,233 @@
+---
+title: Shift DevOps to DevSecOps
+description: Learn why we need to integrate security to DevOps modernization.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want to understand the need for integrating security into DevOps, and shifting to DevSecOps.
+---
+
+# Shift DevOps to DevSecOps
+
+As you create or modernize a [Development Security discipline](security-adoption-discipline-development.md), this article outlines how integrating security into development practices enables the shift from developer operations (DevOps) to developer-security-operations (DevSecOps), and helps secure application delivery.
+
+Modern organizations rely on rapid software development to deliver innovation, respond to changing business requirements, and maintain competitive advantage. DevOps enables this agility through continuous integration and delivery. However, increased speed also introduces new security risks.
+
+Continuous release cycles reduce the time between design decisions and production deployment, increasing the likelihood that weaknesses are introduced into production environments, including:
+
+- Application design weaknesses
+- Vulnerable dependencies
+- Configuration errors
+- Infrastructure automation flaws
+- Poor secrets management or hygiene.
+
+## DevOps risk
+
+Modern DevOps environments expand the attack surface across development, pipeline, and production systems. DevOps tools such as source code repositories, pipelines, and automation systems are high-value targets for attackers.
+
+If malicious code is introduced early, it might pass through existing security checks and reach production systems.
+
+Common attack objectives include:
+
+- Injecting malicious code into build artifacts.
+- Compromising developer identities or service accounts.
+- Accessing or exfiltrating production data.
+
+Attackers often target custom applications and development environments to gain access to:
+
+- Sensitive organizational or customer data.
+- Proprietary business logic and intellectual property.
+- Production infrastructure through compromised development systems.
+- Downstream customers through software supply chain compromise.
+
+Potential security risks are summarized in the following diagram:
+
+:::image type="content" source="./media/develop/secure-devops-environments/diagram-enterprise-devops-overview-inline.png" alt-text="Diagram illustrates DevOps environments and security threats." lightbox="./media/develop/secure-devops-environments/diagram-enterprise-devops-overview-expanded.png":::
+
+
+### Application and development risk
+
+Application workloads can be compromised through weaknesses introduced during development or through compromise of the infrastructure used to build and deploy them.
+
+
+**Risk** | **Target** | **Potential outcome**
+--- | --- | ---
+**App design/implementation** | Security issues introduced during design or development may expose workloads to attack techniques such as:
- Improper input validation
- Insecure authentication or authorization logic
- Weak or improperly implemented cryptography
- Exposure of sensitive data through application logic | These weaknesses might allow attackers to:
- Access or manipulate application data
- Execute unauthorized operations
- Maintain persistent access through implanted logic flaws.
+**Dev infrastructure/automation** | Attacks might target:
- Source code repos
- Build pipelines
- Deployment automation
- Infrastructure-as-code (IaC) templates
- Develop endpoints or service identities | Compromise might allow attackers to:
- Insert malicious code into build artifacts
- Modify deployment configurations
- Maintain persistent access through implanted logic flaw
- Obtain credentials or secrets used in production environments.
+**Dev software supply chain** | Applications commonly rely on:
- Third‑party libraries
- Open‑source packages
- Container images
- Platform services | Vulnerabilities or malicious code introduced through these dependencies might affect:
- Organizational production workloads
- Customer or partner environments
+
+Integrating security into development processes reduces the likelihood that these risks propagate into production release.
+
+## Shifting left
+
+Shift left is a security engineering approach that integrates security earlier in the development lifecycle.
+
+
+Instead of validating security late in the process, organizations embed it into:
+
+- Envisioning
+- Design
+- Development
+- Operations
+
+This reduces remediation cost and risk exposure.
+
+To support this approach, organizations should"
+
+- Use structured best practices such as the [Security Development Lifecycle (SDL)](https://www.microsoft.com/securityengineering/sdl/practices) early in the process, rather than late when issues become expensive and difficult to fix.
+- To sustain this approach, integrate governance, risk, and compliance (GRC) into development strategy.
+
+
+## What is DevSecOps?
+
+DevSecOps delivers on the Shift Left approach by extending DevOps and embedding security into every stage of the software development lifecycle - from idea inception through design, development, and operations.
+
+- In traditional development approaches, security validation was often performed as a final quality gate before release. This created delays, increased remediation cost, and allowed vulnerabilities to persist until late in the lifecycle.
+- DevSecOps shifts security earlier and embeds it continuously into development and operational processes.
+- DevSecOps reduces friction between development, operations, and security teams, aligning them around shared goals of innovation speed, reliability, and security resilience, and enabling teams to address the most important issues early and continuously.
+- DevSecOps integrates security into:
+
+ - Architectural design
+ - Application implementation
+ - Infrastructure automation
+ - Deployment and operational processes
+
+### Benefits
+
+DevSecOps enables development, security, and operations teams to:
+
+- Identify and remediate issues earlier in the lifecycle.
+- Reduce exposure in production.
+- Maintain delivery speed while managing risk.
+
+Security becomes part of how software is built and delivered, rather than a control applied after delivery.
+
+:::image type="content" source="./media/development-security-operations.png" alt-text="Graphic showing how development, security, and operations fit together" lightbox="./media/development-security-operations.png":::
+
+
+## Secure innovation lifecycle
+
+Innovation typically progresses through two lifecycle stages:
+
+**Stage** | **Details**
+--- | ---
+**Idea incubation** | A capability is designed, implemented, and validated for initial production use. It begins with a new idea
+**Initial release** | A **first production release** meets the minimum product criteria for safe product use.
- **Development**: Functionality meets the minimum business requirements.
- **Security**: Capabilities meet the regulatory compliance, security, and safety requirements for production use.
- **Operations:** Functionality meets the minimum quality, performance, and supportability requirements to be a production system.
+
+After initial release, development becomes iterative as workloads evolve with:
+
+- Changing risk tolerance
+- Application requirements and maturity
+- Regulatory obligations
+- Threat conditions
+
+:::image type="content" source="./media/develop-security-agile.png" alt-text="Diagram showing how DevSecOps keeps the development cycle agile and continuously improving" lightbox="./media/develop-security-agile.png":::
+
+## Integrate security into development
+
+
+Traditional development approaches validate security late in the lifecycle, as a final gate before release after design and implementation are complete. In modern development environments, delaying validation increases:
+
+- Vulnerability complexity
+- Remediation cost
+- Operational delays and disruption
+- Increased risk exposure to active exploitation
+
+DevSecOps integrates security continuously throughout development and operations, to address issues earlier, reduce risk, and improve consistency.
+
+### Key practices
+
+Security must be embedded into existing development processes to be effective, scalable, and sustainable. It should be integrated directly into how apps are designed, built, deployed, and operated, not implemented in a separate or parallel workflow. We recommend:
+
+- Mapping end-to-end workflows from idea through development, deployment, and ongoing operations.
+- Defining clear roles, tools, and responsibilities for security at each stage of the lifecycle.
+- Establishing consistent remediation paths for vulnerabilities, defects, and design issues.
+
+Tailor security practices based on workload risk. Business-critical applications require greater rigor, while lower-risk scenarios can follow streamlined approaches.
+
+At a minimum, ensure that you:
+
+- Identify the stages, people, and technologies involved in your development lifecycle.
+- Define how security activities integrate into each stage, rather than treating them as separate checkpoints.
+- Establish processes for handling both major changes and routine fixes throughout the lifecycle.
+
+## Automate security into development and deployment
+
+Automation is essential to enforce security consistently and at scale across development and operations.
+
+- Integrate security controls and tooling directly into CI/CD pipelines.
+- Automate key activities such as threat modeling, code scanning, validation, and policy enforcement.
+- Use Infrastructure as Code (IaC) to enable repeatable, secure deployments.
+
+Platform foundations such as Azure landing zones can support this approach by
+
+Platform foundations such as [Azure landing zones](/azure/cloud-adoption-framework/ready/landing-zone/design-area/platform-automation-devops) can support this approach by providing standardized patterns for security, governance, and DevOps integration.
+
+## Expected outcomes
+
+Organizations that shift from DevOps to DevSecOps can:
+
+- Reduce the likelihood that vulnerabilities are introduced into production workloads
+- Limit the ability of attackers to exploit development infrastructure or automation
+- Improve resilience of applications to evolving attack techniques
+- Support regulatory and organizational compliance requirements
+- Sustain innovation velocity without increasing operational or security risk
+
+
+
+## Tips on navigating the journey
+
+Adopting DevSecOps requires organizational and cultural changes.
+
+### Education and culture changes
+
+These are critical early steps. The team you have must develop new skills and adopt new perspectives to understand the DevSecOps model.
+
+Education and culture change takes time, focus, executive sponsorship, and regular follow up to help individuals fully understand and see the value of the change.
+
+ Changing cultures and skills drastically can sometimes tap into the professional identity of individuals, creating potential for strong resistance. It's critical to understand and express the why, what, and how of the change for each individual and their situation.
+
+### Change takes time
+
+You can only move as fast as your team can adapt to the implications of doing things in new ways. Teams must do their existing jobs while they transform.
+
+It's critical to carefully prioritize what is most important and to manage expectations of how fast this change can happen.
+
+Focusing on a crawl, walk, run strategy, where the most important and foundational elements come first, serves your organization well.
+
+
+### Change introduces (temporary) friction
+
+All new technologies, methodologies, and other changes introduce friction and confusion. It's critical to focus on healthy friction that drives critical thinking to reduce risk while avoiding unhealthy friction that slows down processes with limited benefit or risk reduction.
+
+### Limited resources
+
+
+A challenge that organizations usually face early on is to find talent and skills in both security and application development.
+
+As organizations begin to collaborate more effectively, they might find hidden talent, such as developers with a security mindset or security professionals with a development background.
+
+
+### Ongoing shifts
+
+Apps are changing fast. In addition to new features, the technical definition and composition of an application is fundamentally changing with the introduction of technologies such as cloud, serverless, and AI.
+
+This shift is changing development practices, application security, and even empowers nondevelopers to create applications.
+
+### Consider an SRE model
+
+Some DevSecOps implementations combine operations and security responsibilities into a **site reliability engineer (SRE)** role.
+
+While such a model can work, it's often an extreme change from existing enterprise culture and practices.
+
+If you're considering an SRE model, we recommend that you start by embedding security into DevOps using practical quick wins and incremental progress outlined in this guidance to ensure you're getting good return on investment (ROI) and meeting immediate needs.
+
+This incrementally adds security responsibilities to your operations and development personnel, which moves teams closer to an SRE end-state.
+
+## Next steps
+
+[Learn about](security-adoption-discipline-development-imperatives.md) secure development best practices.
\ No newline at end of file
diff --git a/security-docs/zero-trust/security-adoption-discipline-development.md b/security-docs/zero-trust/security-adoption-discipline-development.md
new file mode 100644
index 000000000..00154da31
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-discipline-development.md
@@ -0,0 +1,227 @@
+---
+title: Establish a Development Security discipline
+description: Use the Microsoft security adoption model to modernize and secure development processes and functions, based on Zero Trust principles.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want to understand how I can use the Microsoft security adoption model to modernize and secure dev functions and processes across the business.
+---
+
+# Establish a Development Security discipline
+
+
+This article helps security and technology teams establish and modernize a Development Security discipline. This discipline helps security, engineering, and technology teams ensure that software is designed, built, integrated, and deployed securely—without slowing innovation.
+
+[Security disciplines](security-adoption-discipline-overview.md) are groupings of related security work that help organizations consistently deliver security outcomes across the entire technology estate. Within the security adoption model, disciplines help provide a bridge between [business scenarios](security-adoption-business-scenarios-overview.md) and [technical implementation](implement-overview.md), ensuring that security investments translate into real measurable outcomes as part of the [security adoption model](security-adoption-model.md).
+
+
+
+## Why this discipline?
+
+Software is deeply interconnected with identities, data, infrastructure, and business processes. When development security is weak or inconsistent, each software release can introduce new vulnerabilities that attackers exploit to gain access to broader organizational assets.
+
+Without an effective Development Security discipline, organizations commonly experience:
+
+- Increased risk from software vulnerabilities introduced during development.
+- Application compromise that enables lateral movement across identities and data.
+- Disruption of business operations and revenue.
+- Exposure or abuse of customer and regulated data.
+- Accumulation of technical debt that increases long‑term risk and remediation cost.
+
+A strong development security discipline ensures that each release reduces risk, rather than compounding it.
+
+## Mission and outcomes
+
+
+The Development Security discipline reduces organizational risk by ensuring that all software, whether developed internally or by partners, is designed, built, integrated, and deployed in alignment with security standards, without slowing delivery or innovation.
+
+Organizations that mature this discipline achieve:
+
+- Security built into development processes rather than added late.
+- Earlier identification and remediation of design and implementation flaws.
+- More predictable, secure release cycles.
+- Reduced rework, emergency fixes, and operational disruption.
+- Lower accumulation of technical and security debt over time.
+
+Development Security ensures that security posture improves continuously with each release, rather than being periodically reset.
+
+
+### Changes in team work
+
+It's important that a Development Security discipline meets developers and product teams where they are, focusing n integrating security into existing development workflows, rather than introducing late-stage controls, friction-heavy review processes, or even skipping security in development processes.
+
+This approach is often described as **shifting left**, introducing security thinking earlier in ideation, design, and implementation, when issues are easier and less costly to fix. Shifting left does not mean saying no earlier in the process. Instead, it introduces security-informed discussion early to improve product decisions and ensure solutions meet security and business requirements.
+
+Key principles include:
+
+- **Early integration**: Consider security during ideation and design, not just testing
+- **Developer alignment**: Meet development and product teams where they already work
+- **Small, incremental change**: Prefer automation and low-friction improvements
+- **Continuous improvement**: Treat security as an ongoing discipline, not a milestone
+
+Over time, consistent integration reduces fire drills and accelerates delivery rather than slowing it.
+
+
+## How to apply this discipline
+
+To apply the Development Security discipline effectively, focus on establishing a consistent approach to building and maintaining secure applications and services across the organization:
+
+1. **Define a secure development strategy aligned to business risk**
+ Establish a clear approach for how applications and services are designed, built, and maintained to reduce the risk of compromise and protect critical business functionality.
+1. **Embed security into development and engineering processes**
+ Ensure security practices are integrated into planning, design, development, and deployment activities rather than applied after the fact.
+1. **Establish standardized secure development practices**
+ Provide clear guidance to ensure that secure coding, testing, and release practices are applied consistently across teams and projects.
+1. **Align development security with critical assets and business scenarios**
+ Prioritize protections for applications and services that support high-value assets and key business operations.
+1. **Continuously improve based on risk, vulnerabilities, and feedback**
+ Use insights from vulnerabilities, incidents, and testing results to strengthen development practices and reduce risk over time.
+
+
+
+## Manage change
+
+
+Modern development security is typically implemented through a DevSecOps approach that combines agile delivery with essential governance and quality practices before release.
+
+Rather than choosing between speed and security, DevSecOps focuses on securing key aspects of the development lifecycle to mitigate urgent risk while not impeding rapid release cycles:
+
+**Secure the design** – Use proven security design patterns and validate designs through threat modeling.
+**Secure the code** – Follow secure coding practices and validate software and dependencies.
+**Secure the pipeline** – Validate the pipeline process and protect CI/CD systems from compromise and unauthorized change. Ensure traceability of changes to the pipeline and the software going through the pipeline.
+**Secure operations** – Ensure deployed workloads follow configuration, patching, and operational best practices.
+
+Teams can improve outcomes by continuously refining collaboration between development, security, and operations, balancing functional delivery goals with reliability and risk reduction.
+
+:::image type="content" source="./media/security-adoption-discipline-dev-overview.png" alt-text="DevSecOps strategy that combines traditional development practices with Agile techniques." lightbox="./media/security-adoption-discipline-dev-overview.png":::
+
+This continuous incremental improvement should be applied to both work production (software code produced in the lifecycle) as well as the maturing of the development lifecycle itself.
+
+
+## Define a DevSecOps process
+
+Development Security is commonly implemented through a DevSecOps operating model that evolves over time rather than appearing fully formed. DevSecOps brings development, security, and operations together to achieve better outcomes through continuous improvement.
+
+Most organizations progress through these stages:
+
+Development (Dev) – The first production release focuses on delivering a minimally viable product (MVP) that meets core business requirements.
+DevOps – After initial release, teams focus on rapid iteration, operational stability, and governance through continuous delivery.
+DevSecOps – As collaboration matures, development, security, and operations work together to continuously refine processes and balance speed, risk, and reliability.
+
+
+:::image type="content" source="./media/security-adoption-discipline-dev-agile.png" alt-text="DevSecOps strategy that combines traditional quality controls and agile development." lightbox="./media/security-adoption-discipline-dev-agile.png":::
+
+This progression allows organizations to improve security outcomes without sacrificing agility or innovation.
+
+
+### Establish a secure MVP baseline
+
+A key step in this model is defining what constitutes a minimum viable product (MVP) from development, security, and operations perspectives. Establishing this shared baseline creates clarity across teams and enables consistent improvement over time.
+
+**Component** | **Details**
+--- | ---
+**Dev(elopment)** | Ensure that the software meets the minimum business and functional requirements.
+**Sec(urity)** | Ensure that software meets the minimum security and compliance requirements.
+**Op(eration)s** | Ensure that software meets the minimum quality, reliability, and operational readiness requirements.
+
+MVP requirements vary by organization and industry and are influenced by risk appetite, regulatory exposure, and business criticality. These requirements often evolve as the organization, threat landscape, and delivery models change.
+
+
+### Continuous software improvement
+
+After the initial production release, workloads move into continuous improvement cycles. In this phase, development, security, and operations refine both the software and the delivery process.
+Security efforts focus on:
+
+- **Integrate security natively** into development workflows, using the same tools and prioritization models as other engineering work
+- **Rapidly identify, prioritize and fix security bugs** as part of standard release cycles.
+-
+This approach aligns with Microsoft Secure Future Initiative (SFI) learnings such as pr[**Paved Paths**](https://devblogs.microsoft.com/engineering-at-microsoft/building-paved-paths-the-journey-to-platform-engineering/), where secure practices are built into platforms and processes rather than enforced externally.
+
+Over time, this continuous learning helps teams refine requirements, streamline collaboration, and better balance delivery speed, security, and reliability.
+
+
+## Discipline roles and collaborators
+
+The Dev Security discipline is typically run by teams doing app and product development.
+
+Primary roles in this discipline typically include:
+
+- Technology delivery and product managers
+- Software developers (including AI development)
+- Software security engineers
+- DevOps and platform engineers
+- Testing and quality engineering roles
+- Supply chain and dependency security roles
+
+Key collaborators include:
+
+- Business and technical leadership – Provide sponsorship and prioritization
+- Architecture roles – Guide secure design and integration decisions
+- Security Strategy, Integration, and Governance discipline roles– Provide policy, education, and oversight
+- Infrastructure and platform teams – Enable secure development environments
+- Security Operations (SecOps) – Monitor and respond when applications are attacked
+
+## Alignment with other disciplines
+
+Development Security is tightly integrated with other SAF disciplines:
+
+- Access and Identities – Protects developer, workload, and service identities.
+- Infrastructure Security – Secures platforms running applications and pipelines.
+- Data Security – Ensures sensitive data is protected throughout the software lifecycle.
+- SecOps– Detects and responds to application-level attacks.
+- Security Strategy, Integration, and Governance – Aligns development practices to enterprise risk priorities.
+
+Together, these disciplines ensure software security supports broader business and security outcomes.
+
+## Alignment with technology pillars
+
+Executing the strategy for the development security discipline requires security controls across multiple technology pillars.
+
+:::image type="content" source="./media/security-adoption-discipline-dev-pillars.png" alt-text="Development Security - mapping to technology pillars." lightbox="./media/security-adoption-discipline-dev-pillars.png":::
+
+Alignment with technology pillars includes:
+
+
+- **Identities**: Protects developer and workload identities and credentials.
+- **Endpoints**: Secures developer workstations and build systems.
+- **Infrastructure**: Protects platforms hosting code, pipelines, and workloads.
+- **Apps**: Provides a primary focus for development security practices.
+- **Data**: Protects data used, generated, and stored by applications.
+- **Network**: Designs software to operate securely on untrusted networks.
+- **AI**: Secures AI components and models used in modern applications.
+
+This breadth ensures the discipline addresses real-world attack paths.
+
+## What's next?
+
+Additional development security strategy guidance is in the [Development security strategy](security-adoption-discipline-development-security.md).
+
+### Take a workshop
+
+Microsoft Unified offers expert-led workshops to help organizations modernize their Dev security discipline. These workshops include:
+
+- **Architecture and strategy workshops** - The *Security Adoption Framework (SAF) - Architecture Design Session: Infrastructure and Development Security workshop* focuses on accelerating development security modernization and integration with infrastructure security. This workshop is available as a less than four-hour discussion focused on key learnings and best practices.
+- **Technology adoption workshops**: Microsoft Unified has workshops to help organizations learn about, plan, implement, and optimize the use of Microsoft Development Security Technology as illustrated in this diagram.
+
+:::image type="content" source="./media/security-adoption-discipline-dev-technical.png" alt-text="Development Technology Adoption Workshops" lightbox="./media/security-adoption-discipline-dev-technical.png":::
+
+
+
+### Review the Microsoft Security Development Lifecycle
+
+The Microsoft Continuous Security Development Lifecycle provides a methodology to securely develop software. The Security Development Lifecycle (SDL) is the approach Microsoft uses to integrate security into DevOps processes (sometimes called a DevSecOps approach). The SAF development security guidance helps you adapt the SDL approach and practices to your organization.
+
+You can apply the practices described in the SDL approach to all types of software development and all platforms, from classic waterfall through to modern DevOps approaches. This generally applicable software security approach works across any type of software and platform.
+
+For more information, see [Microsoft Security Development Lifecycle (SDL)](https://www.microsoft.com/securityengineering/sdl/).
+
+Effective development security requires following a security development lifecycle (SDL) like the [Microsoft Security Development Lifecycle (SDL)](https://www.microsoft.com/securityengineering/sdl/)
+
+
+## Next steps
+
+[Learn about](security-adoption-discipline-development-security.md) the shift from DevOps to DevSecOps.
\ No newline at end of file
diff --git a/security-docs/zero-trust/security-adoption-discipline-identity-access-enterprise-model.md b/security-docs/zero-trust/security-adoption-discipline-identity-access-enterprise-model.md
new file mode 100644
index 000000000..4117bd46a
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-discipline-identity-access-enterprise-model.md
@@ -0,0 +1,159 @@
+---
+title: Build an enterprise access architecture across the security adoption Identities and Access discipline
+description: Learn how to design an architecture for enterprise access within the security adoption Identities and Access discipline
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want to understand how I can design an enterprise access architecture across the security adoption Identities and Access discipline
+---
+
+# Design an enterprise access architecture
+
+This article describes how to design an enterprise access model as part of an [Access and Identities discipline](security-adoption-discipline-identity-access.md).
+
+It provides guidance for establishing an enterprise access architecture based on a coherent, Zero Trust model for understanding, designing, and governing all access paths to digital assets.
+
+
+## Why an enterprise access architecture?
+
+Consistent and comprehensive policy enforcement is critical in preventing threat actors from using weak access controls to access your environment, and from escalating privileges during an attack.
+
+Modern enterprises operate in complex environments where access isn't limited to internal users on corporate networks. People and processes who access include:
+
+- Employees, partners, and customers
+- Applications, services, and automation
+- Administrators and operators with privileged permissions
+- AI agents acting on behalf of users or autonomously
+
+The enterprise access architecture provides a single architectural model for reasoning about all of these access paths consistently. Its purpose is to:
+
+- Establish a shared way to understand how access is granted, controlled, and monitored.
+- Unify general access and privileged access under Zero Trust principles.
+- Prevent unintended privilege escalation across systems and environments.
+- Support secure productivity across hybrid and multicloud platforms.
+
+This architecture applies to logical access to digital assets. It doesn't address physical access to devices or facilities. Learn more about physical security in [Azure security fundamentals](/azure/security/fundamentals/physical-security).
+
+
+
+## Architectural model overview
+
+The enterprise access architecture organizes access using a few foundational concepts:
+
+- **Architectural planes**, which describe where control and value reside
+- **Access pathways** , which describe how users, systems, and administrators interact with assets.
+
+Together, these concepts describe where business value lives, how it's accessed, and how attackers attempt to gain control.
+
+
+### Data/Workload plane
+
+The data and workload plane contains the systems where business value is created and stored, including:
+
+- Business applications and services
+- Data stores, models, and intellectual property
+
+Because this plane holds the highest concentration of business value, it's the primary objective of most attacks.
+
+:::image type="content" source="./media/security-adoption-discipline-access-enterprise-data-plane.png" alt-text="Picture of enterprise access architecture data plane." lightbox="./media/security-adoption-discipline-access-enterprise-data-plane.png":::
+
+
+
+## Management plane
+
+The management plane enables organizations to deploy, configure, and operate workloads and platforms across on‑premises, cloud, and multicloud environments.
+Access to this plane allows operators to influence workloads at scale, making it a high‑value target for attackers.
+
+## Control plan
+
+The control plane enforces access decisions across the environment. It's typically anchored in enterprise identity systems and, where required, supporting network controls for constrained or legacy environments (for example, some OT systems).
+
+Compromise of the control plane often enables indirect control of all other planes and therefore demands the strongest protections.
+
+
+The diagram shows control and management planes in an enterprise access architecture.
+Both planes have inherent control over business‑critical assets, making them high‑value targets. Compromise of either plane often enables attackers to take control of the data/workload plane indirectly.
+
+
+:::image type="content" source="./media/security-adoption-discipline-access-enterprise-control-plane.png" alt-text="Picture of enterprise access architecture control and management planes." lightbox="./media/security-adoption-discipline-access-enterprise-control-plane.png":::
+
+## Access pathways
+
+To deliver business value, assets in these planes must be accessed through multiple pathways.
+
+
+### User, agent, and application access
+
+General access pathways include:
+
+- **User access**: Employees, partners, and customers access systems through workstations and devices, often using remote access technologies.
+- **Application access**: Services and workloads access other systems programmatically through APIs.
+- **Agent access**: AI agents operating on behalf of users or acting autonomously using dedicated identities.
+
+:::image type="content" source="./media/security-adoption-discipline-access-enterprise-user-app.png" alt-text="Picture of enterprise access architecture user, agent, and app access." lightbox="./media/security-adoption-discipline-access-enterprise-user-app.png":::
+
+Each of these pathways significantly expands the attack surface and must be governed consistently.
+
+## Privileged access
+
+In addition to general access, systems require privileged access for administration, operation, and maintenance.
+
+Because privileged access enables broad control over business‑critical assets, it represents disproportionate risk and must be held to the highest assurance standards.
+
+The enterprise access architecture ensures that privileged pathways are explicitly separated, controlled, and monitored, rather than being implicit extensions of general access.
+
+:::image type="content" source="./media/security-adoption-discipline-access-enterprise-privileged.png" alt-text="Picture of enterprise access architecture privileged access." lightbox="./media/security-adoption-discipline-access-enterprise-privileged.png":::
+
+[Learn more](security-adoption-discipline-identity-access-privileged-model.md) about designing a privileged access architecture.
+
+## Review core architectural principles
+
+Effective enterprise access architectures consistently apply the following principles across all planes and pathways.
+
+**Principle** | **Details**
+--- | ---
+**Enforce Zero Trust** | Assume compromise of adjacent components.
Explicitly validate trust for every access request.
Apply least privilege consistently.
+**Enable business processes** | Security controls must support legitimate work, not obstruct it.
+**Apply consistent policy** | Enforce policy uniformly across users, admins, apps, APIs, and agents.
+**Prevent privileges escalation** | Enforce clear separation between control, management, and workload planes.
+**Continuously verify posture** | Audit configurations and monitor behavior indicative of attack
+
+## Evolution from the legacy AD tier model
+
+The enterprise access architecture evolves the scope of the legacy Active Directory tier model, which focused on preventing privilege escalation in on‑premises Windows environments.
+
+While effective for its time, the tier model didn't fully address modern realities such as:
+
+- Cloud services and SaaS platforms
+- External users and zero‑perimeter access
+- APIs, service identities, and automation
+- AI agents and multicloud environments
+
+
+:::image type="content" source="./media/security-adoption-discipline-access-enterprise-model.png" alt-text="Picture of enterprise access modern." lightbox="./media/security-adoption-discipline-access-enterprise-model.png":::
+
+### Mapping legacy tiers
+
+The enterprise access architecture preserves the security intent of the tier model while expanding it for modern environments.
+
+- **Tier 0 > Control plane**: Encompasses the full control plane, including identity systems, centralized access enforcement, and network controls.
+- **Tier 1 > Management and data/workload planes**: Separates into the management plane (protect enterprise-wide IT management functions) and per-workload administration performed by IT teams/business unities. This separation improves protection for high-value systems and DevOps operations.
+- **Tier 2 > General access pathways**: Covers users access (B2B, B2C, public) and expands to include application/API access pathways, and their attack surfaces.
+
+## How to use this architecture
+
+The enterprise access architecture isn't an implementation guide. Instead, it provides:
+
+- A shared mental model for architects and security leaders
+- A foundation for aligning identity, privileged access, and Zero Trust strategies
+- A framework for evaluating and improving access‑related security decisions over time
+
+Detailed implementation guidance is covered in related discipline and solution articles.
+
+## Next steps
+
+[Review](security-adoption-discipline-identity-access-privileged-model.md) privileged access architecture.
\ No newline at end of file
diff --git a/security-docs/zero-trust/security-adoption-discipline-identity-access-privileged-model.md b/security-docs/zero-trust/security-adoption-discipline-identity-access-privileged-model.md
new file mode 100644
index 000000000..1d7f3f9b5
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-discipline-identity-access-privileged-model.md
@@ -0,0 +1,210 @@
+---
+title: Build a privileged access architecture across the security adoption Identities and Access discipline
+description: Learn how to design an architecture for privileged access within the security adoption Identities and Access discipline
+ms.date: 05/12/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want to understand how I can design an privileged access architecture across the security adoption Identities and Access discipline
+---
+
+
+# Design a privileged access architecture
+
+This article describes how to design a privileged access architecture as part of an [Access and Identities discipline](security-adoption-discipline-identity-access.md).
+
+It provides guidance for security architects and designers who need to translate the [secure privileged access business outcome](security-adoption-scenario-privileged-access.md) into an end-to-end architecture that can be implemented and operated.
+
+## Why a privileged access architecture?
+
+Securing and governing privileged access is critically important because privileged access controls the identity system, management interfaces, and enforcement mechanisms that protect everything else.
+
+The goal of this article is to help you design an architecture that:
+
+- Defines approved privileged access paths.
+- Makes those paths enforceable across identity, devices, and interfaces.
+- Makes privileged activity observable for response and continuous improvement.
+
+## Privileged access design
+
+A privileged access architecture:
+
+- Defines how high impact administrative access is intentionally designed, constrained, and governed across the organization.
+- Prevents loss of control over business critical systems by ensuring that only explicitly authorized, trustworthy access paths are used, and that those paths are continuously validated and monitored.
+
+Designing privileged access is not a single technical decision and isn't owned by a single technical function. It's a result of coordinated design decisions across multiple security disciplines, each contributing a distinct part of the overall control system.
+
+## Privileged access disciplines
+
+The disciplines summarized in the table work together to ensure that privileged access is intentional, enforceable, observable, and sustainable.
+
+
+**Discipline** | **Role**
+--- | ---
+**Security strategy, integration and governance** | Defines why privileged access exists and what must be protected. It sets priorities, risk tolerance, and success criteria. These decisions establish the scope and intent of the privileged access architecture before any controls are designed.
+**End-to-end security architecture** | Translates strategy into a coherent technical design. It ensures privileged access controls work together across identities, endpoints, apps, and infrastructure, instead of as isolated tools. This discipline defines the closed‑loop model authorized access paths that are enforced, validated, and continuously monitored across control, management, and workload planes.
+**Access and identity** | Defines who can perform privileged actions and under what conditions. It designs privileged identities, role models, approval workflows, and access lifecycles so that elevated access is explicit, limited, and time‑bound. It ensures identity signals (risk, context, role) are reliable inputs into privileged access decisions.
+**Infrastructure security** | Infrastructure provides the enforcement layer that limits blast radius. It isolates privileged access paths from standard user environments, reduces attack surface on systems used for administration, and supports conditional enforcement based on identity and device trust. Infrastructure design ensures privileged access constraints are technically enforceable, not just policy‑defined.
+**Security posture** | Measures whether privileged access controls remain effective over time. It tracks coverage, configuration drift, and compliance against defined security levels or profiles, providing feedback to governance and architecture. Posture management ensures privileged access protections scale, adapt, and improve rather than degrade.
+**Security operations (SecOps)** | SecOps ensures privileged access is observable and defensible in practice. It defines what normal privileged behavior looks like, prioritizes monitoring for high‑impact identities and access paths, and enables rapid detection, investigation, and response when anomalies occur. Privileged access architecture is designed with the assumption that controls can fail and misuse must be detected quickly.
+
+
+
+## Strategy, integration, and governance
+
+A privileged access architecture must be anchored in a strong [security strategy, integration, and governance discipline](security-adoption-discipline-strategy.md) that defines why privileged access matters, how to apply it across the organization, and how to sustain it over time.
+
+### Mission and outcomes
+
+Within a privileged access architecture, this discipline enables the organization to:
+
+- **Set a clear direction for privileged access**: Define what constitutes high‑impact access, which access paths are allowed, restricted, or eliminated, and how success is measured.
+- **Integrate privileged access into operations**: Embed privileged access requirements into planning, architecture, engineering, operations, and partner ecosystems so they are not treated as exceptions.
+- **Govern decisions and investments**: Establish policies, standards, and accountability that drive consistent prioritization and execution across identity, infrastructure, applications, and security operations.
+- **Enable better business decisions**: Provide leaders with the risk context needed to approve access, technology changes, and new initiatives safely—rather than blocking progress or accepting unmanaged risk.
+- **Focus and prioritize**: Translate business priorities into actionable privileged access strategy so teams focus on the most consequential risks, not just the most visible issues.
+- **Adapt to change**: Continuously update privileged access strategies as shift happens in evolving threats, new technologies, and business needs.
+- **Reduce incident impact**: Improve consistency, coordination, and accountability, reducing both the likelihood and severity of privileged access–related incidents and improving recovery outcomes.
+
+### Implementation readiness
+
+**Decide** | **Details** | **Why?**
+--- | --- | ---
+**What does privileged access mean in your organization?** | Define which roles, actions, and systems count as high-impact.
For example: Entra Global Administrators, Azure subscription owners, production database administrators, and identity platform operators. | Without this definition, teams can’t clearly identify which accounts require stronger controls—everything becomes “somewhat privileged,” leading to inconsistent use of PIM, PAWs, stricter Conditional Access, and monitoring.
+**Which business-critical systems are in scope?** | List the systems where loss of admin control would cause real damage (identity systems, core infrastructure, production workloads, sensitive data platforms). | Prevents teams from protecting low‑value systems first or skipping high‑impact ones because “ownership wasn’t clear”.
+**Which privileged access paths are allowed, restricted, or eliminated?** | Decide how admins are allowed to reach those systems (for example: only from PAWs, only via approved portals, no legacy protocols, no direct RDP from personal devices). | Implementation teams need this to know which access patterns to block vs. design for. Otherwise, they preserve risky paths for “compatibility”.
+**Trade offs you're willing to accept** | Explicitly state where convenience wins and where it doesn’t (for example: emergency access allowed with logging vs. no standing admin access ever). | Stops endless debates during rollout and prevents security from being blamed for “breaking operations”.
+**Who is allowed/approved to change privileged access design** | Define decision‑makers for role creation, exceptions, scope expansion, and emergency changes (not just “IT decides”). | Without clear ownership, exceptions accumulate silently and risks increases over time.
+**Which standards are non-negotiable for privileged access**? | Document rules like “all human admins use PIM”, “no standing Global Admins”, “privileged access requires compliant devices”. | Gives implementers guardrails — they don’t have to interpret intent or reinvent policy per team.
+
+
+## End-to-end security architecture
+
+A privileged access architecture must be designed as an [end‑to‑end security architecture](security-adoption-discipline-architecture.md), not a collection of individual controls. This discipline ensures that identity, devices, access enforcement, monitoring, and response work together as a single closed‑loop system that can withstand partial failures.
+
+### Mission and outcomes
+
+Within a privileged access architecture, this discipline enables the organization to:
+
+- **Design privileged access as a system**: Ensure identity, device trust, access enforcement, monitoring, and response reinforce each other rather than operating in isolation.
+- **Define authorized access paths end‑to‑end**: Make it explicit how a privileged session is established, validated, monitored, and terminated.
+- **Prevent bypass and privilege escalation**: Avoid gaps where attackers can move between planes (control, management, workload) or bypass controls through legacy paths.
+- **Assume control failure and recover safely**: Design for detection and response when controls fail, not just prevention.
+- **Create enforceable constraints**: Ensure architectural intent can actually be enforced by identity systems, devices, infrastructure, and platforms.
+
+### Implementation readiness
+
+**Decision before implementation** | **Details** | **Why this matters**
+--- | --- | ---
+**Document a reference architecture for privileged access** | Document the end‑to‑end model for a privileged session (identity > device > interface > target > monitoring > response). | Without this, teams deploy “correct” controls that don’t work together and can be bypassed.
+**Assume plane separation** | Define boundaries between control plane, management plane, and workload/data plane, and which identities can cross them. | Prevents privilege escalation from lower‑trust planes into higher‑impact systems.
+**Specify integration points** | Specify which signals must flow between systems (identity risk → access decisions, access events → monitoring, monitoring → response). | Ensures telemetry and enforcement are connected, not just enabled.
+**Decide on a failure and containment model** | Decide how the architecture behaves when an admin account, device, or session is compromised. | Avoids architectures that collapse completely once one control fails.
+**Decide on an enforcement model** | Decide where enforcement happens (identity, device, network, platform) and which controls are authoritative. |Prevents reliance on soft policies that can’t actually block access.
+
+## Access and identities
+
+The [access and identities discipline](security-adoption-discipline-identity-access.md) turns privileged access strategy into explicit identity models. It defines who can perform privileged actions, under what conditions, for how long, and with which signals contributing to access decisions.
+
+### Mission and outcomes
+
+Within a privileged access architecture, this discipline enables the organization to:
+
+- **Make privilege explicit**: : Clearly distinguish privileged identities from standard user and workload identities.
+- **Eliminate standing privilege**: Ensure elevated access is time‑bound, approved, and auditable.
+- **Reduce blast radius**: Scope privileged roles tightly to systems and actions that truly require them.
+- **Provide reliable trust signals**: Ensure identity risk, authentication strength, and context can be used in access decisions.
+- **Support recovery without weakening controls**: Enable emergency access without reintroducing permanent risk.
+
+### Implementation readiness
+
+**Decision before implementation** | **Details** | **Why this matters**
+--- | --- | ---
+**Which identities are privileged?** | Define which human and non‑human identities are considered privileged, and which are explicitly not. | Prevents mixing admin, service, and automation identities under one model.
+**What's the privileged role taxonomy?** | Define role tiers, scopes, and responsibilities (for example: tenant‑wide vs workload‑specific admins). |Enables correct role assignment and avoids over‑privileging.
+**Define access lifecycle** |Define how privileged access is granted (JIT, approvals), duration, renewal, and revocation. | Without this, teams default to standing access “until later”.
+**Decide on required trust signals** | Specify which signals must be evaluated (MFA strength, device compliance, identity risk, session context). | Allows Conditional Access to be designed intentionally instead of reactively.
+**Decide on an emergency access model** | Define break‑glass accounts, controls, logging, and review expectations. | Ensures recoverability without undermining the architecture.
+
+
+
+
+## Infrastructure security
+
+The [Infrastructure security discipline](security-adoption-discipline-infrastructure.md) provides the enforcement surface that makes privileged access constraints real. This discipline ensures architectural intent can actually be applied and sustained.
+
+### Mission and outcomes
+
+Within a privileged access architecture, this discipline enables the organization to:
+
+- **Enforce isolation**: Separate privileged environments from standard user environments.
+- **Reduce attack surface**: Harden systems used for administration.
+- **Limit blast radius**: Prevent lateral movement from compromised assets.
+- **Support identity-driven enforcement**: Ensure infrastructure can honor identity and device trust decisions.
+
+
+### Implementation readiness
+
+**Decision before implementation** | **Details** | **Why this matters**
+--- | --- | ---
+**Define an isolation model** | Define how privileged environments are separated from standard environments. | Limits lateral movement and credential theft.
+**Define attack surface reduction expectations** | Define baseline hardening for admin devices and systems. |Prevents privileged access from running on insecure foundations.
+**Decide on enforcement mechanisms** |Decide how identity, device, and network controls are enforced by infrastructure. | Avoids architectures that rely on policy alone.
+**Identity platform constraints** | Document cloud, on-premises, and hybrid limitations. | Prevents designs that can’t be implemented.
+**Define infrastructure prerequisites** | Define what must exist before rollout (device management, identity integration). | Avoids failed or partial deployments.
+
+## Security posture
+
+The [security posture management discipline](security-adoption-discipline-posture.md) ensures that privileged access protections remain effective over time, not just at initial deployment. It turns architecture into continuous assurance.
+
+### Mission and outcomes
+
+Within a privileged access architecture, this discipline enables the organization to:
+
+- **Measure effectiveness**: Know whether privileged access protections are actually in place and working.
+- **Detect drift**: Identify when roles, devices, or access paths fall out of compliance.
+- **Prioritize remediation**: Focus effort on gaps that increase real business risk.
+- **Sustain the architecture**: Keep privileged access aligned as environments and organizations evolve.
+
+
+### Implementation readiness
+
+**Decision before implementation** | **Details** | **Why this matters**
+--- | --- | ---
+**Define security levels** | Define expected protection levels for privileged roles, devices, and access paths. | Prevents inconsistent protection across teams and platforms.
+**Define coverage expectations** | Decide what “complete” looks like (roles, devices, systems covered). |Avoids partial implementations being treated as success.
+**Decide on a drift detection model** |Define how deviations are identified and reported.| Prevents silent erosion of controls over time.
+**Review cadence** | Decide how often privileged access posture is reviewed. | Ensures issues are addressed before incidents occur.
+**Decide on remediation ownership** | Define who fixes gaps and by when. | Turns posture into action, not reporting.
+
+## SecOps
+
+The [SecOps discipline](security-adoption-discipline-security-operations.md) ensures privileged access is observable, prioritized, and actionable. This discipline makes sure misuse of privileged access is detected quickly and handled consistently.
+
+### Mission and outcomes
+
+Within a privileged access architecture, this discipline enables the organization to:
+
+- **Detect privileged misuse early**: Treat privileged activity as high‑signal events, not background noise.
+- **Prioritize response**: Ensure incidents involving privileged access receive immediate attention.
+- **Contain damage quickly**: Reduce dwell time and blast radius during privileged access incidents.
+- **Feed learning back into design**: Use real incidents to improve strategy, architecture, and controls.
+
+
+### Implementation readiness
+
+**Decision before implementation** | **Details** | **Why this matters**
+--- | --- | ---
+**Define what normal privileged behavior looks like** | Define expected admin actions, locations, devices, and access patterns. | Enables meaningful anomaly detection instead of alert floods.
+**Decide which events are high priority** | Identify privileged role activations, admin sign‑ins, access from non‑trusted devices, and policy bypasses. | Ensures privileged incidents are not lost among lower‑risk alerts
+**Define response ownership** |Define who owns investigation, containment, and escalation for privileged incidents.| Avoids delays during high‑impact events.
+**Define response playbooks** | Define expected actions when privileged misuse is suspected. | Ensures consistent, repeatable response under pressure.
+**Decide on a feedback loop to strategy** | Decide how incidents drive changes to strategy and architecture. | Prevents repeating the same failures.
+
+
+## What's next?
+
+Kick off deployment with [Implement a privileged access architecture](security-adoption-scenario-privileged-access.md).
\ No newline at end of file
diff --git a/security-docs/zero-trust/security-adoption-discipline-identity-access-privileged-strategy.md b/security-docs/zero-trust/security-adoption-discipline-identity-access-privileged-strategy.md
new file mode 100644
index 000000000..017a1e919
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-discipline-identity-access-privileged-strategy.md
@@ -0,0 +1,128 @@
+---
+title: Build a privileged access architecture strategy across the security adoption Identities and Access discipline
+description: Learn how to design a strategy for privileged access within the security adoption Identities and Access discipline
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want to understand how I can design a privileged access architecture across the security adoption Identities and Access discipline
+---
+
+
+# Establish a privileged access strategy
+
+[Security disciplines](security-adoption-discipline-overview.md) are groupings of related security work that help teams to consistently deliver security outcomes across the entire technology estate. They're used in our security adoption model to provide a bridge between [business scenarios](security-adoption-business-scenarios-overview.md) and technical implementation, ensuring that security investments translate into real, measurable outcomes.
+
+The Security Architecture discipline establishes a cross-organizational strategy for controlling and governing access paths to business assets.
+
+As you establish the Security Architecture discipline, this article provides guidance for creating a privileged access architecture.
+
+## Privileged access strategy
+
+Designing a privileged access strategy should be treated as a top security priority because compromise of privileged users and systems is likely and has high-impact consequences. Privileged users typically have control over business‑critical assets, and attackers frequently exploit weaknesses in privileged access during targeted data theft and human-operated ransomware incidents.
+
+A privileged access strategy is designed to:
+
+- Reduce organizational risk by controlling, minimizing, and protecting high‑impact access paths. This requires applying rigorous security controls across the full security lifecycle (identify, protect, detect, respond, recover, and govern) using Zero Trust principles.
+- Progressively reduce attacker opportunities while preserving the organization’s ability to operate and administer critical systems.
