

Zero Trust guidance for small businesses

This article provides guidance and resources for deploying Zero Trust with Microsoft 365 Business Premium and other technologies commonly used by small to medium-sized businesses. These resources help you realize the principles of Zero Trust:

  • Verify explicitly: Always authenticate and authorize with identity and device access policies.