+
+
+## Strategic goals
+
+Key strategic goals are summarized in the table.
+
+**Goal** | **Details** | **Action**
+--- | --- | ---
+**Limit exposure of privileged credentials** | Privileged credentials are high‑value targets wherever they are used or stored. Exposure occurs when privileged users authenticate from lower‑security devices or environments, creating opportunities for credential theft and system compromise. | Reduce risk by applying least privilege through a combination of:
- Just Enough Access: Grant only the permissions required to perform specific tasks.
- Just‑in‑Time access: Provide elevated access only when needed, often with approval workflows.
- Elevated protections: Apply stronger security controls to privileged accounts, devices, and data than to standard users.
+**Isolate and monitor privileged access pathways** | An effective privileged access strategy seals off unauthorized escalation paths and leaves only a small number of approved, tightly controlled, and closely monitored pathways for privileged activity. | Action requires a holistic, end‑to‑end approach that includes:
- Stronger authentication and device trust requirements.
- Continuous monitoring for anomalous activity.
- Priority detection and response when privileged access is involved
+**Reduce the number of privileged assets** | A sustainable strategy minimizes how much privilege exists in the environment. Reducing the number of privileged identities directly lowers the attack surface and attacker return on investment.| Organizations should actively identify and remove unnecessary privileged access by:
- Eliminating unused or excessive permissions.
- Redesigning support and operational processes.
- Removing accounts from privileged groups where elevation is not required.
+**Separate workflows** | Using the same accounts or workstations for productivity activity and administrative activity potentially introduces a dangerous bridge between common attack vectors and enterprise‑wide control. | Organizations must clearly separate high‑exposure productivity activities (email, web browsing, collaboration) from high‑impact administrative activities.
People who perform privileged tasks should use separate accounts, devices, and workflows for administrative access, preventing attackers from moving from low‑risk environments into high‑impact systems.
+
+
+## Strategic design principles
+
+Design a privileged access architecture around the following principles:
+
+- **Treat privileged access as an end-to-end system**: Privileged access risk spans identities and role assignments, devices and execution environments, intermediary components such as gateways and management agents, elevation workflows and approval processes, and monitoring/response mechanisms. Attackers will find and chain weaknesses across these elements. A resilient strategy assumes attackers are goal‑oriented and technology‑agnostic and therefore requires a complete, integrated approach.
+- **Assume attackers are persistent, adaptive, and goal‑oriented**: Attackers do not target technologies, they target outcomes. They'll probe for small weaknesses, combine multiple techniques, and shift to the easiest available path when blocked. They are looking for a good return on their investment. The strategy must be resilient to this behavior by eliminating entire classes of unauthorized access paths, not just hardening individual components.
+- **Understand no single control is sufficient**: A sustainable strategy must blend multiple technologies and controls into a holistic approach that covers multiple attacker entry points. There's no silver bullet. Implementing a Privileged Identity Management / Privileged Access Management (PIM/PAM) solution is valuable, but not sufficient on its own, because attackers don’t operate within the boundaries of a single product. A resilient strategy builds a solution that works across identities, devices, intermediaries, workflows, and detection/response. Single‑layer defenses leave exploitable gaps.
+- **Apply Zero Trust principles consistently**: The strategy must apply Zero Trust principles across the entire privileged access lifecycle, as a design requirement.
+ - Explicit verification for every privileged session.
+ - Least privilege through Just‑Enough‑Access and Just‑In‑Time processes.
+ - Assume breach, limiting blast radius and detecting abuse quickly.
+- **Prefer centralized, cloud‑based control planes**: Privileged access strategies depend on consistent policy enforcement, visibility, and rapid evolution as attacker techniques change.
+Using cloud‑based identity and security services as the control plane enables:
+
+ - Centralized policy enforcement across environments
+ - Continuous logging, analytics, and detection
+ - Faster rollout of new protections with less operational drift
+
+ Execution might occur on devices, intermediaries, or workloads, but governance and decision‑making must remain centralized.
+- **Design for incremental improvement, not perfection**: Privileged access strategy is a journey, and sustainability is as important as strength.
+Design choices should:
+
+ - Deliver immediate risk reduction
+ - Support phased adoption
+ - Avoid brittle or overly complex solutions
+ - Improve security posture continuously without disrupting operations
+
+- **Make authorized privileged access low-risk and observable**: The goal is to enable necessary administrative work, but in a way that is tightly controlled, high assurance, and continuously monitored—because privileged access is foundational to all other security assurances.
+
+## Understand privilege access pathways
+
+We recommend deploying a "closed loop" system for privileged access, so that only trustworthy clean devices, accounts, and intermediately systems are allowed. There are two goals around privileged access pathways:
+
+- Strictly limit the ability to perform privileged actions to a few authorized pathways.
+- Protect and closely monitor those pathways.
+
+### Types of pathways
+
+There are two primary pathways used to access enterprise systems:
+
+- **User access**: Standard user accounts performing productivity tasks such as email, collaboration, web browsing, and line‑of‑business applications.
+**Privileged access**: High‑impact access used to manage systems, data, and infrastructure. Compromise of this pathway enables widespread damage.
+
+The following diagram illustrates these pathways.
+- User Access depicts a standard user account performing general productive tasks.
+- Privileged Access depicts privileged accounts accessing business-critical system and data.
+
+:::image type="content" source="./media/security-adoption-discipline-access-strategy-pathway.png" alt-text="Picture showing user access versus privileged access." lightbox="./media/security-adoption-discipline-access-strategy-pathway.png":::
+
+Within these paths, identity systems provide identity support functions for standard and privileged users. Authorized elevation paths provide standard users with the means to interact with privileged workflows. These components together make up the privileged attack surface that adversaries might target to gain elevated access.
+
+This diagram shows a simple cloud architecture. For on-premises systems, or IaaS systems with customer-managed operating systems, complexity grows, and attack surfaces increase.
+
+:::image type="content" source="./media/security-adoption-discipline-access-strategy-pathway-complex.png" alt-text="Picture showing user access versus privileged access with potential attack surface." lightbox="./media/security-adoption-discipline-access-strategy-pathway-complex.png":::
+
+### Minimizing attack surface
+
+Creating a sustainable and manageable privileged access strategy requires closing off all unauthorized vectors using a combination of:
+
+- Zero Trust access controls.
+- Protection against direct asset attacks with good security hygiene practices to these systems. This typically includes things like rapid application of security updates/patches, configuring operating systems using manufacturer/industry security baselines, and protecting data-at-rest and in- transit.
+
+:::image type="content" source="./media/security-adoption-discipline-access-strategy-assets.png" alt-text="Picture showing end to end privileged access strategy." lightbox="./media/security-adoption-discipline-access-strategy-assets.png":::
+
+
+## Strategic initiatives
+
+Implementing this strategy requires four complementary initiatives, each with clear outcomes and success criteria. These initiatives work together to prevent attackers from gaining, expanding, or abusing privileged access.
+
+**Initiative** | **Details** | **Success criteria**
+--- | --- | ---
+**Establish end-to-end session security** | Establish explicit Zero Trust validation for privileged sessions, user sessions, and authorized elevation paths. | Each session validates that each user account and device are trusted at a sufficient level before allowing access.
+**Protect and monitor identity systems** | Protect and monitor identity including directories, identity management, admin accounts, and consent grants. | Each of these systems is protected at a level appropriate for the potential business impact of accounts hosted in it.
+**Mitigate lateral traversal** | Protect against lateral traversal with local account passwords, service account passwords, or other secrets. | Compromising a single device won't immediately lead to control of many or all other devices in the environment
+**Response to threats quickly** | Deploy rapid threat response to limit adversary access and time in the environment. | Incident response processes impede adversaries from reliably conducting a multi-stage attack in the environment that would result in loss of privileged access.
Measured by reducing the mean time to remediate (MTTR) of incidents involving privileged access to near zero, and reducing MTTR of all incidents to a few minutes so adversaries don't have time to target privileged access.
+
+## Next steps
+
+- Microsoft Unified offers cybersecurity reference architectures, Zero Trust guidance, and expert-led workshops to help organizations with end to end security architecture. [Learn more](workshop-business-overview.md).
+
+
+ :::image type="content" source="./media/security-adoption-discipline-access-workshop.png" alt-text="Diagram of Microsoft Unified workshops for Access and Identity technology adoption, showing key phases and activities." lightbox="./media/security-adoption-discipline-access-workshop.png":::
+
+- Review [other security disciplines](security-adoption-discipline-overview.md).
\ No newline at end of file
diff --git a/security-docs/zero-trust/security-adoption-discipline-identity-access.md b/security-docs/zero-trust/security-adoption-discipline-identity-access.md
new file mode 100644
index 000000000..0d5e82ccb
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-discipline-identity-access.md
@@ -0,0 +1,194 @@
+---
+title: Establish an Access and Identities discipline
+description: Use the Microsoft security adoption model to modernize and secure identity and access across the business, based on Zero Trust principles.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want to understand how I can use the Microsoft security adoption model to modernize and secure identity and access across the business.
+---
+
+# Establish an Access and Identities discipline
+
+This article helps security and technology teams establish and modernize a Security Architecture discipline that provides a clear, end‑to‑end technical vision for security across the organization.
+
+[Security disciplines](security-adoption-discipline-overview.md) are groupings of related security work that help organizations consistently deliver security outcomes across the entire technology estate. Within the security adoption model, disciplines help provide a bridge between [business scenarios](security-adoption-business-scenarios-overview.md) and [technical implementation](implement-overview.md), ensuring that security investments translate into real measurable outcomes as part of the [security adoption model](security-adoption-model.md).
+
+
+
+## Why this discipline?
+
+Access and identity is the security discipline that most people interact with first—and most often. Every user experiences it every time they sign in to a device, access an application, share a file, connect remotely, or use physical credentials to enter a building.
+
+Because access controls sit at the intersection of security and productivity, they directly influence both organizational risk and user experience.
+
+The Access and Identities discipline:
+
+-
+- **Reduces risk** by shaping and governing access paths to business assets, ensuring the right entities have the right access under the right conditions, while preventing abuse by attackers.
+- **Enables productivity** with consistent, low‑friction access that discourages insecure workarounds and shadow IT
+- **Provides a common strategy** that security leaders and practitioners can align to and execute consistently across the organization
+
+This is a strategic priority because identities are the most common entry point for attacks, and because [privileged access](security-adoption-discipline-identity-access-privileged-model.md) compromise dramatically amplifies attack impact. Techniques such as password spray, phishing, and token theft are routinely used to gain an initial foothold. Pass‑the‑hash, pass‑the‑ticket, and similar identity compromise attacks are regularly used to move laterally, escalate privileges, and reach high‑value assets.
+
+Without an effective Access and Identities discipline, organizations face increased risk from:
+
+- **External compromise**: Attackers can rapidly take over legitimate user or service identities, including privileged accounts, and use them to discover and exploit business assets.
+- **Insider abuse and privilege misuse**: Malicious, negligent, or compromised insiders can abuse elevated privileges to access sensitive systems and data.
+- **Productivity loss and insecure workarounds**: Overly restrictive or inconsistent access controls frustrate users and drive the adoption of shadow IT with weaker controls and limited visibility, increasing risk and blast radius.
+
+## Mission and outcomes
+
+An effective Access and Identities discipline is built around two complementary strategic objectives:
+
+- **Secure general access** - Increase baseline security across all organizational assets by consistently enforcing minimum security assurances for everyday access.
+- **Secure privileged access** - Protect access that can have material business impact, including high‑value business assets, IT administrative accounts, workload identities, and artifacts that grant broad or deep control.
+
+Together, these objectives ensure that access security scales with business value and risk, providing strong protection where it matters most, without unnecessarily obstructing routine work.
+
+The following diagram illustrates these two complementary goals:
+
+:::image type="content" source="./media/security-adoption-discipline-access-strategy.png" alt-text="Diagram of two strategic goals for access security: securing general access and securing privileged access." lightbox="./media/security-adoption-discipline-access-strategy.png":::
+
+
+## How to apply this discipline
+
+To apply the Access and Identity discipline effectively, focus on establishing a consistent, identity-centric approach to how access is managed across the organization:
+
+1. **Define an identity-centric access model aligned to business risk**
+ Establish a clear approach for how users, devices, applications, and workloads access organizational resources based on risk and business impact.
+1. **Ensure consistent verification of access across all environments**
+ Apply a uniform approach to validating identity, device, and access conditions regardless of location, application, or network.
+1. **Standardize access controls and policies across the organization**
+ Provide clear guidance to ensure that access decisions are applied consistently and reduce fragmentation across systems and environments.
+1. **Align access management with business scenarios and critical assets**
+ Prioritize access controls that protect high-value assets and support key scenarios such as secure remote work and protection of critical systems.
+1. **Continuously monitor and refine access based on risk and activity**
+ Use insights from access patterns, risk signals, and security events to strengthen controls and reduce exposure over time.
+
+
+## Manage change
+
+Traditional access control models focused on network perimeters, layering identity systems, and VPNs around a trusted internal network. These models no longer meet the needs of modern enterprises that operate across cloud, SaaS, mobile, AI, and hybrid environments. Legacy approaches often result in:
+
+- Fragmented solutions across identity, network, and application layers.
+- Weak or inconsistent privileged access protection.
+- Poor integration with security operations and detection.
+- Gaps that attackers routinely exploit.
+
+
+The following diagram illustrates this limitation:
+
+:::image type="content" source="./media/security-adoption-discipline-access-fragment.png" alt-text="Diagram of legacy access control with isolated systems and gaps in privileged access security." lightbox="./media/security-adoption-discipline-access-fragment.png":::
+
+A modern Access and Identities discipline goes beyond individual technologies. It focuses on business priorities, integration, and completeness across all access paths, while enforcing a single, coherent access strategy. Modern access control must be:
+
+- **Secure:** Explicitly validate users, devices, and workloads using rich signals. Prevent unauthorized privilege escalation, and protect privileged access.
+- **Consistent and comprehensive:** Cover all access paths—human and nonhuman—and apply security assurances uniformly to eliminate gaps and improve user experience.
+- **Integrated:** Use centralized policy and a minimal number of policy engines to enforce controls consistently at scale, avoiding configuration drift.
+- **Identity-centric**: Prioritize identity‑based controls, which provide richer context than network‑only signals. Use network controls as a complementary layer, not the primary trust boundary.
+
+This diagram from the [Enterprise Access Model](security-adoption-discipline-identity-access-enterprise-model.md) illustrates all of the different types of access paths an organization must secure across multiple workloads, multiple clouds, various business sensitivity levels, and access by both people and devices.
+
+:::image type="content" source="./media/security-adoption-discipline-access-enterprise.png" alt-text="Diagram of the Enterprise Access Model showing secure, consistent, and integrated access paths across users, devices, and workloads." lightbox="./media/security-adoption-discipline-access-enterprise.png":::
+
+
+## Discipline roles and collaborators
+
+Planning and delivery of the Access and Identities discipline is typically owned by teams responsible for identity, access, and networking.
+In larger organizations, responsibilities are distributed across formal roles and processes. In smaller organizations, roles might be combined and handled more informally. In all cases, documenting access and identity strategy as it evolves is recommended.
+
+Primary roles include:
+
+- **Access architects**: Define end‑to‑end access strategy and design across identity, networking, application, and platform layers.
+- **Identity and networking engineers and operators**: Implement, operate, and maintain identity systems, access enforcement, and supporting infrastructure.
+
+Architects must understand all access technologies holistically. Engineers typically have deep expertise in identity and/or networking systems.
+
+Key internal collaborators include:
+
+- **Security and enterprise architects**, to align access controls with broader security architecture and priorities
+- **Engineering and operations teams**, who implement access requirements in platforms and workloads**
+- **Security leaders (CISO and delegates)**, who provide direction and oversight
+- **Developers**, who design and build applications using modern identity and access patterns
+
+No single role owns access in isolation. Successful access control depends on shared responsibility and coordination across teams.
+
+## Strategy components
+
+An effective access and identity strategy secures the full lifecycle of authorized actions. Conceptually, this mirrors the structure of a sentence:
+
+- **Identity subject** – who or what is requesting access.
+- **Access verb** – the action being performed.
+- **Access object** – the asset being accessed.
+
+### Identity subject (who)
+
+Access security starts with knowing who or what is requesting access:
+
+- **All identity types**: Secure human user accounts, workload identities, AI agents, applications, service principals, certificates, and cryptographic keys.
+- - **The full identity lifecycle1**: Manage identities from no access to identity creation, through changes and privilege elevation, to deprovisioning and returning to no access when it's no longer required.
+- **Identity sources**: Define which internal and external identity providers are trusted, how identities are governed, and how lifecycle controls are enforced across those sources.
+
+### Access verb (how)
+
+Access enforcement must cover all assets and access paths across the entire access cycle.
+
+- **Comprehensive coverage**: Enforce policy for cloud, on‑premises, SaaS, AI, OT/IoT assets, across interactive access, APIs, and machine‑to‑machine communication.
+- **Intermediary systems**: Secure devices, directories, gateways, VPNs, and access proxies that mediate access.
+- **Consistent policy**: Apply policy uniformly across general access, privileged access, network access, external access, and workload‑level authorization models.
+- **Adaptive access**: Continuously evaluate whether identities are known, trusted, and allowed using real‑time signals, and terminate sessions if risk changes.
+- **Strong authentication**: Enforce phishing‑resistant authentication and mechanisms that mitigate password‑based attacks.
+- **Modern access mechanisms**: Enforce least privilege at the application level and replace legacy perimeter technologies with identity‑centric approaches such as Security Service Edge (SSE).
+
+### Access object (what)
+
+Access policy must reflect business value, sensitivity, and governance requirements:
+
+- **Align policy to business**: Classify assets and align access controls to their value and risk.
+- **Manage control relationships**: Access strategies must account for transitive control relationships in the security graph. If A controls B and B controls C, A effectively controls C—dramatically increasing blast radius.
+- **Reduce technical debt**: Retire insecure legacy protocols and cryptography (such as LM/NTLM) that undermine access assurances. This often requires coordinated action across identity, endpoints, and infrastructure.
+
+
+
+## Alignment with other disciplines
+
+The Access and Identities discipline doesn't operate independently. It aligns closely with other security disciplines, including:
+
+- **Strategy, Integration, and Governance**. Access decisions shape business risk and prioritization.
+- **Security Architecture**: Access controls enforce architectural decisions.
+- **Security Operations**: Identity telemetry and access signals feed detection, investigation, and response.
+- **Endpoint Security**: Device posture directly influences access trust.
+- **Data Security**: Access policies reflect data sensitivity and governance.
+
+This alignment ensures access decisions support end‑to‑end security outcomes, not fragmented controls.
+
+
+## Alignment with technology pillars
+
+The Access and Identities discipline spans all technology pillars and serves as a unifying control layer across them, as shown in this diagram.
+
+:::image type="content" source="./media/security-adoption-discipline-access-pillar.png" alt-text="Diagram of technology pillars showing how access and identity protections span identities, endpoints, and infrastructure." lightbox="./media/security-adoption-discipline-access-pillar.png":::
+
+The discipline aligns as follows:
+
+- **Identities**: Authentication, authorization, lifecycle management, and privilege controls define who can access assets and under what conditions.
+- **Endpoints**: Endpoint posture and credential protection influence access trust decisions. Compromised devices undermine identity controls.
+- **Infrastructure**: Identity systems and administrative interfaces run on infrastructure and require strong privileged access protection.
+- **Apps**: Applications must use modern identity patterns and enforce least‑privilege access for users, APIs, and pipelines.
+- **Data**: Identity‑based access controls govern who can read, modify, or exfiltrate sensitive data.
+- **Network**: Network controls complement identity‑centric access by mitigating legacy attacks and supporting Security Service Edge (SSE) patterns.
+- **AI**: AI agents and services introduce new identity types that require lifecycle management, least privilege, and monitoring.
+
+
+## Next steps
+
+- Microsoft Unified offers cybersecurity reference architectures, Zero Trust guidance, and expert-led workshops to help organizations with end to end security architecture. [Learn more](workshop-business-overview.md).
+
+
+ :::image type="content" source="./media/security-adoption-discipline-access-workshop.png" alt-text="Diagram of Microsoft Unified workshops for Access and Identity technology adoption, showing key phases and activities." lightbox="./media/security-adoption-discipline-access-workshop.png":::
+
+- Review [other security disciplines](security-adoption-discipline-overview.md).
\ No newline at end of file
diff --git a/security-docs/zero-trust/security-adoption-discipline-infrastructure.md b/security-docs/zero-trust/security-adoption-discipline-infrastructure.md
new file mode 100644
index 000000000..0a27b724e
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-discipline-infrastructure.md
@@ -0,0 +1,175 @@
+---
+title: Establish an Infrastructure and Networking discipline
+description: Use the Microsoft security adoption model to secure cloud infrastructure, including networks, based on Zero Trust principles.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want to understand how I can use the Microsoft security adoption model to effectively secure cloud infrastructure and networking across the business.
+---
+
+# Establish an Infrastructure Security discipline
+
+This article helps security and technology teams establish and modernize an Infrastructure Security discipline across the company. This discipline focuses on protecting the foundational systems and platforms that underpin the security of systems and data across the organization.
+
+[Security disciplines](security-adoption-discipline-overview.md) are groupings of related security work that help organizations consistently deliver security outcomes across the entire technology estate. Within the security adoption model, disciplines help provide a bridge between [business scenarios](security-adoption-business-scenarios-overview.md) and [technical implementation](implement-overview.md), ensuring that security investments translate into real measurable outcomes as part of the [security adoption model](security-adoption-model.md).
+
+
+## Why this discipline?
+
+The Infrastructure Security discipline helps organizations reduce risk from large‑scale compromise by preventing and limiting damage to datacenters, servers, containers, networks, storage, cloud services, and other resources that store and process sensitive data and workloads.
+
+It's a key strategic priority frequently targeted by threat actors because compromise allows them access to many systems at once. A modern, disciplined approach to infrastructure security limits blast radius, improves resilience, and enables secure operations at scale.
+
+Infrastructure underpins every security outcome. If the cloud, containers, virtualization or other infrastructure platforms are compromised, attackers can rapidly access workloads, data, and identities across the organization.
+
+Without effective infrastructure and networking security, organizations might experience:
+
+- Ransomware and extortion attacks
+- Large‑scale data breaches
+- Regulatory noncompliance
+- Operational outages and service disruption
+
+These impacts translate directly into financial loss, reputational damage, and harm to customers and critical services. Infrastructure security is therefore a strategic priority, not just a technical concern.
+
+## Mission and outcomes
+
+The mission of the Infrastructure Security discipline is to safeguard the foundational systems that support workloads and data across on‑premises, hybrid, and multicloud environments. Outcomes of the mission include:
+
+- Reduced blast radius from infrastructure compromise
+- Consistent security controls across environments
+- Improved resilience against ransomware and service outages
+- Stronger protection for sensitive workloads and data
+- Alignment of infrastructure security with business risk
+
+Infrastructure security reduces risk by preventing, detecting, and limiting damage to datacenters, servers, containers, networks, storage, and cloud services throughout their lifecycle.
+
+
+## How to apply this discipline
+
+To apply the Infrastructure and Networking Security discipline effectively, focus on establishing a consistent approach to securing the platforms and connectivity that support your organization:
+
+- **Define an infrastructure security strategy aligned to business risk**
+ Establish a clear approach for securing platforms, workloads, and network environments in a way that protects critical systems and reduces the most significant risks.
+
+1. **Ensure consistent protection across hybrid and multicloud environments**
+ Apply a unified approach to securing infrastructure across on-premises, cloud, and edge environments to reduce gaps and inconsistencies.
+1. **Establish standardized security configurations and practices**
+ Provide clear guidance to ensure that infrastructure and network controls are implemented consistently across environments and workloads.
+1. **Align infrastructure security with business-critical services and scenarios**
+ Prioritize protections for the systems and services that support critical business operations and key scenarios such as secure remote work and protection of critical assets.
+1. **Continuously monitor and improve infrastructure security posture**
+ Use insights from vulnerabilities, misconfigurations, and operational signals to strengthen protections and reduce risk over time.
+
+
+
+## Manage change
+
+The Infrastructure Security Technology Strategy defines how an organization applies modern tools and architectures to protect its foundational systems where critical data resides.
+
+- Strategy focuses on implementing Zero Trust principles, advanced threat protection, automated patching, and continuous monitoring to ensure confidentiality, integrity, and availability of data across hybrid environments.
+- Strategy aligns technology investments with risk reduction goals, enabling secure connectivity, resilience against cyberattacks, and compliance with regulatory standards.
+- Without a clear strategy, organizations face fragmented security controls, increased vulnerabilities, and higher risks of data breaches, service outages, and regulatory penalties.
+
+Modernization of this discipline is focused on:
+
+- Continuously improving infrastructure security throughout the lifecycle of govern, identify, protect, detect, respond, and recover.
+- Implementing security controls such as Zero Trust architecture, automated patching, and continuous monitoring to enhance visibility and address evolving threats/compliance requirements.
+
+These efforts ensure confidentiality, integrity, and availability of data by reducing attack surfaces, preventing unauthorized access, and maintaining resilience against disruptions.
+
+Technology infrastructure is highly complex, has many moving parts, is constantly evolving, and must stay secure against persistent and evolving threats. This means that effective infrastructure security must be:
+
+- **Comprehensive** - Controls must address the various technical elements of infrastructure including networks, endpoints (servers, containers, and more), data, apps, and more to avoid providing threat actors an unguarded access path they can exploit. This requires using a combination of well-know security techniques and the integration of advanced automation and technology as it becomes available.
+- **Consistent and Rigorous** - Security controls must be applied consistently and rigorously across all instances of each technology to avoid providing threat actors an opportunity to exploit vulnerabilities in overlooked or undiscovered resources.
+- **Continuously Improved** - Both the infrastructure itself and the threat actors are constantly evolving, so all aspects of security must continuously evolve as well including threat models, security architectures and controls, how security is integrated into infrastructure management and automation, and more.
+
+Change management is critical. Infrastructure operators must be involved early and consistently—security controls that ignore operational reality fail or are bypassed.
+
+## Discipline roles and collaborators
+
+The Infrastructure Security discipline typically requires close collaboration between technical and security teams. These roles must:
+
+- Work together to ensure that security controls are embedded across infrastructure layers to maintain confidentiality, integrity, and availability of data.
+- Are responsible for planning, designing, and operating secure foundational systems (networks, compute, storage, and cloud platforms) where critical data resides.
+
+In larger organizations, dedicated specialists typically own infrastructure security responsibilities. In smaller organizations, roles might be combined with other technical roles.
+
+Primary Roles:
+
+- **Security Architect** – Designs secure architectures for on-premises and cloud infrastructure, applying Zero Trust principles and integrating identity, network, and platform security.
+- **Infrastructure Engineering and Operations** – Implements and manages secure configurations, patching, monitoring, and compliance for servers, networks, and cloud workloads. Maintain secure configurations and enforce compliance across infrastructure components.
+- **Network Engineer** – Focuses on secure connectivity, segmentation, and protection of data in transit across hybrid environments.
+
+
+Key internal collaborators include:
+
+- **Enterprise and Solution Architects** – Ensure security requirements are integrated into infrastructure designs and modernization initiatives.
+- **Security Strategy, Integration, and Governance** – Provides governance and oversight for security controls, aligning infrastructure security with organizational risk management. Helps prioritize projects and vulnerabilities based on organizational risk and impact.
+- Developers and Application Teams – Collaborate to ensure infrastructure supports secure application deployment and data protection.
+- CISO and Security Leadership – Define strategic priorities, risk tolerance, and compliance objectives for infrastructure security.
+
+Infrastructure architects must understand how identity, network, and platform security intersect to protect workloads effectively.
+
+## Alignment with other disciplines
+
+Infrastructure and Networking security works in concert with other SAF disciplines:
+
+- Access and Identities – Secures privileged and service access to infrastructure
+- Security Operations (SecOps) – Detects and responds to infrastructure‑based attacks
+- Data Security – Protects sensitive data hosted and processed on infrastructure
+- Security Architecture and Governance – Aligns controls with risk and business priorities
+
+This alignment ensures infrastructure security supports end‑to‑end security outcomes rather than operating as an isolated silo.
+
+## Alignment with technology pillars
+
+## Infrastructure security and technology pillars
+
+Executing the strategy of the infrastructure security discipline requires security controls across multiple technology pillars:
+
+:::image type="content" source="./media/security-adoption-discipline-infrastructure.png" alt-text="Infrastructure Security - mapping to technology pillars" lightbox="./media/security-adoption-discipline-infrastructure.png":::
+
+Alignment with technology pillars includes:
+
+
+- **Identities**: Identity controls form the foundation of all access control.
+ - Just as you can't form a sentence without a subject and object, you can't establish reliable access policies that determine who can access what if you don't have accounts and identities assigned to employees, partners, customers, AI agents, computers, applications, microservices, and more.
+ - Attackers regularly try to compromise and abuse accounts, credentials, tokens, and other identity artifacts to gain access to business assets in the organization (often prioritizing privileged accounts like IT admins to get access to many or all digital assets in the organization).
+- **Endpoints**: Access control assurances rely on endpoint security to be effective. Attackers who compromise an endpoint can impersonate accounts that sign onto the endpoint and can steal credentials, tokens, and other identity artifacts for later attacks. Retiring legacy authentication protocols and cryptography often requires updating and reconfiguring endpoints.
+- **Infrastructure**: The organization's infrastructure hosts identity systems (such as Active Directory Domain Controllers, LDAP servers, federation servers, and more), so any compromise of these assets can result in a compromise of many or all accounts and identities in the organization. Additionally, IT administrators must follow identity and access best practices for privileged accounts used to manage infrastructure assets (including infrastructure as code (IAC) and other automation). Retiring legacy authentication protocols and cryptography often requires updating and reconfiguring infrastructure.
+- **Apps**: Applications are a key store of value for the organization and are commonly used as entry points by threat actors to gain access to other assets. All apps must follow access and identity security best practices including commercial Software as a Service (SaaS) and mobile apps, custom developed apps, CI/CD processes for development, and more.
+- **Data**: Data is a key store of value for the organization and often targeted by attackers for intellectual property theft, encryption to gain leverage for extortion or ransomware, planning future attacks, and other purposes. Security best practices must be followed rigorously because access and identity are the primary means of protecting data.
+- **Networking**. Network controls are foundational to access control. While network was once the dominant access control technology and skill, the utility and importance of network controls diminished as assets are increasingly on cloud providers, mobile devices, and other environments outside of the organization's network. Access and Identity can no longer primarily focus only network controls, but must maintain basic controls to block older attacks and integrate network enforcement into modern controls like security service edge (SSE).
+- **AI**: AI apps and agents must have identities to govern what they can access. Identities must be carefully designed to enforce the least privilege principle and monitor for anomalous activity. AI also increases the volume and quality of all attacks, further amplifying the need to follow security best practices like phishing resistant authentication and more. Access and Identity can also take advantage of AI to automate discovery of policy misconfigurations and other issues.
+
+## Microsoft resources
+
+### Workshop
+
+Microsoft Unified offers expert-led workshops to help organizations modernize their Infrastructure Security strategy, architecture, and technology. These workshops include:
+
+- **Architecture and strategy workshops** - The *Security Adoption Framework (SAF) - Architecture Design Session: Infrastructure and Development Security* workshop focuses on accelerating development security modernization and integration with infrastructure security. This workshop is available as a less than four-hour summary/discussion focused on key learnings and best practices.
+- **Technology adoption workshops** - Microsoft Unified has workshops to help organizations learn about, plan, implement, and optimize the use of Microsoft infrastructure and networking technologies including Microsoft Entra and Microsoft Intune.
+
+
+### Technology
+
+Microsoft offers technology solutions that enable and accelerate modernization of infrastructure security.
+
+**Technology** | **Details**
+--- | ---
+**Microsoft Defender for Cloud** | Provides extended detection and response (XDR) and posture management capabilities to monitor and secure your 'hybrid of everything' infrastructure across Azure, AWS, GCP, and on-premises resources (including VMs, Networks, Kubernetes/Containers, SQL, Storage, IoT/OT, & more). Key capabilities within Microsoft Defender for Cloud include:
- [*Defender for Servers*](/azure/defender-for-cloud/defender-for-servers-overview) - provides recommendations to improve and remediate security posture, protects machines against real-time security threats and attacks with Defender for Endpoint integration, and offers agentless scanning for vulnerabilities.
- [*Defender For Containers*](/azure/defender-for-cloud/defender-for-containers-introduction) - cloud-native solution to enhance, monitor, and maintain the security of your containerized assets (Kubernetes clusters, nodes, workloads, registries, images, and more) and their applications across multicloud and on-premises environments.
- [*Defender for SQL*](/azure/defender-for-cloud/defender-for-sql-introduction) - helps discover and mitigate potential database vulnerabilities with vulnerability assessment and alerts on anomalous activities that might indicate threats to your databases.
- [*Defender for Storage*](/azure/defender-for-cloud/defender-for-storage-introduction) - detects potential threats to storage accounts with malware scanning and sensitive data threat detection across Azure Blob Storage, Azure Files, and Azure Data Lake Storage.
- [*Defender for Databases*](/azure/defender-for-cloud/defender-for-databases-overview) - helps protect database estates from threats and vulnerabilities with threat protection and security management for Azure SQL, open-source databases, and Cosmos DB.
- [*AI Security Posture Management*](/azure/defender-for-cloud/ai-security-posture) - discovers generative AI applications, identifies vulnerabilities, and reduces risks with built-in recommendations and attack path analysis for AI workloads.
+[**Microsoft Sentinel**](/azure/sentinel/overview) | Cloud native SIEM + SOAR + Data Lake solution that includes detection and response for infrastructure components.
+[**Azure Arc**](/azure/azure-arc/overview) | Enables unified governance and management across on-premises data centers, multiple clouds, and edge components by projecting your existing non-Azure and/or on-premises resources into Azure Resource Manager.
+[**Microsoft Entra**](/entra/fundamentals/whatis) | Supports strong identities for developers as well as identities for the application and avoiding roll your own identities and crypto
+[**Microsoft Intune**](/intune/intune-service/fundamentals/what-is-intune) | Supports with cloud-based endpoint management solution for securing developer workstations with mobile device management (MDM) and mobile application management (MAM)
+[**Microsoft Defender XDR**](/defender-xdr/microsoft-365-defender) | Supports with detection and response capabilities for developer workstations, CI/CD systems, servers, containers, and more that are required for a secure development environment.
+**Microsoft Azure** | Supports with security capabilities in the cloud infrastructure that should be leveraged for software design and implementation including [Azure Firewall](/azure/firewall/overview), [Azure WAF](/azure/web-application-firewall/overview), [DDoS Protection](/azure/ddos-protection/ddos-protection-overview), [Azure Key Vault](/azure/key-vault/general/overview), [Azure Bastion](/azure/bastion/bastion-overview), [Azure Lighthouse](/azure/lighthouse/overview), and [Azure Backup](/azure/backup/backup-overview).
+
+Next steps
+
+[Learn how](security-adoption-discipline-iot.md) OT/IoT security integrates into the Infrastructure and Networking discipline.
\ No newline at end of file
diff --git a/security-docs/zero-trust/security-adoption-discipline-iot.md b/security-docs/zero-trust/security-adoption-discipline-iot.md
new file mode 100644
index 000000000..f227b6826
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-discipline-iot.md
@@ -0,0 +1,240 @@
+---
+title: Integrate OT/IoT security into the Infrastructure/Networking discipline
+description: Use the Microsoft security adoption model to secure OT/IoT assets and resources across the business, based on Zero Trust principles.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want to understand how I can use the Microsoft security adoption model to secure OT/IoT assets across the business.
+---
+
+# Establish an OT/IoT discipline
+
+This article outlines the OT/IoT Security discipline. It focuses on establishing or modernizing security for specialized Internet of Things (IoT) and Operational Technology (OT) devices, while preserving operational continuity and safety.
+
+[Security disciplines](security-adoption-discipline-overview.md) are groupings of related security work that help organizations consistently deliver security outcomes across the entire technology estate. Within the security adoption model, disciplines help provide a bridge between [business scenarios](security-adoption-business-scenarios-overview.md) and [technical implementation](implement-overview.md), ensuring that security investments translate into real measurable outcomes as part of the [security adoption model](security-adoption-model.md).
+
+
+## Why OT/IoT security?
+
+OT/IoT security addresses systems with unique safety, availability, and reliability constraints.
+
+OT and IoT systems increasingly appear in modern attack paths as entry points, lateral movement paths, and high‑impact targets. The key challenge is that most OT environments are composed of legacy (“brownfield”) systems that are fragile, unsupportable, or difficult to modify. Common constraints include:
+
+- Software that can't easily be updated.
+- Operating systems or hardware that's no longer supported.
+- Vendors ending product support or gone out of business.
+- Regulatory or safety requirements that make changes costly or impractical.
+
+Without a modern OT/IoT security discipline, organizations face:
+
+- Increased risk of production outages and safety incidents.
+- Targeted attacks, including ransomware, on industrial control systems.
+- Regulatory violations (for example, NERC CIP, IEC 62443).
+- Physical damage and potential harm to human safety.
+- Operational downtime, and long‑term operational and reputational damage.
+
+Because these systems often support critical services, OT/IoT security is essential to operational resilience and public safety.
+
+
+## Mission and outcomes
+
+The mission is to protect OT systems and IoT devices that control physical processes or collect critical operational data. Outcomes of the mission include:
+
+- Improved visibility into all OT/IoT assets.
+- Isolation of OT/IoT environments from IT environments and the internet.
+- Keep operations resilient and compliant.
+- Secure remote and vendor access without disrupting operations.
+- Early detection of OT‑specific threats.
+- Reduced likelihood and impact of outages, safety incidents, and physical damage.
+- Compliance with industry and regulatory requirements.
+
+The following diagram from the [Microsoft Cybersecurity Reference Architecture (MCRA)](microsoft-reference-architecture.md) illustrates the range of OT and IoT Devices that must be secured.
+
+:::image type="content" source="./media/internet-of-things-devices.png" alt-text="OT and IoT device types" lightbox="./media/internet-of-things-devices.png":::
+
+## How to apply this discipline
+
+To apply the OT/IoT discipline effectively, focus on establishing a coordinated approach to securing connected devices and operational environments while maintaining safety and availability:
+
+1. **Define an OT/IoT security strategy aligned to operational risk**
+ Establish a clear approach for identifying, prioritizing, and mitigating risks to critical operational processes, industrial systems, and connected devices based on their potential safety and business impact.
+1. **Gain comprehensive visibility into OT and IoT assets**
+ Maintain an accurate inventory of devices, networks, and communication flows to understand what exists in the environment and identify unmanaged or vulnerable systems.
+1. **Segment and protect OT/IoT environments**
+ Implement network segmentation and access controls to isolate critical systems, limit lateral movement, and reduce exposure to threats across IT and OT boundaries.
+1. **Standardize monitoring and threat detection for OT/IoT**
+ Apply consistent monitoring and detection capabilities across connected devices and industrial systems to identify anomalies, unsafe conditions, and potential compromises.
+1. **Align OT/IoT security with operational requirements and safety priorities**
+ Ensure that security controls support operational continuity and safety requirements, prioritizing protections for critical processes and minimizing disruptions to industrial operations.
+1. **Continuously improve through insights and operational feedba**
+ Use learnings from incidents, device telemetry, and operational metrics to strengthen visibility, improve detection, and refine security controls over time.
+
+## Manage change
+
+OT and IoT Security modernization focuses on improving organizational ability to discover, monitor, and protect specialized OT/IoT devices that often aren't included in IT security efforts, controls, or scope. Unlike IT environments, most OT/IoT systems are long-live, safety-critical, and difficult to change.
+
+Key change principles include:
+
+- **Visibility**: Use passive monitoring to discover and understand OT/IoT assets and communications.
+- **Isolation**: Segment and isolate OT environments to reduce exposure before applying other controls.
+- **Operational safety**: Ensure security controls don't disrupt real‑time operations or safety systems.
+- **Procurement**: Embed security requirements in purchasing decisions.
+- **Alignment**: Make security sustainable by aligning people, processes, and technology. For example, train operations, update procedures, and consistently enforce controls.
+-
+
+## Modernization strategy
+
+The OT/IoT security strategy combines near‑term risk reduction with long‑term structural improvements to reduce the likelihood and impact of cybersecurity incidents that could cause human harm, physical damage, or business disruption.
+
+Unlike IT security, OT/IoT security has few viable security controls. Security strategy must acknowledge constraints, focus on consistently and effectively executing available on practical, sustainable controls without disrupting safety or availability.
+
+
+## Strategic priorities
+
+The unique OT/IoT security constraints require focusing on a small number of short-term and long-term strategic priorities:
+
+- **Short Term - Monitor** - Use ***passive*** monitoring of network data to inventory devices and identify anomalous activities that may represent an attack. Note that *Actively* scanning for software vulnerabilities can cause some remote systems to crash, sometimes requiring a site visit to a distant or uninhabited remote location to physically restart the system.
+- **Short Term - Isolate** - Isolate OT and IoT devices from direct internet access and from other internet connected devices, including standard user IT devices and networks.
+- **Short Term - Other Controls _(as applicable)_** - Design and implement other controls that are available to secure the systems which may include physical isolation of highly sensitive systems, application of IT best practices such as software updates (if available), and more.
+- **Long Term - Purchase or Replace** - Procurement policy requires ability to secure devices for their full operational lifetime
+
+The specific mix of controls will vary based on device types, operational constraints, and procurement cycles.
+
+This diagram shows key priorities.
+
+:::image type="content" source="./media/internet-of-things-challenges.png" alt-text="Shows strategic security strategies for OT/IoT security" lightbox="./media/internet-of-things-challenges.png":::
+
+### Short-term - Isolate OT/IoT environments
+
+Effective isolation requires more than just simple network segmentation with firewall rules to block traffic. Achieving effective isolation against threats that doesn't disrupt operations requires a comprehensive and thoughtful approach implemented consistently over time.
+
+The approach should include:
+
+ - **Modeling business processes, technology, and threats**: Discover and document OT/IoT systems. How they're used in business workflows, how the technology is configured, and how threats actors might gain access.
+ - **Accounting for people, process, and technology** - Take a holistic approach. For example:
+
+ - **For technology**, block unauthorized communications, detect threats, and establish rigorous security controls for all bridging/transit devices.
+ - **For processes**, establish, monitor, and update organizational policy, business and technical procedures, and governance to sustain assurances over time.
+ - **For people**, train all stakeholders on what, why, and how to execute procedures.
+
+ - **Apply to all layers** - Don't restrict analysis, design, and implementation to only one control such as networking. Consider the whole system, including identities and access, network connectivity, physical access, operating systems, and apps.
+ - **Secure transient devices** - Device access to isolated OT/IoT environments must be strongly secured to ensure the safety of fragile environments. Apply rigorous people, process, and technology controls to:
+ - All devices that are permanently connected to the environment, such as monitoring workstations.
+ - Devices that transit in or out, such as vendor maintenance laptops. Ensure you follow [privileged device principles](security-adoption-scenario-privileged-access.md).
+
+This diagram shows key points for isolating high value assets.
+
+:::image type="content" source="./media/internet-of-things-isolation.png" alt-text="Key aspects of isolating high value assets" lightbox="./media/internet-of-things-isolation.png":::
+
+### Long-term - purchase or replace
+
+Ensure OT/IoT security and productivity increase over time by including their requirements in procurement policy. Without this step, OT/IoT operations costs and risks will grow over time.
+
+
+The diagram compares the outcome with and without the inclusion of security requirements.
+
+:::image type="content" source="./media/internet-of-things-outcomes.png" alt-text="Compares security outcomes" lightbox="./media/internet-of-things-outcomes.png":::
+
+- In **A**, the organization makes a large purchase without security requirements. The example shows a support contract ending early, and a vendor closing down. This might incur unbudgeted support expenses, and elevated risk.
+- In **B** the organization includes security requirements during the procurement. Negotiation considers key factors that include:
+
+ - The vendor provides lifetime updates, or provides more modern operating systems for equipment in order to close a deal.
+ - The vendor provides lifetime support. Or at least are willing to extend regular support or provide a discount to close a deal.
+ - The vendor must follow sound software development practices to reduce design flaws and risk early.
+ - The vendor is subject to checks that estimate the ability of the vendor to provide continuity and stay in business.
+ - Plans are in place in case the vendor goes out of business.
+
+
+### Get value
+
+Early evaluation of requirements helps you to maximize value from equipment and mitigate future risk. When you have this information early, it guards against:
+
+- Vendor motivation to address security requirements post-purchase.
+- The need to negotiate updates and support at a later date, which might be more difficult or costly.
+
+Obviously, security requirements must be balanced with other business priorities and tradeoffs.
+
+### Replacement
+
+Be proactive in asking for updates, upgrades, and replacement systems and equipment.
+
+- Don't assume that the cost of replacing a legacy system is always too expensive.
+- Consider the business and security benefits or upgrade or replacement.
+- Productivity gains from newer equipment might offset upgrade costs.
+- Consider the hidden cost of legacy systems in terms of maintenance, business agility, and security risk and operational disruption.
+- Perform a full analysis of lifetime cost for legacy maintenance versus upgrade.
+
+
+## Discipline roles and collaborators
+
+OT and IoT security roles protect OT/IoT devices and systems. They ensure that security controls are implemented while maintaining operations and safety. In smaller organizations, these responsibilities might be combined into infrastructure or SecOps roles. Larger enterprises might have dedicated OT/IoT specialists.
+
+Primary roles include:
+
+- **Security architects** – Design secure architectures for OT environments, applying Zero Trust principles while respecting air-gap requirements and operational constraints.
+- **OT engineering and operations** - Secure the industrial control systems (ICS), supervisory control and data acquisition (SCADA) environments, and the programmable logic controllers (PLCs) used to control and monitor physical processes.
+
+ These roles implement and manage security monitoring, network segmentation, and threat detection without disrupting business operations.
+
+- **IoT professionals** - Integrate IoT devices and data into business workflows, services, and custom applications.
+
+Key internal collaborators include:
+
+- **Front line workers (Business operations and engineering teams)** – Maintain production systems and ensure that operational processes run smoothly. They integrate logging and telemetry into security incident and event management (SIEM) and security systems.
+- **Front line workers (vendor management)** – Oversee third-party access to OT systems.
+- **Infrastructure, platform, networking engineering/ops teams** – Coordinate network segmentation and connectivity between IT/OT environments.
+- **SecOps** – Monitor OT/IoT threats and respond to incidents.
+- **Security compliance management, compliance and audit team** – Ensure compliance with industry-specific regulations (NERC CIP, IEC 62443, NIST CSF).
+- **CISO, security directors/managers** – Define strategic priorities, risk tolerance, and compliance objectives for OT/IoT security.
+
+No role operates in isolation. Security professionals must understand cybersecurity principles ***and*** OT/IoT operational requirements.
+
+Safety and availability often take precedence over traditional security controls in OT environments, requiring the balance of security with operational needs.
+
+## Integration with other disciplines
+
+OT and IoT security must integrate tightly with other disciplines:
+
+- **Infrastructure security** – OT/IoT security is a specialized subset focused on industrial systems.
+- **SecOps** – The SecOps team needs training, defined processes, and technology to detect and respond to OT/IoT attacks, avoiding blind spots.
+- **Security posture management** - These teams must include IoT/OT devices into discovery and posture prioritization/mitigation efforts. This helps identify OT/IoT risk, including attack surfaces and potential access paths.
+
+## Integration with technology pillars
+
+Executing the strategy of the OT and IoT security discipline requires security controls across multiple technology pillars.
+
+- **Identities**: Identity controls for OT/IoT environments must account for machine identities, service accounts used by automation systems, and human operators who require access to industrial controls.
+- **Endpoints**: OT endpoints including industrial workstations, engineering stations, and operator terminals require specialized security to protect these specialized systems without impeding real-time operations.
+- **Infrastructure**: OT infrastructure including industrial control systems, SCADA servers, industrial data historians, and PLCs require visibility and protection while maintaining operational requirements and air-gap architectures where appropriate.
+- **Apps**: Applications that interface with OT/IoT devices must be secured to prevent unauthorized control of physical systems. This includes human-machine interfaces (HMI), SCADA applications, and industrial software.
+- **Data**: Operational data from sensors, control systems, and industrial processes must be protected both at rest and in transit, while maintaining the integrity critical for safe operations.
+- **Networks**: Network segmentation between IT and OT environments is critical, along with monitoring of industrial protocols (Modbus, OPC, DNP3) and secure remote access for vendors and operators.
+- **AI**: AI and machine learning can enhance OT security through anomaly detection in industrial processes, predictive maintenance, and automated threat identification while respecting operational constraints.
+
+
+## Microsoft resources
+
+
+### Technologies
+
+Microsoft offers technology solutions that enable and accelerate modernization of OT and IoT security.
+
+This includes both primary enablement technology and key enabling technologies.
+
+**Technology** | **Details**
+--- | ---
+[**Microsoft Defender for Endpoint**](/defender-for-iot/enterprise-iot) | Enterprise IoT in the Microsoft Defender portal provides support for Enterprise IoT security. [Review license information for Defender for Endpoint and Defender XDR](/defender-xdr/protect-against-iot-ot-threats#enterprise-iot-device-protection-in-defender-for-endpoint-and-defender-xdr).
+[**Microsoft Entra**](/entra/fundamentals/whatis) | Provides identity management for OT operators, engineers, and service accounts accessing industrial systems.
+[**Microsoft Intune**](/intune/intune-service/fundamentals/what-is-intune) | Secures OT workstations and engineering stations used to manage industrial systems.
+[**Microsoft Defender XDR**](/defender-xdr/microsoft-365-defender) | Provides detection and response capabilities for OT workstations and IT systems connected to operational environments (via Microsoft Defender for IoT).
+[**Microsoft Sentinel**](/azure/sentinel/overview) | A SIEM solution that correlates OT security alerts with IT security events for comprehensive threat detection.
+**Microsoft Azure** | Provides secure cloud infrastructure for OT data analytics, remote monitoring, and secure connectivity including [Azure IoT Hub](/azure/iot-hub/about-iot-hub), [Azure Firewall](/azure/firewall/overview), and [Azure Private Link](/azure/private-link/private-link-overview),
+[**Microsoft Azure Sphere**](/azure-sphere/product-overview/what-is-azure-sphere) | Provides a comprehensive IoT solution that provides a secured, connected microcontroller unit (MCU), a custom Linux-based OS, and a cloud-based security service.
+
+## Next steps
+
+[Learn about the infrastructure and networking discipline](security-adoption-discipline-infrastructure.md).
\ No newline at end of file
diff --git a/security-docs/zero-trust/security-adoption-discipline-overview.md b/security-docs/zero-trust/security-adoption-discipline-overview.md
new file mode 100644
index 000000000..c78d0390c
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-discipline-overview.md
@@ -0,0 +1,87 @@
+---
+title: Overview - Security disciplines
+description: Learn about security disciplines in the Microsoft security adoption model.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+#customer intent: As a business leader or security adopter, I want to understand which organizational disciplines are involved in planning, design, and deployment of business scenarios and outcomes.
+---
+
+# Overview - security disciplines
+
+This article provides an overview of security disciplines in the [Microsoft security adoption model](security-adoption-model.md).
+
+Security disciplines are **structured areas of accountability** that help organizations translate business security goals into coordinated action across the enterprise. They provide a consistent way to organize strategy, architecture, and operations to manage risk and protect critical business outcomes.
+
+Rather than treating security as isolated controls or individual tools, security disciplines organize processes, skills, and technologies into repeatable capability areas. This helps ensure that security investments deliver measurable, end‑to‑end outcomes, not fragmented improvements.
+
+Collectively, the security disciplines form a complete security operating model that enables:
+
+- Clear security strategy and governance,
+- Coherent, end‑to‑end architectures.
+- Consistent technical implementation and operations.
+
+Security disciplines are applied through business scenarios, such as securing remote work or protecting critical assets. These scenarios define where security efforts should be focused to reduce risk and support the business.
+
+> [!TIP]
+> Microsoft offers a rich set of security adoption workshops - the *Security Adoption Framework (SAF) workshops*. Our structured adoption model, including security discipline guidance, that we describe here aligns with the expert-led guidance available in the workshops. Learn more about our [SAF workshops](workshop-business-overview.md).
+
+## Security disciplines in adoption
+
+In our [security adoption model](security-adoption-model.md), security disciplines provide an organizational structure between business scenarios and technical implementation.
+
+- [**Business scenarios**](security-adoption-business-scenarios-overview.md) define **why** security investment is needed and what outcomes matter.
+- Security disciplines define ownership and accountability across teams, clarifying **who** is responsible for delivering each area of security capability across the organization.
+- [Technical solutions](implement-overview.md) define **how** security is implemented across specific [technology pillars](deploy/overview.md).
+
+:::image type="content" source="./media/disciplines.png" alt-text="Diagram showing how disciplines bridge business outcomes and technical implementation, organized by discipline type." lightbox="./media/disciplines.png":::
+
+## How to use security disciplines
+
+Security disciplines are used throughout in our structured adoption model. They align to Zero Trust guidance to support different audiences:
+
+- Business leaders and program owners use disciplines to understand how security business scenarios come to life to protect assets and manage business risk.
+- Security leaders and architects use disciplines to shape end‑to‑end designs and ensure consistency across technology pillars.
+- Implementation and operations teams use disciplines to guide tooling choices, control deployment, detection, and ongoing improvement.
+
+
+
+## Discipline categories
+
+Each security discipline fits into one of three categories, based on the type of decisions it supports and when it is applied in the security lifecycle.
+
+- **Planning and oversight disciplines**: These disciplines establish direction, alignment, and accountability across the entire security program. They define what success looks like and how progress is measured and governed.
+- **Technical strategy disciplines**: These disciplines define how security is designed and implemented technically. They provide architectural direction that guides control selection, tooling, and execution across multiple technology areas.
+- **Operational disciplines**: These disciplines define how security runs day to day, including continuous visibility, detection, response, and improvement as threats and environments change.
+
+
+The diagram below illustrates how security categories and disciplines, and how they align across technology pillars.
+
+:::image type="content" source="./media/security-adoption-disciplines.png" alt-text="Diagram of security disciplines guiding security adoption." lightbox="./media/security-adoption-disciplines.png":::
+
+## Security disciplines
+
+The following table shows the disciplines, the category they belong to, and the technology pillars that they're focused on protecting.
+
+**Disciplined/Category** | **Discipline** | **Pillar**
+--- | --- | ---
+**[Security Strategy, Integration, and Governance](security-adoption-discipline-strategy.md)**
Planning and oversight. | Establishes the overall security vision, priorities, policies and success measures. It ensures security efforts are aligned to business goals and risk tolerance, and that progress is measurable and governed. | All pillars.
+**[Security Architecture](security-adoption-discipline-architecture.md)**
Planning and oversight. | Ensures that security controls, technologies, and processes work together as a cohesive system. It aligns architecture decisions across identity, data, applications, infrastructure, and operations to deliver consistent outcomes. | All pillars.
+**[Access and Identity](security-adoption-discipline-identity-access.md)**
Technical strategy | Secures how users, devices, applications, and workloads access organizational assets. This discipline drives a consistent, identity‑centric approach using Zero Trust principles across all access paths, including networking and privileged access. | Identity, networks, endpoints.
+**[Infrastructure Security](security-adoption-discipline-infrastructure.md)**
Technical strategy | Ensures that the workloads and platforms that run the business are secure across hybrid and multicloud environments for new development and legacy apps. | Infrastructure.
+**[Development Security](security-adoption-discipline-development.md)**
Technical strategy | Ensures applications and services are designed, built, and maintained securely as pat of a DevSecOps approach and a security development lifecycle (SDL). This includes secure coding practices, and application security testing. | Apps.
+**[Data Security](security-adoption-discipline-data.md)**
Technical strategy | Protects data assets such as intellectual property, trade secrets, and regulated information. This discipline applies security controls throughout the full data lifecycle, regardless of where data is stored or how it moves. It is a critical enabler of safe Generative AI usage. | Data.
+**[OT/IoT Security](security-adoption-discipline-iot.md)**
Technical strategy | Secures OT/IoT systems that interact with physical processes and the physical world, including industrial control systems and SCADA environments. | Endpoints.
+**[Security Posture Management](security-adoption-discipline-posture.md)**
Operational | Continuously discovers, measures, and prioritizes security risks. It helps organizations focus remediation efforts on the most impactful vulnerabilities and attack paths. | All pillars.
+**[SecOps](security-adoption-discipline-security-operations.md)**
Operational | Detects, responds to, and recovers from active threats. This discipline focuses on rapid response, to minimize the time attackers have access after compromise, and thus limiting their business impact. | All pillars.
+
+
+## Next steps
+
+- [Get started](security-adoption-model.md) with security adoption.
+- [Select a business scenario](security-adoption-business-scenarios-overview.md).
+- [Learn about Microsoft's security workshops](workshop-business-overview.md)
+
diff --git a/security-docs/zero-trust/security-adoption-discipline-posture.md b/security-docs/zero-trust/security-adoption-discipline-posture.md
new file mode 100644
index 000000000..04fe3961b
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-discipline-posture.md
@@ -0,0 +1,202 @@
+---
+title: Establish a Security Posture discipline
+description: Use the Microsoft security adoption model to optimize security posture across the business, based on Zero Trust principles.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want to understand how I can use the Microsoft security adoption model to optimize security posture across the business.
+---
+
+# Establish a Security Posture discipline
+
+This article helps security and technology leaders establish or modernize a Security Posture Management discipline. This discipline focuses on continuously reducing the organizational exposure to attacks by identifying and eliminating the most likely attack paths to critical assets.
+
+[Security disciplines](security-adoption-discipline-overview.md) are groupings of related security work that help organizations consistently deliver security outcomes across the entire technology estate. Within the security adoption model, disciplines help provide a bridge between [business scenarios](security-adoption-business-scenarios-overview.md) and [technical implementation](implement-overview.md), ensuring that security investments translate into real measurable outcomes as part of the [security adoption model](security-adoption-model.md).
+
+
+## Why this discipline
+
+Most successful cyberattacks don’t begin with advanced exploits. They start by abusing well-known, easily exploitable weaknesses—often in identity, endpoints, infrastructure, applications, or configuration hygiene.
+
+The Security Posture discipline exists to prevent attacks before they occur, complementing the Security Operations (SecOps) discipline, which focuses on detection, investigation, and response after compromise.
+
+- Security Posture reduces opportunity for attackers.
+- Security Operations limits impact when prevention fails.
+
+Together, they form a complete security operating model.
+
+Without a dedicated Security Posture discipline, organizations often treat posture management as:
+
+- A periodic vulnerability scan.
+- A compliance checkbox.
+- A collection of disconnected remediation projects.
+
+This approach leaves systemic weaknesses in place until attackers exploit them.
+
+This diagram illustrates the complementary nature of Security Posture Management and Security Operations:
+
+:::image type="content" source="./media/security-adoption-discipline-posture.png" alt-text="Diagram showing Security Posture Management focuses on preventing attacks (left of bang) while Security Operations manages incidents that occur (right of bang)." lightbox="./media/security-adoption-discipline-posture.png":::
+
+
+
+
+## Mission and outcomes
+
+Reduce the likelihood and impact of cyberattacks by continuously identifying and eliminating the most exploitable risks across the organization’s technology estate.
+
+Organizations that mature this discipline achieve:
+
+- Continuous discovery of assets across the modern estate.
+- Prioritized visibility into exploitable vulnerabilities and attack paths.
+- Faster, more effective remediation by asset-owning teams.
+- Reduce attack surface and blast radius.
+- Improved resilience against business disruption.
+
+Security posture acts as the operational extension of governance, translating enterprise risk priorities into day-to-day remediation work.
+
+
+## How to apply this discipline
+
+To apply the Security Posture Management discipline effectively, focus on establishing a continuous, risk-driven approach to understanding and improving your organization’s security posture:
+
+1. **Define a posture management strategy aligned to business risk**
+ Establish a clear approach for identifying, measuring, and prioritizing security risks based on their potential impact on the business.
+1. **Ensure continuous visibility across the environment**
+ Maintain an up-to-date understanding of assets, configurations, and exposures across identities, devices, applications, infrastructure, and data.
+1. **Standardize how security risks are assessed and prioritized**
+ Provide clear guidance to ensure that vulnerabilities, misconfigurations, and risks are evaluated consistently and addressed based on impact.
+1. **Align posture management with business priorities and critical assets**
+ Focus remediation efforts on the most important risks affecting high-value assets and key business scenarios.
+1. **Continuously improve posture through measurement and remediation**
+ Use insights from assessments, risk trends, and remediation efforts to reduce exposure and strengthen security over time.
+
+
+## Manage change
+
+Modern Security Posture management represents a shift from static vulnerability reporting to continuous risk reduction.
+
+**Traditional approach** | **Modern discipline**
+--- | ---
+Periodic vulnerability scans | Continuous asset and risk discovery.
+Compliance-driven prioritization | Threat-informed prioritization.
+Security-owned findings | Shared accountability with engineering teams and business owners of systems.
+One-time remediation | Continuous remediation and improvement.
+Patch by exception | Patch by default.
+
+
+
+The following diagram shows the key elements of the Security Posture discipline.
+
+:::image type="content" source="./media/security-adoption-discipline-posture-mission.png" alt-text="Diagram showing Security Posture Management mission with key elements: continuously discover assets, identify and prioritize vulnerabilities, and enable mitigation." lightbox="./media/security-adoption-discipline-posture-mission.png":::
+
+### Key principles
+
+Key modernization principles include:
+
+- **Enablement**: Go beyond tools and reports. Equip engineering and operations teams with guidance, context, automation, and education to reduce risk as part of their normal work.
+- **Scope**: Address weaknesses across multiple dimensions:
+ - **Functional** - Address Design and implementation flaws.
+ - **Configuration** -Address misconfiguration and configuration drift over time.
+ - **Operational** - Address administrative and operational practices that enable abuse (for example, weak credential handling).
+- **Operations**: Make posture improvement a continuous engineering activity—not a one-time cleanup. This requires sustained collaboration, cultural change, and incremental progress.
+
+This discipline requires cultural change, sustained collaboration, and incremental improvement rather than one-time remediation projects.
+
+## Security posture strategy
+
+An effective security posture strategy focuses on three continuous activities:
+
+1. **Discover assets**: Continuously identify assets across the entire modern estate, including:
+ - Identity systems
+ - Endpoints
+ - SaaS applications
+ - Cloud and on-premises infrastructure
+ - OT, IoT, and emerging platforms
+
+ This requires close collaboration with asset ownership, configuration, and platform teams.
+1. **Identify and prioritize exploitable risk**: Focus on vulnerabilities and attack paths that are:
+ - Cheap for attackers to exploit.
+ - Reliable at scale.
+ - Common entry points for multistage attacks.
+
+ Threat intelligence and real-world attack patterns should inform prioritization—not severity scores alone.
+
+1. **Enable mitigation**: work with asset-owning teams to:
+ - Integrate remediation into existing workflows.
+ - Reduce friction and repeat effort.
+ - Track progress against risk reduction goals.
+
+ Security Posture succeeds when remediation becomes faster and easier than ignoring risk.
+
+## Discipline roles and collaborators
+
+Security Posture is inherently cross-functional.
+
+Primary roles include:
+
+- **Engineering and Operations teams**: Technology and Security Managers, Security and Automation Engineers accountable for implementing mitigations and maintaining hygiene across:
+ - Identity and access
+ - Networking
+ - Endpoints and user productivity
+ - Infrastructure and platforms (cloud, on-premises, CI/CD)
+ - Data
+ - AI
+ - OT environments
+
+
+- **Architecture Roles**: Design the systems and controls the Security Posture discipline monitors and improves:
+ - Enterprise Architect
+ - Security Architect
+ - Infrastructure, identity, application, data, and AI architects.
+ - Data and Artificial Intelligence (AI) architects.
+
+- **Security Strategy, Integration, & Governance (All Others)**: Provide direction and support through:
+
+ - Risk prioritization and metrics
+ - Compliance and policy alignment
+ - Security education and engagement
+
+- **Threat Intelligence and SecOps**: Inform prioritization based on attacker behavior, active campaigns, and emerging techniques.
+
+
+## Alignment with other disciplines
+
+Security Posture Management works closely with other disciplines:
+
+- **SecOps**: Prevention complements detection and response.
+- **Security Strategy, Integration, and Governance**: Risk prioritization and metrics.
+- **Security Architecture**: Consistent control placement.
+- **Access and Identities**: Reducing identity-based attack paths.
+- **Infrastructure**, **Development**, and **Data Security**: Eliminating systemic weaknesses.
+
+Together, these disciplines create a cohesive security operating model.
+
+
+## Alignment with technology pillars
+
+Security Posture spans all technology pillars:
+
+- **Identities** – This pillar is a top-priority for security posture because identity is a High-risk entry point that's foundational to nearly all attacks. Almost all multistage attacks rely on identity attacks, such as pass-the-hash, ticket, and other methods, to laterally traverse and gain access to additional organizational assets. These attacks often use privileged accounts associated with IT administrators or administrative service accounts.
+- **Endpoints**: Endpoints are a common attacker foothold and staging environment. It's critical to quickly find and fix endpoint vulnerabilities.
+- **Infrastructure**: Rapidly finding and mitigating infrastructure vulnerabilities is important since infrastructure has broad impact due to shared dependencies for hosted workloads and data.
+- **Apps**: Rapidly finding and mitigating these vulnerabilities is important because threat actors often target email, collaboration, line of business, and other apps to enter and laterally traverse across an organization to access business assets.
+- **Data**: Data provides a high-value target for theft, extortion, and disruption. Attackers often target data for intellectual property theft, encryption to gain leverage for extortion or ransomware, planning future attacks, and other purposes.
+- **Networks**: Threat actors attack operations that rely on network connectivity. Network security controls restrict communication paths, constrain attacker movement and detect abnormal flows.
+- **AI**: Emerging AI attack surfaces require new discovery and protection capabilities.
+
+The discipline builds consistent skills, tooling, and processes across all pillars.
+
+## Next steps
+
+Microsoft Unified offers expert-led workshops to help organizations accelerate modernization of Security Posture Management strategy, architecture, and technology. These workshops include:
+
+- **Architecture and strategy workshops** - The Security Adoption Framework (SAF) – Chief Information Security Officer (CISO) Workshop* workshop covers security posture management as part of a modern and effective security strategy and program.
+- **Technology adoption workshops** - The *Onboarding Accelerator - Microsoft Security Exposure Management* engagement accelerates adoption of Microsoft Security Exposure Management.
+
+Contact your customer success account manager for more information on Microsoft-led workshops.
+
+
diff --git a/security-docs/zero-trust/security-adoption-discipline-security-operations-common-issues.md b/security-docs/zero-trust/security-adoption-discipline-security-operations-common-issues.md
new file mode 100644
index 000000000..781318496
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-discipline-security-operations-common-issues.md
@@ -0,0 +1,285 @@
+---
+title: Avoid common issues in SecOps modernization
+description: Understand common antipatterns in security operations modernization.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want to identity common antipatterns to avoid during SecOps modernization
+---
+
+# Avoid antipatterns in SecOps modernization
+
+
+As you develop the [Security Operations (SecOps) discipline](security-adoption-discipline-security-operations.md) use this article to identify, avoid, and correct common SecOps antipatterns.
+
+
+This guidance helps identify, avoid, and correct common SecOps antipatterns for anyone planning or participating in SecOps modernization.
+
+
+## What is a SecOps antipattern?
+
+An **antipattern** is common recurring behavior that's ultimately ineffective. Antipatterns undermine effectiveness or actively increase risk, and are frequently responsible for slow response times, analyst burnout, repeated incidents, and higher business impact.
+
+In SecOps, antipatterns typically emerge when teams prioritize tools, data, or organizational silos over measurable security outcomes. Left uncorrected, these behaviors slow detection and response, obscure attacker activity, and hinder organizational learning from incidents.
+
+Avoiding SecOps antipatterns helps organizations:
+
+- Detect and contain attacks faster.
+- Reduce operational noise and analyst fatigue.
+- Improve collaboration across security, IT, and engineering teams.
+- Turn incidents into durable risk reduction rather than repeated work.
+
+Use the antipatterns in this article to learn from known mistakes rather than repeating them.
+
+## Avoid antipatterns
+
+Every SecOps antipattern grows from a tool‑first mindset. High‑performing SecOps programs start by:
+
+- Clearly defining the SecOps mission.
+- Identifying outcomes and success metrics.
+- Aligning people and processes before technology.
+- Building learning loops that improve prevention and response over time.
+
+Our [structured security adoption model](security-adoption-model.md) helps you to avoid antipattern pitfalls by anchoring SecOps decisions to business outcomes rather than tool accumulation.
+
+
+## Common SecOps antipatterns
+
+This visual shows common SecOps antipatterns.
+
+:::image type="content" source="./media/security-adoption-discipline-operations-issues.png" alt-text="Screenshot of common SecOps antipatterns diagram." lightbox="./media/security-adoption-discipline-operations-issues.png":::
+
+The following antipatterns appear repeatedly across organizations of all sizes. While they differ in form, they share a common root cause: misalignment between the SecOps mission and day‑to‑day execution.
+
+### Wearing a blindfold
+
+Without data, SecOps can't investigate what happened or why it happened.
+
+:::image type="content" source="./media/security-adoption-discipline-operations-visibility.png" alt-text="Diagram for SecOps antipattern 'Wearing a Blindfold'.":::
+
+When SecOps lacks the telemetry required to detect or investigate attacks, incidents unfold without visibility or accountability.
+
+Without logs, there's no reliable way to:
+
+- Detect attacker activity
+- Reconstruct timelines
+- Identify root cause
+- Prevent attackers from returning using the same techniques
+
+This often stems from cost concerns, unclear ownership, privacy uncertainty, or lack of clarity about which logs matter most.
+
+#### How to correct
+
+Visibility is not optional. Start with a minimal, prioritized logging baseline tied directly to your highest‑risk attack scenarios, such as identity compromise, endpoint access, or control‑plane changes. Ensure analysts can access and use this data, then expand deliberately.
+
+#### Key practices
+
+Key best practices to avoid this antipattern:
+
+- **Define use cases** for attack scenarios that lead to business damage. ideally in coordination with security architects to ensure a coordinated approach to prevention and detection.
+- **Prioritize scenarios** Prioritize high-risk scenarios so that you enable logging for activities tied to high-impact threats first.
+- **Establish a log baseline:** Define essential data sources (identity, endpoint, cloud control plane) mapped to the top attack scenarios.
+- **Validate ingestion:** Confirm logs are flowing and available for use by analysts and automation.
+- **Address ownership:** Assign accountability for log configuration, retention, and cost management.
+- **Continuously improve:** Add telemetry in phases, ensuring each new source supports actionable detection or investigation.
+
+### Collection isn't detection
+
+Collecting more data does not automatically improve security.
+
+:::image type="content" source="./media/security-adoption-discipline-operations-collection.png" alt-text="Diagram for SecOps antipattern 'Collection isn't detection'.":::
+
+This antipattern occurs when organizations ingest large volumes of telemetry without clear detection goals. The result is alert fatigue, high storage costs, and critical signals buried in noise.
+
+Telemetry is an enabler, not the goal. Detection is about distinguishing attacker behavior from normal activity—and that requires relevance, not volume.
+
+#### How to correct
+
+Align every data source to a defined detection or investigation outcome. If a log doesn't materially help detect or respond to an attack, it's an operational liability.
+
+#### Key practices
+
+Key best practices to avoid this antipattern:
+
+Detections are about separating threat actor behavior (abnormal) from regular user and system behavior (normal), so quality depends less on volume and more on relevance.
+
+- **Align goals:** Define specific detection outcomes for every major data source. Map data sources to specific protection goals.
+- **Avoid data sprawl:** Eliminate redundant or low-value logs that don't support detection or compliance requirements.
+- **Establish responsibility:** Assign responsibility for data quality, normalization, schema consistency, and retention.
+- **Measure detection value:** Track detections produced per data source to ensure investment aligns with operational impact.
+- **Tune continuously:** Periodically review analytics, playbooks, and ingestion pipelines to maintain relevance and reduce noise.
+
+### Keeping secrets from family
+
+When SecOps insights remain trapped inside the SOC, the organization gets stuck in a cycle of repeated incidents.
+
+:::image type="content" source="./media/security-adoption-discipline-operations-secrets.png" alt-text="Diagram for SecOps antipattern 'Keeping secrets from family'.":::
+
+If incident learnings aren't shared:
+
+- Architects can’t fix systemic weaknesses
+- Engineers can’t prioritize preventive controls
+- Leaders lack the evidence needed to justify change
+
+SecOps becomes reactive firefighting instead of a learning function.
+
+#### How to correct
+
+If insights aren't captured and shared during alert and incident management and response, weaknesses are exploited again and again, and opportunities for improvement are missed.
+
+Effective SecOps requires closing these loops and making sure that information is shared with people who can perform root cause analysis and implement prevention, improved logging, and other measures as needed.
+
+Establish lightweight, repeatable mechanisms to share incident insights with architecture, engineering, and leadership teams.
+
+#### Key practices
+
+
+Key best practices to avoid this antipattern:
+
+
+- **Convert incidents into technical threat intelligence:** Ensure indicators of compromise and other findings feed detection and prevention strategies.
+- **Establish cross-functional incident reviews:** Involve IT, architecture, and security teams in short, structured post-incident reviews to identify and prioritize preventative action.
+- **Integrate lessons into workflows:** Use sprint retrospectives or maintenance windows to implement improvements identified during incident handling.
+- **Document and share outcomes:** Maintain visible, organization-wide records of mitigations, configuration updates, and detection changes.
+- **Foster a culture of collaboration:** Encourage open dialogue across teams to ensure operational insights inform strategic defense improvements.
+- **Balance speed with reflection:** Allocate time to analyze resolved incidents before shifting to new priorities, ensuring each event contributes to long-term resilience.
+
+### Network isn't the only source of truth
+
+Modern attacks routinely bypass traditional network perimeter control points using identity abuse, cloud APIs, SaaS integrations, social engineering (trickery), and other attacks.
+
+
+:::image type="content" source="./media/security-adoption-discipline-operations-network.png" alt-text="Diagram explaining that networks aren't the only source of truth.":::
+
+Organizations that rely primarily on network telemetry miss:
+
+- Token abuse and credential theft
+- Control‑plane manipulation
+- Application‑to‑application attacks
+- Data exfiltration via approved channels.
+
+Organizations that diversify telemetry start correlating all of the different data sources to illuminate the whole story across identity sign-ins, conditional access outcomes, endpoint sensor telemetry, cloud control plane events, data access patterns, network anomalies, and more.
+
+#### Key practices
+
+Correcting this problem is critical. It begins by acknowledging the importance of this shift and investing in new tooling and education to expand SecOps skills.
+
+Key best practices to avoid this antipattern include:
+
+- **Broaden beyond network:** In addition to network tools, include tools and signals for identity, endpoint, application, data, and others to capture modern attack paths.
+- **Correlate sources**: Correlate network data with identity and cloud signals
+- **Prioritize identity and control plane:** Monitor sign-in patterns, token usage, and privileged operations alongside network traffic.
+- **Adopt Zero Trust principles:** Treat every request as untrusted. Verify explicitly by using all available signals, not just network indicators.
+- **Continuously validate:** Review detection gaps regularly and adjust collection strategies to keep up with continuously evolving attacker techniques.
+
+### Not invented here
+
+When SecOps teams default to building custom tools, they waste time and increase fragility.
+
+:::image type="content" source="./media/security-adoption-discipline-operations-invented.png" alt-text="Diagram for SecOps antipattern 'Not Invented Here'.":::
+
+Custom solutions require constant maintenance as environments, attackers, and platforms change. Valuable engineering cycles are consumed maintaining commodity detections instead of improving real risk reduction.
+
+#### How to correct
+
+Correcting this problem is critical and begins with recognition that custom work should be the exception, not the default.
+
+#### Key practices
+
+Key best practices to avoid this antipattern include:
+
+- **Adopt "configure before customize":** Use vendor tools and analytics for common threats and fall back on custom engineering for unique business risks.
+- **Audit custom content:** Regularly review homegrown detections and parsers to identify redundancy or fragility.
+- **Measure maintenance cost:** Track time spent fixing bespoke solutions versus improving detection coverage.
+- **Leverage vendor updates:** Stay current with vendor-provided analytics and threat intelligence to reduce duplication.
+- **Focus on differentiation:** Direct custom development toward scenarios that benefit from tailored detection logic.
+
+### Shiny object syndrome
+
+SecOps teams often focus on advanced attack techniques while foundational capabilities remain immature.
+
+:::image type="content" source="./media/security-adoption-discipline-operations-shiny.png" alt-text="Diagram for SecOps antipattern 'Network isn't the only source of truth'.":::
+
+This results in:
+
+- Weaknesses in basic core detections and incident response capabilities.
+- Diluted SecOps effectiveness because:
+ - Common attack techniques impact organizations far more than advanced techniques.
+ - SecOps often struggle to handle advanced cases when foundational detections, automation, or hygiene controls are still immature.
+
+The outcome is a cycle of wasted resources and increased risk.
+
+#### How to correct
+
+Correcting this pattern is critical and begins with recognition that new technology and side quests don't create effectiveness - operational discipline and maturity does.
+
+#### Key practices
+
+Key best practices to avoid this antipattern:
+
+- **Prioritize fundamentals first:** Ensure incident response processes and common attack detection capabilities are mature before pursuing advanced detection and SecOps functions.
+- **Define evaluation criteria:** Require clear use-case alignment, measurable value, and integration potential for any new tool or investment.
+- **Operationalize before expanding:** Fully deploy and measure existing technologies before introducing extra layers of complexity.
+- **Align innovation to outcomes:** Focus innovation efforts on solving defined gaps or improving time-to-detect and time-to-respond metrics.
+- **Establish review checkpoints:** Periodically assess whether pilot projects and emerging tools transitioned to production value.
+
+### One tool to rule them all
+
+No single tool can detect or respond to the full spectrum of modern attacks.
+
+:::image type="content" source="./media/security-adoption-discipline-operations-tool.png" alt-text="Diagram for SecOps antipattern 'One tool to rule them all'.":::
+
+The appeal is understandable. A single tool promises simplicity and visibility. But modern attacks exploit multiple layers. However, reliance on only a security information and event management (SIEM) system, endpoint detection and response (EDR) solution, or a firewall leaves spots with low visibility across identity, cloud, data, etc.
+
+A SIEM full of logs is powerful, but without identity signals, endpoint telemetry, and cloud control plane events, you miss critical context. Similarly, EDR alone can't detect credential abuse or SaaS data exfiltration. Effective defense requires a layered approach where tools work together, sharing data and automating response.
+
+The goal isn't to abandon platform consolidation, it's to avoid the trap of thinking one tool equals complete protection. A mature SOC builds on a unified foundation and extends it with complementary capabilities.
+
+#### How to correct
+
+Correcting this misconception is critical and begins with recognition that no single product can provide complete detection across the full attack surface.
+
+Key best practices to avoid this antipattern:
+
+- **Think in layers:** Combine identity, endpoint, network, and cloud telemetry for full-spectrum detection.
+- **Leverage platform integration:** Use Microsoft's security ecosystem to unify signals and automate response across domains.
+- **Validate coverage:** Regularly assess which attack techniques are addressed and where gaps remain.
+- **Align tools to use cases:** Ensure each capability supports a defined detection or response objective.
+- **Design for interoperability:** Even within a platform, document how components share data and coordinate actions.
+
+### Toolapalooza!
+
+Accumulating tools faster than teams can integrate or operationalize them increases complexity without improving outcomes.
+
+:::image type="content" source="./media/security-adoption-discipline-operations-tool-overload.png" alt-text="Diagram for SecOps antipattern 'Toolapalooza!'.":::
+
+Each new product promises better visibility or faster response, but without a unifying strategy, the result is Toolapalooza—an overgrown toolset where analysts must move between multiple consoles, query languages, and alert queues to perform even simple investigations. This fragmentation increases cognitive load, slows response, and creates unguarded sides as critical data remains trapped within individual products.
+
+
+The remedy is a deliberate, outcome-driven tooling strategy. Each technology should have a defined purpose, mapped to a specific business or operational outcome - such as reducing mean time to detect, accelerating investigation, or improving containment consistency.
+
+Consolidate tools where overlap exists, and use automation to bridge necessary systems rather than adding new layers of manual effort. Simplifying the toolset doesn't mean sacrificing capability; it means focus on the tools that demonstrably advance detection, response, and recovery effectiveness.
+
+#### Key practices
+
+Correcting this problem is critical and begins with recognition that more tools don't equal more security.
+
+Key best practices to avoid this antipattern:
+
+- **Inventory**: Start by conducting a full inventory of your existing tools and mapping each one to the outcomes it actually supports.
+- **Define tool purpose and value:** Map each platform to explicit operational outcomes and retire tools that lack measurable impact.
+- **Consolidate where practical:** Prefer integrated solutions that reduce context-switching and centralize visibility.
+- **Focus on process before product:** Establish clear workflows and detection priorities before introducing new technology.
+- **Automate integration:** Use APIs, playbooks, and orchestration to connect tools and streamline analyst experience.
+- **Regularly review tooling portfolio:** Conduct annual or quarterly assessments to identify redundancy and confirm alignment with security strategy.
+
+
+
+## Next steps
+
+- [Review the SecOps discipline](security-adoption-discipline-security-operations.md)
+- [Get started](security-adoption-business-scenarios-overview.md) with recommended business scenarios for security outcomes.
\ No newline at end of file
diff --git a/security-docs/zero-trust/security-adoption-discipline-security-operations-incidents.md b/security-docs/zero-trust/security-adoption-discipline-security-operations-incidents.md
new file mode 100644
index 000000000..22ffdd83e
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-discipline-security-operations-incidents.md
@@ -0,0 +1,204 @@
+---
+title: Plan for incident response in the security adoption model.
+description: Understand incident response planning.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want plan our SecOps approach to incident response.
+---
+
+# Plan incident response
+
+This article helps with designing incident response solutions for all roles involved in planning or design, including security operations (SecOps) leaders and architects, IT leaders, and business stakeholders.
+
+Incident response is a core capability of the [SecOps](security-adoption-discipline-security-operations.md) discipline.
+
+Effective incident response enables organizations to investigate, contain, and recover from active cyberattacks while minimizing business, operational, legal, and reputational impact—aligned with Zero Trust principles.
+
+
+
+## Incident response overview
+
+Incident response is the practice of investigating and remediating active attack campaigns against your organization.
+
+Incident response has the largest direct influence on critical SecOps metrics, particularly:
+
+- **Mean Time to Acknowledge (MTTA)**. The time it takes your team to acknowledge an alert or incident after generation.
+- **Mean Time to Remediate (MTTR)**. The time it takes to fix a security incident after acknowledgement.
+
+Reducing these metrics lowers organizational risk and limits attacker impact.
+
+Successful incident response depends on close collaboration between incident responders, threat hunting, threat intelligence, IT operations, legal, communications, and leadership teams.
+
+## Incident response playbooks
+
+Incident response playbooks provide scenario‑specific, step‑by‑step guidance that helps SecOps teams respond quickly and consistently to common attack techniques.
+
+Playbooks are a critical planning output. They're developed, reviewed, and validated before incidents occur so responders can execute investigations and containment actions under pressure without having to design workflows in real time.
+
+Microsoft publishes incident response playbooks based on best practices from Microsoft Incident Response, with guidance for common attack scenarios, including:
+
+- Phishing
+- Password spray
+- App consent grant abuse
+- Compromised or malicious applications
+
+Each incident response playbook includes:
+
+**Playbook** | **Details**
+**Prerequisites** | Required logging, roles, permissions, and configuration needed before an investigation can begin.
+**Workflow** | A recommended investigation flow that clarifies sequencing and dependencies.
+**Checklist** | A task‑oriented checklist that supports execution, especially in regulated or audited environments.
+**Investigation steps** | Detailed, step‑by‑step guidance tailored to the specific attack technique.
+
+Playbooks complement, but don't replace, incident response plans, recovery procedures, or executive decision‑making processes. Instead, they operationalize your incident response strategy by turning detections into repeatable, high‑confidence response actions.
+
+## Principles for effective response
+
+Regardless of the specific tools or processes you use, effective incident response requires consistent application of the following principles.
+
+- **Stay calm and focused**: Security incidents are disruptive and emotionally charged. Maintain focus on the highest-impact actions first.
+- **Balance urgency with precision**: Act quickly to contain threats, but validate actions to avoid unintended damage, loss of evidence, or incomplete remediation.
+- **Do no harm**: Ensure response actions don't:
+
+ - Destroy forensic evidence
+ - Cause unnecessary business disruption
+ - Prevent root-cause analysis and learning
+- **Involve legal early**: Legal guidance is critical for:
+ - Law enforcement involvement
+ - Regulatory and privacy notifications
+ - External communications
+ - Preserving privilege
+- **Control information sharing**: Public or customer-facing communications should occur only with legal guidance, to avoid liability and misinformation.
+- **Get help when needed**: Large or sophisticated attacks often require deep, specialized expertise, including external responders, vendors, or professional services.
+
+Incident response is similar to treating a critical medical condition: the system is critically important, can't be shut down, and is too complex for any single individual to fully understand.
+
+
+## Balance speed and risk
+
+During incidents, SecOps teams must consistently balance:
+
+- **Speed vs. accuracy** – Acting fast without escalating impact
+- **Transparency vs. liability** – Sharing information appropriately with investigators, leadership, and customers
+
+It's important to follow recommended actions that reduce risk, and avoid common pitfalls, while meeting stakeholder expectations.
+
+## Technical response best practices
+
+Key goals during technical incident response include:
+
+- Identify the scope of the attack
+- Identify persistence mechanisms
+- Determine the attacker’s objective, when possible
+
+Persistent attackers often return if their objectives aren't fully disrupted.
+
+Recommended practices include:
+
+- **Avoid uploading files to public scanners**: Adversaries monitor services like VirusTotal for discovery of targeted malware.
+- **Carefully consider system modifications**: Only make changes when the risk of inaction outweighs the business impact. Document all incident-driven changes for rollback during recovery.
+- **Ruthlessly prioritize investigation**: Focus analysis on resources the attacker actually used or modified. Full forensic coverage is often infeasible.
+- **Share information deliberately**: Ensure internal teams and approved external investigators share findings under legal guidance.
+- **Integrate deep system expertise**: Include platform, application, and infrastructure experts—not only security generalists.
+- **Plan for reduced capacity**: Assume 50% of staff operating at 50% efficiency due to stress and fatigue.
+- **Manage expectations**: In some incidents, identifying the initial access vector may be impossible due to deleted or unavailable telemetry.
+
+## Operations response best practices
+
+Operational coordination is equally critical.
+
+Key goals include:
+
+- Maintaining focus on business-critical assets
+- Establishing role clarity and decision authority
+- Managing business and operational impact
+
+Recommended practices:
+
+- **Use an Incident Command System (ICS)**: If no standing crisis organization exists, ICS provides a temporary structure.
+- **Preserve daily SecOps operations**: Detection, triage, and monitoring must continue during investigations.
+- **Avoid panic-driven purchases**: Do not acquire tools you cannot deploy and operate during the incident.
+- **Escalate to platform owners and vendors**: Ensure access to deep expertise for operating systems, applications, and core infrastructure.
+- **Define information flows early**: Set expectations for updates to executives and stakeholders.
+
+## Technical recovery best practices
+
+Recovery should be deliberate, consolidated, and fast.
+
+Key goals include:
+
+- Limit scope so recovery can occur within 24 hours when possible
+- Avoid distractions not directly tied to recovery
+
+Recommended practices:
+
+- **Do not reset all passwords at once**: Prioritize known compromised accounts, especially administrator and service accounts. Use staged resets for users when necessary.
+- **Consolidate recovery actions**: A coordinated “Big Bang” remediation limits attacker adaptation.
+- **Use existing tools first**: Leverage tools already deployed and understood.
+- **Avoid tipping off the attacker**: Assume attackers may have access to production data and email.
+
+Microsoft’s Security Operations Center uses a nonproduction Microsoft 365 tenant for secure IR collaboration.
+
+## Operations recovery best practices
+
+Key goals include:
+
+- Clear plan ownership
+- Controlled scope
+- Continuous stakeholder communication
+
+Recommended practices:
+
+- **Designate a recovery lead**: Centralized decision-making prevents confusion.
+- **Understand limits**: Bring in external expertise when teams are overwhelmed or inexperienced.
+- **Capture lessons learned**: Update SecOps playbooks, procedures, and role-specific guidance.
+
+Executive and board communications are more effective when planned and rehearsed in advance.
+
+## Incident response process for SecOps
+
+### Decide and act
+
+When tools such as Microsoft Defender XDR or Microsoft Sentinel create an incident:
+
+- MTTA ends when an analyst takes ownership
+- MTTR begins when remediation starts
+
+Based on confidence and scope, analysts choose between:
+
+- Clean as you go – Focus on early-stage incidents.
+- Large scale remediation – Focus on entrenched adversaries with persistence.
+
+Partial remediation often alerts the attacker and escalates damage.
+
+Common remediation actions include:
+
+- Endpoints – Isolate and reimage
+- Servers and applications – Coordinate remediation with owners
+- User accounts – Disable, reset credentials, expire tokens, validate MFA
+- Service accounts – Coordinate with owners and IT operations
+- Email – Remove malicious messages and preserve originals
+- Other actions – Revoke app tokens, reconfigure services
+
+
+### Post-incident cleanup
+
+Effective incident response is incomplete without institutional learning.
+Post-incident activities include:
+
+- Recording Indicators of Compromise (IoCs)
+- Addressing unknown or unpatched vulnerabilities
+- Enabling or improving logging and telemetry
+- Updating security baselines
+- Improving response processes and playbooks
+
+These improvements reduce manual effort and shorten response times in future incidents.
+
+## Next steps
+
+[Review](security-operations-playbook-phishing.md) a sample phishing playbook.
\ No newline at end of file
diff --git a/security-docs/zero-trust/security-adoption-discipline-security-operations-roles.md b/security-docs/zero-trust/security-adoption-discipline-security-operations-roles.md
new file mode 100644
index 000000000..5a4770eb1
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-discipline-security-operations-roles.md
@@ -0,0 +1,125 @@
+---
+title: Understand SecOps roles in the Microsoft security adoption model.
+description: Understand Secops roles and responsibilities.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want to understand the roles and teams involved in SecOps.
+---
+
+# Understand SecOps roles
+
+As you develop a [Security Operations (SecOps)](security-adoption-discipline-security-operations.md) discipline, this article explains the roles, responsibilities, and internal partnerships required to operate an effective, modern SecOps model aligned to Zero Trust principles.
+
+SecOps is a specialized discipline focused on detecting, investigating, and responding to active threats in near real-time. It operates in continuous conflict with adversaries who actively adapt their techniques.
+
+This guidance is intended for anyone planning or participating in SecOps modernization, including security leaders, SecOps practitioners, architects, engineers, and partner teams.
+
+## Why roles and operating models matter
+
+SecOps outcomes depend as much on people and collaboration as on technology. Even the most advanced detection and response tooling is ineffective without:
+
+- Clear ownership during incidents
+- Structured escalation paths
+- Strong partnerships with teams that design, run, and understand the environment.
+
+While SecOps is a dedicated security function, it relies heavily on the expertise of engineering, operations, and business teams that manage systems and processes across the organization.
+
+A clear operating model ensures:
+
+- Incidents are handled by the right roles at the right time.
+- Escalations are predictable and efficient.
+- Learnings from incidents translate into improved security posture,
+
+## SecOps roles and operating model
+
+These SecOps role definitions are based directly on The Open Group [Security Roles and Glossary Standard](https://publications.opengroup.org/s252), providing a common vocabulary and structure that scales from small teams to large, distributed security operations centers (SOCs).
+
+In smaller organizations, these responsibilities might be combined into a few roles. In larger organizations, they're typically separated into specialized teams. Regardless of size, the functions and outcomes remain consistent.
+
+SecOps roles and responsibilities are illustrated in this diagram:
+
+:::image type="content" source="./media/security-adoption-discipline-operations-roles.png" alt-text="Diagram showing SecOps roles and responsibilities from The Open Group Security Roles and Glossary standard." lightbox="./media/security-adoption-discipline-operations-roles.png":::
+
+In larger SecOps teams, specialized roles might be broken into dedicated teams. This diagram illustrates how these roles work together:
+
+:::image type="content" source="./media/security-adoption-discipline-operations-roles-model.png" alt-text="Diagram showing SecOps roles organized into an operating model." lightbox="./media/security-adoption-discipline-operations-roles-model.png":::
+
+## Core SecOps roles
+
+- **Security Operations (SecOps) Manager**: Provides leadership and oversight for the SecOps function. Supports SecOps teams, aligns work to business priorities, and continuously improves effectiveness.
+- **Triage (Tier 1) Analyst**: Acts as the first responder for alerts and incidents. This role rapidly handles well‑understood attack patterns and escalates complex cases for deeper investigation.
+- **Investigation (Tier 2) Analyst**: Leads response for complex or high‑impact incidents. This role investigates multi‑stage attacks, coordinates containment actions, and refines detection logic based on real incidents.
+- **Threat Hunter (Tier 3)**: Proactively searches for attackers who evaded detections. Threat hunters reduce attacker dwell time and contribute deep expertise during major incidents.
+- **Detection Engineer**: Designs, tests, and improves detections to reduce areas without full visibility. This role limits an attacker’s ability to operate undetected and improves detection and investigation procedures for analysts.
+- **SecOps Platform and Data Engineer**: Ensures that SecOps tooling and data pipelines are reliable, scalable, and continuously evolving. This role underpins the effectiveness of all other SecOps functions.
+- **Threat Intelligence Analyst**: Collects and analyzes threat information from internal and external sources and converts it into actionable insights for SecOps, security leadership, and partner teams.
+- **Incident Coordination and Management**: Coordinates technical and business response during major incidents. This role manages communications, decision‑making, and cross‑functional execution during crises.
+- **Attack Simulation**: Tests organizational readiness through realistic simulations. Surfaces gaps across people, process, and technology. These simulations can take many forms and formats, including:
+ - *Penetration testing* – simulation of a single operation to attempt compromise of an asset or the organization (often provided by an external organization).
+ - *Red teaming* - simulation of persistent threat actor conducting multiple long-term operations.
+ - *Purple teaming* – joint simulated attack operations where defenders (blue) and simulated attackers (red) work closely together to accelerate learning for both roles.
+ - *Discussion-based simulation (tabletop exercise)* – structured simulation exercise for multiple roles to talk through a realistic attack scenario (sometimes supplemented by technical simulations).
+- **Reverse Engineering/Digital Forensics (specialized roles)**: Highly specialized roles that analyze malware, artifacts, and evidence. Digital forensics specialists support legal and regulatory requirements by handling evidence with approved procedures and maintaining chain of custody.
+
+## How SecOps roles work together
+
+These roles operate as a layered model, where:
+
+- Triage handles volume and speed
+- Investigation and hunting handle complexity and depth
+- Engineers improve the system continuously
+- Leadership and coordination ensure alignment and resilience
+
+This structure ensures scale without sacrificing quality.
+
+## SecOps key internal partners
+
+SecOps can't operate effectively in isolation. Successful security operations depend on deep integration with teams that design, build, and operate the environment.
+
+SecOps data and insights—especially threat intelligence—are most valuable when they inform prioritization decisions across the organization.
+
+### Technical engineering/operations
+
+These teams assist with investigation, containment, and recovery during incidents, and use SecOps insights to prioritize preventive controls.
+Common partners include:
+
+- Identity
+- Network
+- Endpoints
+- Infrastructure and platforms (cloud, on‑premises, CI/CD)
+- Data and AI
+- Operational Technology (OT)
+
+### Architecture roles
+
+Architects design the systems SecOps monitors and defends, and incorporate lessons learned from incidents into future designs.
+
+Key roles include:
+
+ - Enterprise Architects
+ - Security Architects
+ - Infrastructure Architects
+ - Data and AI Architects
+ - Access Architects (identity, networks etc.)
+ - Solution Architects
+ - Software and Application Architects
+
+### Application and product development roles
+
+These teams design and maintain the applications SecOps must detect and protect.
+
+They support SecOps by:
+
+- Assisting with investigation and remediation during incidents
+- Ensuring applications generate appropriate telemetry
+- Using SecOps intelligence to prioritize security improvements
+
+## Next steps
+
+Learn more about [security roles in the Open Group standard](https://publications.opengroup.org/standards/security/s252).
+
diff --git a/security-docs/zero-trust/security-adoption-discipline-security-operations.md b/security-docs/zero-trust/security-adoption-discipline-security-operations.md
new file mode 100644
index 000000000..88ebafbe4
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-discipline-security-operations.md
@@ -0,0 +1,189 @@
+---
+title: Use the Microsoft security adoption model to modernize SecOps
+description: Use the Microsoft security adoption model to modernize security operations, based on Zero Trust principles.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want to understand how I can use the Microsoft security adoption model to modernize security operations
+---
+
+# Establish a SecOps discipline
+
+This article helps security and technology teams establish and modernize a Security Operations (SecOps) discipline that helps organizations detect, investigate, and respond to active threats that bypass preventive controls.
+
+[Security disciplines](security-adoption-discipline-overview.md) are groupings of related security work that help organizations consistently deliver security outcomes across the entire technology estate. Within the security adoption model, disciplines help provide a bridge between [business scenarios](security-adoption-business-scenarios-overview.md) and [technical implementation](implement-overview.md), ensuring that security investments translate into real measurable outcomes as part of the [security adoption model](security-adoption-model.md).
+
+## What's SecOps?
+
+SecOps maintain and restore the security assurances of the system as live adversaries attack it. The NIST Cybersecurity Framework describes the SecOps functions of Detect, Respond, and Recover well.
+
+- **Detect** - SecOps must detect the presence of adversaries in the system, who are incentivized to stay hidden in most cases, allowing them to achieve their objectives unimpeded. This can take the form of reacting to an alert of suspicious activity or proactively hunting for anomalous events in the enterprise activity logs.
+- **Respond** - Upon detection of potential adversary action or campaign, SecOps must rapidly investigate to identify whether it's an actual attack (true positive) or a false alarm (false positive) and then enumerate the scope and goal of the adversary operation.
+- **Recover** - The ultimate goal of SecOps is to preserve or restore the security assurances (confidentiality, integrity, availability) of business services during and after an attack.
+
+### Risk mitigation
+
+The most significant security risk most organizations face is from human attack operators.
+
+With notable exceptions, risk from automated/repeated attacks have been mitigated significantly for most organizations by signature and machine learning based approaches built into anti-malware.
+
+While human attack operators are challenging to face because of their adaptability, they're operating at the same "human speed" as defenders, which help level the playing field.
+
+SecOps has a critical role to play in limiting the time and access an attacker can get to valuable systems and data. Each minute that an attacker has in the environment allows them to continue to conduct attack operations and access sensitive or valuable systems.
+
+
+## Why this discipline?
+
+Not all attacks can be prevented. Even with strong security architecture and posture management that blocks most attacks, threat actors sometimes gain initial access to environments.
+
+SecOps focuses on managing those active attacks and security incidents, limiting the damage attackers can cause after compromise. Effective SecOps reduces risk by:
+
+- Detecting malicious activity quickly.
+- Shortening attacker dwell time.
+- Containing lateral movement and impact.
+- Supporting recovery and organizational resilience.
+
+Within the security adoption model, SecOps represents the post‑compromise, reactive side of security, complementing security posture management, which focuses on proactive risk reduction and attack prevention.
+
+:::image type="content" source="./media/security-adoption-discipline-operations.png" alt-text="Diagram of Security Operations and Security Posture Management showing their complementary roles in risk reduction." lightbox="./media/security-adoption-discipline-operations.png":::
+
+Without an effective SecOps discipline, attackers who gain access can operate undetected, escalate privileges, move laterally, and inflict maximum business damage.
+
+## Mission and outcomes
+
+The mission of the SecOps discipline is to limit the business impact of cyberattacks by rapidly detecting, investigating, and responding to threats across the modern technology estate.
+
+Regardless of team size or operating model, mature SecOps delivers these outcomes:
+
+- **Rapid threat response** – Timely detection and containment of threats across identities, endpoints, infrastructure, applications, and data
+- **Shared threat intelligence** – Centralized signals and insights that inform analysts, automation, and downstream security controls
+- **Proactive threat discovery** – Threat hunting and attack simulation to uncover emerging techniques and attacker behavior
+
+SecOps teams may range from a single individual to large globally distributed 24/7 operations, and functions may be partially or fully outsourced. Regardless of structure and size, the outcomes remain the same.
+
+### Adopt Zero Trust in SecOps
+
+Security Operation (SecOps) is foundational to a Zero Trust strategy. Zero Trust assumes compromise and focuses on minimizing impact when controls fail. SecOps turns that assumption into action by continuously detecting, investigating, and responding to threats across the environment.
+
+In a Zero Trust model, prevention alone is insufficient. Organizations must expect attackers to bypass controls and rely on SecOps to identify malicious activity early, contain attacks quickly, and generate insights that improve security posture over time.
+
+Within our security adoption model, SecOps guidance focuses on the operational capabilities required to support Zero Trust across the organization, including monitoring, detection, investigation, response, automation, and continuous learning.
+
+- **Centralize detection and visibility**: Integrate logs and telemetry from across the environment—including identities, endpoints, applications, and infrastructure—into a centralized detection and investigation capability. This ensures SecOps has consistent, cross‑domain visibility to detect compromise early and understand attacker behavior.
+- **Automate response and containment**: Use orchestration and automation to execute repeatable response actions, such as isolating compromised devices or disabling risky accounts. Automation reduces response time, lowers analyst cognitive load, and ensures consistent execution under pressure.
+- **Proactively hunt for threats**: Treat threat hunting as a core SecOps capability. Use hypothesis‑driven hunting and advanced analytics to find attacker activity that evades automated detections, reducing dwell time and uncovering gaps in controls.
+- **Manage alerts and incidents effectively**: Tune detections to reduce noise and ensure analysts focus on meaningful alerts. Standardize investigation and response workflows using playbooks so incidents are handled consistently and efficiently.
+- **Continuously reduce exposure based on risk**: Use attack‑path analysis and exposure insights to identify conditions that could enable compromise. Prioritize remediation based on business impact and likelihood, so effort is focused where it matters most.
+- **Continuously evolve SecOps processes**: Regularly review detections, playbooks, and response outcomes based on real incidents and threat intelligence. Feed these learnings back into SecOps strategy to ensure capabilities adapt as attackers, technologies, and business priorities change.
+
+
+By aligning SecOps to Zero Trust principles, organizations move from reactive incident handling to a resilient operating model where every incident strengthens detection, response, and prevention across the enterprise.
+
+
+## How to apply this discipline
+
+To apply the SecOps discipline effectively, focus on establishing a coordinated approach to detecting, responding to, and recovering from threats across the organization:
+
+1. **Define a threat detection and response strategy aligned to business risk**
+ Establish a clear approach for identifying, prioritizing, and responding to threats based on their potential business impact.
+1. **Ensure consistent detection and response across the environment**
+ Apply a unified approach to monitoring, investigation, and response across identities, devices, applications, and infrastructure.
+1. **Standardize processes for detection, response, and recovery**
+ Provide clear guidance to ensure incidents are handled consistently, reducing response time and limiting impact.
+1. **Align SecOps with business priorities and critical scenarios**
+ Prioritize detection and response efforts to focus on protecting critical assets and minimizing the impact of security incidents.
+1. **Continuously improve through insights and feedback**
+ Use learnings from incidents, threat intelligence, and operational metrics to strengthen detection capabilities and improve response over time.
+
+
+## Manage change
+
+SecOps modernization is a continuous improvement journey, not a one-time tooling deployment. The goal is to steadily improve the organization’s ability to reduce attacker impact when compromises occur.
+
+:::image type="content" source="./media/security-adoption-discipline-operations-mission.png" alt-text="Screenshot of security operations mission summary with key actions and Zero Trust alignment highlighted." lightbox="./media/security-adoption-discipline-operations-mission.png":::
+
+A modern SecOps approach aligned with Zero Trust principles emphasizes:
+
+- **Mission alignment** - Prioritizing what matters most to the business when alerts and threats exceed your capacity to respond with humans and automation, including AI.
+- **Continuous learning** - Adapting detections, skills, and processes as threat actors, platforms, and business priorities change.
+- **Collaboration and sharing** - Treating SecOps as a team effort across security, IT operations, engineering, legal, communications, and leadership.
+
+Threat actors tend to reuse techniques that are cheap, effective, and reliable until they fail, so it's critical to capture and share threat intelligence as insights on past attacks. SecOps threat intelligence should directly inform security control design, prioritization, and posture improvement, alongside business and compliance requirements.
+
+
+## Discipline roles and collaborators
+
+The SecOps discipline is typically led by a dedicated SecOps team. In smaller organizations, SecOps responsibilities might be part-time or shared across roles but still require clear ownership.
+
+Primary roles in this discipline typically include:
+
+- SecOps / SOC manager
+- Tier 1 triage analysts
+- Tier 2 investigation analysts
+- Threat hunters (Tier 3)
+- Detection engineers
+- SecOps platform and data engineers
+- Digital forensics and incident response specialists
+- Threat intelligence analysts
+- Incident coordination and management roles
+- Attack simulation specialists (red team, purple team, penetration testing)
+
+Key collaborators include:
+
+- **Technical engineering and operations teams** – Enable logging and support investigation, containment, and recovery of systems they design and run.
+- **Architecture roles** – Continuously improve the design of systems and controls based on incident learnings from SecOps threat intelligence.
+- **Application and product teams** – Update software and services in response to incident insights.
+- **Security Strategy, Integration, and Governance discipline** – Set priorities, metrics, and accountability for SecOps investments. Provide support and coordination during major incidents.
+
+
+Effective SecOps depends on tight feedback loops between incident response and system design.
+
+
+## Alignment with other disciplines
+
+SecOps operates as part of a broader security operating model and is tightly integrated with other disciplines:
+
+- **Security Posture Management discipline**: Focuses on preventing incidents; SecOps manages the incidents that still occur.
+- **Access and Identities discipline**: Identity telemetry is a primary detection and investigation signal.
+- **Data Security discipline**: SecOps investigates data theft, extortion, insider risk, and privacy incidents.
+- **Security Architecture discipline**: Ensures detection and response mechanisms align with intended system design.
+- **Strategy, Integration, and Governance discipline**: Defines SecOps priorities, metrics, and success criteria.
+
+
+## Alignment with technology pillars
+
+The SecOps discipline operates across all technology pillars and must detect and contain attacks wherever they occur.
+
+- **Identities**: This is a top priority for SecOps because identities are primary attack entry points. Almost all multi-stage attacks rely on identity attacks (pass-the-hash/ticket/etc.) to laterally traverse and gain access to more organizational assets, often using privileged accounts associated with IT administrators or administrative service accounts.
+- **Endpoints**: Endpoints are common footholds, a base of operations, and local attack tool storage for attackers. It's critical to quickly locate compromised endpoints to contain damage and gain insights into attackers objectives and capabilities.
+- **Infrastructure**: Effective detection and response are important because threat actors frequently target high-value cloud and on-premises infrastructure assets that enable broad compromise when breached.
+- **Apps**: Rapidly detection and response to attacks on email, collaboration, line of business, and other apps is critical because attackers often use them to enter and laterally traverse an organization to access business assets.
+- **Data**: Attackers often target data for intellectual property theft, encryption to gain leverage for extortion or ransomware, planning future attacks, and other purposes. Additionally, SecOps may be involved in or collaborate on data related investigations related to privacy, insider risk, and others.
+- **Network**: Just like legitimate communications, threat actor communications and attack operations travel over network connections. SecOps focuses on network sensor and data is still valuable for context and containment, even as encryption reduces visibility.
+- **AI**: As AI emerges as an attack surface, new tools and skills are needed for effective detection and investigation. AI attack volume is increasing as threat actors adopt AI technology. SecOps can also take advantage of AI to automate analysis and other processes.
+
+
+## Next steps
+
+Microsoft Unified offers expert-led workshops to help organizations accelerate modernization of Security Posture Management strategy, architecture, and technology. These workshops include:
+
+- **Architecture and strategy workshops** - The Security Adoption Framework (SAF) -Architecture Design Session: Modern Security Operations workshop focuses on accelerating SecOps modernization. This workshop is available as follows:
+
+ - **Topic Summary** - A less than four-hour discussion focused on key learnings and best practices.
+ - **Full Security Architecture Design Session (Security ADS)** - A two-day workshop that provides additional details, a Microsoft case study, maturity model discussions, and reference modernization plans.
+
+- **Technology adoption workshops** - Microsoft Unified has workshops to help organizations learn about, plan, implement, and optimize SecOps.
+
+
+:::image type="content" source="./media/security-adoption-discipline-technical-workshop.png" alt-text="Diagram of Microsoft Unified SecOps workshops showing phases for learning, planning, and implementing security technologies." lightbox="./media/security-adoption-discipline-technical-workshop.png":::
+
+Contact your customer success account manager for more information on Microsoft-led workshops.
+
+
+
+
+
diff --git a/security-docs/zero-trust/security-adoption-discipline-strategy-engage.md b/security-docs/zero-trust/security-adoption-discipline-strategy-engage.md
new file mode 100644
index 000000000..aa8c57031
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-discipline-strategy-engage.md
@@ -0,0 +1,141 @@
+---
+title: Engage business leaders on security strategy
+
+description: Use the Microsoft security adoption model to engage business leaders in security strategy, integration, and governance.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want to understand how I can use the Microsoft security adoption model to engage business leaders in security strategy, integration, and governance.
+---
+
+# Engage business leaders on security
+
+This article describes key executive communication techniques for engaging business leaders as you establish and execute on a Security Strategy, Integration, and Governance discipline.
+
+[Security disciplines](security-adoption-discipline-overview.md) are groupings of related security work that help organizations consistently deliver security outcomes across the entire technology estate. Within the security adoption model, disciplines help provide a bridge between [business scenarios](security-adoption-business-scenarios-overview.md) and [technical implementation](implement-overview.md), ensuring that security investments translate into real measurable outcomes as part of the [security adoption model](security-adoption-model.md).
+
+The Security Strategy, Integration, and Governance discipline establishes:
+
+- **A cross‑organizational strategy** for security outcomes and priorities
+- **An integration model** that embeds security into business and technology operations
+- **A governance model** that sustains and continuously improves the security program
+
+As part of establishing this discipline, security leaders must be able to engage business stakeholders effectively. This article provides guidance and actionable insights to help security leaders communicate with business leaders, align priorities, and drive sustained security transformation.
+
+This video from the [CISO Workshop](workshop-business-security-leaders-video.md#engaging-business-leaders-on-security) illustrates the use of communication techniques in action:
+
+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=2e4ab785-460f-4a81-83e7-efabfa6ccd04]
+
+
+
+## Why communicate with business leaders?
+
+Effective security transformation depends on strong alignment between business objectives and security practices. Security leaders must be able to explain security priorities, risks, and tradeoffs in business terms—and help leaders understand their role in protecting the organization’s most critical assets.
+
+Engaging business leaders on security enables organizations to:
+
+- Align security strategy with business objectives and risk tolerance.
+- Build shared understanding of security risks and outcomes.
+- Address communication gaps between security and business teams.
+- Secure executive sponsorship and sustained leadership support.
+- Drive coordinated, organization‑wide security change.
+
+Without this alignment, security initiatives often stall, compete with business priorities, or focus on technical controls that fail to reduce business risk at any meaningful level.
+
+
+## Recognize the changing security context
+
+Security leaders must:
+
+- Recognize that the business context of technology and security is changing rapidly, shaping risk and prioritization.
+- Help business leadership understand the security implications of these changes and help their business colleagues navigate these challenges.
+
+
+Digital transformation and AI fundamentally changed how organizations operate. These shifts introduce continuous change in business models, processes, and assets. As a result:
+
+- The assets that security teams must protection are constantly evolving.
+- Traditional perimeter‑based or compliance‑driven security models no longer meet requirements for cloud adoption, agility, user experience, and AI usage.
+- Threats evolve faster and exploit new dependencies across technology pillars such as identity, data, applications, and infrastructure.
+
+To support modern business operations, organizations must adopt a Zero Trust–based security approach that assumes breach, verifies explicitly, and applies least privilege across all assets.
+
+Transitioning to this model represents a significant organizational change, not just a technical one. Success depends on leadership understanding, buy‑in, and coordinated change management across business, technology, and security teams.
+
+## Manage security expectations
+
+Business leaders aren't always clear on how security works, or what security risk really means. One of the most important responsibilities of security leaders is to set clear, shared expectations about what security can, and can't do.
+
+Business leaders and boards should understand the following core tenets.
+
+**Tenet** | **Details**
+--- | ---
+**Security is everyone's responsibility** | Everyday actions create security risk across the business.
**Individuals** introduce risk through behaviors such as clicking malicious links, mishandling sensitive data, or sharing credentials.
**Business leaders** can unintentionally amplify risk through decisions, such as approving releases without security review or constraining budgets required for basic system maintenance.
**Board members and senior leaders** often have a formal fiduciary duty to management organizational risk, including material damage from security incidents.
+**Most security work isn't done by the security team** | Technology, engineering, and operations teams implement most security controls in practice.
The security team acts as a bodyguard, helping others protect themselves, anticipating risks others may not see, and focusing on high‑impact threats.
In addition, security teams can't protect what they don't understand, making integration with business and technology operations essential.
+**Security is a continuous journey** | Perfect security isn't achievable. Organizations are complex systems that have accumulated technical debt over years that now represents security risk.
Threat actors are persistent, well‑funded, and highly motivated. True resilience requires sustained investment in system quality, modernization, and maintenance.
+
+Establishing strong feedback loops between security, business, and technology teams help leaders prioritize security investments based on real threat activity and real business impact.
+
+## Get the right level of business support
+
+Security transformation requires visible and sustained leadership support. Effective security depends on shared accountability across executives, business units, and technology teams. Security can't be effective if only the security organization is accountable.
+
+A Zero Trust–based approach protects business assets wherever they are and wherever they go. This requires leadership commitment to:
+
+- Identify the organization’s most critical business assets and processes.
+- Protect those assets without sacrificing agility or innovation.
+- Hold decision‑makers accountable for security outcomes in the same way they're accountable for legal, financial, and safety outcomes.
+
+## Communicate in the right language
+
+Security leaders must communicate clearly, simply, and in language their audience understands. Cybersecurity concepts are unfamiliar to many business leaders, and learning accelerates when new ideas connect to existing knowledge.
+
+
+Here are some tips for communicating security to business leaders:
+
+- **Keep it simple**: Distill complexity without denying it exists
+- **Avoid jargon**: Use concepts from risk management, safety, or physical security. If new terms are necessary, explain them plainly.
+- **Use relatable analogies**: Draw on everyday experiences, prior roles, or industry contexts
+- **Personalize where appropriate**: Connect security articles to the audience’s responsibilities, goals, or concerns
+
+## Align with executive perspectives
+
+Different executives engage with security through different lenses. Framing security discussions in ways that align with their specific responsibilities increases understanding and support.
+
+**Role** |**Primary responsibility** | **Zero Trust expectation**
+--- | --- | --- |
+**Chief Executive Officer (CEO)** | Overall organizational performance | An integrated, organization‑wide approach to managing risk and resilience.
+**Chief Marketing Officer (CMO)** | Brand and customer trust | Faster detection, containment, and recovery that limits reputational damage.
+**Chief Information Officer (CIO)** | IT strategy and operations | Security as a platform aligned to business outcomes, not siloed controls.
+**Chief Technology Officer (CTO)** | Technology architecture | Security built into every architecture and design decision. |
+**Chief Operations Officer (COO)** | Operational execution | Clear security governance translated into consistent operational practices.
+**Chief Financial Officer (CFO)** | Financial governance and investment | Defensible security spending with measurable risk reduction.
+
+## Drive alignment with business scenarios
+
+[Business scenarios](security-adoption-business-scenarios-overview.md) provide a common language for aligning strategy, investment, and execution across the organization.
+
+Clear, practical scenarios help bridge the gap between business priorities and security solutions.
+
+By grounding conversations in real outcomes, such as protecting revenue‑generating systems, sustaining operations, or safeguarding sensitive data, leaders can make informed decisions that support both business success and security resilience.
+
+## Next steps
+
+We recommend taking the CISO workshop.
+
+The CISO Workshop helps accelerate modernization of security strategy, integration, and governance. The workshop is available as an expert-led engagement from Microsoft Unified. Workshops available include:
+
+- **CISO Briefing** - A less than four-hour discussion focused on key learnings and best practices.
+- **Full CISO Workshop** - A two-day workshop that provides more details, a Microsoft case study, maturity model discussions, and reference modernization plans.
+
+Contact your customer success account manager for more information.
+
+The CISO workshop is also available for self-service as a series of videos. [Learn more](workshop-business-security-leaders.md):
+
+- The CISO workshop slides for [Engaging security leaders](workshop-business-security-leaders-video.md#engaging-business-leaders-on-security )include a sample narrative and slides that you can use to get started.
+- You can download and customize this [PowerPoint Presentation](https://arch-center.azureedge.net/Microsoft-CISO-Workshop-Security-Strategy-and-Program.pdf) from the CISO Workshop to get started with productively engaging business leaders on security.
+
+
diff --git a/security-docs/zero-trust/security-adoption-discipline-strategy.md b/security-docs/zero-trust/security-adoption-discipline-strategy.md
new file mode 100644
index 000000000..471de4e81
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-discipline-strategy.md
@@ -0,0 +1,167 @@
+---
+title: Establish a Security Strategy, Integration, and Governance discipline
+description: Use the Microsoft security adoption model to modernize security strategy, integration, and governance across the enterprise, based on Zero Trust principles.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want to understand how to use the Microsoft security adoption model to establish a security strategy, integration, and governance across the business.
+---
+
+# Establish Security Strategy, Integration, and Governance
+
+This article describes how to establish or modernize a Security Strategy, Integration, and Governance discipline. This discipline provides direction, coordination, and sustained oversight across a security modernization program, enabling organizations to move beyond fragmented controls toward a cohesive, outcome‑driven security posture.
+
+[Security disciplines](security-adoption-discipline-overview.md) are groupings of related security work that help organizations consistently deliver security outcomes across the entire technology estate. Within the security adoption model, disciplines help provide a bridge between [business scenarios](security-adoption-business-scenarios-overview.md) and [technical implementation](implement-overview.md), ensuring that security investments translate into real measurable outcomes as part of the [security adoption model](security-adoption-model.md).
+
+
+
+
+## Why this discipline?
+
+Many organizations approach security governance through traditional governance, risk, and compliance (GRC) models that prioritize audits and external compliance. While necessary, these classic GRC approaches often fail to manage risks of real-world incidents that cause that operational disruption, data loss, recovery costs, and reputational damage.
+
+The Security Strategy, Integration, and Governance discipline modernizes this model by making security an integral part of organizational decision‑making and operations, rather than a standalone or reactive function.
+
+The discipline brings together three essential elements:
+
+- **Strategy**: Defines security outcomes, priorities, trade-off, and success measures aligned to business objectives, risk tolerance, and regulatory obligations.
+- **Integration**: Embeds security into business strategy, operating models, technology environments, governance processes, and the broader business ecosystem.
+- **Governance**: Sustains and continuously improves the security program through clear decision rights, accountability, measurement, and oversight.
+
+Without effective strategy, integration and governance in place, security programs often lack clear direction and coordination. This gap leads to poor prioritization, inconsistent execution, wasted and duplicate work, increased incident frequency and impact, and elevated organizational risk.
+
+To be effective, this discipline ensures that Zero Trust principles are applied consistently across all security disciplines and across the full security lifecycle. Rather than enabling isolated technical solutions, SIG aligns decisions, controls, and operations to a shared security model.
+
+The following diagram illustrates how the Security Strategy, Integration, and Governance discipline enables security resilience by consistently applying Zero Trust principles across security disciplines and across the full security lifecycle.
+
+:::image type="content" source="./media/security-strategy-governance.png" alt-text="Security Strategy, Integration, and Governance " lightbox="./media/security-strategy-governance.png":::
+
+
+## Mission and outcomes
+
+The Security Strategy, Integration, and Governance discipline provides direction, integration, and oversight across the full lifecycle of the security program. It enables organizations to:
+
+- **Set clear security vision and direction**: Define security outcomes, priorities, and trade‑offs aligned to business objectives, risk tolerance, and regulatory obligations. Establish a shared understanding of what *good* security looks like for the organization, and how success is measured. Update that understanding as needed.
+- **Integrate security into the organization**: Embed security into business planning, technology strategy, architecture, development, operations, and partner ecosystems so it is not treated as an afterthought or standalone function.
+- **Govern security decisions and investments**: Establish decision rights, accountability, policies, standards, and success measures that drive consistent prioritization and execution across security and technology teams.
+- **Enable better, faster business decisions**: Act as a central hub for security risk context, helping leaders balance opportunity, risk, and cost and say “yes, safely” to new initiatives.
+- **Improve prioritization and focus**: Translate business priorities into actionable security strategy, policies, and standards so teams focus on the most important risks rather than the most visible or urgent issues.
+- **Adapt to change**: Continuously update strategy, roadmaps, architectures, and governance to address evolving threats, new technologies (including AI), regulatory changes, and shifting business priorities.
+- **Reduce incident impact**: Improve consistency, coordination, and accountability across the security program, reducing the frequency and severity of incidents and improving recovery outcomes.
+
+
+
+## How to apply this discipline
+
+To apply the Strategy, Integration, and Governance discipline effectively, focus on establishing clear direction, accountability, and alignment across the organization:
+
+1. **Define security strategy aligned to business priorities and risk**
+ Establish clear objectives that reflect organizational goals, critical assets, and the most significant risks to the business
+1. **Establish governance and accountability across teams**
+ Define roles, responsibilities, and decision-making structures to ensure security efforts are coordinated and consistently executed
+1. **Set policies and standards that guide consistent execution**
+ Provide clear expectations that ensure security controls and practices are applied consistently across the organization.
+1. **Align security efforts across disciplines and initiatives**
+ Ensure that architecture, operations, and engineering efforts work toward shared outcomes rather than operating in isolation.
+1. **Measure progress and continuously improve**
+ Use metrics, risk insights, and operational feedback to track effectiveness, drive prioritization, and refine strategy over time.
+
+## Manage organizational change
+
+This discipline helps organizations shift from checkbox compliance toward business‑aligned risk management, while still meeting regulatory obligations.
+
+Modernizing in this way reduces wasted effort on low‑value controls, clarifies accountability, and ensures security decisions are made by the right stakeholders with the right context. Over time, this makes security easier to operate, more effective, and more sustainable.
+
+Organizations can also shed legacy burdens—such as maintaining ineffective controls or informally absorbing accountability for decisions made elsewhere—and replace them with a clearer, more resilient operating model.
+
+
+## Discipline roles and collaborators
+
+This discipline is primarily owned by security leadership responsible for setting direction, integrating security into the organization, and governing execution. In larger organizations, these responsibilities are distributed across formal roles and processes. In smaller organizations, roles may be combined and strategy developed more informally. Regardless of scale, documenting strategy as it evolves is strongly recommended.
+
+Primary roles commonly include:
+
+- Chief Information Security Officer (CISO)
+- Business Information Security Officers (BISO)
+- Security Directors
+- Security Architects
+
+These roles are supported by functions such as security strategy, integration and governance, education and engagement, insider risk management, security posture management, and security compliance management.
+
+Effective delivery depends on close collaboration across the organization:
+
+- **Business leaders** provide context on priorities and risk tolerance.
+- **Technical leaders** integrate security into technology strategies and operating models.
+- **Architecture roles** translate strategy into standards and guardrails and provide feasibility feedback.
+- **Engineering and IT teams** operationalize requirements through implementation and maintenance.
+- **Security operations (SecOps)** provide continuous feedback from incidents, threats, and attacker behavior to inform strategy and governance.
+
+
+## Discipline components
+
+The Security Strategy, Integration, and Governance discipline encompasses a broad set of capabilities that together ensure consistent, measurable security outcomes.
+
+**Capability** | **Details**
+--- | ---
+**Continuous prioritization** | Continually prioritize requirements for:
- **Business alignment**: Ensure that security is a business enabler. Drive the business changes needed for security.
- **Technology alignment**: Align security risk assessment and management with organizational technology.
- **Secure by design and by default**: Ensure that security is an integral aspect of all system and process design.
- **Ensure privacy by design/default**: Ensure that privacy is an integral aspect of all system and process design.
- **Compliant by design/default**: Ensure that compliance is an integral aspect of all system and process design.
+**Continuous planning** | Maintain intentional, regularly updated security roadmaps and success metrics.
+**Business/technology operating model integration** | Embed security into ideation, business requirements definitions, design, build, and operations rather than applying controls after deployment.
+**Enterprise risk integration** | Integrate security into how risk is identified, managed, and reported to leadership, regulators, and stakeholders.
+**Lifecycle and technical debt management** | Manage security risk from outdated, unsupported, and legacy technologies.
+**Strategic security simulations** | Strengthen tabletop and crisis‑management processes through regular simulations.
+**Core governance components** | Define organizational structure, decision rights, accountability, policies, standards, architectures, guardrails, and compliance management.
+**Security intelligence sharing** | Add business context to threat intelligence and share insights across security, business, and technology teams.
+**External risk management** | Manage supply chain, partner, open‑source, and merger and acquisition risks.
+**Education and engagement** | Ensure roles across the organization understand why security matters, what is required, and how to act.
+**Insider risk management** | Manage risks from authorized users who may intentionally or unintentionally cause harm.
+**Security operations oversight** | Provide oversight of posture management, operations, and architecture, and measure whether controls are effectively deployed and sustained.
+
+## Alignment with other disciplines
+
+The Security Strategy, Integration, and Governance discipline works across all of the other security disciplines. Its role is not to replace or duplicate their responsibilities, but to provide oversight that enables, integrates, prioritizes, and monitors consistent outcomes across the security program.
+
+
+**Discipline** | **Role**
+--- | ---
+**End-to-end security architecture** | Translates strategy and policy into a coordinated technical approach. It helps to ensure that strategy is actionable, prioritized, and clearly communicated to technology teams.
+**Technical strategy disciplines** | Ensures technical decisions align to business priorities, risk tolerance, and policy, with trade‑offs made intentionally rather than in isolation.
+**Operational disciplines** | Connects operational signals—incidents, detections, attacker behavior—back to leadership decisions, enabling continuous improvement of strategy and controls.
+
+
+## Alignment with technology pillars
+
+At the technology pillar level, the Security Strategy, Integration and Governance discipline ensures that:
+
+- Controls align with organizational strategy, policy, and standards.
+- Implementation remains consistent over time and doesn't drift.
+- Continuous improvement is driven across strategy, integration, and governance.
+
+It aligns with these technology pillars:
+
+- **Identities**: Defines identity risk priorities, access policies (including privileged access), lifecycle standards, and success measures aligned to Zero Trust.
+- **Endpoints/Infrastructure**: Sets lifecycle, maintenance, and retirement requirements to manage security risk across endpoints and infrastructure platforms.
+- **Apps**: Establishes consistent sourcing, development, deployment, and lifecycle standards across SaaS and custom applications.
+- **Data**: Defines data protection priorities, classification, access models, and governance aligned to business value and risk.
+- **Network**: Ensures network configurations and controls support identity‑centric strategies while managing legacy and modern network risks.
+- **AI**: Updates security strategy, skills, tooling, and governance to address risks introduced by AI usage and AI‑assisted threats.
+
+## Next steps
+
+We recommend taking the CISO workshop.
+
+The CISO Workshop helps accelerate modernization of security strategy, integration, and governance. The workshop is available as an expert-led engagement from Microsoft Unified.
+
+Workshops available include:
+
+- **CISO Briefing** - A less than four-hour discussion focused on key learnings and best practices.
+- **Full CISO Workshop** - A two-day workshop that provides additional details, a Microsoft case study, maturity model discussions, and reference modernization plans.
+
+Contact your customer success account manager for more information.
+
+The CISO workshop is also available for self-service as a series of videos. [Learn more](workshop-business-security-leaders.md)
+
+
diff --git a/security-docs/zero-trust/security-adoption-journey.md b/security-docs/zero-trust/security-adoption-journey.md
new file mode 100644
index 000000000..0d79ecfcc
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-journey.md
@@ -0,0 +1,82 @@
+---
+title: Microsoft security adoption overview
+description: Learn how to apply a standard model to Microsoft security adoption
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a security business leader, I want to understand how I can get started on an organizational security journey.
+---
+
+# Start a security adoption journey
+
+No two organizations are alike, and companies modernize security in different ways depending on their goals and priorities, maturity, culture, and leadership support.
+
+This article describes three common patterns for starting a Zero Trust security adoption journey.
+
+- **Top down** - Start with a high-level strategy. Resolve the strategy into detailed plans, and deliver on those plans.
+- **Build up** - Start with one or more top priority areas to focus on quick wins. Expand to more areas and build out an overall strategy.
+- **Scenario-driven** - Start with a specific business scenario and drive a coherent approach for that scenario across multiple disciplines.
+
+Use this guidance to choose a starting point, rather than a pattern. It's important that your starting point enables progress without disrupting critical business operations.
+
+> [!TIP]
+> Microsoft offers a rich set of security adoption workshops - the *Security Adoption Framework (SAF) workshops*. Our structured adoption model guidance aligns with the expert-led guidance from Microsoft Unified delivered in those workshops. Learn more about [SAF workshops](workshop-business-overview.md).
+
+
+## Select a pattern
+
+Before you start note that:
+
+- Adoption patterns aren't mutually exclusive. You can use one pattern, evolve to another, or blend them over time.
+- Most organizations move through more than one pattern over time, and many adopt a blended approach where they use multiple patterns simultaneously.
+- For example, a buildup or scenario‑driven approach often creates the momentum and insight needed to move toward a more comprehensive, strategy‑led adoption.
+
+Whatever pattern you choose, we recommend that you:
+
+- **Decide how you want to modernize**. Most organizations focus on updating existing processes and technologies. A few build a new security program from scratch.
+- **Align the approach**. Align with your organizational priorities, constraints, risk tolerance, and the ability to absorb change.
+- **Continuously adjust**. Continuously gather data to measure what is working, what isn't, and where adjustment is needed.
+- **Support business as usual**. Ensure that you can perform while you transform. Business operations and threat actors don't pause during security modernization. Teams must do their day jobs while they're transforming their approach.
+
+## Top-down
+
+Top-down is a strategy-led approach that starts with and end-to-end vision, and drives coordinated delivery across the organization. To use this pattern:
+
+1. Start at the beginning of the adoption path, and establish a clear strategy aligned to business priorities.
+1. Translate that strategy into architecture, roadmaps, and prioritized technical initiatives.
+1. Deliver consistently across security disciplines and technology pillars.
+
+This approach works well for organizations where CISOs and security leaders have strong executive sponsorship and understand the importance of driving a coordinated change and active collaboration across business, IT, and security teams.
+
+## Build-up
+
+Buildup is an incremental approach that starts with targeted improvements and expands over time. To use this pattern:
+
+1. Start with a high-impact quick win that addresses and urgent risk or operational gap. For example focuses on a specific discipline or pillar to begin.
+1. Demonstrate measurable value of the quick win to build credibility and support.
+1. Expand laterally within the same discipline for another win, or transition to a broader, strategy-led top-down approach.
+
+
+This pattern works well for organizations that currently lack full executive sponsorship for security modernization. Technical and security leaders can use visible wins to reduce risk and build credibility for broader adoption.
+
+## Scenario-driven
+
+Scenario-driven adoption focuses on securing a specific business initiative and uses it to drive cross‑discipline alignment. To use this pattern:
+
+1. Identify a high-priority business scenario.
+1. Secure the scenario across multiple security disciplines.
+1. Use the scenario to exposure dependencies, gaps, and future modernization needs.
+
+This pattern is suitable when there's executive support and funding for a particular security initiative, but not for full security transformation. It helps organizations to connected disconnected programs and siloed efforts, improve collaboration, and defer lower-priority modernization until later.
+
+## Next steps
+
+What you do next depends on the model you're using.
+
+- **Top down**: If you're approaching adoption top down, start by reading about our [structured security adoption path](security-adoption-model.md), and then take a look at the [prioritized business scenarios](security-adoption-business-scenarios-overview.md)
+- **Build up**: If you're looking for a quick win, [pick a business scenario](security-adoption-business-scenarios-overview.md), and then dig into the primary discipline.
+- **Scenario-driven**: To modernize around specific areas, [pick a business scenario](security-adoption-business-scenarios-overview.md), design the scenario across the required disciplines, and then start implementing it.
diff --git a/security-docs/zero-trust/security-adoption-model.md b/security-docs/zero-trust/security-adoption-model.md
new file mode 100644
index 000000000..4af866a61
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-model.md
@@ -0,0 +1,95 @@
+---
+title: Microsoft security adoption model
+description: Learn about the adoption model for Microsoft security.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a Microsoft security platform adopter, I want to understand how an adoption model can help me to modernize, adopt, and implement security across my business
+---
+
+# Follow a security adoption model
+
+
+**Adopting Zero Trust security across your organization** is a complex, multi-year effort spanning business strategy and planning, technical design and architecture, deployment, and operations.
+
+Without a structured approach to adoption, security modernization programs can become fragmented, reactive, and difficult to sustain.
+
+Our *structured security adoption model provides standardized, repeatable, role-aware processes that help you to you plan, prioritize, and implement end-to-end security modernization across hybrid, multicloud, and multi-platform environments.
+
+The adoption model aligns critical business outcomes, security disciplines, and solution implementations so that business leaders, security managers, architects, and practitioners can move forward together at a controlled and sustainable pace across the organization.
+
+
+> [!TIP]
+> Microsoft offers a rich set of security adoption workshops - the *Security Adoption Framework (SAF) workshops*. Our structured adoption model guidance aligns with the expert-led guidance from Microsoft Unified delivered in those workshops. Learn more about [SAF workshops](workshop-business-overview.md).
+
+## Why use an adoption model?
+
+A structured adoption model helps you to:
+
+- **Align with security best practices** - Align with [Zero Trust principles](zero-trust-overview.md), [Microsoft Secure Future Initiative (SFI) patterns](sfi/secure-future-initiative-overview.md), [open standards and guidance](security-zero-trust-frameworks.md), and [other security best practices](security-best-practices-overview.md).
+- **Maximize existing investments** - Get value from your existing tools, before introducing new capabilities.
+- **Deliver an end-to-end security strategy** - Connect business priorities to security architecture, controls, processes, and operations.
+- **Adapt continuously** - Evolve security posture and strategy as threats, business needs, and technologies change.
+- **Prioritize action** - Provide practical role-specific guidance for teams and stakeholders, grounded in best practices, lessons learned, and real-world examples.
+
+This diagram illustrates how these elements come together in an adoption model.
+
+:::image type="content" source="media/adoption-guidance-context.png" alt-text="Diagram showing how the adoption model includes learnings and guidance from Microsoft and external sources." lightbox="media/adoption-guidance-context.png":::
+
+## How the adoption model integrates existing guidance
+
+This adoption model brings together Microsoft security guidance that historically published across multiple frameworks and resources, aligning it into a single, actionable structure.
+
+It integrates and builds on established guidance, and including these content sources:
+
+- [Microsoft Cybersecurity Reference Architecture (MCRA)](microsoft-reference-architecture.md)
+- [Security Development Lifecycle (SDL)](https://www.microsoft.com/securityengineering/sdl/practices).
+- [Zero Trust](workshop-business-overview.md) and [CISO](workshop-business-security-leaders.md) workshops
+- The [Immutable Laws of Security](security-adoption-discipline-architecture-tips.md)
+- [Privileged access/workstation guidance](security-adoption-discipline-identity-access-privileged-model.md).
+- [Incident response playbooks](security-operations-playbook-phishing.md)
+
+By organizing this guidance around common business scenarios, disciplines, and implementation steps, the model helps you move from isolated recommendations to a cohesive approach for planning, implementing, and measuring security improvements. We'll further enrich our adoption model content over time.
+
+## Adoption model structure
+
+The adoption model is built on three core components that help organizations move from business intent to detailed implementation:
+
+- **Business scenarios** define typical business outcomes and how security must be adapted to achieve them.
+- **Security disciplines** define how teams organize, plan, and operate to modernize security and achieve business outcomes.
+- **Technology pillars** describe organizational assets and resources that we want to secure. For example identity, devices, and data.
+
+
+:::image type="content" source="media/adoption-navigation-structure.png" alt-text="Diagram showing overall structure of the Microsoft Security Adoption Framework (SAF)." lightbox="media/adoption-navigation-structure.png":::
+
+Each component of the adoption model targets a specific audience and role.
+
+**Section** | **Primary audience** | **Aim**
+--- | --- | ---
+**[Business scenarios](security-adoption-business-scenarios-overview.md)** | Business leaders | Identify, define, and communicate critical business outcomes that security must support.
Translate business priorities into actionable security goals that guide planning and decision-making.
Provide practical, repeatable guidance for business outcomes, with clear paths to the roles and disciplines involved in delivering the outcome.
+**[Security disciplines](security-adoption-discipline-overview.md)** | Security leaders and teams, IT leaders, designers, architects. | Bridge business scenarios and security deployment/implementation.
Ensure that security investments and priorities translate into measurable outcomes through clear planning, architecture, and operational practices.
Business scenarios usually map to multiple security disciplines.
+**[Technology pillars](implement-overview.md)** | Technical and security implementers and partners. | Define what types of assets must be secured, and where Zero Trust principles and security controls must be applied.
Connect security strategy to implementation by grouping related technologies, controls, and capabilities.
Business scenarios are likely to cross multiple technology pillars. For example, if our business outcome is to improve security posture across the enterprise, then we must improve posture across devices, data, infrastructure, networks, and more.
+
+## Adoption guidance
+
+Structured adoption guidance focuses on:
+
+- End-to-end guidance for common business-critical scenarios.
+- Product-agnostic recommendations based on Zero Trust principles, Microsoft best practices, and external frameworks.
+- Detailed implementation guidance using Microsoft security products and services.
+
+
+:::image type="content" source="./media/adoption-model.png" alt-text="Diagram showing how the Security Adoption Framework (SAF) connects the business with security and technology." lightbox="./media/adoption-model.png":::
+
+## Next steps
+
+Review options for [beginning your security adoption journey](security-adoption-journey.md).
+
+
+
+
+
diff --git a/security-docs/zero-trust/security-adoption-roles.md b/security-docs/zero-trust/security-adoption-roles.md
new file mode 100644
index 000000000..9bf66df64
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-roles.md
@@ -0,0 +1,235 @@
+---
+title: Security adoption roles, responsibilities, and accountabilities
+description: List of resources to read about Microsoft's Zero Trust framework
+ms.author: raynew
+author: rayne-wiselman
+ms.topic: article
+ms.service: security
+ms.date: 05/24/2026
+
+#customer intent: As a Microsoft security platform adopter, I want to understand the roles involved in security modernization and adoption.
+---
+
+# Review adoption roles and responsibilities
+
+Adopting a Zero Trust security model is a strategic transformation that affects the entire organization, and requires clear ownership and coordination across business, security, and technology teams. It's not a single technology deployment or a one-time project. Successful adoption and operation depend on sustained leadership and the alignment of roles that plan, implement, and operationalize Zero Trust at scale.
+
+This article describes the key organizational roles involved in Zero Trust adoption and explains how these roles work together to plan, implement, and operationalize Zero Trust at scale.
+
+## Why roles matter in adoption
+
+Zero Trust shifts security from a perimeter-based model to one that continuously verifies users, devices, applications, data, and more. This shift affects business processes, user experiences, IT operations, and risk management.
+
+Without clear roles and responsibilities:
+
+- Security initiatives stall or fragment.
+- Technology teams optimize locally instead of aligning to business and security priorities.
+- Leaders lack visibility into security modernization progress and outcomes.
+
+Defining role ownership helps translate Zero Trust strategy into coordinated action and measurable security improvements across the organization.
+
+## Security is everyone's job
+
+Security is fundamentally a human discipline that manages risk from human threat actors. While automation and AI play important roles, people remain central to security outcomes.
+
+
+- Security is an intrinsic part of every business area. It has fiduciary and risk implications, impacts business capabilities and execution, and all technologies.
+- Security is everyone's job. From the board of directors to technology teams, nontechnical teams such as finance and legal, and information/frontline workers.
+- For effective security risk management, every person must understand security in the context of their role, and actively support security objectives.
+- Since anyone in the organization can create or amplify security risk, everyone must apply security principles in their daily actions and decisions.
+
+This diagram from the [Open Group security roles and glossary standard](https://publications.opengroup.org/s252) illustrates how to delegate security accountability and responsibility across an organization:
+
+:::image type="content" source="./media/adoption-role-delegation.png" alt-text="Illustration of how to delegate security accountability and responsibility through an organization" lightbox="./media/adoption-role-delegation.png":::
+
+### Security is a team sport
+
+Managing security risk effectively requires accountability and collaboration:
+
+- Collaboration between accountable and responsible parties is critical.
+- Making good security decisions requires a healthy and relationship. Accountable decision-makers and security experts must be able to share ideas safely and challenge assumptions.
+
+With these tenets in mind, security risk should be managed in a similar way to financial and legal risk. Each role has policies and education/training that guide their daily decisions, rather than assigning responsibility and even blame to security teams only.
+
+:::image type="content" source="./media/adoption-role-collaboration.png" alt-text="Illustration of how accountable and responsible parties should collaborate" lightbox="./media/adoption-role-collaboration.png":::
+
+## Role definition outcomes
+
+When roles are clearly defined, aligned, and connected:
+
+- Leadership sets priorities and accountability.
+- Business and risk functions align security to outcomes.
+- Architecture and technical leadership design scalable solutions.
+- Engineering and operations implement and sustain security controls.
+- Security operations validate effectiveness.
+- Everyone participates in protecting the organization.
+
+Clear ownership and shared responsibility turn Zero Trust from an aspiration into a durable, measurable security strategy.
+
+## Roles and terminology
+
+Role terminology and definitions are based on the [Open Group Security Roles and Glossary Standard](https://publications.opengroup.org/s252). This graphic illustrates the list of roles.
+
+:::image type="content" source="./media/adoption-role-list.png" alt-text="Illustration of security roles in the Microsoft Security Adoption Framework" lightbox="./media/adoption-role-list.png":::
+
+## Role responsibilities
+
+### Organizational leadership and governance
+
+**Purpose**: Establish organizational direction, priorities, and governance, including decision rights and accountabilities.
+Executive leadership establishes Zero Trust as an organizational priority and creates the conditions for long-term success.
+
+**Accountabilities include**:
+
+- Sponsoring Zero Trust as a business and risk-management strategy.
+- Aligning security objectives with business goals, regulatory obligations, and risk tolerance.
+- Providing sustained funding, staffing, and organizational support.
+- Establishing governance models and accountability structures.
+- Holding leaders responsible for measurable security outcomes.
+
+When leadership treats Zero Trust as a business enabler rather than a technical project, adoption gains momentum and durability.
+
+### Business management and operations
+
+**Purpose**: Embed Zero Trust into day-to-day business execution.
+Business leaders and operational managers ensure that Zero Trust supports productivity, customer trust, and operational resilience.
+
+**Accountabilities include**:
+
+- Integrating Zero Trust requirements into business processes and workflows.
+- Balancing security controls with user experience and operational efficiency.
+- Identifying critical business assets, processes, and data to prioritize protection.
+- Supporting change adoption across teams and functions.
+Measuring business impact of security decisions.
+
+Zero Trust succeeds when security enables business operations instead of being perceived as an obstacle.
+
+### Security-adjacent leadership
+
+**Purpose**: Security-adjacent leadership roles such as Chief of Staff, Chief Product Officer, Chief Compliance/Audit officer align security strategy with enterprise risk, compliance, and privacy objectives.
+
+These roles connect Zero Trust to broader enterprise risk management and assurance functions.
+
+**Accountabilities include**:
+
+- Translating Zero Trust principles into risk, compliance, and privacy requirements.
+- Ensuring alignment with regulatory, legal, privacy, and other industry obligations.
+- Validating controls through audit, assessment, and assurance activities.
+- Advising leadership on risk tradeoffs and residual risk.
+- Coordinating across security, compliance, and governance domains.
+
+Their involvement ensures Zero Trust is defensible, auditable, and aligned with organizational obligations.
+
+### Other cross-functional disciplines
+
+**Purpose**: Non-technical disciplines such as legal, finance, PR, and communications align Zero Trust adoption across nontechnical business support functions. Zero Trust impacts contracts, budgets, communications, and external trust.
+
+**Accountabilities include**:
+
+- Legal: supporting data protection, contracts, regulatory interpretation, and incident management processes.
+- Finance: funding models, cost governance, investment prioritization, and security risk quantification.
+- Communications and PR: internal and external messaging during incidents or changes.
+- HR and people teams: policy enforcement, training alignment, and workforce engagement.
+
+These roles help ensure Zero Trust adoption is sustainable, compliant, and well-communicated.
+
+### Technical leadership
+
+**Purpose**: Translate strategy into executable technical direction.
+Technical leaders bridge business intent and engineering execution.
+
+**Accountabilities include**:
+
+- Defining strategic requirements aligned to Zero Trust outcomes, and approving strategic roadmaps and strategy.
+- Ensuring coordination on Zero Trust approaches across domains and engineering teams.
+- Advising business stakeholders on tradeoff decisions between security, performance, and usability.
+- Ensuring consistency across identity, endpoint, application, data, and infrastructure domains.
+- Supporting modernization of legacy systems.
+
+Strong technical leadership prevents siloed implementations and fragmented security posture.
+
+### Architecture
+
+**Purpose**: Design scalable, coherent solutions that align to Zero Trust principles.
+Security and enterprise architects collaboratively define enterprise-wide architecture and solutions.
+
+**Accountabilities and responsibilities include**:
+
+- Defining target-state Zero Trust architectures.
+- Aligning platforms, services, and workloads to Zero Trust principles and concepts.
+- Identifying architectural gaps, dependencies, and integration points.
+- Providing design guidance and reference patterns.
+- Ensuring solutions scale with business and technology change.
+
+Architecture turns principles into systems that can evolve over time.
+
+### Application and product development
+
+**Purpose**: Build Zero Trust into applications and services by design.
+Development teams play a critical role in enforcing Zero Trust at the application layer.
+
+**Accountabilities include**:
+
+- Designing applications that verify explicitly and enforce least privilege.
+- Integrating identity, access control, and data protection into applications.
+- Supporting secure APIs, service-to-service access, and workload identities.
+- Partnering with security teams to reduce risk without harming velocity.
+- Addressing security early in the development lifecycle.
+- Using secure workstations and CI/CD systems.
+
+Zero Trust is strongest when applications assume no implicit trust.
+
+### Security strategy roles and responsibilities
+
+**Purpose**: Security strategy roles such as security education, insider risk, posture, and compliance management help shape long-term security behavior and maturity.
+These roles focus on people, policy, and sustained security effectiveness.
+
+**Responsibilities include**:
+
+- Defining security strategy, standards, and roadmaps.
+- Managing insider risk and user-related threats.
+- Driving security awareness, education, and culture.
+- Monitoring security posture and driving improvements.
+- Overseeing security compliance and policy enforcement.
+- Measuring maturity and progress against Zero Trust objectives.
+
+They ensure Zero Trust becomes embedded in how the organization operates, not just how it deploys technology.
+
+### Technical engineering and operations
+
+**Purpose**: Implement and operate Zero Trust controls.
+Engineering and operations teams turn designs into functioning systems.
+
+**Responsibilities include**:
+
+- Deploying security controls across identity, devices, applications, data, and infrastructure.
+- Integrating security into operational workflows and platforms.
+- Managing change, testing, and roll out to minimize disruption.
+- Maintaining system reliability, availability, and performance.
+- Continuously improving controls based on feedback and telemetry.
+
+These teams make Zero Trust real and reliable.
+
+### Security operations (SecOps / SOC)
+
+**Purpose**: Apply an asset-centric Zero Trust approach to threat detection and response.
+Security operations teams respond to attacks that evade preventative controls.
+
+**Responsibilities include**:
+
+- Monitoring telemetry and signals across users, devices, and workloads.
+- Detecting threats, policy violations, and anomalous behavior.
+- Responding to incidents and coordinating containment and recovery.
+- Feeding operational insights back into policies, architecture, and automation.
+- Measuring effectiveness through detection, response, and impact metrics.
+
+Zero Trust assumptions are tested and refined through daily operations.
+
+
+## Next steps
+
+- [Select a business scenario](security-adoption-business-scenarios-overview.md), and then review the disciplines and roles associated with the scenario.
+- Alternatively, review the [breadth of disciplines](security-adoption-discipline-overview.md) involved in security adoption.
+
+
+
diff --git a/security-docs/zero-trust/security-adoption-scenario-improve-posture.md b/security-docs/zero-trust/security-adoption-scenario-improve-posture.md
new file mode 100644
index 000000000..cffff2ee0
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-scenario-improve-posture.md
@@ -0,0 +1,120 @@
+---
+title: Strengthen security posture and compliance
+description: Use the Microsoft security adoption model to improve security posture based on Zero Trust principles and security best practices.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want to understand I can use the Microsoft security adoption model to optimize my organizational security posture and compliance
+---
+
+# Strengthen security posture and compliance
+
+This article explains how to strengthen posture and compliance using Zero Trust principles, as part of the Microsoft [security adoption model]((security-adoption-model.md).
+
+This business scenario helps you achieve the following outcome:
+
+**Continuously improve security posture and compliance**
+
+As a business leader, you must meet your fiduciary duty to protect against security risk. Protection must cover security incidents from evolving threats, and meet regulatory compliance requirements, often with the same limited resources.
+
+
+This business scenario is part of our [structured adoption model](security-adoption-model.md) that helps you to achieve business goals using a modern security approach grounded in Zero Trust principles.
+
+
+This guidance helps your organization improve security posture and maintain compliance by continuously identifying risk, prioritizing remediation, and strengthening protection across the organization.
+
+## How this guidance works
+
+This article is part of a [structured adoption model](security-adoption-model.md) that connects security strategy to implementation:
+
+- Start with a [business scenario](security-adoption-business-scenarios-overview.md) like this one to define the outcome you want to achieve.
+- Identity the [security disciplines](security-adoption-discipline-overview.md) that apply to this scenario.
+
+ Use those disciplines to define the required strategy, architecture, processes, and controls for the scenario.
+ Work through each discipline to understand what needs to be planned, designed, and implemented across the organization.
+
+- Use [technical solutions](implement-overview.md) to implement those requirements using Microsoft technologies, applying controls across [technology pillars](deploy/overview.md) such as identity and data.
+
+This approach ensures that security posture improvement and compliance are continuously maintained as part of your overall Zero Trust architecture, rather than as a separate effort.
+
+
+## Why security posture requires a new approach
+
+Organizations face two intersecting challenges: defending against increasingly sophisticated threats while meeting expanding regulatory and compliance obligations.
+
+- **Security posture**: Your security posture represents your organization’s overall ability to prevent, detect, and respond to cyber threats. A strong security posture is measurable, quantifiable, and continuously improving as risks and technologies evolve.
+- **Regulatory compliance**: Regulatory compliance requires adherement to laws, regulations, and industry standards such as GDPR, CCPA, HIPAA, and data residency requirements. Compliance isn't a one‑time effort—it requires sustained controls, evidence, and operational discipline.
+
+You can meet both of these requirements with:
+
+- A systematic approach to implementing security controls
+- Built-in capabilities that often exceed compliance requirements
+- Integrated tools that reduce complexity and operational costs
+- Measurable progress tracking and reporting
+
+## Business value
+
+The value of continuously improving security posture and compliance benefits the entire organization, but is different for different roles.
+
+**Roles** | **Value** |
+--- | ---
+**Business leadership** | Operate with integrated security that aligns to business outcomes without introducing unnecessary friction. Reduce recovery time after security incidents while meeting regulatory and legislative requirements. Limit financial, legal, and reputational impact from security and compliance failures.
+**Technology roles** | Establish a standardized security posture with automated compliance, predictable costs, and reduced operational friction while meeting technology and security requirements.
+**Security roles** | Gain improved visibility and control over organizational risk. Incrementally increase attack friction to reduce attacker return on investment (ROI) and limit blast radius and exposed attack surfaces.
+
+## Align security disciplines
+
+Security disciplines represent the structured areas of accountability required to deliver this business scenario.
+
+- Planning and oversight disciplines define the strategy, governance, and cross‑organization coordination required.
+- Technical strategy disciplines define the architectural, operational, and control capabilities required.
+- Operational disciplines ensure that security controls remain effective over time through monitoring, response, and continuous improvement. They detect misuse, respond to threats, and drive ongoing security posture improvements.
+
+### Planning and oversight disciplines
+
+**Discipline** | **Action**
+--- | ---
+**[Strategy, integration, and governance](security-adoption-discipline-strategy.md)** | Establish governance processes that define security posture and compliance goals, priorities, and risk tolerance. Set measurable objectives and track progress toward security maturity.
+**[End-to-end security architecture](security-adoption-discipline-architecture.md)** | Implement security controls and monitoring across the entire technology estate. Integrate these controls into a unified view for asset owners and managers, and design architectures that are secure by default while supporting compliance requirements.
+
+### Technical strategy disciplines
+
+**Discipline** | **Action**
+--- | ---
+**[Access and identities](security-adoption-discipline-identity-access.md)** | Ensure the organization has an intentional and sound approach to managing access to assets.
Implement identity-based security controls that support Zero Trust principles and provide visibility into access patterns.
+[**Infrastructure security**](security-adoption-discipline-infrastructure.md) | Consistently and effectively apply monitor and apply security controls across all infrastructure assets in the technical estate, including all clouds, on-premises datacenters, and legacy systems.
Establish, monitor, and enforce secure baselines and configuration standards across common operating systems, devices, applications, and other components.
+[**Development security**](security-adoption-discipline-development.md) | Consistently and effectively apply security controls across existing software and new development.
Integrate and automate the inclusion of security controls into development processes.
Establish processes to rapidly correct security flaws that are found anytime during the software lifecycle including after release.
+[**Data security**](security-adoption-discipline-data.md)| Consistently and effectively apply security controls to ensure security and privacy assurances for data assets that store intellectual property, trade secrets, regulated data, and other sensitive data.
Implement controls that meet regulatory requirements and protect against data loss.
+[**OT and IoT security**](security-adoption-discipline-iot.md) | Ensure the organization has an intentional and sound approach for OT/IoT devices that interact with physical processes and the physical world.
+
+### Operational disciplines
+
+**Discipline** | **Action**
+--- | ---
+[**SecOps**](security-adoption-discipline-security-operations.md) | Prioritize monitoring and mitigation based on the most frequent and impactful security incidents, using threat intelligence from SecOps and external sources. Continuously improve detection and response capabilities.
+[**Security posture management**](security-adoption-discipline-posture.md) | Continuously assess, measure, and improve security posture across the organization.
Implement tools like [Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management) and Secure Score to track progress.
Prioritize remediation based on risk and business impact.
+
+## Required technology pillars
+
+
+Technology pillars represent the core Microsoft security capabilities that support this business scenario.
+
+
+**Pillar** | **Security Exposure Management** | **GitHub Advanced Security** | **Priva**
+--- | --- | --- | ---
+**Identity** | Microsoft Security Exposure Management identifies identity-related risks including overprivileged accounts, stale credentials, and attack paths that use identity misconfigurations. | GitHub Advanced Security detects hard‑coded credentials and API keys in source code to reduce identity‑based risk caused by credential exposure. Integration with repository access controls ensures only authorized users can modify sensitive code. | Microsoft Priva integrates with Microsoft Entra to track which identities access personal data and supports subject rights requests to help individuals exercise control over their personal information.
+**Endpoints** | Microsoft Security Exposure Management aggregates endpoint vulnerabilities, misconfigurations, and exposure risks, providing a unified view of device security posture. | NA | Microsoft Priva monitors personal data handling on endpoints and helps identify privacy risks from data stored on user devices.
+**Networks** | Microsoft Security Exposure Management maps network attack surfaces, identifies exposed services, and highlights network segmentation gaps that could enable lateral movement. | NA | Microsoft Priva helps identify when personal data moves across network boundaries and supports data transfer assessments for cross-border compliance.
+**Apps** | Microsoft Security Exposure Management discovers application vulnerabilities, risky configurations, and shadow IT to help secure the application attack surface. | Code scanning (SAST) in GitHub Advanced Security identifies security vulnerabilities and coding errors before release, reducing the number of exploitable flaws in deployed applications. Security campaigns and Copilot Autofix help teams remediate issues at scale, supporting consistent application security standards.| Microsoft Priva discovers personal data across Microsoft 365 applications and provides visibility into how personal information is used within collaboration tools.
+**Data** | Microsoft Security Exposure Management identifies data exposure risks including overshared files, sensitive data in vulnerable locations, and data-related attack paths. | Secret scanning detects exposed credentials, tokens, and connection strings in repositories, while push protection helps prevent new leaks before they're committed. This reduces the risk of data access via leaked secrets and supports compliance with data protection requirements.| Microsoft Priva provides privacy-focused capabilities including personal data discovery, privacy risk management, subject rights request automation, and consent management.
+**Infrastructure** | Microsoft Security Exposure Management provides visibility into cloud and on-premises infrastructure vulnerabilities, misconfigurations, and compliance gaps across multicloud environments. | Dependency scanning and dependency review identify known vulnerabilities in open‑source components and configuration files before infrastructure or applications are deployed, reducing inherited risk and supporting secure‑by‑default infrastructure posture.| Microsoft Priva extends privacy visibility to data stored across cloud infrastructure, helping organizations maintain privacy compliance in multicloud environments.
+**AI** | Microsoft Security Exposure Management applies AI to model attack paths, prioritize risks based on exploitability and business impact, and provide intelligent recommendations for posture improvements. | GitHub Advanced Security scans AI‑assisted and human‑written code alike, helping teams maintain security standards as AI accelerates development. AI‑assisted remediation accelerates fixing vulnerabilities without bypassing security controls.| Microsoft Priva supports privacy compliance for AI workloads by helping organizations understand how personal data is used in AI training and inference scenarios.
+
+
+## Next steps
+
+[Review security disciplines](security-adoption-discipline-overview.md).
diff --git a/security-docs/zero-trust/security-adoption-scenario-minimize-impact.md b/security-docs/zero-trust/security-adoption-scenario-minimize-impact.md
new file mode 100644
index 000000000..70247c561
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-scenario-minimize-impact.md
@@ -0,0 +1,116 @@
+---
+title: Minimize business damage from security incidents
+description: Use the Microsoft security adoption model to minimize impact from security threats based on Zero Trust principles and security best practices.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want to understand I can use the Microsoft security adoption model to minimize impact and damage from security incidents.
+---
+
+# Minimize damage from security incidents
+
+This article explains how to strengthen posture and compliance using Zero Trust principles, as part of the Microsoft [security adoption model](security-adoption-model.md).
+
+This business scenario helps you achieve the following outcome:
+
+**Minimize business damage from security incidents**
+
+As a business leader, you know attacks are inevitable. What matters is how quickly you can detect, contain, and recover from security incidents quickly to reduce operational disruption, financial loss, and reputational impact.
+
+This guidance helps your organization to reduce the business impact of security incidents by strengthening resilience, improving response effectiveness, and accelerating recovery across the enterprise.
+
+## How this guidance works
+
+This article is part of a [structured adoption model](security-adoption-model.md) that connects security strategy to implementation:
+
+- Start with a [business scenario](security-adoption-business-scenarios-overview.md) like this one to define the outcome you want to achieve.
+- Identity the [security disciplines](security-adoption-discipline-overview.md) that apply to this scenario.
+
+ Use those disciplines to define the required strategy, architecture, processes, and controls for the scenario.
+ Work through each discipline to understand what needs to be planned, designed, and implemented across the organization.
+
+- Use [technical solutions](implement-overview.md) to implement those requirements using Microsoft technologies, applying controls across [technology pillars](deploy/overview.md) such as identity and data.
+
+This approach ensures that security incident response and recovery are integrated into your overall Zero Trust architecture, enabling faster detection, containment, and recovery.
+
+## Why minimizing attack damage requires a new approach
+
+Security success is attacker failure, but you can't guarantee that you stop every attack. Because you inevitably experience damage from successful cybersecurity attacks, it's critical to focus on building resilience by ensuring that you can:
+
+- **Prevent** as many attacks as possible.
+- **Respond** effectively when they happen to limit damage, and rapidly recover business assets and services.
+- **Learn** to apply lessons learned and continuously increase resilience.
+
+:::image type="content" source="./media/security-adoption-minimize-damage-success.png" alt-text="Diagram showing security success equals attacker failure through a continuous cycle of prevent attacks, respond and recover when attacks succeed, and learn to improve resilience" lightbox="./media/security-adoption-minimize-damage-success.png":::
+
+
+
+
+## Business value
+
+The value of investing in minimizing business damage benefits the entire organization, but differs by role.
+
+
+| **Roles** | **Value** |
+| --- | --- |
+| **Business leadership** | Reduces business disruption, downtime, and risk from security incidents by limiting the frequency and severity of breaches and improving recovery speed. Faster restoration of operations and data integrity minimizes regulatory and reputational impact while reducing the number of incidents that require public disclosure. Security becomes an enabler of business agility, ensuring execution and investment decisions are informed by risk context rather than constrained by incidents. |
+| **Technology roles** | Reduces operational friction while meeting security and technology requirements by automating controls and standardizing access and recovery processes. Lower incident frequency and impact decrease the effort required for remediation and rebuild activities, enabling teams to focus on delivering reliable, scalable services that support remote and hybrid work. |
+| **Security roles** | Increases attacker friction and reduces attacker return on investment by enforcing consistent, identity‑centric controls across users, devices, and applications. Improved visibility and automation reduce repetitive “groundhog day” incidents, allowing security teams to spend less time on recurring containment tasks and more time on proactive risk reduction and resilience. |
+
+## Align security disciplines
+
+Security disciplines represent the structured areas of accountability required to deliver this business scenario.
+
+- Planning and oversight disciplines define the strategy, governance, and cross‑organization coordination required.
+- Technical strategy disciplines define the architectural, operational, and control capabilities required.
+- Operational disciplines ensure that security controls remain effective over time through monitoring, response, and continuous improvement. They detect misuse, respond to threats, and drive ongoing security posture improvements.
+
+### Planning and oversight disciplines
+
+**Discipline** | **Action**
+--- | ---
+**[Strategy, integration, and governance](security-adoption-discipline-strategy.md)** | Set up cross-team processes and governance to guide the prevention, response, and learning across the security, technology, and business teams.
+**[End-to-end security architecture](security-adoption-discipline-architecture.md)**| Ensure that technical controls and capabilities are integrated to rapidly apply lessons learned across the organization. This integration includes establishing effective security controls across all processes, people, and technology - both existing technology and new technology like Artificial Intelligence.
Require the logging of activity and detection of anomalous activity (potential attacks) to enable effective response and recovery.
Prioritize security activities using threat intelligence insights from SecOps.
+
+### Technical strategy disciplines
+
+**Discipline** | **Action**
+--- | ---
+**[Access and identities](security-adoption-discipline-identity-access.md)** | Establish strong controls, such as multifactor authentication and phishing-resistant credentials, to prevent well-known attack techniques.
Support the logging of activity and detection of anomalous activity (potential attacks) to enable effective response and recovery.
Prioritize security activities using threat intelligence insights from SecOps.
+[**Infrastructure security**](security-adoption-discipline-infrastructure.md) | Establish strong controls to prevent well-known attack techniques across all infrastructure assets in the technical estate, including multicloud and on-premises datacenters.
Support the logging of activity and detection of anomalous activity (potential attacks) to enable effective response and recovery.
Prioritize security activities using threat intelligence insights from SecOps.
+[**Development security**](security-adoption-discipline-development.md)| Establish strong controls to prevent well-known attack techniques across all new development and existing applications.
Support the logging of activity and detection of anomalous activity (potential attacks) to enable effective response and recovery.
Establish processes to rapidly support attack investigations, recovery, and integration of fixes for security flaws.
Prioritize security activities using threat intelligence insights from SecOps.
+[**Data security**](security-adoption-discipline-data.md)| Establish strong controls to prevent the loss, encryption, alteration, or other security or privacy impact to data assets that store intellectual property, trade secrets, regulated data, and other sensitive information.
Support the logging of activity and detection of anomalous activity (potential attacks) to enable effective response and recover
Prioritize security activities using threat intelligence insights from SecOps.
+[**OT and IoT security**](security-adoption-discipline-iot.md) | Establish strong controls to prevent successful attacks on these assets, which directly interact with physical processes and the physical world and can cause life, safety, financial, and other negative impacts.
Support the logging of activity and detection of anomalous activity (potential attacks) to enable effective response and recovery.
Prioritize security activities using threat intelligence insights from SecOps.
+
+### Operational disciplines
+
+**Discipline** | **Action**
+--- | ---
+[**SecOps**](security-adoption-discipline-security-operations.md) | Establish a continuous learning approach to improve SecOps response and share threat intelligence insights on top attack techniques and threat actors. This approach enables improvements to focus on the highest business impact attacks, the most frequently seen attacks, and others that disproportionately affect SecOps, security, and technology staff.
+[**Security posture management**](security-adoption-discipline-posture.md) | Establish a continuous learning approach to integrate threat intelligence insights from SecOps and business context to monitor and help technology teams mitigate high vulnerabilities with high business impact that disproportionately impact business risk.
+
+
+
+## Required technology pillars
+
+Technology pillars represent the core Microsoft security capabilities that support this business scenario.
+
+**Technology pillar** | **Defender XDR** | **Microsoft Sentinel**
+--- | --- | ---
+**Cross-pillar** | Correlates signals for Defender for Endpoint, Defender for Identity, Defender for Office 365, and Defender for Cloud Apps to detect, investigate, and respond to threats as coordinated incidents. | Ingests and analyzes data across technology pillars from Microsoft and third-party sources to enable centralized detection, investigation, and automated response.
+**Identity** | Defender for Identity detects hybrid identity issues such as credential misuse, lateral movement, and privilege abuse. These identity signals are correlated within Defender XDR to detect and respond to attacks. |Ingests identity logs from Microsoft Entra and external providers to identify suspicious authentication and account behavior.
+**Endpoints** | Microsoft Defender for Endpoint detects, investigates, and responds to threats on devices. These endpoint signals are correlated within Defender XDR to detect and respond to attacks. | Correlates endpoint telemetry from Microsoft and third-party sources to detect attacks and track activity across devices.
+**Networks** | Correlates network-related signals across endpoints, identities, applications, and infrastructure to detect network-based threats. | Analyzes network logs and flow data from multiple sources to detect command-and-control activity and network attacks.
+**Apps** | Microsoft Defender for Office 365 protects email and collaboration tools from phishing, malware, and business email compromise attacks. Microsoft Defender for Cloud Apps provides visibility and control over SaaS/cloud apps. | Monitors activity across Microsoft and third-party SaaS applications to detect anomalous behavior and threats.
+**Data** | Microsoft Defender XDR correlates signals with Microsoft Purview to detect sensitive data exposure and potential data exfiltration across workloads. | Analyzes data access and movement patterns across sources to detect exfiltration and insider risks.
+**Infrastructure** | Microsoft Defender for Cloud detects threats and misconfigurations across cloud and hybrid workloads. These signals are correlated within Defender XDR to detect infrastructure-based attacks. | Ingests infrastructure telemetry across cloud and on-premises environments to detect compromised resources and attacks.
+**AI** | Applies AI-driven investigation and automated attack disruption across correlated signals to accelerate detection and response. | Applies analytics and machine learning to prioritize threats and reduce noise across large-scale data sets.
+
+
+## Next steps
+
+[Review security disciplines](security-adoption-discipline-overview.md).
diff --git a/security-docs/zero-trust/security-adoption-scenario-privileged-access.md b/security-docs/zero-trust/security-adoption-scenario-privileged-access.md
new file mode 100644
index 000000000..3c1103f72
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-scenario-privileged-access.md
@@ -0,0 +1,147 @@
+---
+title: Secure and govern privileged admin access to critical systems
+description: Use the Microsoft security adoption model to secure and govern privileged admin access to critical systems across the organization.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want to understand how to use the Microsoft security adoption model to secure and govern privileged admin access across the business.
+---
+
+# Secure and govern privileged access
+
+This article explains how to secure and govern privileged access using Zero Trust principles, as part of the Microsoft [security adoption model](security-adoption-model.md).
+
+Use this guidance to achieve the following business outcome:
+
+**Secure privileged access as a key outcome of protecting critical assets**
+
+As a business leader, you must ensure that the systems, data, and access pathways that drive your organization are protected against targeted and high-impact threats. Not all assets carry equal importance. Some represent concentrated risk and require stronger, more focused protection.
+
+A key outcome of protecting critical business assets is securing the privileged access that controls them. Privileged identities and access pathways represent concentrated risk because they provide administrative control over critical systems and data. If compromised, they can enable widespread impact across the organization.
+
+This guidance helps your organization reduce risk by strengthening control over privileged access, ensuring that your most sensitive systems and data are only accessible through tightly governed and securely enforced access pathways.
+
+## How this guidance works
+
+This article is part of a [structured adoption model](security-adoption-model.md) that connects security strategy to implementation:
+
+- Start with a [business scenarios](security-adoption-business-scenarios-overview.md) like this one to define the outcome you want to achieve.
+- Identity the [security disciplines](security-adoption-discipline-overview.md) that apply to this scenario.
+
+ Use those disciplines to define the required strategy, architecture, processes, and controls for the scenario.
+ Work through each discipline to understand what needs to be planned, designed, and implemented across the organization.
+
+- Use [technical solutions](implement-overview.md) to implement those requirements using Microsoft technologies, applying controls across [technology pillars](deploy/overview.md) such as identity and data.
+-
+This approach ensures that security investments are focused on the assets that matter most to the business and that access to those assets is consistently controlled to reduce the risk of high-impact compromise.
+
+## Privileged access
+
+Privileged access refers to administrative identities and roles that have elevated control over an organization's most critical systems.
+
+A small number of highly trusted accounts are responsible for managing access to most or all business assets because they administer powerful systems such as identity platforms, cloud control planes, infrastructure, and security controls. These accounts can change configurations, grant access, and directly influence large portions of the organizational security posture.
+
+ These accounts can modify configurations, grant access, and directly impact the organization’s security posture.
+
+Because of this level of control, privileged accounts are among the most valuable targets for attackers. If compromised, they allow adversaries to:
+
+- Bypass security controls.
+- Move laterally across systems.
+- Take control of critical business assets.
+
+Many modern cyberattacks, including ransomware and targeted intrusions, focus on gaining privileged access early.
+
+Today’s hybrid and cloud-based environments increase both the likelihood and impact of compromise. To reduce this risk, organizations need a modern privileged access strategy that:
+
+- Protects administrative identities.
+- Secures administrative access paths.
+- Applies Zero Trust controls consistently across identities, devices, infrastructure, and operations.
+
+The following diagram illustrates how a privileged access strategy creates a separate access channel and secures it at a higher level for these privileged accounts, devices, and more.
+
+:::image type="content" source="./media/end-to-end-approach.png" alt-text="Diagram showing security success equals attacker failure through a continuous cycle of prevent attacks, respond and recover when attacks succeed, and learn to improve resilience." lightbox="./media/end-to-end-approach.png":::
+
+
+
+## Why privileged access requires a new approach
+
+Privileged access underpins every other security control. If an attacker gains control of privileged accounts, they can undermine all other defenses.
+
+Traditional assumptions, such as trusted networks or trusted devices, no longer hold in distributed, cloud‑centric environments. Attackers exploit multiple entry points, and escalate privileges across identities, devices, or access paths. Attacks have evolved from isolated data theft to rapid, multi‑stage incidents that disrupt core business operations.
+
+At the same time, organizations operate across cloud services, on‑premises systems, remote work environments, and third‑party integrations. This complexity increases exposure when privileged access isn't tightly controlled.
+
+## Use a Zero Trust approach
+
+Because privileged access attacks are both high‑impact and high‑likelihood, they must be treated as a top security priority.
+
+A modern approach applies Zero Trust principles, where administrative access is tightly controlled and continuously verified:
+
+- **Least privilege** – Administrators receive only the permissions required for specific tasks.
+- **Explicit verification** – Access decisions validate the identity, device, and context of each privileged session.
+- **Assume breach** – Security architecture limits the ability of attackers to move laterally or escalate privileges.
+
+Rather than relying on individual tools, organizations must adopt a coordinated strategy that secures:
+
+- Identities.
+- Devices
+- Access pathways
+- Monitoring and response
+
+## Business outcomes
+
+Implementing a modern privileged access strategy delivers measurable business outcomes.
+
+- **Reduce the risk of high-risk breaches**: Privileged accounts enable broad system access. Securing them significantly reduces the likelihood and impact of human-operated ransomware and large‑scale disruption.
+- **Control administrative attack paths**: Limiting and isolating privileged access paths makes it harder for attackers to escalate privileges. By strictly controlling administrative pathways, organizations make it more difficult and costly for attackers to move across the environment.
+- **Protect high‑value systems and devices**: Protecting identity and administrative systems, and securing devices reduces the risk of compromise from less secure devices and systems.
+- **Strengthen governance and compliance**: Privileged access controls provide visibility into privileged access use and risk management. This visibility support auditing, accountability, and alignment with compliance requirements.
+
+ Structured security levels simplify adoption, reduce configuration errors, and provide consistent control enforcement across the organization.
+
+- **Improve detection and response**: Privileged access monitoring enables faster detection of suspicious activity, reducing adversary dwell time and operational risk.
+- **Implement consistently**: Our adoption model provides simple security levels to reduce configuration errors and avoid operational gaps with consistent control enforcement across the organization.
+- **Support secure digital transformation**: A robust privileged access strategy enables secure cloud adoption, secure remote work, and modern platform architectures, without increasingly organizational risk.
+
+## Align security disciplines
+
+Security disciplines represent the structured areas of accountability required to deliver the **Secure critical business assets** business scenario.
+
+- Planning and oversight disciplines define the strategy, governance, and cross‑organization coordination required.
+- Technical strategy disciplines define the architectural, operational, and control capabilities required.
+- Operational disciplines ensure that security controls remain effective over time through monitoring, response, and continuous improvement. They detect misuse, respond to threats, and drive ongoing security posture improvements.
+
+
+
+
+### Planning and oversight disciplines
+
+**Discipline** | **Action**
+--- | ---
+**[Strategy, integration, and governance](security-adoption-discipline-strategy.md)** | Define the organizational strategy, policies, and governance processes that ensure privileged access controls are implemented consistently and aligned with business risk and compliance requirements.
+**[End-to-end security architecture](security-adoption-discipline-architecture.md)** | Design an integrated security architecture that connects identity, devices, infrastructure, and monitoring controls to securely manage privileged access across the entire environment.
+
+### Technical strategy disciplines
+
+**Discipline** | **Action**
+--- | ---
+**[Access and identities](security-adoption-discipline-identity-access.md)** | Ensure privileged identities are tightly governed so that only authorized users can obtain elevated access, and only for the time and scope required.
+[**Infrastructure security**](security-adoption-discipline-infrastructure.md)** | Protect the systems, devices, and management environments from which privileged access is performed to prevent compromise of administrative sessions.
+
+
+### Operational disciplines
+
+**Discipline** | **Action**
+--- | ---
+[**SecOps**](security-adoption-discipline-security-operations.md) | Monitor and investigate privileged activity to quickly detect, contain, and respond to misuse or compromise of administrative access.
+[**Security posture management**](security-adoption-discipline-posture.md) | Continuously assess privileged access configurations and exposure to identify risks, enforce best practices, and drive ongoing security improvement.
+
+## Next steps
+
+[Learn how relevant disciplines work together](security-adoption-discipline-identity-access-privileged-model.md) to design a privileged access architecture.
+
+
diff --git a/security-docs/zero-trust/security-adoption-scenario-remote-work.md b/security-docs/zero-trust/security-adoption-scenario-remote-work.md
new file mode 100644
index 000000000..d693b45d0
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-scenario-remote-work.md
@@ -0,0 +1,116 @@
+---
+title: Enable secure remote work
+description: Use the Microsoft security adoption model to enable secure remote work based on Zero Trust principles.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want to understand I can use the Microsoft security adoption model to allow people to do their job securely from anywhere
+---
+
+# Enable secure remote work
+
+This article explains how to enable secure remote work using Zero Trust principles, as part of the Microsoft [security adoption model]((security-adoption-model.md).
+
+
+This business scenario helps you achieve the following outcome:
+
+**Enable people to do their job securely from anywhere**.
+
+As a business leader, you must ensure that employees can securely access the systems, data, and applications they need to work from any location. Remote work expands the attack surface by operating outside traditional network boundaries, increasing exposure to identity-based attacks, compromised devices, and unauthorized access.
+
+A key outcome of enabling secure remote work is ensuring that employees can securely access organizational resources without increasing the risk of unauthorized access or disruption. This requires consistent verification of users, devices, and access conditions to ensure that only trusted access is allowed.
+
+This scenario focuses on establishing secure, consistent access to applications and data across remote and hybrid environments, ensuring that employees can work productively while organizational resources remain protected and governed.
+
+This enables employees to work from anywhere while reducing the risk of data exposure, operational disruption, and unauthorized access.
+
+## How this guidance works
+
+This article is part of a [structured adoption model](security-adoption-model.md) that connects security strategy to implementation:
+
+- Start with a [business scenarios](security-adoption-business-scenarios-overview.md) like this one to define the outcome you want to achieve.
+- Identity the [security disciplines](security-adoption-discipline-overview.md) that apply to this scenario.
+
+ Use those disciplines to define the required strategy, architecture, processes, and controls for the scenario.
+ Work through each discipline to understand what needs to be planned, designed, and implemented across the organization.
+
+- Use [technical solutions](implement-overview.md) to implement those requirements using Microsoft technologies, applying controls across [technology pillars](deploy/overview.md) such as identity, endpoints, and data.
+
+This approach ensures that users can work from anywhere while access to organizational resources is continuously verified and protected, reducing risk without limiting productivity.
+
+## Why hybrid remote work requires a new approach
+
+Remote work is a powerful business enabler, but it also introduces new and expanded security risks. To manage these risks while unlocking business value, organizations must take a modern, identity‑centric approach to security that protects users, devices, applications, and data wherever access occurs. To succeed organizations must:
+
+- **Modernize traditional security:** Traditional perimeter-based security blocks productivity and is ineffective for remote and hybrid work environments. Organizations must ensure that users, devices, applications, and data are protected regardless of where or how they're accessed.
+- **Secure user access:** Use multifactor authentication (MFA), Conditional Access policies, and device compliance checks to ensure only authorized users and healthy devices can access corporate resources.
+- **Empower the workforce:** Provide employees with the flexibility to work productively from home, office, or on the go without compromising security, improving satisfaction and retention.
+
+This scenario is foundational for modern organizations seeking to support distributed work while maintaining strong security and operational resilience.
+
+## Business value
+
+The value of secure remote work varies by role, but benefits the entire organization.
+
+| **Roles** | **Value** |
+| --- | --- |
+|**Business leadership**| Secure remote work enables business continuity and resilience by allowing employees to work productively from any location without increasing security or compliance risk. By shifting from perimeter-based security to an identity- and data-centric Zero Trust model, organizations reduce the likelihood of data breaches and regulatory violations while maintaining agility during disruptions. This approach supports workforce flexibility, protects organizational reputation, and enables expansion without geographic constraints.|
+|**Technology roles**| Secure remote work provides a scalable, centralized framework to manage and protect a distributed environment. Identity, device, and application–based controls improve visibility across users and endpoints, while automated policy enforcement reduces operational overhead. Centralized management and automation simplify access control, accelerate incident response and recovery, and enable IT teams to support remote work reliably without increasing complexity or operational risk.|
+|**Security roles**| Secure remote work allows security teams to modernize architecture and operations using Zero Trust principles, enabling business agility while improving visibility into risk and threats. Comprehensive identity, device, and application telemetry deliver actionable insights beyond traditional network data. Asset- and data-centric controls protect sensitive information across all locations, reducing the likelihood of breaches and regulatory violations through strong identity verification, device health validation, and contextual access enforcement.|
+
+## Align security disciplines
+
+Security disciplines represent the structured areas of accountability required to deliver this business scenario.
+
+- Planning and oversight disciplines define the strategy, governance, and cross‑organization coordination required.
+- Technical strategy disciplines define the architectural, operational, and control capabilities required.
+- Operational disciplines ensure that security controls remain effective over time through monitoring, response, and continuous improvement. They detect misuse, respond to threats, and drive ongoing security posture improvements.
+
+### Planning and oversight disciplines
+
+**Discipline** | **Action**
+--- | ---
+**[Strategy, Integration, and Governance](security-adoption-discipline-strategy.md)** | Define clear business and security objectives for secure remote work, aligned with organizational priorities and risk tolerance.
Ensure cross-functional alignment across IT, security, HR, and business units.
Jointly define measurable goals, success criteria, and cross-team processes to guide implementation and maturity.
Establish governance structures to oversee policy enforcement, compliance, and decision-making throughout the remote work lifecycle.
+**[Security Architecture](security-adoption-discipline-architecture.md)** | Ensure the organization has an end-to-end architecture that enables and secures remote work (access and identities).
Ensure response and recovery capabilities are updated (Security Operations).
Ensure data is appropriately protected (Data Security), and more.
Ensure all components are interoperable, scalable, and adaptable to evolving threats and business needs.
+
+### Technical strategy disciplines
+
+**Discipline** | **Action**
+--- | ---
+**[Access and Identities](security-adoption-discipline-identity-access.md)**| Implement strong authentication (MFA), centralized identity management, and Conditional Access policies to verify users and devices before granting access.
Ensure least privilege and just-in-time access for sensitive roles.
Secure access to applications through modern authentication, session controls, and runtime protections.
Ensure apps are onboarded to identity platforms and monitored for anomalous behavior.
+**[Data Security](security-adoption-discipline-data.md)** | Classify and protect sensitive data using encryption, labeling, and data loss prevention.
Ensure data remains secure across devices, locations, and applications, with persistent access controls.
+**[Infrastructure security](security-adoption-discipline-infrastructure.md)** | Secure cloud and on-premises infrastructure with segmentation, encryption, and continuous monitoring.
Apply Zero Trust controls to all network paths and administrative interfaces.
+**[Development security](security-adoption-discipline-development.md)**| Ensure that development standards require the use of modern authentication protocols to remove the need for retrofitting security onto older protocols and mechanisms.
+**[OT and IoT security](security-adoption-discipline-iot.md)** | Carefully consider business needs for remotely accessing these systems versus potential security risk of current remote access solutions and potential improvements to them.
+**Application security** | Secure access to applications through modern authentication, session controls, and runtime protections.
Ensure apps are onboarded to identity platforms and monitored for anomalous behavior.
+
+### Operational disciplines
+
+**Discipline** | **Action**
+--- | ---
+[**SecOps**](security-adoption-discipline-security-operations.md) | Continuously monitor remote devices, identities, and applications without traditional firewall and network intrusion detection or prevention system (IDS/IPS) telemetry.
Update automation, incident response playbooks, and threat hunting processes to use extended detection and response (XDR) capabilities.
+[**Security posture management**](security-adoption-discipline-posture.md)| Monitor software vulnerabilities, security configurations, and operational practices across the environment.
Use tools like Microsoft Security Exposure Management and Secure Score to track progress and compliance, remediate gaps, and ensure alignment with Zero Trust principles.
+
+## Required technology pillars
+
+Technology pillars represent the core Microsoft security capabilities that support this business scenario.
+
+
+**Technology pillar** | **Microsoft Entra** | **Microsoft Intune**
+--- | --- | ---
+**Cross-pillar** | Enforces access decisions using identity, authentication, and risk signals across all technology pillars. | Provides device compliance and security signals that are used to enforce access decisions across all technology pillars.
+**Identity** | Manages identities, authentication, and identity protection, including risk detection and Conditional Access policy evaluation. | Integrates with Microsoft Entra to ensure only authenticated users can enroll and manage devices.
+**Endpoints** | Evaluates device state through Conditional Access and enforces access policies based on device trust and risk. | Configures, secures, and monitors devices across platforms, enforcing compliance and security baselines.
+**Networks** | Microsoft Entra Internet Access and Microsoft Entra Private Access are Security Service Edge (SSE) technologies that converge network, identity, and endpoint access controls so you can secure access to any app or resource, from anywhere. | Enables network access control through compliance policies and integrates with Microsoft Entra for network-aware Conditional Access decisions. Microsoft Tunnel for Mobile ensures secure, least‑privilege access to internal apps from anywhere.
+**Apps** | Microsoft Entra Conditional Access protects applications by enforcing access controls and app protection policies. Conditional Access App Control integrates with Microsoft Defender for Cloud Apps to monitor and control user sessions in real time. | Enforces mobile application management (MAM) and app protection policies to secure application usage on devices.
+**Data** | Microsoft Entra Conditional Access works with sensitivity labels to enforce access requirements based on data classification, helping ensure that only authorized users on compliant devices can access sensitive content. | Applies data protection policies such as encryption, data loss prevention, and selective wipe on managed devices.
+**Infrastructure** | Microsoft Entra Workload ID helps secure the applications, service principals, and managed identities used to access your apps and infrastructure. | Extends management and security policies to cloud PCs, virtual desktops, and hybrid endpoints.
+**AI** | Microsoft Entra Agent ID extends the comprehensive security capabilities of Microsoft Entra to agents, enabling organizations to build, discover, govern, and protect agent identities. | Microsoft Intune applies AI-driven insights through endpoint analytics to proactively identify device health issues, optimize user experience, and recommend security improvements.
+
+## Next steps
+
+[Learn how to implement secure remote work](deploy/identity.md) to design a privileged access architecture.
diff --git a/security-docs/zero-trust/security-adoption-scenario-secure-ai.md b/security-docs/zero-trust/security-adoption-scenario-secure-ai.md
new file mode 100644
index 000000000..ca32af42d
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-scenario-secure-ai.md
@@ -0,0 +1,125 @@
+---
+title: Adopt and secure AI and data
+description: Use the Microsoft security adoption model to rapidly adopt and secure AI based on Zero Trust principles.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want to understand I can use the Microsoft security adoption model to quickly adopt and secure AI, including data.
+---
+
+# Accelerate and secure AI adoption
+
+This article explains how to rapidly and securely adopt AI using Zero Trust principles, as part of the Microsoft [security adoption model](security-adoption-model.md).
+
+This business scenario helps you achieve the following outcome:
+
+**Rapidly and securely adopt AI technology**
+
+As a business leader, you're under pressure to adopt AI quickly for competitive advantage, while protecting your organization from new and evolving risks.
+
+This business scenario is part of our [structured adoption model](security-adoption-model.md) that helps you to achieve business goals using a modern security approach grounded in Zero Trust principles.
+
+This guidance helps organizations adopt AI quickly and confidently while maintaining strong security, protecting sensitive data, and preserving business resilience.
+
+
+## How this guidance works
+
+This article is part of a [structured adoption model](security-adoption-model.md) that connects security strategy to implementation:
+
+- Start with a [business scenarios](security-adoption-business-scenarios-overview.md) like this one to define the outcome you want to achieve.
+- Identity the [security disciplines](security-adoption-discipline-overview.md) that apply to this scenario.
+
+ Use those disciplines to define the required strategy, architecture, processes, and controls for the scenario.
+ Work through each discipline to understand what needs to be planned, designed, and implemented across the organization.
+
+- Use [technical solutions](implement-overview.md) to implement those requirements using Microsoft technologies, applying controls across [technology pillars](deploy/overview.md) such as identity and data.
+
+This approach ensures that AI adoption is secured as part of your overall Zero Trust architecture, rather than as a separate effort.
+
+
+## Why AI adoption requires a new approach
+
+Generative AI technologies and AI agents are powerful business enablers, but they also introduce new classes of risk. These include (but aren't limited to):
+
+- Acceleration and amplification of existing cybersecurity risk using AI.
+- Unintended data exposure causing loss of intellectual property (IP) and competitive advantage.
+- Alteration of data, records, or processes through attacks such as data poisoning.
+
+## Secure AI adoption
+
+To enable AI safely while managing these risks, organizations must do two things in parallel:
+
+- **Secure AI technology** - Adopt new security controls and practices designed for AI, while reprioritizing existing security investments. For example:
+
+ - Classify and protect sensitive data to prevent unauthorized disclosure through AI models, applications, or users.
+ - Apply Zero Trust principles to AI identities, access, and data flows.
+ - Extend security monitoring and controls to AI-enabled workloads and agents.
+
+- **Use AI to improve security** — Use AI to increase the speed, scale, and effectiveness of security operations, including:
+ - Security posture management.
+ - Vulnerability discovery and mitigation.
+ - Incident detection, investigation, and response.
+ - Skills enablement for security and IT teams.
+
+Both are required. Securing AI reduces risk, while using AI for security helps teams keep pace with the increased attack volume and sophistication driven by AI
+
+
+## Business value
+
+The value of rapidly and securely adopting AI differs by role, but benefits the entire organization.
+
+| **Roles** | **Value** |
+| --- | --- |
+| **Business leadership** | Capture new opportunities and efficiencies while limiting AI-related risks such as IP loss, reputational damage, and operational disruption. |
+| **Technology roles** | Reduce incident frequency, impact, and recovery effort while lowering friction for security and compliance requirements. |
+| **Security roles** | Improve the effectiveness and efficiency of security operations by using AI to detect threats faster, prioritize risks more accurately, and automate time‑consuming tasks. |
+
+## Align security disciplines
+
+Security disciplines represent the structured areas of accountability required to deliver this business scenario.
+
+- Planning and oversight disciplines define the strategy, governance, and cross‑organization coordination required.
+- Technical strategy disciplines define the architectural, operational, and control capabilities required.
+- Operational disciplines ensure that security controls remain effective over time through monitoring, response, and continuous improvement. They detect misuse, respond to threats, and drive ongoing security posture improvements.
+
+
+### Planning and oversight disciplines
+
+**Discipline** | **Action**
+--- | ---
+**[Strategy, integration, and governance](security-adoption-discipline-strategy.md)** | Establish or update cross-team processes to ensure a coordinated approach across security, technology, and business teams, including:
Define a clear strategy for securing AI and using AI for security.
Update governance, policies, and processes to address AI‑specific risks.
Continuously learn and adapt as AI capabilities and threats evolve.
+**[End-to-end security architecture](security-adoption-discipline-architecture.md)** | Ensure that security architecture and technical controls and capabilities include controls for AI technologies and AI usage.
Drive an integrated approach that allows lessons learned in one area to be rapidly applied across the organization, keeping pace with the speed of AI-driven change.
+
+
+### Technical strategy disciplines
+
+**Discipline** | **Action**
+--- | ---
+**[Access and identities](security-adoption-discipline-identity-access.md)** | Ensure AI agents and applications use managed, secure identities.
Apply least‑privilege access, informed by business priorities and threat intelligence.
Enable comprehensive logging and anomaly detection to support rapid response and recovery.
+[**Infrastructure security**](security-adoption-discipline-infrastructure.md)| Use threat modeling to evaluate and mitigate risks introduced by AI infrastructure and AI‑enabled applications.
Apply AI to enhance vulnerability discovery, prioritization, and remediation.
Ensure robust logging and detection capabilities.
+[**Development security**](security-adoption-discipline-development.md) | Evaluate application risks introduced by AI components, including both traditional software vulnerabilities and social engineering or prompt‑based manipulation.
Use AI to accelerate vulnerability discovery and remediation, guided by business risk and threat intelligence.
Support the logging of activity and detection of anomalous activity (potential attacks) to enable effective response and recovery.
+[**Data security**](security-adoption-discipline-data.md)| Classify and label sensitive data to prevent AI models from ingesting or exposing it inappropriately.
Extend data security controls—such as data loss prevention (DLP) to cover AI applications and agents.
Ensure visibility and monitoring for data‑related threats.
Support the logging of activity and detection of anomalous activity (potential attacks) to enable effective response and recovery.
+[**OT and IoT security**](security-adoption-discipline-iot.md) | Apply threat modeling to AI interactions with OT/IoT systems, especially where AI affects physical processes.
Prioritize protections and monitoring based on business impact and threat intelligence.
Support the logging of activity and detection of anomalous activity (potential attacks) to enable effective response and recovery.
+
+### Operational disciplines
+
+**Discipline** | **Action**
+--- | ---
+[**SecOps**](security-adoption-discipline-security-operations.md) | Prepare for higher quality and higher volume of established attack techniques.
Integrate AI analysis to amplify and augment human activities and skills for investigating, hunting for, and simulating threats.
Use AI to increase skills readiness of junior analysts. Prioritize security activities using business priorities and threat intelligence insights.
+[**Security posture management**](security-adoption-discipline-posture.md) | Focus on rapidly building and maturing this discipline to address increasing quality and volume of attacks accelerated by AI.
Integrate use of AI to more quickly analyze data, identify mitigations, and increase skills readiness of posture management professionals.
+
+## Required technical pillars
+
+Technology pillars represent the core Microsoft security capabilities that support this business scenario.
+
+**Pillar** | **Purview** | **Github Advanced Security**
+--- | --- | ---
+**AI** | Microsoft Purview provides AI security and governance capabilities including AI Hub for visibility into AI usage, sensitivity labels for AI-generated content, and compliance controls for Copilot and other AI services. | GitHub Advanced Security applies AI-powered code analysis through Copilot Autofix to automatically suggest security fixes for identified vulnerabilities, accelerating remediation.
+
+## Next steps
+
+[Learn how to secure Microsoft Copilot](copilots/apply-zero-trust-copilots-overview.md).
\ No newline at end of file
diff --git a/security-docs/zero-trust/security-adoption-scenario-secure-assets.md b/security-docs/zero-trust/security-adoption-scenario-secure-assets.md
new file mode 100644
index 000000000..4038b435d
--- /dev/null
+++ b/security-docs/zero-trust/security-adoption-scenario-secure-assets.md
@@ -0,0 +1,116 @@
+---
+title: Identify and protect critical business assets
+description: Use the Microsoft security adoption model to secure critical assets based on Zero Trust principles and security best practices.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want to understand I can use the Microsoft security adoption model to protect my critical organizational resources and assets.
+---
+
+# Identify and protect critical business assets
+
+This article explains how to identify and protect critical business assets using Zero Trust principles, as part of the [Microsoft security adoption model](security-adoption-model.md).
+
+This business scenario helps you achieve the following outcome:
+
+**Identify and protect critical business assets**
+
+As a business leader, you must ensure that the systems, data, and operations that drive your organization are protected against targeted and high-impact threats. Not all assets carry equal importance—some represent concentrated risk and require stronger, more focused protection.
+
+A key outcome of protecting critical business assets is securing the privileged access that controls them. Privileged identities and access pathways represent concentrated risk because they provide administrative control over critical systems and data. If compromised, they can enable widespread impact across the organization.
+
+This scenario focuses on ensuring that critical assets are protected and that access to those assets is tightly governed and consistently controlled, so that only trusted and authorized access is allowed.
+
+This enables your organization to reduce the risk of high-impact attacks, protecting business operations, revenue, and reputation from disruption or compromise.
+
+## How this guidance works
+
+This article is part of a [structured adoption model](security-adoption-model.md) that connects security strategy to implementation:
+
+- Start with a [business scenarios](security-adoption-business-scenarios-overview.md) like this one to define the outcome you want to achieve.
+- Identity the [security disciplines](security-adoption-discipline-overview.md) that apply to this scenario.
+
+ Use those disciplines to define the required strategy, architecture, processes, and controls for the scenario.
+ Work through each discipline to understand what needs to be planned, designed, and implemented across the organization.
+
+- Use [technical solutions](implement-overview.md) to implement those requirements using Microsoft technologies, applying controls across [technology pillars](deploy/overview.md) such as identity and data.
+
+This approach ensures that security investments are focused on the assets that matter most to the business while access to those assets is consistently governed, reducing the risk of high-impact compromise and strengthening overall organizational resilience.
+
+## Why critical asset protection requires a new approach
+
+Organizations rely on the availability, integrity, and confidentiality of their business systems and data to run their business operations, accept customer revenue, fulfill their mission, and more. When threat actors (cybersecurity attackers) compromise the assurances of these system and data assets, organizations face direct costs as well as risks to life, safety, mission, revenue, reputation, market share, and more.
+
+This diagram illustrates how these business critical assets must be secured at a level greater than others.
+
+:::image type="content" source="./media/security-adoption-protect-critical.png" alt-text="Diagram illustrating two categories of business critical assets: high-value assets with intrinsic business value, and privileged access accounts and systems that control those assets." lightbox="./media/security-adoption-protect-critical.png":::
+
+Not all systems and data carry equal business impact. Business‑critical assets fall into two categories:
+
+- **High value assets** - High‑value assets are systems and data whose compromise could cause severe financial or operational damage, up to and including bankruptcy or insolvency. These assets are often targeted for theft, extortion, or destruction.
+- **Privileged access** - Privileged access represents concentrated risk—identities, accounts, and tools that control high‑value assets. Compromise of privileged access (via IT admin accounts, workstations, and other systems) enables widespread impact and must be protected at the same level or above the level of high‑value assets.
+
+## Business value
+
+The value of securing critical assets benefits the entire organization, but differs by role.
+
+| **Roles** | **Value** |
+| --- | --- |
+| **Business leadership** | Protect the most valuable organizational assets that drive revenue, mission success, and competitive advantage.
Minimize business impact from attacks targeting high-value systems and data.
Ensure privileged access is secured to prevent unauthorized control of critical assets. |
+| **Technology roles** | Focus security investments on the assets that matter most to the business.
Reduce the blast radius of breaches by securing privileged access pathways.
Implement standardized protections for identified critical assets across the technical estate. |
+| **Security roles** | Prioritize security efforts based on business impact rather than technical complexity.
Establish clear visibility into critical assets and privileged access pathways.
Implement defense-in-depth controls for high-value targets most likely to be attacked. |
+
+## Align security disciplines
+
+Security disciplines represent the structured areas of accountability required to deliver this business scenario.
+
+- Planning and oversight disciplines define the strategy, governance, and cross‑organization coordination required.
+- Technical strategy disciplines define the architectural, operational, and control capabilities required.
+- Operational disciplines ensure that security controls remain effective over time through monitoring, response, and continuous improvement. They detect misuse, respond to threats, and drive ongoing security posture improvements.
+
+### Planning and oversight disciplines
+
+**Discipline** | **Action**
+--- | ---
+**[Strategy, integration, and governance](security-adoption-discipline-strategy.md)** | Establish clear strategy, governance, policy, and processes to guide teams on identifying and prioritizing business critical assets and privileged access.
Drive a continuous learning approach to continuously improve your ability to identify, protect, detect, respond, recover, and govern business critical assets and privileged access.
Ensure governance drives and monitors cross-team processes to ensure a coordinated approach across security, technology, and business teams.
+**[End-to-end security architecture](security-adoption-discipline-architecture.md)** | Ensure that security architectures explicitly require, include, and prioritize security of privileged access and high value business critical assets.
Ensure technical controls and capabilities are sufficient to mitigate risk across the full security lifecycle (identify, protect, detect, respond, recover, and govern).
Drive an integrated approach across technology teams to prioritize business critical assets and rapidly apply learnings to keep up with attacker evolution.
+
+### Technical strategy disciplines
+
+**Discipline** | **Action**
+--- | ---
+**[Access and identities](security-adoption-discipline-identity-access.md)** | Implement privileged access management with just-in-time and just-enough-access principles.
Secure administrative accounts with phishing-resistant credentials and enhanced monitoring
Ensure critical systems require strong authentication and enforce least-privilege access.
Establish clear visibility into who has privileged access to critical assets.
+[**Infrastructure security**](security-adoption-discipline-infrastructure.md) | Harden and closely monitor infrastructure hosting critical business applications and data.
Implement network segmentation to isolate high-value assets.
Deploy enhanced logging and anomaly detection for privileged access to critical infrastructure.
Establish secure baselines and configuration management for critical systems.
+[**Development security**](security-adoption-discipline-development.md)| Prioritize security testing and threat modeling for applications that process or access critical business data.
Implement secure development practices and supply chain security for business-critical applications.
Establish application-level controls to protect sensitive data and prevent unauthorized access.
+[**Data security**](security-adoption-discipline-data.md) | Classify and label critical business data to enable appropriate protection controls.
Implement data loss prevention, encryption, and access controls aligned with data criticality.
3. Monitor for unusual data access patterns and potential exfiltration of high-value information.
+[**OT and IoT security**](security-adoption-discipline-iot.md)| Identify IoT and OT systems that are business critical or can impact physical safety.
Implement network segmentation and enhanced monitoring for these systems.
Secure privileged access to operational technology management platforms.
+
+### Operational disciplines
+
+**Discipline** | **Action**
+--- | ---
+[**SecOps**](security-adoption-discipline-security-operations.md) | Prioritize monitoring and response for critical assets and privileged access.
Implement enhanced threat hunting and detection for attacks targeting high-value systems.
Establish accelerated incident response procedures for breaches involving critical assets.
Use threat intelligence to anticipate attacks on valuable targets.
+[**Security posture management**](security-adoption-discipline-posture.md) | Continuously assess security posture of critical assets and privileged access pathways.
Prioritize vulnerability remediation based on asset criticality and business impact.
Monitor compliance with security baselines for high-value systems.
Track and report on the security status of business-critical assets to leadership.
+
+## Required technology pillars
+
+Technology pillars represent the core Microsoft security capabilities that support this business scenario.
+
+**Pillar** | **Purview** | **Entra**
+--- | --- | ---
+**Identity** | Microsoft Purview integrates with Conditional Access to enforce identity-based access controls on sensitive data through sensitivity labels and data loss prevention policies. | Microsoft Entra provides Conditional Access, and identity governance to ensure that only authorized users and services can access sensitive data.
+**Endpoints** | Microsoft Purview Endpoint DLP extends data protection policies to endpoints, preventing unauthorized data transfers and ensuring sensitive information stays protected on devices. | Microsoft Entra Enforces device-based access controls, ensuring only compliant and trusted devices can access protected data.
+**Networks** | Microsoft Purview monitors data movement across network boundaries and integrates with network security tools to detect and prevent data exfiltration. | Microsoft Entra applies location and network-based access conditions through Conditional Access policies.
+**Apps** | Microsoft Purview applies sensitivity labels and DLP policies across Microsoft 365 apps, SaaS applications, and on-premises file shares to ensure consistent data protection. | Microsoft Entra controls access to applications using single sign-on (SSO), application registration, and access policies.
+**Data** | Microsoft Purview provides the core data security capabilities including sensitivity labeling, data classification, data loss prevention, information barriers, and records management. | Microsoft Entra enforces access decisions using RBAC, Privileged Identity Management (PIM), and just-in-time access for sensitive operations.
+**Infrastructure** | Microsoft Purview extends data governance and protection to cloud infrastructure through integration with Azure services, multicloud environments, and on-premises data stores. | Microsoft Entra governs administrative access to cloud resources through role assignments, access reviews, and privileged role protections.
+**AI** | Microsoft Purview provides AI security and governance capabilities including AI Hub for visibility into AI usage, sensitivity labels for AI-generated content, and compliance controls for Copilot and other AI services. | Microsoft Entra secures access to AI services by enforcing identity verification, access policies, and governance over who can access and configure AI workloads.
+
+
+## Next steps
+
+[Learn about protecting privileged access](security-adoption-scenario-privileged-access.md).
\ No newline at end of file
diff --git a/security-docs/zero-trust/security-best-practices-overview.md b/security-docs/zero-trust/security-best-practices-overview.md
new file mode 100644
index 000000000..7144b1628
--- /dev/null
+++ b/security-docs/zero-trust/security-best-practices-overview.md
@@ -0,0 +1,62 @@
+---
+title: Microsoft security best practices overview
+description: Overview of Microsoft security best practices
+ms.author: raynew
+author: rayne-wiselman
+ms.topic: article
+ms.service: security
+ms.subservice: zero-trust
+ms.date: 05/24/2026
+
+#customer intent: As a Microsoft security adopter, I want to understand the range of security best practices that drive Microsoft security guidance.
+---
+
+
+# Microsoft security best practices
+
+Microsoft security best practices are designed to help organizations protect their digital estates by reducing risk, improving resilience, and enabling secure productivity.
+
+- At the core of these best practices is the [Zero Trust security model](zero-trust-overview.md). Zero Trust assumes that threats exist both inside and outside the network, and emphasizes verifying every access request, enforcing least privilege access, and segmenting resources as we assume breach.
+
+Zero Trust principles are reinforced through a combination of engineering best practices, frameworks, benchmarks, and assessment tools.
+
+## Best practices and recommendations
+
+- **[Microsoft's Secure Future Initiative (SFI)](sfi/secure-future-initiative-overview.md)**
+
+ A series of best practices and security learning based on Microsoft's multi-year efforts to increasingly secure the way in which we design, build, test, and operate our products. SFI provides a series of best practice patterns that you can learn from and implement. SFI tackles security by pillars. Objectives for each pillar align to one or more [NIST Cybersecurity Framework functions](sfi/secure-future-initiative-overview.md#sfi-pillars-zero-trust-and-nist).
+
+- **[Microsoft Entra security recommendations](/entra/fundamentals/configure-security)**
+
+ Check identity and app security configuration and posture. Recommendations aligns to SFI themes. These best practices are included in the [Zero Trust Assessment tool](assessment/overview.md).
+
+- **[Microsoft Intune device security recommendations](/intune/intune-service/protect/zero-trust-configure-security)**
+
+ Ensure tenant-level governance and device compliance. Protect data on devices and in transit, and enforce secure access to organizational data. These best practices are included in the [Zero Trust Assessment tool](assessment/overview.md).
+
+- **[Azure networking security best practices](/azure/networking/security/zero-trust-network-security)**
+
+ Assess and harden network posture with Azure DDoS protection, Azure Firewall, Azure Web Application Firewall on Application Gateway or Azure Front Door. These best practices are included in the [Zero Trust Assessment tool](assessment/overview.md).
+
+- **[Data security best practices](/purview/zero-trust-microsoft-purview)**
+
+ Check Microsoft Purview configuration settings for data security posture. These best practices are included in the [Zero Trust Assessment tool](assessment/overview.md).
+
+
+- The **[Microsoft Cloud Security Benchmark (MCSB)](/security/benchmark/azure/overview)**
+
+ Provides a series of best practices and recommendations for improving the security of workloads, data, and services on Azure.
+
+- Other Microsoft Defender products such as [Defender for Cloud](/azure/defender-for-cloud/concept-cloud-security-posture-management) and [Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management), and [Microsoft Purview Compliance Manager](/purview/compliance-manager) also monitor and assess your enterprise security posture, providing actionable security and compliance insights and recommendations.
+
+- External best practices and framework also provide Zero Trust security principles and guidance. [Learn more](security-zero-trust-frameworks.md).
+
+
+## Next steps
+
+Use the links provided in this article to dig more deeply into different types of security best practices. Or:
+
+- To kick off by assessing your current security posture, start with [Zero Trust assessment](assessment/overview.md).
+- To get started with structured adoption, follow our [Zero Trust adoption path](security-adoption-model.md).
+- To dive into critical security outcomes that business leaders typically focus on, start with our [business scenarios](security-adoption-business-scenarios-overview.md).
+To start directly with implementation for business solutions and technical pillars such as devices and data, review [implementing technical solutions](implement-overview.md).
diff --git a/security-docs/zero-trust/security-concept-privileged-access.md b/security-docs/zero-trust/security-concept-privileged-access.md
new file mode 100644
index 000000000..f2918217b
--- /dev/null
+++ b/security-docs/zero-trust/security-concept-privileged-access.md
@@ -0,0 +1,105 @@
+---
+title: Privileged access
+description: Get a primer overview of privileged access
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+ms.topic: concept-article
+#customer intent: As a business leader or security adopter, I want understand the important of privileged access in our security priorities
+---
+
+# Overview - privileged access
+
+Privileged access sits across the [enterprise access model](security-adoption-discipline-identity-access-enterprise-model.md) and provides the only administrative path to the control plane. It defines who can configure systems, manage identities, enforce security, and ultimately shape the organization’s technology environment.
+
+In modern enterprises, a relatively small number of identities - administrators, service accounts, and control plane roles have power and access to most business assets. These identities can:
+
+- Modify access controls
+- Change system configurations
+- Access sensitive data
+- Disable or bypass security protections
+
+Attackers recognize this. Rather than attacking every system individually, they focus on:
+
+- Stealing credentials.
+- Escalating privileges.
+- Moving laterally toward high-value roles.
+
+Once privileged access is obtained, the attacker can operate with speed and scale.
+
+This is why modern security models treat privileged access differently:
+
+- **It must be explicitly controlled**.
+ For example, define privileged roles and onboarding through identity governance and privileged identity management (PIM), requiring approval and time-bound elevation instead of permanent role assignments.
+- **It must be isolated from normal activity**.
+ For example, use separate administrative accounts and dedicated privileged access devices (PAWs) so privileged actions never occur from standard user sessions or unmanaged devices.
+- **It must be continuously monitored**.
+ For example, send privileged sign-ins, role activations, and policy changes to monitoring tools like Microsoft Sentinel to detect unusual usage patterns and trigger alerts or automated response.
+- **It must be agreed that privileged access is a primary target of compromise**.
+ For example, protect all privileged accounts with strong multifactor authentication (MFA), no standing access, and break-glass account controls, assuming attackers attempt credential theft and privilege escalation.
+
+
+Protecting privileged access requires looking beyond just roles and accounts to understanding all components that have privileged access. This includes:
+
+- The identity control plane.
+- Privileged devices, apps, and interfaces.
+- Intermediary systems such as VPNs, PIM, and privileged access management (PAM) systems.
+
+Together, these define how control is exercised—and how it must be protected.
+
+The following graphic illustrates the potential attack surface for privileged access compromise.
+
+:::image type="content" source="./media/security-adoption-discipline-privileged-access-attack.png" alt-text="Diagram showing the potential attack surface for privileged access." lightbox="./media/security-adoption-discipline-privileged-access-attack.png":::
+
+
+
+
+## Identity control plane
+
+The identity control plane is the layer that defines and governs who can hold privileged roles and how those privileges are assigned, elevated, and revoked across the organization. In a privileged access context, it includes privileged identities, role assignments, and approved elevation paths, forming the foundation that all other controls depend on.
+
+Securing the identity control plane ensures that privilege is explicit, time-bound, strongly authenticated, and auditable, preventing unauthorized or uncontrolled access to the systems that ultimately control the entire environment.
+
+The following diagram show that the control plane is centrally managed in cloud services (Microsoft Entra ID, Intune, Defender for Endpoint) and can only be accessed through a privileged access workstation (PAW), enforcing isolation, control, and secure administration of all privileged operations.
+
+:::image type="content" source="./media/security-adoption-discipline-access-privileged-control.png" alt-text="Diagram showing Microsoft technologies that protect the identity control plane." lightbox="./media/security-adoption-discipline-access-privileged-control.png":::
+
+
+### Control plane roles
+
+Microsoft Entra ID has roles and permissions that are identified as privileged.
+
+These roles and permissions can be used to delegate management of directory resources to other users, modify credentials, authentication or authorization policies, or access restricted data. Privileged role assignments can lead to elevation of privilege if not used in a secure and intended manner.
+
+- Review [privileged Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference).
+- [Learn more](/entra/identity/role-based-access-control/privileged-roles-permissions) about viewing and using privileged roles.
+
+## Privileged access workstations
+
+A Privileged Access Workstation (PAW) is a dedicated, hardened device used only for performing administrative tasks. It's separate from regular user devices and is tightly secured to reduce the risk of credential theft, malware, or lateral movement.
+PAWs enforce key protections such as:
+
+- Strong authentication (for example, Windows Hello for Business)
+- Device hardening (Credential Guard, Device Guard, Exploit Guard, AppLocker)
+- Restricted usage (no general browsing or productivity activity)
+
+The goal is to ensure that privileged credentials and actions are never exposed to untrusted environments.
+
+The following diagram shows how the PAW in the only trusted access point into the control plane.
+
+:::image type="content" source="./media/security-adoption-discipline-access-enterprise-privileged-device.png" alt-text="Diagram showing Microsoft technologies that protect privileged devices." lightbox="./media/security-adoption-discipline-access-enterprise-privileged-device.png":::
+
+
+As shown in the diagram, all administrative actions flow through the PAW and are controlled as summarized in the table.
+
+**Control** | **Implementation**
+--- | ---
+**Explicitly controlled** | Administrative access is granted only through policy-based identity controls, requiring strong authentication and approved, time-bound elevation.
Device state must also meet compliance requirements before access is allowed.
+**Isolated from normal activity** | Privileged operations are restricted to a dedicated PAW device with tightly controlled usage and connectivity. The PAW isn't used for general productivity, with restricted internet access and secure remote connectivity to sensitive systems.
+**Continuously monitored** |All identity activity, device state, and endpoint behavior are continuously collected and analyzed, enabling detection of abnormal privileged activity and rapid response.
+**Assumed to be targeted** | The environment is hardened and continuously validated, assuming attackers target privileged access. Devices are kept up to date, secure bootstrapping is enforced.
+
+
+## Next steps
+
+Deploy a [privileged access architecture](adopt/implement-privileged-access.md).
\ No newline at end of file
diff --git a/security-docs/zero-trust/security-operations-playbook-phishing.md b/security-docs/zero-trust/security-operations-playbook-phishing.md
new file mode 100644
index 000000000..14f6b54f1
--- /dev/null
+++ b/security-docs/zero-trust/security-operations-playbook-phishing.md
@@ -0,0 +1,138 @@
+---
+title: Phishing investigation playbook
+description: Understand how to use a phishing investigation playbook.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: MicrosoftGuyJFlo
+ms.author: joflore
+ms.topic: conceptual
+
+#customer intent: As a business leader or security adopter, I want plan our SecOps approach to incident response.
+---
+
+# Phishing investigation playbook
+
+This article demonstrates a phishing playbook. It's part of the incident response playbook guidance in the [Security Operations (SecOps)](security-adoption-discipline-security-operations.md) discipline.
+
+This playbook is intended for all roles responsible for building or executing incident response playbooks, including SecOps analysts, incident responders, identity administrators, and IT operations staff.
+
+Phishing attacks are one of the most common initial access techniques used by adversaries. A successful phishing attack can lead to credential compromise, malware execution, data exfiltration, and lateral movement across identity, email, and endpoint environments.
+
+The guidance in this article describes what to investigate and why. Product‑specific examples (such as Microsoft Defender XDR or Microsoft Sentinel) are provided as reference implementations.
+
+## Before you start
+
+Before starting a phishing investigation, ensure that the following baseline readiness requirements are in place. These prerequisites should be completed before an incident occurs as part of incident response planning.
+
+**Area** | **Requirement** | **Details**
+--- | --- | ---
+**Account information** | Have at least one identifier for the suspected target user | Identifiers can be: user principal name (UPN), email address, or username/alias.
This information is required to correlate email activity, sign‑ins, and downstream actions.
+**Microsoft 365 audit/logging** | Mailbox auditing should be enabled organization‑wide to ensure that mailbox access and actions are recorded. | Verify that mailbox auditing on by default is enabled by running the following command in Exchange Online PowerShell: *Get-OrganizationConfig \| Format-List AuditDisable*/.
A value of False indicates that mailbox auditing is enabled for all mailboxes.
+**Microsoft 365 audit/logging** | Message trace logs are required to identify the original phishing message, deliver status, all recipients, message routing details. | Message trace is available in [Exchange Admin Center](https://admin.exchange.microsoft.com/#/messagetrace), Microsoft Defender portal (Email & collaboration > Exchange message trace).
To work effectively with message trace data, investigators must be able to retrieve and interpret Message‑ID values, which are obtained from raw email headers.
+**Microsoft 365 audit/logging** | Unified audit logs are required to review user and administrative activity across Microsoft 365 workloads. | Ensure investigators can search the unified audit log to review actions such as mailbox access, mail item actions, administrative changes, and sign‑in–related events.
+**Microsoft Entra logs** | Microsoft Entra ID sign‑in and audit logs are retained for a limited period (30 or 90 days, depending on licensing). | To support investigations, historical analysis, and post‑incident review, export logs to a long‑term repository such as Microsoft Sentinel, Azure Monitor, or a third-party SIEM.
+**Permissions** | Ensure investigators have sufficient permissions to access required data without over‑privileging accounts. | Microsoft Entra ID: minimum recommended role is Security Reader.
Defender portal and Microsoft Compliance portal: Security Reader.
These roles provide read‑only access to email, alerts, and audit data.
+**Endpoint visibility** | Microsoft Defender for Endpoint | If Defender for Endpoint is installed, use it to:
- Validate whether users interacted with phishing content.
- Identify payload execution.
- Correlate endpoint activity with email events.
+**Hardware** | A system capable of running PowerShell. |
+**Software** | These PowerShell modules are commonly used during phishing investigations | Microsoft Graph PowerShell SDK
Exchange Online PowerShell module
Microsoft Entra Incident Response PowerShell module.
Ensure all modules are installed and kept up to date.
+
+## Workflow
+
+The phishing investigation workflow follows these high‑level stages:
+
+1. Identify and confirm the phishing message.
+1. Scope the impact and affected users.
+1. Assess user interaction and credential exposure.
+1. Identify downstream activity.
+1. Contain the threat and prevent recurrence
+
+This workflow helps responders move from detection to containment without skipping critical validation steps.
+
+## What to check
+
+Use this checklist as a quality gate during the investigation.
+
+- Identify the phishing email and original Message‑ID
+- Determine all recipients and delivery status
+- Identify whether users interacted with the message
+- Assess credential compromise or malware execution
+- Identify lateral or follow‑on activity
+- Remove malicious messages from mailboxes
+- Reset or secure impacted accounts
+- Improve detections and prevention controls
+
+
+## Investigation steps
+
+### Step 1: Identify the phishing message
+
+1. Obtain the suspected phishing email.
+1. Extract the Message‑ID from the email headers.
+1. Use message trace to determine:
+
+ - When the message was received
+ - Which users received it
+ - Whether it was delivered, blocked, or quarantined
+
+### Step 2: Scope affected users
+
+1. Identify all recipients of the message
+2. Confirm whether the message bypassed filters
+3. Determine whether similar messages were sent using variants of the same campaign
+
+
+### Step 3: Assess user interaction
+
+1. For each affected user, determine whether they:
+
+ - Opened the email
+ - Clicked links
+ - Opened attachments
+ - Submitted credentials
+
+ Correlate email activity with:
+
+ - Microsoft Entra sign‑in logs
+ - Audit logs
+ - Endpoint activity (if available)
+
+
+### Step 4: Identify follow‑on activity
+
+1. If credentials may have been exposed, investigate for:
+
+ - Suspicious sign‑ins
+ - Password spray or brute force activity
+ - OAuth consent grants
+ - Token abuse
+ - Unusual mailbox or collaboration activity
+
+1. If attachments were opened, validate whether any malware executed on endpoints.
+
+### Step 5: Contain and remediate
+
+Based on findings:
+
+1. Remove phishing messages from all mailboxesDisable or reset.
+1. compromised accounts.
+1. Revoke active sessions and tokens.
+1. Block malicious senders, domains, and URLs.
+1. Isolate or remediate impacted endpoints.
+
+### Step 6: Recovery
+
+After containment, focus on restoring normal operations and reducing recurrence risk.
+
+Recovery actions may include:
+
+- Enforcing credential resets and multifactor authentication
+- Reviewing mailbox rules and forwarding settings
+- Improving email filtering and anti‑phishing policies
+- Updating detections and alerts
+- Updating or refining phishing response playbooks
+
+## Next steps
+
+[Learn more](security-adoption-discipline-security-operations.md) about the SecOps discipline.
+
diff --git a/security-docs/zero-trust/security-platform.md b/security-docs/zero-trust/security-platform.md
new file mode 100644
index 000000000..c3a167dba
--- /dev/null
+++ b/security-docs/zero-trust/security-platform.md
@@ -0,0 +1,119 @@
+---
+title: Microsoft security platform technologies
+description: Learn about the products and services in the Microsoft security platform
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+ms.author: raynew
+author: rayne-wiselman
+ms.topic: conceptual
+
+#customer intent: As a security adopter, I want to understand the Microsoft security platform technologies.
+---
+
+# Microsoft security services
+
+This article describes Microsoft security services and how they work together as a unified system to deliver protection across [technology pillars](deploy/overview.md) that include identities, devices, applications, data, AI, and infrastructure.
+
+Modern enterprise security shifted from perimeter-based protection to an identity-driven, cloud-integrated model. Organizations must secure users, devices, applications, and data across hybrid and multicloud environments while continuously adapting to evolving threats.
+
+Microsoft provides an integrated set of cloud-based services that work together to share signals, apply consistent policies, enforce controls, and coordinate detection and response across the environment.
+
+
+## Security outcomes
+
+Integrated Microsoft security delivers the following outcomes:
+
+- **Unified signal visibility**: Telemetry is continuously collected and centralized across identities, devices, applications, data, and infrastructure, and converted into centralized, actionable signals.
+- **Identity-driven decision making**: Access and enforcement decisions are based on identity, device state, risk signals, and session context.
+- **Consistent enforcement**: Zero Trust controls are applied across endpoints, cloud services, and applications at access time and during use.
+- **Integrated detection and response**: Signals and alerts are correlated across domains to detect and respond to threats as unified operations.
+- **Continuous validation and improvement**: Detection and risk signals feed back into policy decisions to strengthen protection over time.
+
+## Core security services
+
+Core security services span multiple technology pillars, each contributing signals, context, and enforcement across the platform.
+
+
+**Pillar
Primary service** | **Protection** | **Primary portal**
+--- | --- | ---
+**Identity and access**
Microsoft Entra
Microsoft Defender for Identity. | Microsoft Entra controls access for users, workloads, and applications. It evaluates identity, device, and session signals to make access decisions.
Defender for Identity monitors hybrid identity infrastructure to detect attacks. | [Microsoft Entra admin center](https://entra.microsoft.com/)
[Microsoft Defender portal](https://sip.security.microsoft.com/)
+**Devices/endpoints**
Microsoft Defender for Endpoint
Microsoft Intune | Defender for Endpoint collects endpoint telemetry and detects threats.
Microsoft Intune assesses device compliance and enforces policy. | [Microsoft Defender portal](https://sip.security.microsoft.com/)
[Microsoft Intune admin center](https://intune.microsoft.com/)
+**Email and collaboration**
Defender for Office 365 | Protects Exchange and collaboration services (Microsoft Teams, SharePoint, OneDrive) from malware, malicious links/attachments, and business email compromise. | [Microsoft Defender portal](https://sip.security.microsoft.com/)
+**Data**
Microsoft Purview | Enforces data protection and data loss prevention (DLP) policies across endpoints and cloud services. | [Microsoft Purview portal](https://sip.purview.microsoft.com/)
+**Infrastructure/cloud workloads**
Microsoft Defender for Cloud | Improves security posture and provides threat detection across cloud and hybrid workloads. | [Microsoft Azure portal](https://ms.portal.azure.com/)
[Microsoft Defender portal](https://sip.security.microsoft.com/)
+**Networks**
Azure networking services | Segment and protect networks. | [Microsoft Azure portal](https://ms.portal.azure.com/)
+**SaaS/cloud apps**
Microsoft Defender for Cloud Apps | Provides visibility into cloud app usage and monitors user activity to detect risky behavior. | [Microsoft Defender portal](https://sip.security.microsoft.com/)
+**Posture/risk**
Microsoft Security Exposure Management | Identifies, prioritizes, and reduces exposure across identities, devices, cloud resources, and applications. | [Microsoft Defender portal](https://sip.security.microsoft.com/)
+**Threat detection/response**
Microsoft Defender XDR | Correlates signals across Defender services and produces unified incidents for investigation and response. | Microsoft Defender portal
+**Security operations**
Microsoft Sentinel | Aggregates telemetry from Microsoft and third-party sources for centralized analysis, investigation, and response. | [Microsoft Azure portal](https://ms.portal.azure.com/)
[Microsoft Defender portal](https://sip.security.microsoft.com/)
+**Developer/app security**
Defender for DevOps (in Defender for Cloud)
GitHub Advanced Security | Secures code, dependencies, and build pipelines, and enforces security governance across DevOps workflows. | [Microsoft Defender portal](https://sip.security.microsoft.com/)
GitHub interface
+
+## Network protection services
+
+The table summarizes Azure networking capabilities and how they directly integrate with other security services. Services are configured in the [Microsoft Azure portal](https://ms.portal.azure.com/).
+
+**Service** | **Protection** | **Integration**
+--- | --- | ---
+**Azure Firewall** | Enforces IP, port, and application rules to control inbound and outbound traffic across subnets, internet, and on-premises networks. Uses Microsoft threat intelligence to block known malicious traffic. | Defender for Cloud evaluates configuration posture.
Diagnostic logs are ingested into Azure Monitor/Log Analytics and analyzed by Microsoft Sentinel for detection and correlation.
+**Azure DDoS Protection** | Mitigates volumetric, protocol, and application-layer attacks. Protects internet-facing resources in virtual networks (VNets) from large-scale flooding attacks. | Metrics and attack telemetry are ingested into Azure Monitor/Log Analytics and can be analyzed in Microsoft Sentinel.
Defender for Cloud provides posture recommendations.
+**Azure VNet** | Provides network isolation, segmentation, and private IP addressing for Azure resources. Enables controlled connectivity between services. | Defender for Cloud evaluates configuration state, including exposure such as public access paths.
+**Network Security Groups (NSGs)** | Filters traffic at the subnet and network interface level using allow/deny rules. Restricts unwanted traffic to resources. | NSG flow logs (via Azure Monitor) can be analyzed in Microsoft Sentinel for traffic visibility and detection.
Defender for Cloud evaluates NSG rule configuration.
+**Azure Web Application Firewall (WAF)** | Protects HTTP/HTTPS applications using OWASP rule sets. Helps prevent common web attacks such as SQL injection and cross-site scripting (XSS).| WAF logs are ingested into Azure Monitor/Log Analytics and analyzed by Microsoft Sentinel.
Defender for Cloud evaluates WAF configuration posture.
+**Azure Front Door** | Provides a global entry point for web applications with routing, acceleration, and edge security capabilities. Integrates with WAF for application protection. | Diagnostic logs (Front Door/WAF) are ingested into Log Analytics and analyzed by Microsoft Sentinel.
Defender for Cloud evaluates configuration posture.
+**Azure Application Gateway** | Provides regional load balancing with built-in web application firewall capabilities to protect and route application traffic. | Access and WAF logs are ingested into Log Analytics and analyzed by Microsoft Sentinel.
Defender for Cloud evaluates configuration posture and exposure settings.
+**Azure VPN Gateway** | Provides encrypted IPsec/IKE connectivity between on-premises environments and Azure VNets. Protects data in transit over public networks. | Connection and tunnel logs are ingested into Log Analytics and can be analyzed in Microsoft Sentinel.
Defender for Cloud evaluates configuration posture, including encryption settings.
+**Azure ExpressRoute** | Provides private, dedicated connectivity between on-premises environments and Azure over the Microsoft backbone, avoiding the public internet. | Operational telemetry (such as BGP, circuit status) is available through Azure Monitor and can be analyzed in Microsoft Sentinel.
Defender for Cloud evaluates high-level configuration posture.
+**Azure Bastion** | Provides secure RDP and SSH access to virtual machines through a browser, eliminating the need for public IP exposure. | Diagnostic logs are ingested into Log Analytics and analyzed by Microsoft Sentinel.
Defender for Cloud evaluates reduced VM, but not Azure Bastion configuration directly.
+**Azure Private Link** | Provides private connectivity to Azure PaaS services and customer services using private IP addresses, eliminating public exposure. | Service-level logs (for services accessed via Private Link such as Storage, SQL, Key Vault) are ingested into Log Analytics and analyzed by Microsoft Sentinel.
Defender for Cloud evaluates whether private links are used to reduce exposure.
+**Azure Network Watcher** | Provides network diagnostics, monitoring, and flow-level visibility across Azure resources. | NSG flow logs and diagnostics are ingested into Log Analytics and can be analyzed in Microsoft Sentinel.
Defender for Cloud evaluates underlying resource configuration state such as NSG settings, rather than Network Watcher directly.
+
+## Security workflow
+
+Security services operate as a continuous pipeline. Signals are continuously collected, evaluated, enforced, and used to drive detection and response.
+
+**Pipeline** | **Action** | **Key activity**
+--- | --- | ---
+**Stage 1: Signal collection** | Security services generate telemetry across identities, devices, applications, and infrastructure. | - Defender for Endpoint collects device telemetry.
- Microsoft Intune evaluates device compliance.
- Defender for Identity monitors on-premises identity activity.
- Defender for Cloud Apps monitors SaaS activity.
- Defender for Cloud monitors infrastructure/workload configuration and activity.
+**Stage 2: Policy decisions** | Signals are evaluated to determine access conditions and control actions. | Microsoft Entra Conditional Access evaluates identity risk, device trust, location, and session context.
+**Stage 3: Control enforcement** | Security controls are applied across identity, device, session, data, and network layers. | Enforcement points include:
- Conditional Access (MFA/restrictions)
- Intune (device compliance)
-Defender for Cloud Apps (session control)
- Microsoft Purview (DLP)
- Azure networking (connectivity restrictions).
+**Stage 4: Detection and response** | Signals and alerts are correlated to detect, investigate, and remediate threats. | Microsoft Defender XDR correlates signals from all Defender products into unified incidents.
Microsoft Sentinel centralizes logs, incidents, hunting, and security orchestration, automation, and response (SOAR) across the entire environment—including third-party sources.
+**Feedback loop** | Detection outcomes feed back into policy decisions to continuously improve protection. | Risk and threat signals inform real-time policy updates, enabling adaptive and automated protection.
+
+## Security service integration
+
+Microsoft security services integrate through multiple flows operating as a cohesive pipeline, forming a continuous system of protection.
+
+- **Signals (telemetry)** capture activity across identities, devices, applications, and other resources.
+- **Context (identity, device posture, and data classification)** enriches signals to improve accuracy and decision-making.
+- **Policy** defines what access is allowed or blocked based on evaluated conditions.
+- **Actions** enforce decisions through automated controls and response.
+
+As signals move through the platform, they're enriched, evaluated against policy, and acted on, creating a continuous cycle of protection and response.
+
+### How services integrate
+
+The table summarizes how security services consume signals and context from each out, and what they output and action.
+
+**Service** | **Consumes** | **Outputs**
+--- | --- | ---
+**Microsoft Entra ID** | **Signals**: Authentication activity (sign-ins, risk events). Device compliance status from Microsoft Intune.
**Context**: Device context for access decisions from Defender for Endpoint. Session context for access decisions from Defender for Cloud Apps. | **Actions**: Conditional Access decisions (allow, block, restrict, require controls).
+**Microsoft Intune** | **Signals**: Managed devices inventory, health, compliance state.
**Context**: Identity association from Microsoft Entra ID. | **Outputs**: Device compliance posture to Microsoft Entra ID. Device audit logs to Microsoft Sentinel.
+**Microsoft Purview** | **Signals**: Enterprise data across Microsoft 365, SaaS apps, and on-premises systems.
**Context**: Data classification (sensitivity labels, content inspection, user activity). | **Outputs**: Insider risk and data loss protection (DLP) alerts to Defender XDR. Compliance and audit logs to Microsoft Sentinel.
**Actions**: DLP enforcement across endpoints (Defender for Endpoint), and sessions (Defender for Cloud Apps).
+**Defender for Endpoint** | **Signals**: Endpoint telemetry (process, file, network activity).
**Context**: Microsoft Entra ID (identity context). Microsoft Intune (device posture). Microsoft Purview (DLP policies). | **Outputs**: Endpoint alerts and telemetry to Defender XDR and Microsoft Sentinel.
**Actions**: Endpoint enforcement (device isolation, blocking, remediation).
+**Defender for Identity** | **Signals**: Active Directory identity signals. | **Output**: Identity threat alerts to Defender XDR and Microsoft Sentinel.
+**Defender for Cloud Apps** | **Signals**: SaaS app activity (cloud usage). Network and shadow IT telemetry from Defender for Endpoint.
**Context**: Session and authentication context from Microsoft Entra ID. DLP policies from Microsoft Purview. | **Outputs**: Cloud app alerts to Defender XDR and Microsoft Sentinel.
**Actions**: Session enforcement (block, monitor, restrict access).
+**Defender for Cloud** | **Signals**: Resource operation information from Azure. Server/workload telemetry from Defender for Endpoint.
**Context**: Resource configuration and posture. | **Outputs**: Security alerts and posture insights to Defender XDR and Microsoft Sentinel.
+**Microsoft Security Exposure Management** | **Signals**: Device risk scores from Defender for Endpoint. Cloud resource inventory, posture, exposure, and attack surface findings from Defender for Cloud. Identity inventory and risk signals from Microsoft Entra. SaaS app inventory, risk, and usage context from Defender for Cloud Apps.
**Context**: Unified exposure and risk correlation. | **Outputs**: Exposure insights and risk correlations to Microsoft XDR and Microsoft Sentinel.
+**Defender XDR** | **Signals**: Alerts from Defender for Endpoint (devices), Defender for Identity (identity signals), Defender for Office 365 (email and collaboration), Defender for Cloud Apps (SaaS/app activity). Extra signals from Microsoft Purview (DLP, insider risk, data classification), Microsoft Entra ID Protection (identity risk signals), and Defender for Cloud (workload/cloud posture). | **Outputs**: Correlated alerts, incidents to Microsoft Sentinel.
**Actions**: Automated cross-domain response.
+**Microsoft Sentinel** | **Signals**: Alerts, logs, telemetry from Defender XDR, Microsoft Purview, cloud services, and other first-party/third-party sources. | **Outputs**: Analytics, investigations, and incidents.
**Actions**: Automated response using playbooks.
+**Microsoft Security Copilot** | **Signals**: Incidents and alerts from Microsoft Sentinel and Defender XDR.
**Context**: Sensitive data and insider risk context from Microsoft Purview. Exposure context from Microsoft Security Exposure Management. | **Outputs**: Investigation summaries, recommendations, AI-driven insights.
**Actions**: Guided response actions routed through Microsoft Sentinel and Defender XDR workflows.
+
+
+
+## Next steps
+
+- To kick off with a [Zero Trust assessment](assessment/overview.md) of your current security posture.
+- Follow our structured [adoption model](security-adoption-model.md) to get started with Zero Trust adoption.
+- Dive into critical security outcomes for business leaders with our adoption [business scenarios](security-adoption-business-scenarios-overview.md).
+Start by[implementing technical solutions](implement-overview.md) for business solutions and technology pillars such as data and devices.
\ No newline at end of file
diff --git a/security-docs/zero-trust/security-zero-trust-frameworks.md b/security-docs/zero-trust/security-zero-trust-frameworks.md
new file mode 100644
index 000000000..408129fed
--- /dev/null
+++ b/security-docs/zero-trust/security-zero-trust-frameworks.md
@@ -0,0 +1,170 @@
+---
+title: Align security adoption with industry Zero Trust frameworks
+description: Learn how to Microsoft's security adoption model aligns with industry-driven Zero Trust frameworks.
+ms.date: 05/24/2026
+ms.service: security
+ms.subservice: zero-trust
+author: rayne-wiselman
+ms.author: raynew
+ms.topic: conceptual
+
+#customer intent: As a Microsoft security platform adopter, I want to understand how Microsoft's security adoption model aligns with external Zero Trust frameworks.
+---
+# Align adoption with Zero Trust frameworks
+
+This article provides an overview of well known Zero Trust frameworks, and shows how [Microsoft's Zero Trust adoption model](security-adoption-model.md) helps you to move from framework understanding to adoption at scale.
+
+Zero Trust isn't a single framework. It's a security model that aligns with multiple industry and government standards. These standards aren't competing solutions. Each addresses a different aspect of Zero Trust, such as defining core concepts, assessing progress, or coordinating adoption across an organization.
+
+While industry frameworks help define what Zero Trust should achieve, organizations still need a way to translate that guidance into a specific strategy and architecture for solution planning, design, and deployment.
+
+Microsoft's Zero Trust adoption model does just that. It provides a reference strategy and architecture that aligns to and builds on industry frameworks to accelerate Zero Trust adoption and implementation.
+
+
+> [!TIP]
+> Microsoft offers a rich set of security adoption workshops - the *Security Adoption Framework (SAF) workshops*. Our structured adoption model guidance aligns with the expert-led guidance from Microsoft Unified delivered in those workshops. Learn more about [SAF workshops](workshop-business-overview.md).
+
+## NIST Zero Trust
+
+[National Institute of Standards and Technology (NIST) Special Publication (SP) 800‑207 Zero Trust Architecture](https://csrc.nist.gov/pubs/sp/800/207/final) establishes an industry-recognized definition of Zero Trust architecture. It explains what Zero Trust is and how trust decisions are made, independent of any specific vendor, product, or deployment roadmap.
+
+NIST SP 800-207 is most useful when organizations need a common, authoritative definition of Zero Trust concepts that can be shared across security, IT, and architecture teams.
+
+### NIST features
+
+NIST explicitly positions Zero Trust as an architecture where access to resources is never implicitly trusted.
+
+Zero Trust principles in NIST include:
+
+- Assuming compromise (breach) to drive a holistic and practical security approach.
+- Verifying trust explicitly before granting access to assets.
+- Limiting the blast radius by granting the least privilege necessary.
+
+
+Key architectural concepts focus on:
+
+- Continuous dynamic evaluation of access requests using contextual signals.
+- Centralized policy decision logic that evaluates signals against organizational policy.
+- Policy enforcement functionality close to protected resources applies the decision.
+
+The Zero Trust conceptual architecture defined by NIST focuses on how access decisions are evaluated and enforced using policy engines, enforcement points, and contextual signals.
+
+Note that:
+
+- NIST SP 800-270 doesn't define technology pillars or security domains such as identity, endpoints, or data protection.
+- Identity, device posture, applications, and data are modeled as subjects, resources, and sources of context that inform trust decisions, rather than as separate architectural domains.
+
+Microsoft’s [security adoption model](security-adoption-model.md) builds on this architecture by applying its principles and components within an operational framework.
+
+While NIST defines how trust decisions are made and enforced, our adoption model organizes these capabilities across security disciplines and technology pillars to guide business planning, ownership, solution design, implementation, and progress tracking.
+
+
+### Implementation
+
+Implementation guidance is provided in [NIST SP 1800-35 Implementing a Zero Trust Architecture](https://csrc.nist.gov/pubs/sp/1800/35/final).
+
+For this implementation guidance:
+
+- NIST collaborated with 24 vendors, including Microsoft, on developing a guide with practical steps for organizations eager to implement cybersecurity reference designs for Zero Trust.
+- Microsoft participated as one of the vendors providing technology to implement Zero Trust capabilities across:
+ - Identity and access management.
+ - Endpoint management and configuration.
+ - Threat protection and monitoring.
+ - Secure access to distributed resources.
+
+This diagram is the result of the NIST SP 1800-35 collaboration. It can be downloaded from [Microsoft Cybersecurity Reference Architecture (MCRA)](https://aka.ms/MCRA). Learn more about [MCRA](microsoft-reference-architecture.md)
+
+:::image type="content" source="./media/adoption-map-national-institute.png" alt-text="Diagram showing Microsoft products mapped to NIST Zero Trust Architecture." lightbox="./media/adoption-map-national-institute.png":::
+
+
+
+
+## CISA Zero Trust Maturity Model
+
+The [Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model](https://www.cisa.gov/zero-trust-maturity-model) is organized around adoption and assessment. This maturity model helps organizations organize and assess their current posture, prioritize improvements, and track progress.
+
+### CISA features
+
+Unlike NIST, CISA doesn't define a reference architecture and instead evaluates capabilities independently of specific design patterns.
+
+- The model uses pillar-based domains, including Identity, Devices, Networks/Environment, Applications/Workloads, and Data.
+- It also defines three cross-cutting capabilities - Visibility and Analytics, Automation and Orchestration, and Governance.
+- And it captures four maturity stages: Traditional, Initial, Advanced, and Optimal.
+- Governance is also not treated as a standalone pillar, but as a cross-cutting capability that ensures business alignment, clear ownership, and measurable outcomes across all domains.
+
+### Implementation
+
+The model aligns with and informs the Microsoft security adoption model, while Microsoft further extends it by introducing disciplines such as Architecture to bridge conceptual frameworks like NIST SP 800‑207 with practical implementation.
+
+**CISA** | **Adoption discipline/pillar** | **Details**
+--- | --- | ---
+**Identity**
Identity covers authentication, authorization, identity risk, lifecycle. Apps and workloads cover app access controls, workload identity, and secure app interaction. | **Discipline**: Identity and Access
**Technology**: Identity | Access control in Microsoft spans both identity and application layers while CISA separates them.
+**Governance**
Enterprise-wide policies, controls, and enforcement. | **Discipline**: Strategy, Integration, Governance
Security Architecture
**Technology**: All. | CISA’s policy and control capabilities map directly to SecOps outcomes. Microsoft adds extra focus on other aspects of governance (business alignment, risk management, roles, and more), and dedicated focus on architectural discipline and reference architectures.
+**Devices**
Device inventory, posture, compliance; network segmentation, secure connectivity, environmental controls. Including nontraditional, constrained, and specialized devices. | **Discipline**: Identity and Access, Infrastructure security, OT/IoT security
**Technology**: Endpoints | Infrastructure trust is established through device health and controlled connectivity, aligning with the Zero Trust goal to minimize blast radius and lateral movement.
Microsoft considers OT/IoT devices as a distinct discipline due to unique ownership, and risk management reasons.
+**Apps and workloads**
Apps & Workloads covers application access controls, workload identity, and secure application interaction. | **Discipline**: Development Security
**Technology**: Apps | CISA’s workload focus aligns with DevSecOps goals by embedding security into application and service lifecycles, rather than treating it as a post‑deployment activity.
+**Networks**
Network segmentation, secure connectivity, environmental controls. | **Discipline**: Identity and Access
**Technology**: Networks | Microsoft combines all access (identity, apps, and networks) into a single discipline to help drive clear strategy, architecture, and policy consistency across technologies.
+**Data**
Data classification, inventory, access control, encryption, and protection independent of network location. | **Discipline**: Data Security
**Technology**: Data | Both models place data as a primary protection target, and reinforce the Zero Trust shift from perimeter security to data‑centric controls.
+**Visibility & Analytics, Automation & Orchestration**
Telemetry collection, continuous monitoring, detection, response automation, and policy enforcement at scale. | **Discipline**: SecOps
**Technology**: All | CISA’s cross‑cutting capabilities map directly to SecOps outcomes that include detecting threats, automating response, and continuously reassessing trust across all domains.
+**Maturity stages across all pillars** | Security posture | Posture management is the core purpose of the CISA model: assess current state, identify gaps, prioritize improvements, and track Zero Trust progress over time.
+
+For information, see [Implementing the CISA Zero Trust Maturity Model with Microsoft cloud services](cisa-zero-trust-maturity-model-intro.md).
+
+## The Open Group Zero Trust Reference Model
+
+The Open Group [Zero Trust Reference Model](https://www.opengroup.org/forum/security/Zerotrust) approaches Zero Trust from an enterprise capability and integration perspective. Rather than defining specific implementation steps, it describes the capabilities and governance structures that organizations need to define, integrate, and operate Zero Trust at scale.
+
+### Open Group features
+
+Features include:
+
+- **Capabilities + Architecture Building Blocks (ABBs)** define security capabilities that drive durable security outcomes and the people, process, and technology to enable them.
+- **Collaboration and Integration Models** show how to integrate security with strategy, risk management, operations, and other aspects of the organization.
+
+The capabilities are composed of people, process, and technology elements working together:
+
+- **People**: defined as roles in [The Open Group Roles and Glossary standard](https://publications.opengroup.org/s252)
+- **Process**: defined as architecture building blocks (ABBs) in the same Zero Trust Reference Model standard
+- **Technology**: defined as ABBs in the same Zero Trust Reference Model standard
+
+This diagram shows these capabilities:
+
+:::image type="content" source="./media/adoption-zero-trust-open.png" alt-text="Diagram showing The Open Group Security Capabilities from the Zero Trust Reference model." lightbox="./media/adoption-zero-trust-open.png":::
+
+This diagram shows how these capabilities align to the functions of the NIST Cybersecurity Framework (NIST CSF):
+
+:::image type="content" source="./media/adoption-zero-trust-open-capabilities.png" alt-text="Diagram that shows The Open Group Security Capabilities mapped to the NIST Cybersecurity Framework functions." lightbox="./media/adoption-zero-trust-open-capabilities.png":::
+
+
+### Implementation
+
+The model maps to our recommended adoption model.
+
+**Open Group** | **Adoption discipline** | **Alignment**
+--- | --- | ---
+**Zero Trust Strategy & Governance**
Defines how organizations establish Zero Trust as a business‑aligned strategy, including governance, risk management, policy ownership, and alignment of people, process, and technology. | Strategy, Integration, and Governance | Both Open Group and Microsoft explicitly position Zero Trust as an enterprise strategy, not a technical control set. This directly supports executive alignment, ownership, and integration across the organization.
+**Capability-based Zero Trust architecture**
Provides architectural building blocks and capability groupings to design Zero Trust architectures, without prescribing specific technologies or products. | Security architecture | This fills the space between NIST’s abstract architecture and implementation guidance, enabling architects to translate Zero Trust principles into enterprise‑scale designs.
+**Identity, Authentication, Authorization, and Policy Enforcement capabilities**
Defines capabilities required to verify identity, evaluate trust dynamically, and enforce access decisions consistently across environments. | Identity and access | Aligns directly to access security as an adoption discipline: who can access what, under which conditions, and how that decision is enforced.
+**Data‑centric protection capabilities**
Emphasizes protection of information regardless of location, including data classification, protection, and policy‑driven access. | Data security | Mirrors Zero Trust’s shift from perimeter security to data‑centric security, aligning naturally with data protection as an adoption domain.
+**Visibility, monitoring, analytics, and response capabilities**
Includes capabilities for collecting telemetry, monitoring trust signals, and adapting policy based on observed risk. | SecOps | Enables continuous evaluation and enforcement—core to Zero Trust operations and security monitoring at scale.
+**Application and service interaction security capabilities**
Addresses how applications and services participate in Zero Trust, including secure interactions, service identity, and runtime enforcement. | Dev security | Supports integrating Zero Trust into modern application lifecycles and service‑to‑service communication.
+**Platform and environment security capabilities**
Covers secure operation of platforms, networks, and environments that host workloads, without treating the network as a trust boundary. | Infrastructure security | Aligns infrastructure security with Zero Trust principles by treating infrastructure as enforceable but not inherently trusted.
+**Extended environment and non‑traditional asset support**
Explicitly recognizes IT/OT/IoT convergence and the need for Zero Trust capabilities across constrained and heterogeneous environments. | Infrastructure (OT/IoT security) | Matches adoption reality where OT/IoT require distinct ownership but must still align to enterprise Zero Trust strategy.
+**Capability‑based maturity and continuous improvement**
Provides a capability model intended to assess current state, guide improvement, and adapt over time as threats and technology evolve. | Security posture | Positions Zero Trust as an ongoing program, not a one‑time deployment—aligning directly with posture management goals.
+
+### Map Microsoft technologies to the model
+
+The Zero Trust Reference model also includes an overall summary of Zero Trust components. This diagram shows how Microsoft technologies map to those components:
+
+:::image type="content" source="./media/adoption-zero-trust-open-mapping.png" alt-text="Diagram showing Microsoft technologies mapped to The Open Group Zero Trust Reference Model components." lightbox="./media/adoption-zero-trust-open-mapping.png":::
+
+
+
+## DoD Zero Trust Strategy
+
+The US Department of Defense released a DoD Zero Trust Strategy and Roadmap.
+
+For information on how to configure Microsoft cloud services for the DoD Zero Trust Strategy, see [Configure Microsoft services for the DoD Zero Trust strategy](dod-zero-trust-strategy-intro.md).
+
+## Next steps
+
+[Pick a business scenario](security-adoption-business-scenarios-overview.md) and learn how security disciplines map to the scenario.
\ No newline at end of file
diff --git a/security-docs/zero-trust/sfi/manage-agentic-memory-safety.md b/security-docs/zero-trust/sfi/manage-agentic-memory-safety.md
new file mode 100644
index 000000000..2ee50fb82
--- /dev/null
+++ b/security-docs/zero-trust/sfi/manage-agentic-memory-safety.md
@@ -0,0 +1,135 @@
+---
+title: Manage AI memory safety in agentic systems
+description: Learn how to manage AI memory safely in agentic AI systems
+ms.date: 06/03/2026
+ms.service: security
+ms.subservice: zero-trust
+ms.topic: design-pattern
+ms.collection:
+ - highpri
+ - zerotrust
+ - sfi-zerotrust
+---
+
+
+# Manage memory safety in agentic systems
+
+**Pillar name: Monitor and detect threats**
+**Pattern name: Secure agentic AI systems**
+
+
+## Context and problem
+
+Memory gives AI agents the ability to retain and recall information across interactions to influence future behavior. This persistence delivers personalization and agentic coherence as agents build durable knowledge that strengthens their performance over time. This is the feeling of "learning".
+
+However, persistent memory doesn't just store information, it acts as a configuration layer for the AI system. A memory created today can influence tool selection, refusal behavior, and reasoning later, often outside the original context, session, or application.
+
+Persistence fundamentally changes the threat model: attackers no longer need to succeed in a single prompt. By influencing memory, they can shape behavior gradually over time, exploiting the temporal gap between exposure and execution.
+
+Key challenges include:
+
+- **Transient threats become persistent**: A single compromised interaction can silently shape all future behavior long after the original session ends. Hallucinations become persisted hallucinations; cross-prompt injection (XPIA) becomes continuous XPIA with automatic exfiltration or overrides of system instructions.
+- **Expanded blast radius**: Persistent state means more surface area for exfiltration, corruption, and manipulation. More storage of potentially sensitive data creates extra attack surface and increases operational complexity for deletion, correction, and transparency.
+- **Delayed and cross-context effects**: Corruption effects might be delayed or triggered later ("delayed tool invocation"), and cross-context recall can unintentionally disclose information. Attackers can break up harmful instructions across turns to assemble a payload over time.
+- **Single-turn defenses are insufficient**: Attackers are already thinking across turns. Memory-aware attacks exploit the temporal gap between exposure and execution.
+
+These challenges underscore the need for treating memory as a first-class security concern with protections applied at multiple layers rather than relying solely on model behavior or single-turn detection.
+
+## Solution
+
+Treat AI memory as both high-value data and a control plane. Because memory stores sensitive user information and simultaneously drives agent behavior, it requires the governance rigor of both a data protection system and an execution control system.
+
+Organizations can use these functions to structure ongoing assessments as follows:
+
+- **Gate writes on intent and provenance**:
+ - Verify the caller is authorized (least privilege).
+ - Confirm user intent—avoid implicit or autonomous memory creation from untrusted sources.
+ - This is also a good time to sanitize inputs using a data handling taxonomy or to achieve governance goals. As an example:
+ - **Block from memory**: Credentials, API keys, payment data, government IDs, known malicious patterns.
+ - **Never infer**: For sensitive attributes (health, race, religion, politics), only add to memory if explicitly provided by the user.
+ - **General data**: Preferences, tasks, context—allowed with standard safeguards and purpose limited to the service.
+ - Label provenance on every memory entry: source, identity, timestamp, model version.
+
+- **Enforce isolation architecturally**:
+ - Isolate memory by user, agent, and tenant using deterministic controls like ACLs, scoped tokens, encryption at rest and in transit.
+ - Don't rely on model prompting for boundary enforcement.
+ - Scope subagent access to only the memory they require.
+
+- **Treat retrieval as a risk decision**.
+ - Memory is candidate context, not authoritative truth.
+ - At retrieval time:
+ - Validate relevance and freshness.
+ - Revaluate for sensitive or malicious content (for example, Prompt Shields).
+ - Prevent memory from overriding safety controls or system instructions.
+ - Guard against cross-context information disclosure.
+
+- **Surface memory and its influence to users**:
+ - Show users how memory influenced a specific response or action.
+ - Provide view, edit, and delete controls.
+ - Notify on memory creation. Enable both granular and bulk deletion.
+
+- **Maintain full lifecycle observability**
+ - Log all memory operations (create, read, update, delete) with identity, timestamp, source, and provenance.
+ - Track where memory propagated (blast radius).
+ - Retain history sufficient for incident investigation and rollback.
+ - Integrate memory telemetry with SIEM/XDR.
+
+### Microsoft example
+
+- **Step 1**: Memory-enabled copilot interactions emit structured audit events (identity, provenance, operation type) to Microsoft Purview.
+- **Step 2**: Retrieval-time content safety evaluation is applied via Azure AI Content Safety (Prompt Shields) before memory is injected into agent context.
+- **Step 3**: Memory telemetry is ingested into Microsoft Sentinel for correlation with broader security signals, enabling detection of poisoning patterns and cross-session XPIA.
+
+
+## Guidance
+
+Organizations can adopt similar practices using the following actions.
+
+| Use case | Recommended actions | Resource |
+|------------------|---------------------|----------|
+| Memory systems handling sensitive data | Classify or govern data at write time; block inappropriate or harmful data before writing to memory. | [Microsoft Purview data security posture management for AI](/purview/data-security-posture-management-learn-about) |
+| Multi-agent or shared-memory architectures | Enforce isolation to the agent and user with allowances for the tenant. Isolate with deterministic access controls and verifiable agent identity. | [Agent identities in Microsoft Entra Agent ID](/entra/agent-id/agent-identities) |
+| Agentic AI with using persistent context (includes agents.md, ai notes, etc.) | Apply retrieval-time Prompt Shields to detect indirect attacks before injecting memory into reasoning context. | [Prompt Shields in Azure AI Content Safety](/azure/ai-services/content-safety/concepts/jailbreak-detection) |
+| Detecting memory poisoning and XPIA | Enable AI workload threat protection to detect credential theft, jailbreak persistence, and data exfiltration patterns. | [AI threat protection in Defender for Cloud](/azure/defender-for-cloud/ai-threat-protection) |
+| User trust and transparency | Provide in-product memory review, edit, and deletion UX; notify users when memory is created or influences output. | [Guidelines for human-AI interaction](https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/?msockid=3867c9cd6a036861120cdcb96b93697a) |
+| Red teaming memory systems | Test for multi-turn poisoning, delayed tool invocation, cross-context leakage, and payload assembly across sessions. | [AI Red Team Agent (PyRIT)](/azure/foundry/concepts/ai-red-teaming-agent) |
+| Incident response for AI systems with memory enabled | Log all memory CRUD events with full provenance; retain for audit, incident reconstruction, and roll back. | [Observability for generative AI and AI agentic systems](observability-ai-systems.md) |
+
+
+## Outcomes
+
+### Benefits
+
+- Earlier detection of memory poisoning, corruption, and persistent XPIA.
+- Reduced blast radius through architectural isolation and provenance-based containment.
+- Improved user trust through transparency about what the system remembers and how it influences behavior.
+- Faster incident response through full lifecycle audit trails with provenance.
+- Better alignment between AI behavior and user expectations over time.
+
+### Trade‑offs
+
+- Architectural complexity from enforcing deterministic isolation across memory boundaries.
+- Logging volume and retention costs must be balanced against privacy and data minimization requirements.
+- Retrieval latency increases from runtime safety validation.
+- UX investment required for meaningful transparency and user control surfaces.
+
+
+## Key success factors
+
+Track these KPIs to measure progress:
+
+- Accuracy and satisfaction scored for AI responses formed using memory.
+- Percentage (%) of memory CRUD operations logged with full provenance (source, identity, timestamp, model version).
+- Percentage (%) of memory-specific threat scenarios (poisoning, XPIA persistence, cross-context leakage) covered by active detection rules.
+- Mean time to detect and remediate memory corruption or poisoning incidents.
+- Percentage (%) of memory systems providing user-facing view, edit, and delete controls.
+
+
+
+## Summary
+
+Persistent memory introduces durable, cross-context influence into AI systems—turning transient threats into persistent ones and expanding the blast radius of compromise.
+
+By gating writes on intent and provenance, enforcing architectural isolation, treating retrieval as a risk decision, and maintaining full lifecycle observability, organizations can enable AI personalization while limiting the impact of corruption, poisoning, and unintended disclosure.
+
+As memory becomes foundational to agentic AI, these controls must be enforced as infrastructure-level requirements rather than optional model behaviors.
diff --git a/security-docs/zero-trust/sfi/secure-future-initiative-whats-new.md b/security-docs/zero-trust/sfi/secure-future-initiative-whats-new.md
index e19e3bfde..5b65eeae6 100644
--- a/security-docs/zero-trust/sfi/secure-future-initiative-whats-new.md
+++ b/security-docs/zero-trust/sfi/secure-future-initiative-whats-new.md
@@ -39,13 +39,13 @@ The table summarizes the latest updates.
**Platform** | **Updates**
--- | ---
+New pattern | **Monitor and detect**: [Manage memory safety in agentic systems](manage-agentic-memory-safety.md)
New pattern | **Accelerate response and remediation**: [Respond to incidents in AI systems](incident-response-ai-systems.md).
New pattern | **Monitor and detect**: [Complete AI threat modeling](threat-modeling-ai.md).
New pattern | **Monitor and detect**: [Implement AI observability](observability-ai-systems.md).
New pattern | **Monitor and detect**: [Secure autonomous agentic AI systems](secure-agentic-systems.md).
New pattern | **Monitor and detect**: [Identity risk for agentic AI systems](manage-agentic-risk.md).
New pattern | **Monitor and detect**: [Protect against indirect prompt injection attacks](defend-indirect-prompt-injection.md).
-New pattern | **Monitor and detect**: [Complete AI threat modeling](threat-modeling-ai.md).
**[Azure](https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/bade/documents/products-and-services/en-us/security/sfi-nov-2025-progress-report.pdf#page=18)** enforced additional secure defaults. | **Innovate**: [Azure Bastion Developer](/azure/bastion/quickstart-developer) expanded secure-by-default VM connectivity to 35 Azure regions, reducing attack surfaces.
In Azure Local we [increased security settings enabled by default](/azure/azure-local/concepts/security-features).
For [increased hardware trust](https://azure.microsoft.com/blog/protecting-azure-infrastructure-from-silicon-to-systems/), Microsoft-designed hardware-security module (HSM) tamper-resistant chips are integrated into the Azure infrastructure to keep encryption keys within secure hardware boundaries, eliminating latency and exposure risk.
**Implement**: Increased mandatory enforcement of strong multifactor authentication, emphasizing phishing-resistant authentication methods for all Azure service users, helping to neutralize stolen credentials at scale.
**Guidance**: [Microsoft Cloud Security Benchmark v2](/security/benchmark/azure/overview) released, with clear and comprehensive security best practices that can be enforced using Azure Policy.
**[Microsoft 365](https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/bade/documents/products-and-services/en-us/security/sfi-nov-2025-progress-report.pdf#page=19)** provided increased AI control and data security. | **Innovate**: Microsoft 365 introduced a [dedicated AI Admin role](/microsoft-365-copilot/extensibility/connector-admin-delegation) to secure Copilot management, move away from the Global Administrator role, and enforce least-privilege principles.
[Centralized Copilot agent control and governance](/microsoft-365/admin/manage/manage-copilot-agents-integrated-apps) in the Microsoft 365 Admin Center allows IT admins to easily manage, configure, and monitor agents.
**Implement**: Microsoft Purview's [secure-by-default adaptive labeling](/purview/deploymentmodels/depmod-securebydefault-intro) now classifies and secures more than 50 million items monthly.
**Guidance**: Helping customers to use the AI admin roles for Copilot tasks, enforcing least-privilege.
Guidance on use of [Microsoft Purview DSPM for AI](/purview/data-security-posture-management-learn-about) to monitor Copilot data usage, and detect misuse.
[Windows and Surface](https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/bade/documents/products-and-services/en-us/security/sfi-nov-2025-progress-report.pdf#page=20) enhanced Zero Trust principles with expanded passkeys, automatic recovery capabilities, and memory-safe improvements. | **Innovate**: In Windows 11, Windows Hello and [passkeys integration](/windows/security/identity-protection/passkeys) offers a more secure, phishing-resistant passwordless sign-in experience.
Surface is [advancing Windows security through the Open Device Partnership](https://blogs.windows.com/windowsexperience/2025/11/10/advancing-security-with-windows-and-surface-microsoft-sfi-report-nov-2025/), an open-source firmware initiative that replaces legacy firmware with a transparent, secure, and reusable platform.
**Implement**: Improvements in Hotpatch to [support ARM64 devices](https://techcommunity.microsoft.com/blog/windows-itpro-blog/hotpatching-now-available-for-64-bit-arm-architecture/4430949). Hotpatch is now enabled by default when creating a new Quality Update Policy in Autopatch, making it easier to maintain security and compliance with less disruption.
**Guidance**: Helping customers to [enable Quick Machine Recovery on Windows 11](/windows/configuration/quick-machine-recovery) to automatically remediate boot failures and protect against boot-time attacks.
Helping customers to [adopt passwordless sign-ins](/windows/security/book/identity-protection-passwordless-sign-in), integrating with password managers such as 1Password or Bitwarden.
diff --git a/security-docs/zero-trust/siem-xdr-implement.md b/security-docs/zero-trust/siem-xdr-implement.md
index ad129f7ff..07504271c 100644
--- a/security-docs/zero-trust/siem-xdr-implement.md
+++ b/security-docs/zero-trust/siem-xdr-implement.md
@@ -1,30 +1,19 @@
---
title: Zero Trust Security with Microsoft Sentinel and Defender XDR
description: Transform your security posture with Microsoft Sentinel and Defender XDR. Benefit from AI-powered threat detection and incident response for Zero Trust.
-author: batamig
-ms.author: bagol
ms.subservice: zero-trust
manager: raynemw
ms.date: 02/05/2025
ms.topic: how-to
ms.service: security
-ms.collection:
- - zerotrust-solution
- - msftsolution-secops
- - msftsolution-overview
- - zerotrust-azure
- - usx-security
-appliesto:
- - Microsoft Sentinel in the Microsoft Defender portal
- - Microsoft Sentinel in the Azure portal
-ms.localizationpriority: medium
+
#customerIntent: As a security analyst, I want to use Microsoft Sentinel and Defender XDR for incident response so that I can effectively detect and mitigate threats under a Zero Trust model.
---
# Zero Trust security with Microsoft Sentinel and Defender XDR
-Microsoft Defender XDR is an XDR solution that complements Microsoft Sentinel. An XDR pulls raw telemetry data from multiple services like cloud applications, email security, identity, and access management.
+Microsoft Defender XDR is an extended detection and response (XDR) solution that complements Microsoft Sentinel. An XDR pulls raw telemetry data from multiple services like cloud applications, email security, identity, and access management.
Using artificial intelligence (AI) and machine learning, the XDR performs automatic analysis, investigation, and real-time response. It also correlates security alerts into larger incidents, giving security teams greater visibility into attacks and prioritizing incidents to help analysts gauge threat risk levels.
diff --git a/security-docs/zero-trust/siem-xdr-overview.md b/security-docs/zero-trust/siem-xdr-overview.md
index 0ed5015f4..f9e1ddfab 100644
--- a/security-docs/zero-trust/siem-xdr-overview.md
+++ b/security-docs/zero-trust/siem-xdr-overview.md
@@ -118,7 +118,7 @@ Capability or feature | Description | Product |
|[Improve your security posture](/azure/defender-for-cloud/defender-for-cloud-introduction#improve-your-security-posture) | A cloud security posture management (CSPM) solution that surfaces actions that you can take to prevent breaches. | Microsoft Defender for Cloud |
|[Protect cloud workloads](/azure/defender-for-cloud/defender-for-cloud-introduction#protect-cloud-workloads) | A cloud workload protection platform (CWPP) with specific protections for servers, containers, storage, databases, and other workloads. | Microsoft Defender for Cloud |
|[User and Entity Behavioral Analytics (UEBA)](/azure/sentinel/enable-entity-behavior-analytics) |Analyzes behavior of organization entities such as users, hosts, IP addresses, and applications | Microsoft Sentinel |
-|[Fusion](/azure/sentinel/configure-fusion-rules) | A correlation engine based on scalable machine learning algorithms. Automatically detects multistage attacks also known as advanced persistent threats (APT) by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. | Microsoft Sentinel |
+|[Fusion](/azure/sentinel/configure-fusion-rules) | A correlation engine based on scalable machine learning algorithms. Automatically detects multistage attacks also known as advanced persistent threats (APT) by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the "kill chain". | Microsoft Sentinel |
|[Threat Intelligence](/azure/sentinel/threat-intelligence-integration) | Use Microsoft third-party providers to enrich data to provide extra context around activities, alerts, and logs in your environment. | Microsoft Sentinel |
|[Automation](/azure/sentinel/automation) | Automation rules are a way to centrally manage automation with Microsoft Sentinel, by allowing you to define and coordinate a small set of rules that can apply across different scenarios. | Microsoft Sentinel |
|[Anomaly rules](/azure/sentinel/work-with-anomaly-rules) | Anomaly rule templates use machine learning to detect specific types of anomalous behavior. | Microsoft Sentinel |
diff --git a/security-docs/zero-trust/siem-xdr-training.md b/security-docs/zero-trust/siem-xdr-training.md
deleted file mode 100644
index 6c3a3fd49..000000000
--- a/security-docs/zero-trust/siem-xdr-training.md
+++ /dev/null
@@ -1,107 +0,0 @@
----
-title: Recommended Training for SIEM and XDR (Azure portal)
-description: Learn about recommended training modules for using Microsoft Sentinel with Microsoft Defender XDR and Microsoft Defender for Cloud, an XDR solution for Zero Trust, in the Azure portal.
-author: batamig
-ms.author: bagol
-ms.subservice: zero-trust
-manager: raynew
-ms.date: 02/12/2025
-ms.topic: best-practice
-ms.service: security
-ms.collection:
- - zerotrust-solution
- - msftsolution-secops
- - msftsolution-overview
- - zerotrust-azure
- - usx-security
-appliesto:
- - Microsoft Sentinel in the Azure portal
-ms.localizationpriority: medium
-
-#customerIntent: As a cybersecurity professional working in the Azure portal, I want to explore training on Microsoft's Zero Trust solution for SIEM and XDR so that I can improve our security posture.
----
-
-# Recommended training for SIEM and XDR from the Azure portal
-
-This article lists recommended training modules for using Microsoft Sentinel with Microsoft Defender XDR and Microsoft Defender for Cloud, an XDR solution for Zero Trust.
-
-Training content doesn't currently cover scenarios where Microsoft Sentinel is onboarded to the Defender portal.
-
-## Feature coverage
-
-### Explore security solutions in Microsoft Defender XDR
-
-|Training |[Explore security solutions in Microsoft Defender XDR](/training/modules/explore-security-solutions-microsoft-365-defender/)|
-|---------|---------|
-|:::image type="icon" source="media/generic-badge.svg" border="false"::: | This module introduces several features in Microsoft 365 that help protect your organization against cyberthreats, detect when a user or computer is compromised, and monitor your organization for suspicious activities.|
-> [!div class="nextstepaction"]
-> [Start](/training/modules/explore-security-solutions-microsoft-365-defender/)
-
-### Introduction to Microsoft Sentinel
-
-|Training |[Introduction to Microsoft Sentinel](/training/modules/intro-to-azure-sentinel/)|
-|---------|---------|
-|:::image type="icon" source="media/intro-to-azure-sentinel.svg" border="false"::: | Learn how Microsoft Sentinel lets you start getting valuable security insights from your cloud and on-premises data quickly. |
-> [!div class="nextstepaction"]
-> [Start >](/training/modules/intro-to-azure-sentinel/)
-
-## Deployment
-
-### Enable and manage Microsoft Defender for cloud
-
-|Training |[Enable and manage Microsoft Defender for Cloud](/training/modules/azure-security-center/)|
-|---------|---------|
-|:::image type="icon" source="media/microsoft-cloud-app-security.svg" border="false"::: | Use Microsoft Defender for cloud to strengthen security posture and protect workloads against modern threats. |
-> [!div class="nextstepaction"]
-> [Start >](/training/modules/azure-security-center/)
-
-### Connect Microsoft Defender XDR to Microsoft Sentinel
-
-|Training |[Connect Microsoft Defender XDR to Microsoft Sentinel](/training/modules/connect-microsoft-defender-365-to-azure-sentinel/)|
-|---------|---------|
-|:::image type="icon" source="media/connect-microsoft-defender-365-to-azure-sentinel.svg" border="false"::: | Learn about the configuration options and data provided by Microsoft Sentinel connectors for Microsoft Defender XDR |
-> [!div class="nextstepaction"]
-> [Start >](/training/modules/connect-microsoft-defender-365-to-azure-sentinel/)
-
-### Configure your Microsoft Sentinel environment
-
-|Training |[Configure your Microsoft Sentinel environment](/training/paths/sc-200-configure-azure-sentinel-environment/)|
-|---------|---------|
-|:::image type="icon" source="media/configure-your-azure-sentinel-environment.svg" border="false"::: | Get started with Microsoft Sentinel by configuring the Microsoft Sentinel workspace. |
-> [!div class="nextstepaction"]
-> [Start >](/training/paths/sc-200-configure-azure-sentinel-environment/)
-
-### Create and manage Microsoft Sentinel workspaces
-
-|Training |[Create and manage Microsoft Sentinel workspaces](/training/modules/create-manage-azure-sentinel-workspaces/)|
-|---------|---------|
-|:::image type="icon" source="media/create-and-manage-azure-sentinel-workspaces.svg" border="false"::: | Learn about the architecture of Microsoft Sentinel workspaces to ensure you configure your system to meet your organization's security operations requirements. |
-> [!div class="nextstepaction"]
-> [Start](/training/modules/create-manage-azure-sentinel-workspaces/)
-
-### Connect data to Microsoft Sentinel using data connectors
-
-|Training|[Connect data to Microsoft Sentinel using data connectors](/training/modules/connect-data-to-azure-sentinel-with-data-connectors/)|
-|---------|---------|
-|:::image type="icon" source="media/connect-data-to-azure-sentinel-with-data-connectors.svg" border="false":::|The primary approach to connect log data is using the Microsoft Sentinel provided data connectors. This module provides an overview of the available data connectors.|
-> [!div class="nextstepaction"]
-> [Start >](/training/modules/connect-data-to-azure-sentinel-with-data-connectors/)
-
-### Connect logs to Microsoft Sentinel
-
-
-|Training |[Connect logs to Microsoft Sentinel](/training/paths/sc-200-connect-logs-to-azure-sentinel/)|
-|---------|---------|
-|:::image type="icon" source="media/connect-windows-hosts-to-azure-sentinel.svg" border="false"::: |Connect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds to Microsoft Sentinel. |
-> [!div class="nextstepaction"]
-> [Start >](/training/paths/sc-200-connect-logs-to-azure-sentinel/)
-
-## Threat detection
-
-### Identify threats with Behavioral Analytics
-
-|Training |[Identify threats with Behavioral Analytics](/training/modules/use-entity-behavior-analytics-azure-sentinel/)|
-|---------|---------|
-|:::image type="icon" source="media/azure-sentinel-behavior-analytics.svg" border="false"::: |The primary approach to connect log data is using the Microsoft Sentinel-provided data connectors. This module provides an overview of the available data connectors. |
-> [!div class="nextstepaction"]
-> [Start >](/training/modules/use-entity-behavior-analytics-azure-sentinel/)
diff --git a/security-docs/zero-trust/ten-laws-of-security.md b/security-docs/zero-trust/ten-laws-of-security.md
deleted file mode 100644
index 46d668c39..000000000
--- a/security-docs/zero-trust/ten-laws-of-security.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: The immutable laws of security
-description: Busting myths, biases, and uncertainty with the 10 laws of cybersecurity.
-
-ms.service: security
-ms.subservice: zero-trust
-ms.topic: concept-article
-ms.date: 05/23/2024
-
-ms.reviewer: mas
----
-# The immutable laws of security
-
-The [original immutable laws of security](#immutable-laws-of-security-v2) identified key technical truths that busted prevalent security myths of those times. In that spirit, we're publishing a new complementary set of laws focused on busting prevalent myths in today's world of ubiquitous cybersecurity risk.
-
-Since the original immutable laws, information security has grown from a technical discipline into a cybersecurity risk management discipline that includes cloud, IoT, and OT devices. Now, security is part of the fabric of our daily lives, business risk discussions, and elections.
-
-As many of us in the industry followed this journey to a higher level of abstraction, we saw patterns of common myths, biases, and uncertainty emerge at the risk management layer. We decided to create a new list of laws for cybersecurity risk while retaining the original laws (v2) as is (with a single slight change of "bad guy" to "bad actor" to be fully correct and inclusive).
-
-Each set of laws deals with different aspects of cybersecurity, designing sound technical solutions vs. managing a risk profile of complex organizations in an ever-changing threat environment. The difference in the nature of these laws also illustrates the difficult nature of navigating cybersecurity in general. Technical elements tend toward the absolute, while risk is measured in likelihood and certainty.
-
-Because it's difficult to make predictions, especially about the future, we suspect these laws might evolve with our understanding of cybersecurity risk.
-
-## Ten Laws of Cybersecurity Risk
-
-1. **Security success is ruining the attacker's ROI** – Security can't achieve a perfect secure state, so deter them by disrupting and degrading their Return on Investment (ROI). Increase the attacker's cost and decrease the attacker's return for your most important assets.
-1. **Not keeping up is falling behind** – Security is a continuous journey. You must keep moving forward because it will continually get cheaper for attackers to successfully take control of your assets. You must continually update your security patches, strategies, threat awareness, inventory, tooling, monitoring, permission models, platform coverage, and anything else that changes over time.
-1. **Productivity always wins** – If security isn't easy for users, they work around it to get their job done. Always make sure solutions are secure **and** usable.
-1. **Attackers don't care** – Attackers use any available method to get into your environment and access your assets, including networked printers, fish tank thermometers, cloud services, PCs, servers, Macs, or mobile devices. They influence or trick users, exploit configuration mistakes or insecure operational processes, or just ask for passwords in a phishing email. Your job is to understand and take away the easiest, cheapest, and most useful options, like anything that leads to administrative privileges across systems.
-1. **Ruthless prioritization is a survival skill** – Nobody has enough time and resources to eliminate all risks to all resources. Always start with what is most important to your organization or most interesting to attackers, and continuously update this prioritization.
-1. **Cybersecurity is a team sport** – Nobody can do it all, so always focus on the things that only you (or your organization) can do to protect your organization's mission. If security vendors, cloud providers, or the community can do better or cheaper, have them do it.
-1. **Your network isn't as trustworthy as you think it is** – A security strategy that relies on passwords and trusting any intranet device is only marginally better than lack of security strategy. Attackers easily evade these defenses, so the trust level of each device, user, and application must be proven and validated continuously, starting with a level of zero trust.
-1. **Isolated networks aren't automatically secure** – While air-gapped networks can offer strong security when maintained correctly, successful examples are extremely rare because each node must be isolated from outside risk. If security is critical enough to place resources on an isolated network, you should invest in mitigations to address potential connectivity via methods such as USB media (for example, required for patches), bridges between the intranet network and external devices (for example, vendor laptops on a production line), and insider threats that could circumvent all technical controls.
-1. **Encryption alone isn't a data protection solution** – Encryption protects against out-of-band attacks (for example, network packets, files, and storage), but data is only as secure as the decryption key (key strength + protections from theft/copying), and other authorized means of access.
-1. **Technology doesn't solve people and process problems** – While machine learning, artificial intelligence, and other technologies offer amazing leaps forward in security (when applied correctly), cybersecurity is a human challenge, and will never be solved by technology alone.
-
-## Reference
-
-### Immutable Laws of Security v2
-
-- **Law #1:** If a bad actor can persuade you to run their program on your computer, it's not solely your computer anymore.
-- **Law #2:** If a bad actor can alter the operating system on your computer, it's not your computer anymore.
-- **Law #3:** If a bad actor has unrestricted physical access to your computer, it's not your computer anymore.
-- **Law #4:** If you allow a bad actor to run active content in your website, it's not your website anymore.
-- **Law #5:** Weak passwords trump strong security.
-- **Law #6:** A computer is only as secure as the administrator is trustworthy.
-- **Law #7:** Encrypted data is only as secure as its decryption key.
-- **Law #8:** An out-of-date antimalware scanner is only marginally better than no scanner at all.
-- **Law #9:** Absolute anonymity isn't practically achievable, either online or offline.
-- **Law #10:** Technology isn't a panacea.
diff --git a/security-docs/zero-trust/user-access-productivity-validate-trust.md b/security-docs/zero-trust/user-access-productivity-validate-trust.md
index e9faf58ca..472e054f0 100644
--- a/security-docs/zero-trust/user-access-productivity-validate-trust.md
+++ b/security-docs/zero-trust/user-access-productivity-validate-trust.md
@@ -3,14 +3,11 @@ title: RaMP Checklist—Explicitly validate trust for all access requests
description: Use the steps in this guidance to deploy explicit validation for all access requests that adheres to Zero Trust principles.
ms.date: 02/24/2025
ms.service: security
+ms.topic: overview
ms.subservice: zero-trust
-
-ms.topic: concept-article
-ms.collection:
- - zerotrust-ramp
---
-# RaMP Checklist — Explicitly validate trust for all access requests
+# RaMP Checklist—Explicitly validate trust for all access requests
+## Next steps
-Related links:
+- To get started with structured adoption, follow our [Zero Trust adoption path](security-adoption-model.md).
+- To dive into critical security outcomes, start with our [business scenarios](security-adoption-business-scenarios-overview.md).
+- To begin with assessment of your current Zero Trust posture, start [Zero Trust assessment](assessment/overview.md).
+To dive directly into implementation, review [implementing technical solutions](implement-overview.md).
-- [Zero Trust Overview](https://www.youtube.com/watch?v=KlEKAzMQEOw&list=PLtVMyW0H7aiOQwZSsn2d-tg2z729ce1BZ&index=13): This video provides information about:
- - Zero Trust definition
- - Zero Trust principles
- - Zero Trust core concepts
-- [Zero Trust - The Open Group](https://www.youtube.com/watch?v=x0xlTVyX968&list=PLtVMyW0H7aiOQwZSsn2d-tg2z729ce1BZ&index=12): This video provides a perspective on Zero Trust from a standards organization.
diff --git a/security-docs/zero-trust/zero-trust-partner-kit.md b/security-docs/zero-trust/zero-trust-partner-kit.md
index a858691e2..7657523cf 100644
--- a/security-docs/zero-trust/zero-trust-partner-kit.md
+++ b/security-docs/zero-trust/zero-trust-partner-kit.md
@@ -4,21 +4,22 @@ description: Download customizable resources for architecting and deploying Zero
ms.date: 03/25/2025
ms.service: security
ms.subservice: zero-trust
-manager: rkarlin
ms.topic: article
-ms.collection:
- - zerotrust
---
# Zero Trust partner kit resources
-It's important to help partners and customers design, architect, and deploy security solutions. These top-requested Zero Trust resources are available for you to use with your own organization and customers. They're ready for you to add your own branding.
+This article summarizes partner resources to help you design, architect, and deploy Zero Trust security solutions. These top-requested resources are available for you to use with your own organization and customers. They're ready for you to add your own branding.
-## Co-branded progress tracking resources
+## Cobranded progress tracking resources
-These resources for tracking Zero Trust progress are co-branded with the Contoso logo. Swap in your own logo. Customize the objectives and tasks. If you're ambitious, these trackers also include instructions for updating the colors and fonts to your own branding standards.
+These progress tracking resources are cobranded with the Contoso logo.
-In this download:
+- Swap in your own logo.
+- Customize the objectives and tasks.
+- These trackers also include instructions for updating the colors and fonts to your own branding standards.
+
+Here's what's available in this download
- Blueprint for Zero Trust (Visio, can be saved as PDF).
- Business leader tracker for Zero Trust (PowerPoint).
@@ -27,54 +28,68 @@ In this download:
> [!div class="button"]
> [Download co-branded Zero Trust trackers](https://download.microsoft.com/download/d/7/6/d76f4b4d-6315-4018-a2bf-984b3067c0fe/microsoft-co-branded-zero-trust-trackers-contoso.zip)
-:::image type="content" source="media/zero-trust-phase-grid-tracker-contoso-thumb.png" alt-text="Small preview of the co-branded Zero Trust blueprint.":::
+:::image type="content" source="media/zero-trust-phase-grid-tracker-contoso-thumb.png" alt-text="Small preview of the cobranded Zero Trust blueprint.":::
## Microsoft Zero Trust workshop and assessment
-This workshop is a comprehensive technical guide to help customers and partners adopt a Zero Trust strategy and deploy security solutions end-to-end to secure their organizations.
+This workshop is a comprehensive technical guide to help customers and partners implement Zero Trust security solutions.
+
+- Learn how to [prepare and run a Zero Trust workshop](https://microsoft.github.io/zerotrustassessment/guide).
+- Review [the workshop delivery guide](https://microsoft.github.io/zerotrustassessment/docs/workshop-guidance/delivery-guide).
+- Learn about [the Zero Trust Assessment tool](assessment/overview.md).
+Learn how to run your own workshop and download the Excel assessment tool at [https://aka.ms/ztworkshop](https://aka.ms/ztworkshop).
+- Review [common partner questions](https://microsoft.github.io/zerotrustassessment/docs/zFAQs/partnerFAQs).
-Learn how to run your own workshop and download the Excel assessment tool at [https://aka.ms/ztworkshop](https://aka.ms/ztworkshop)
-:::image type="content" source="./media/zero-trust-assessment-strategy-workshop.png" alt-text="Screenshot of the Zero Trust roadmap for identities." lightbox="./media/zero-trust-assessment-strategy-workshop.png":::
+## Cobranded architecture diagrams
-## Co-branded architecture illustrations
+Architecture diagrams help communicate how to apply the principles of Zero Trust within specific environments with deep technical guidance and recommendations.
-Architecture diagrams like those included in our Zero Trust guidance help communicate how to apply the principles of Zero Trust to specific environments, from Microsoft 365 to specialized environments built in Azure or even Amazon Web Services (AWS). These illustrations help provide deeper technical guidance and recommendations. They provide a supported starting-point that you can adjust for your own environments. They help communicate design decisions and the relationships between components and security capabilities in an environment.
+- They provide a supported starting-point that you can adjust for your own environments.
+- They help communicate design decisions and the relationships between components and security capabilities in an environment.
-### Visio templates, Visio stencils, and Microsoft icon sets
+### Customizable Visio templates
-To help you work with reference architectures in the Zero Trust guidance center, you can download co-branded Visio template files along with Microsoft icon sets.
+To help you work with reference architectures in the Zero Trust guidance center, you can download cobranded Visio template files along with Microsoft icon sets.
-These 11x17 Visio template files are co-branded and leave plenty of room for your own work. Replace the Contoso logo with your own logo. Try out the template file that's themed with Microsoft Security colors. Or, work with the plain template file if you're not getting the results you want.
+- These 11x17 Visio template files are cobranded and leave plenty of room for your own work. - Replace the Contoso logo with your own logo.
+- Try out the template file themed with Microsoft Security colors.
+- Or, work with the plain template file if you're not getting the results you want.
> [!div class="button"]
> [Download co-branded Visio templates](https://download.microsoft.com/download/9/e/b/9eb3ec90-6f38-4ebe-aecd-4a746642905f/microsoft-poster-templates.zip)
-Other downloadable resources:
+### Download stencils and icon sets
-- **Visio stencils and icons** To download more Visio template page sizes and, more importantly, Visio stencil files that include Microsoft icons, see [Microsoft 365 architecture templates and icons](/microsoft-365/solutions/architecture-icons-templates). This Visio stencil set includes many conceptual icons, including many security symbols.
+ Both of these icon sets, you can download just the SVG files (scalable vector graphic). You can drag and drop these icon files into any tool, including Visio and PowerPoint.
+- **Visio stencils and icons** To download more Visio template page sizes and, more importantly, Visio stencil files that include Microsoft icons, see [Microsoft 365 architecture templates and icons](/microsoft-365/solutions/architecture-icons-templates). This Visio stencil set includes many conceptual icons, including many security symbols.
- **Azure icons** To download Azure icons, see [Azure architecture icons](/azure/architecture/icons/).
-With both of these icon sets, you can download just the SVG files (scalable vector graphic). You can drag and drop these icon files into any tool, including Visio and PowerPoint.
+### Download a tutorial
-To help you get started with these resources, your friendly Zero Trust team at Microsoft provides a tutorial: Draw like and architect quick start. This download includes both a PDF file and the editable Visio file.
+To help you get started with these resources, your friendly Zero Trust team at Microsoft provides a tutorial - *Draw like and architect quick start*. This download includes both a PDF file and the editable Visio file.
> [!div class="button"]
> [Download Draw like an architect quick start](https://www.microsoft.com/download/details.aspx?id=108351)
-### Zero Trust architecture illustrations
+## Zero Trust architecture illustrations
+
These illustrations are replicas of the reference illustrations across the Zero Trust guidance center. Download and customize these illustrations for your organization and customers.
|Item|Description|
|---|---|
-|:::image type="content" source="media/thumb-zero-trust-architecture-contoso.png" alt-text="Thumbnail picture of Zero trust architecture." link="https://download.microsoft.com/download/a/6/9/a69822ae-c58d-4ebf-8da2-53c8b9b966d2/zero-trust-architecture-contoso.vsdx"::: [Download Visio](https://download.microsoft.com/download/a/6/9/a69822ae-c58d-4ebf-8da2-53c8b9b966d2/zero-trust-architecture-contoso.vsdx)|**Zero Trust architecture**
High-level Zero Trust architecture. Use this illustration together with: - [Zero Trust adoption framework](adopt/zero-trust-adoption-overview.md)
- [Zero Trust deployment plan with Microsoft 365](https://aka.ms/zerotrust-m365)
- [Use Zero Trust security to prepare for AI companions, including Microsoft Copilots](copilots/apply-zero-trust-copilots-overview.md)
- [Apply Zero Trust principles to Azure services](apply-zero-trust-azure-services-overview.md)
|
-|:::image type="content" source="media/thumb-m365-zero-trust-deployment-plan.png" alt-text="Thumbnail picture of the Microsoft Zero Trust deployment plan with Microsoft 365." link="https://download.microsoft.com/download/a/6/9/a69822ae-c58d-4ebf-8da2-53c8b9b966d2/zero-trust-architecture-contoso.vsdx":::
[PDF](https://download.microsoft.com/download/f/d/b/fdb6ab0c-34bb-4cb8-84e6-5de8f13298da/m365-zero-trust-deployment-plan.pdf) \| [Visio](https://download.microsoft.com/download/f/d/b/fdb6ab0c-34bb-4cb8-84e6-5de8f13298da/m365-zero-trust-deployment-plan.vsdx)
Updated March 2025 | **Zero Trust deployment plan with Microsoft 365**
Use this illustration together with this article: [Zero Trust deployment plan with Microsoft 365](https://aka.ms/zerotrust-m365).|
-|:::image type="content" source="media/thumb-zero-trust-id-and-device-access-policies-contoso.png" alt-text="Thumbnail picture of Zero Trust identity and device access policies." link="https://download.microsoft.com/download/8/b/2/8b23ab16-a3de-4b4e-b8a0-95b393cfbcee/zero-trust-id-and-device-access-policies-contoso.vsdx":::
[PDF](https://download.microsoft.com/download/3d22de2e-38d8-4119-9f26-f6122b567909/zero-trust-id-and-device-access-policies-contoso.pdf) [Visio](https://download.microsoft.com/download/8/b/2/8b23ab16-a3de-4b4e-b8a0-95b393cfbcee/zero-trust-id-and-device-access-policies-contoso.vsdx)|**Zero Trust identity and device access policies**
This policy set is recommended for Microsoft 365, Azure-based solutions, and AI apps and companions.
Use this illustration together with [this set of articles](zero-trust-identity-device-access-policies-overview.md).|
-|:::image type="content" source="media/thumb-zero-trust-iaas-contoso.png" alt-text="Thumbnail picture of Apply Zero Trust principles to Azure IaaS." link="https://download.microsoft.com/download/2/d/e/2de84267-39d1-4845-8d31-83d97c9844a1/zero-trust-iaas-contoso.vsdx"::: [Download Visio](https://download.microsoft.com/download/2/d/e/2de84267-39d1-4845-8d31-83d97c9844a1/zero-trust-iaas-contoso.vsdx)|**Apply Zero Trust principles to Azure IaaS**
Use these illustrations with these articles: - [Overview](azure-infrastructure-overview.md)
- [Azure storage](azure-infrastructure-storage.md)
- [Virtual machines](azure-infrastructure-virtual-machines.md)
- [Azure spoke virtual networks ](azure-infrastructure-iaas.md)
- [Azure hub virtual networks](azure-infrastructure-networking.md)
|
-|:::image type="content" source="media/thumb-zero-trust-iaas-contoso-poster.png" alt-text="Thumbnail picture of Apply Zero Trust principles to Azure IaaS - One page poster." link="https://download.microsoft.com/download/b/6/b/b6b7207a-8b19-4a9a-a2c5-c6573e0f6685/zero-trust-iaas-contoso-poster.vsdx"::: [Download Visio](https://download.microsoft.com/download/b/6/b/b6b7207a-8b19-4a9a-a2c5-c6573e0f6685/zero-trust-iaas-contoso-poster.vsdx)|**Apply Zero Trust principles to Azure IaaS - One page poster**
A one-page overview of the process for [applying the principles of Zero Trust to Azure IaaS environments](azure-infrastructure-overview.md).|
-|:::image type="content" source="media/thumb-zero-trust-virtual-network-paas-contoso.png" alt-text="Thumbnail picture of Apply Zero Trust principles to a spoke virtual network with Azure PaaS Services." link="https://download.microsoft.com/download/8/8/4/884c8fc5-75bd-49c5-890c-4bb8f9d3365a/zero-trust-virtual-network-paas-contoso.vsdx"::: [Download Visio](https://download.microsoft.com/download/8/8/4/884c8fc5-75bd-49c5-890c-4bb8f9d3365a/zero-trust-virtual-network-paas-contoso.vsdx)|**Apply Zero Trust principles to a spoke virtual network with Azure PaaS Services**
Use these illustrations with [this article](azure-infrastructure-paas.md).|
-|:::image type="content" source="media/thumb-zero-trust-azure-virtual-wan-contoso.png" alt-text="Thumbnail picture of Apply Zero Trust principles to an Azure Virtual WAN deployment." link="https://download.microsoft.com/download/b/9/a/b9a27af0-3431-4fce-ae97-9d87529fef19/zero-trust-azure-virtual-wan-contoso.vsdx"::: [Download Visio](https://download.microsoft.com/download/b/9/a/b9a27af0-3431-4fce-ae97-9d87529fef19/zero-trust-azure-virtual-wan-contoso.vsdx)|**Apply Zero Trust principles to an Azure Virtual WAN deployment**
Use these illustrations with [this article](azure-virtual-wan.md).|
-|:::image type="content" source="media/thumb-zero-trust-pilot-and-deploy-microsoft-xdr-contoso.png" alt-text="Thumbnail picture of Pilot and deploy Microsoft Defender XDR." link="https://download.microsoft.com/download/c/a/b/cab2a45c-fe81-47f6-b592-4450374453b2/zero-trust-pilot-and-deploy-microsoft-xdr.vsdx"::: [Download Visio](https://download.microsoft.com/download/c/a/b/cab2a45c-fe81-47f6-b592-4450374453b2/zero-trust-pilot-and-deploy-microsoft-xdr.vsdx)|**Pilot and deploy Microsoft Defender XDR**
These illustrations include deployment processes and architecture illustrations for: - Defender for Identity
- Defender for Office
- Defender for Endpoint
- Defender for Cloud Apps.
Use these illustrations together with: [Pilot and deploy Microsoft Defender XDR](/defender-xdr/pilot-deploy-overview).|
-|:::image type="content" source="media/thumb-zero-trust-sentinel-xdr-contoso.png" alt-text="Thumbnail picture of Implement Microsoft Sentinel and Microsoft Defender XDR for Zero Trust." link="https://download.microsoft.com/download/d/3/6/d362e836-941c-49f5-9c39-19a8c97c898c/zero-trust-sentinel-xdr-contoso.vsdx"::: [Download Visio](https://download.microsoft.com/download/d/3/6/d362e836-941c-49f5-9c39-19a8c97c898c/zero-trust-sentinel-xdr-contoso.vsdx)|**Implement Microsoft Sentinel and Microsoft Defender XDR for Zero Trust**
Use these illustrations together with these articles:
[Overview](../operations/siem-xdr-overview.md)
[Step 1. Set up XDR tools](../operations/setup-xdr-tools.md)
[Step 2. Architect a Microsoft Sentinel workspace](../operations/siem-workspace.md)
[Step 3. Ingest data sources and configure incident detection](../operations/ingest-data-sources.md)
[Step 4. Respond to an incident using Microsoft Sentinel and Microsoft Defender XDR](../operations/respond-incident.md)|
+|:::image type="content" source="media/thumb-zero-trust-architecture-contoso.png" alt-text="Thumbnail picture of Zero Trust architecture." link="https://download.microsoft.com/download/a/6/9/a69822ae-c58d-4ebf-8da2-53c8b9b966d2/zero-trust-architecture-contoso.vsdx"::: [Download Visio](https://download.microsoft.com/download/a/6/9/a69822ae-c58d-4ebf-8da2-53c8b9b966d2/zero-trust-architecture-contoso.vsdx)|**ARCHITECTURE**
High-level Zero Trust architecture. Use this illustration together with:
[Our Zero Trust adoption model](security-adoption-model.md)
[Security Architecture discipline](security-adoption-discipline-architecture.md)|
+|:::image type="content" source="media/thumb-m365-zero-trust-deployment-plan.png" alt-text="Thumbnail picture of the Microsoft Zero Trust deployment plan with Microsoft 365." link="https://download.microsoft.com/download/a/6/9/a69822ae-c58d-4ebf-8da2-53c8b9b966d2/zero-trust-architecture-contoso.vsdx":::
[PDF](https://download.microsoft.com/download/f/d/b/fdb6ab0c-34bb-4cb8-84e6-5de8f13298da/m365-zero-trust-deployment-plan.pdf) \| [Visio](https://download.microsoft.com/download/f/d/b/fdb6ab0c-34bb-4cb8-84e6-5de8f13298da/m365-zero-trust-deployment-plan.vsdx)
Updated March 2025 | **MICROSOFT 365**
Use this illustration together with [Zero Trust Microsoft 365 protection](microsoft-365-zero-trust.md).|
+|:::image type="content" source="media/thumb-zero-trust-id-and-device-access-policies-contoso.png" alt-text="Thumbnail picture of Zero Trust identity and device access policies." link="https://download.microsoft.com/download/8/b/2/8b23ab16-a3de-4b4e-b8a0-95b393cfbcee/zero-trust-id-and-device-access-policies-contoso.vsdx":::
[PDF](https://download.microsoft.com/download/3d22de2e-38d8-4119-9f26-f6122b567909/zero-trust-id-and-device-access-policies-contoso.pdf) [Visio](https://download.microsoft.com/download/8/b/2/8b23ab16-a3de-4b4e-b8a0-95b393cfbcee/zero-trust-id-and-device-access-policies-contoso.vsdx)|**IDENTITY AND ACCESS POLICY**
This policy set is recommended for Microsoft 365, Azure-based solutions, and AI apps and companions.
Use this illustration together with [Zero Trust identity and access](zero-trust-identity-device-access-policies-overview.md).|
+|:::image type="content" source="media/thumb-zero-trust-iaas-contoso.png" alt-text="Thumbnail picture of Apply Zero Trust principles to Azure IaaS." link="https://download.microsoft.com/download/2/d/e/2de84267-39d1-4845-8d31-83d97c9844a1/zero-trust-iaas-contoso.vsdx"::: [Download Visio](https://download.microsoft.com/download/2/d/e/2de84267-39d1-4845-8d31-83d97c9844a1/zero-trust-iaas-contoso.vsdx)|**AZURE INFRASTRUCTURE**
Use these illustrations with this article:
[Overview](azure-infrastructure-overview.md)|
+|:::image type="content" source="media/thumb-zero-trust-iaas-contoso-poster.png" alt-text="Thumbnail picture of Apply Zero Trust principles to Azure IaaS - One page poster." link="https://download.microsoft.com/download/b/6/b/b6b7207a-8b19-4a9a-a2c5-c6573e0f6685/zero-trust-iaas-contoso-poster.vsdx"::: [Download Visio](https://download.microsoft.com/download/b/6/b/b6b7207a-8b19-4a9a-a2c5-c6573e0f6685/zero-trust-iaas-contoso-poster.vsdx)|**AZURE INFRASTRUCTURE**
Use with this article: [Zero Trust for Azure VMs](azure-infrastructure-virtual-machines.md).|
+|:::image type="content" source="media/thumb-zero-trust-virtual-network-paas-contoso.png" alt-text="Thumbnail picture of Apply Zero Trust principles to a spoke virtual network with Azure PaaS Services." link="https://download.microsoft.com/download/8/8/4/884c8fc5-75bd-49c5-890c-4bb8f9d3365a/zero-trust-virtual-network-paas-contoso.vsdx"::: [Download Visio](https://download.microsoft.com/download/8/8/4/884c8fc5-75bd-49c5-890c-4bb8f9d3365a/zero-trust-virtual-network-paas-contoso.vsdx)|**Apply Zero Trust principles to a spoke virtual network with Azure PaaS Services**
Use these illustrations with [this article](azure-networking-overview.md).|
+|:::image type="content" source="media/thumb-zero-trust-azure-virtual-wan-contoso.png" alt-text="Thumbnail picture of Apply Zero Trust principles to an Azure Virtual WAN deployment." link="https://download.microsoft.com/download/b/9/a/b9a27af0-3431-4fce-ae97-9d87529fef19/zero-trust-azure-virtual-wan-contoso.vsdx"::: [Download Visio](https://download.microsoft.com/download/b/9/a/b9a27af0-3431-4fce-ae97-9d87529fef19/zero-trust-azure-virtual-wan-contoso.vsdx)|**AZURE VIRTUAL WAN**
Use these illustrations with [this article](azure-virtual-wan.md).|
+|:::image type="content" source="media/thumb-zero-trust-pilot-and-deploy-microsoft-xdr-contoso.png" alt-text="Thumbnail picture of Pilot and deploy Microsoft Defender XDR." link="https://download.microsoft.com/download/c/a/b/cab2a45c-fe81-47f6-b592-4450374453b2/zero-trust-pilot-and-deploy-microsoft-xdr.vsdx"::: [Download Visio](https://download.microsoft.com/download/c/a/b/cab2a45c-fe81-47f6-b592-4450374453b2/zero-trust-pilot-and-deploy-microsoft-xdr.vsdx)|**THREAT PROTECTION**
These illustrations include deployment processes and architecture illustrations for threat protection in the Defender porta.
Use these illustrations together with: [Pilot and deploy Microsoft Defender XDR](/defender-xdr/pilot-deploy-overview).|
+|:::image type="content" source="media/thumb-zero-trust-sentinel-xdr-contoso.png" alt-text="Thumbnail picture of Implement Microsoft Sentinel and Microsoft Defender XDR for Zero Trust." link="https://download.microsoft.com/download/d/3/6/d362e836-941c-49f5-9c39-19a8c97c898c/zero-trust-sentinel-xdr-contoso.vsdx"::: [Download Visio](https://download.microsoft.com/download/d/3/6/d362e836-941c-49f5-9c39-19a8c97c898c/zero-trust-sentinel-xdr-contoso.vsdx)|**THREAT PROTECTION**
Use these illustrations together with these articles:
[Overview](../operations/siem-xdr-overview.md)
[Threat detection and response](integrate/visibility-automation-orchestration.md).
+
+## Next steps
+
+Review the [Microsoft Cybersecurity reference architecture (MCRA) set](microsoft-reference-architecture.md).
\ No newline at end of file
diff --git a/security-docs/zero-trust/zero-trust-tech-illus.md b/security-docs/zero-trust/zero-trust-tech-illus.md
index 9bc946469..fdcbe23cb 100644
--- a/security-docs/zero-trust/zero-trust-tech-illus.md
+++ b/security-docs/zero-trust/zero-trust-tech-illus.md
@@ -9,20 +9,15 @@ ms.collection:
- zerotrust-illustrations
---
-# Zero Trust illustrations for IT architects and implementers
+# Zero Trust illustrations
+
+This article summarizes Zero Trust illustrations available for IT architects and implementers
These posters and technical diagrams give you information about deployment and implementation steps to apply the [principles of Zero Trust](zero-trust-overview.md) to Microsoft cloud services, including Microsoft 365 and Microsoft Azure.
Zero Trust is a security model that assumes breach and verifies each request as though it originated from an uncontrolled network. Regardless of where the request originates or what resource it accesses, the Zero Trust model teaches us to "never trust, always verify."
-As an IT architect or implementer, you can use these resources for deployment steps, reference architectures, and logical architectures to more quickly apply Zero Trust principles to your existing environment for:
-
-- [Microsoft 365](/microsoft-365/security/microsoft-365-zero-trust?bc=%2fsecurity%2fzero-trust%2fbreadcrumb%2ftoc.json&toc=%2fsecurity%2fzero-trust%2ftoc.json)
-- [Microsoft Copilot for Microsoft 365](copilots/zero-trust-microsoft-365-copilot.md)
-- Azure services:
-
- - [Azure IaaS](azure-infrastructure-overview.md)
- - [Azure Virtual WAN](azure-infrastructure-avd.md)
+As an IT architect or implementer, you can use these resources for deployment steps, reference architectures, and logical architectures that align with Zero Trust principles.
You can download the following types of illustrations:
@@ -40,7 +35,7 @@ This illustration provides a deployment plan for applying Zero Trust principles
|---|---|
|[](https://download.microsoft.com/download/f/d/b/fdb6ab0c-34bb-4cb8-84e6-5de8f13298da/m365-zero-trust-deployment-plan.pdf)
[PDF](https://download.microsoft.com/download/f/d/b/fdb6ab0c-34bb-4cb8-84e6-5de8f13298da/m365-zero-trust-deployment-plan.pdf) \| [Visio](https://download.microsoft.com/download/f/d/b/fdb6ab0c-34bb-4cb8-84e6-5de8f13298da/m365-zero-trust-deployment-plan.vsdx)
Updated March 2024|Use this illustration together with this article: [Microsoft 365 Zero Trust deployment plan](/microsoft-365/security/microsoft-365-zero-trust?bc=%2fsecurity%2fzero-trust%2fbreadcrumb%2ftoc.json&toc=%2fsecurity%2fzero-trust%2ftoc.json)
**Related solution guides**
- [Deploy your identity infrastructure for Microsoft 365](/microsoft-365/enterprise/deploy-identity-solution-overview)
- [Recommended identity and device access configurations](/security/zero-trust/zero-trust-identity-device-access-policies-overview)
- [Manage devices with Intune](/microsoft-365/solutions/manage-devices-with-intune-overview)
- [Evaluate and pilot Microsoft Defender XDR](/defender-xdr/pilot-deploy-overview)
- [Deploy an information protection solution with Microsoft Purview](/purview/information-protection-solution)
- [Deploy information protection for data privacy regulations with Microsoft 365](/microsoft-365/solutions/data-privacy-protection)
|
-## Zero Trust for Microsoft Copilot for Microsoft 365
+## Zero Trust for Microsoft Copilot
Adopting Microsoft Copilot for Microsoft 365 or Copilot is a great incentive for your organization to invest in Zero Trust. This set of illustrations introduces new logical architecture components for Copilot. It also includes security and deployment recommendations for preparing your environment for Copilot. These recommendations align with Zero Trust recommendations and help you begin this journey, even if your licenses are Microsoft 365 E3.
@@ -48,7 +43,7 @@ Adopting Microsoft Copilot for Microsoft 365 or Copilot is a great incentive for
|---|---|
|[](https://download.microsoft.com/download/c/d/6/cd6c6858-f87b-4dc5-a593-e87db0aa6029/microsoft-365-copilot-architecture.pdf)
[PDF](https://download.microsoft.com/download/c/d/6/cd6c6858-f87b-4dc5-a593-e87db0aa6029/microsoft-365-copilot-architecture.pdf) \| [Visio](https://download.microsoft.com/download/c/d/6/cd6c6858-f87b-4dc5-a593-e87db0aa6029/microsoft-365-copilot-architecture.vsdx)
Updated November 2023|Copilot combines the power of large language models (LLMs) with your data in the Microsoft Graph (calendar, emails, chats, documents, meetings, and more) and the Microsoft 365 apps to provide a powerful productivity tool.
This series of illustrations provides a view into new logical architecture components. It includes recommendations for preparing your environment for Copilot with security and information protection while assigning licenses.|
-## Apply Zero Trust to Azure IaaS components poster
+## Zero Trust for Azure IaaS
This poster provides a single-page, at-a-glance view of the components of Azure IaaS as reference and logical architectures. It also provides the steps to ensure that these components have the "never trust, always verify" principles of the Zero Trust model applied.
@@ -56,7 +51,7 @@ This poster provides a single-page, at-a-glance view of the components of Azure
|---|---|
|[](https://download.microsoft.com/download/d/8/b/d8b38a95-803c-4956-88e6-c0de68f7f8e9/apply-zero-trust-to-Azure-IaaS-infra-poster.pdf)
[PDF](https://download.microsoft.com/download/d/8/b/d8b38a95-803c-4956-88e6-c0de68f7f8e9/apply-zero-trust-to-Azure-IaaS-infra-poster.pdf) \| [Visio](https://download.microsoft.com/download/d/8/b/d8b38a95-803c-4956-88e6-c0de68f7f8e9/apply-zero-trust-to-Azure-IaaS-infra-poster.vsdx)
Updated June 2024|Use this poster together with this article: [Apply Zero Trust principles to Azure IaaS overview](azure-infrastructure-overview.md)
**Related solution guides**
- [Azure Storage services](azure-infrastructure-storage.md)
- [Virtual machines](azure-infrastructure-virtual-machines.md)
- [Spoke virtual networks (VNets)](azure-infrastructure-iaas.md)
- [Hub VNets](azure-infrastructure-networking.md)
|
-## Diagrams for applying Zero Trust to Azure IaaS components
+### Zero Trust to Azure IaaS components
You can also download the technical diagrams used in the [Zero Trust for Azure IaaS series of articles](azure-infrastructure-overview.md). These diagrams are an easier way to view the illustrations in the article or modify them for your own use.
@@ -64,7 +59,7 @@ You can also download the technical diagrams used in the [Zero Trust for Azure I
|---|---|
|[](https://download.microsoft.com/download/c/e/a/ceac5996-7cbf-4184-aed8-16dffcad3795/apply-zero-trust-to-Azure-IaaS-infra-diagrams.pdf)
[PDF](https://download.microsoft.com/download/c/e/a/ceac5996-7cbf-4184-aed8-16dffcad3795/apply-zero-trust-to-Azure-IaaS-infra-diagrams.pdf) \| [Visio](https://download.microsoft.com/download/c/e/a/ceac5996-7cbf-4184-aed8-16dffcad3795/apply-zero-trust-to-Azure-IaaS-infra-diagrams.vsdx)
Updated June 2024|Use these diagrams together with the articles starting here: [Apply Zero Trust principles to Azure IaaS overview](azure-infrastructure-overview.md)
**Related solution guides**
- [Azure Storage services](azure-infrastructure-storage.md)
- [Virtual machines](azure-infrastructure-virtual-machines.md)
- [Spoke VNets](azure-infrastructure-iaas.md)
- [Hub VNets](azure-infrastructure-networking.md)
|
-## Zero Trust for Azure Virtual WAN diagrams
+## Zero Trust for Azure Virtual WAN
These diagrams show the reference and logical architectures for [applying Zero Trust to Azure Virtual WAN](azure-virtual-wan.md). These diagrams are an easier way to view the illustrations in the article or modify them for your own use.
@@ -72,7 +67,7 @@ These diagrams show the reference and logical architectures for [applying Zero T
|---|---|
|[](https://download.microsoft.com/download/1/e/f/1ef1ad20-138e-419d-b30d-7f20811ef923/apply-zero-trust-to-Azure-vWAN-diagrams.pdf)
[PDF](https://download.microsoft.com/download/1/e/f/1ef1ad20-138e-419d-b30d-7f20811ef923/apply-zero-trust-to-Azure-vWAN-diagrams.pdf) \| [Visio](https://download.microsoft.com/download/1/e/f/1ef1ad20-138e-419d-b30d-7f20811ef923/apply-zero-trust-to-Azure-vWAN-diagrams.vsdx)
Updated March 2024|Use this illustration together with this article: [Apply Zero Trust principles to Azure Virtual WAN](azure-virtual-wan.md)|
-## Zero Trust for Azure Virtual Desktop diagrams
+## Zero Trust for Azure Virtual Desktop
These diagrams show the reference and logical architectures for [applying Zero Trust to Azure Virtual Desktop](azure-infrastructure-avd.md). These diagrams are an easier way to view the illustrations in the article or modify them for your own use.
@@ -80,15 +75,15 @@ These diagrams show the reference and logical architectures for [applying Zero T
|---|---|
|[](https://download.microsoft.com/download/4/e/f/4efdcc13-1a62-4f11-9f79-d4a7201d28f9/apply-zero-trust-to-Azure-Virtual-Desktop-diagrams.pdf)
[PDF](https://download.microsoft.com/download/4/e/f/4efdcc13-1a62-4f11-9f79-d4a7201d28f9/apply-zero-trust-to-Azure-Virtual-Desktop-diagrams.pdf) \| [Visio](https://download.microsoft.com/download/4/e/f/4efdcc13-1a62-4f11-9f79-d4a7201d28f9/apply-zero-trust-to-Azure-Virtual-Desktop-diagrams.vsdx)
Updated March 2024|Use this illustration together with this article: [Apply Zero Trust principles to Azure Virtual Desktop](azure-infrastructure-avd.md)|
-## Zero Trust Identity and Device Access Policies
+## Zero Trust for access policies
This illustration shows the set of Zero Trust identity and device access policies for three levels of protection: Starting point, Enterprise, and Specialized security.
|Item|Description|
|---|---|
-|[](https://download.microsoft.com/download/e/d/0/ed03381c-16ce-453e-9c89-c13967819cea/zero-trust-identity-and-device-access-policies.pdf)
[PDF](https://download.microsoft.com/download/e/d/0/ed03381c-16ce-453e-9c89-c13967819cea/zero-trust-identity-and-device-access-policies.pdf)
Updated March 2024|Use this illustration together with this article: [Recommended identity and device access configurations](/security/zero-trust/zero-trust-identity-device-access-policies-overview)
**Related solution guides**
- [Plan your Microsoft 365 Zero Trust deployment](/microsoft-365/security/microsoft-365-zero-trust?bc=%2fsecurity%2fzero-trust%2fbreadcrumb%2ftoc.json&toc=%2fsecurity%2fzero-trust%2ftoc.json)
- [Deploy your identity infrastructure for Microsoft 365](/microsoft-365/enterprise/deploy-identity-solution-overview)
- [Manage devices with Intune](/microsoft-365/solutions/manage-devices-with-intune-overview)
- [Evaluate and pilot Microsoft 365 Defender](/defender-xdr/pilot-deploy-overview)
- [Deploy an information protection solution with Microsoft Purview](/purview/information-protection-solution)
- [Deploy information protection for data privacy regulations with Microsoft 365](/microsoft-365/solutions/data-privacy-protection)
|
+|[](https://download.microsoft.com/download/e/d/0/ed03381c-16ce-453e-9c89-c13967819cea/zero-trust-identity-and-device-access-policies.pdf)
[PDF](https://download.microsoft.com/download/e/d/0/ed03381c-16ce-453e-9c89-c13967819cea/zero-trust-identity-and-device-access-policies.pdf)
Updated March 2024|Use this illustration together with this article: [Recommended identity and device access configurations](/security/zero-trust/zero-trust-identity-device-access-policies-overview)
**Related solution guides**
- [Plan your Microsoft 365 Zero Trust deployment](/microsoft-365/security/microsoft-365-zero-trust?bc=%2fsecurity%2fzero-trust%2fbreadcrumb%2ftoc.json&toc=%2fsecurity%2fzero-trust%2ftoc.json)
- [Deploy your identity infrastructure for Microsoft 365](/microsoft-365/enterprise/deploy-identity-solution-overview)
- [Manage devices with Intune](/microsoft-365/solutions/manage-devices-with-intune-overview)
- [Evaluate and pilot Microsoft Defender XDR](/defender-xdr/pilot-deploy-overview)
- [Deploy an information protection solution with Microsoft Purview](/purview/information-protection-solution)
- [Deploy information protection for data privacy regulations with Microsoft 365](/microsoft-365/solutions/data-privacy-protection)
|
-## Common attacks and how Microsoft capabilities for Zero Trust can protect your organization
+## Common attacks
Learn about the most common cyber attacks and how Microsoft capabilities for Zero Trust can help your organization at every stage of an attack. Also use a table to quickly link to Zero Trust documentation for common attacks based on technology pillars such as identities or data.
@@ -97,7 +92,7 @@ Learn about the most common cyber attacks and how Microsoft capabilities for Zer
|[](https://download.microsoft.com/download/F/A/C/FACFC1E9-FA35-4DF1-943C-8D4237B4275B/MSFT_Cloud_architecture_security_commonattacks.pdf)
[PDF](https://download.microsoft.com/download/F/A/C/FACFC1E9-FA35-4DF1-943C-8D4237B4275B/MSFT_Cloud_architecture_security_commonattacks.pdf) \|[Visio](https://download.microsoft.com/download/F/A/C/FACFC1E9-FA35-4DF1-943C-8D4237B4275B/MSFT_Cloud_architecture_security_commonattacks.vsdx)
Updated February 2024|Use this illustration together with this article: [Zero Trust deployment for technology pillars](deploy/overview.md)|
-## Other Microsoft security posters and illustrations
+## Other posters and illustrations
These other Microsoft security posters and illustrations are available:
@@ -115,36 +110,9 @@ These other Microsoft security posters and illustrations are available:
## Next steps
-Use the following Zero Trust content based on a documentation set or the roles in your organization.
-
-### Documentation set
-
-Follow this table for the best Zero Trust documentation sets for your needs.
-
-|Documentation set|Helps you...|Roles|
-|---|---|---|
-|[Adoption framework](adopt/zero-trust-adoption-overview.md) for phase and step guidance for key business solutions and outcomes|Apply Zero Trust protections from the C-suite to the IT implementation.|Security architects, IT teams, and project managers|
-|[Concepts and deployment objectives](deploy/overview.md) for general deployment guidance for technology areas|Apply Zero Trust protections aligned with technology areas.|IT teams and security staff|
-|[Zero Trust for small businesses](guidance-smb-partner.md)|Apply Zero Trust principles to small business customers.|Customers and partners working with Microsoft 365 for business|
-|[Zero Trust Rapid Modernization Plan (RaMP)](zero-trust-ramp-overview.md) for project management guidance and checklists for easy wins|Quickly implement key layers of Zero Trust protection.|Security architects and IT implementers|
-|[Zero Trust deployment plan with Microsoft 365](/microsoft-365/security/microsoft-365-zero-trust?bc=%2fsecurity%2fzero-trust%2fbreadcrumb%2ftoc.json&toc=%2fsecurity%2fzero-trust%2ftoc.json) for stepped and detailed design and deployment guidance|Apply Zero Trust protections to your Microsoft 365 organization.|IT teams and security staff|
-|[Zero Trust for Microsoft Copilots](copilots/apply-zero-trust-copilots-overview.md) for stepped and detailed design and deployment guidance|Apply Zero Trust protections to Microsoft Copilots.|IT teams and security staff|
-|[Zero Trust for Azure services](azure-infrastructure-overview.md) for stepped and detailed design and deployment guidance|Apply Zero Trust protections to Azure workloads and services.|IT teams and security staff|
-|[Partner integration with Zero Trust](integrate/overview.md) for design guidance for technology areas and specializations|Apply Zero Trust protections to partner Microsoft cloud solutions.|Partner developers, IT teams, and security staff|
-|[Develop using Zero Trust principles](develop/overview.md) for application development design guidance and best practices|Apply Zero Trust protections to your application.|Application developers|
-
-### Your role
-
-Follow this table for the best documentation sets for your role in your organization.
-
-|Role|Documentation set|Helps you...|
-|---|---|---|
-|Security architect
IT project manager
IT implementer|[Adoption framework](adopt/zero-trust-adoption-overview.md) for phase and step guidance for key business solutions and outcomes|Apply Zero Trust protections from the C-suite to the IT implementation.|
-|Member of an IT or security team|[Concepts and deployment objectives](deploy/overview.md) for general deployment guidance for technology areas|Apply Zero Trust protections aligned with technology areas.|
-|Customer or partner for Microsoft 365 for business|[Zero Trust for small businesses](guidance-smb-partner.md)|Apply Zero Trust principles to small business customers.|
-|Security architect
IT implementer|[Zero Trust Rapid Modernization Plan (RaMP)](zero-trust-ramp-overview.md) for project management guidance and checklists for easy wins|Quickly implement key layers of Zero Trust protection.|
-|Member of an IT or security team for Microsoft 365|[Zero Trust deployment plan with Microsoft 365](/microsoft-365/security/microsoft-365-zero-trust?bc=%2fsecurity%2fzero-trust%2fbreadcrumb%2ftoc.json&toc=%2fsecurity%2fzero-trust%2ftoc.json) for stepped and detailed design and deployment guidance for Microsoft 365|Apply Zero Trust protections to your Microsoft 365 organization.|
-|Member of an IT or security team for Microsoft Copilots|[Zero Trust for Microsoft Copilots](copilots/apply-zero-trust-copilots-overview.md) for stepped and detailed design and deployment guidance|Apply Zero Trust protections to Microsoft Copilots.|
-|Member of an IT or security team for Azure services|[Zero Trust for Azure services](azure-infrastructure-overview.md) for stepped and detailed design and deployment guidance|Apply Zero Trust protections to Azure workloads and services.|
-|Partner developer or member of an IT or security team|[Partner integration with Zero Trust](integrate/overview.md) for design guidance for technology areas and specializations|Apply Zero Trust protections to partner Microsoft cloud solutions.|
-|Application developer|[Develop using Zero Trust principles](develop/overview.md) for application development design guidance and best practices|Apply Zero Trust protections to your application.|
+Start with [Zero Trust adoption](security-adoption-model.md).
+
+
+
+
+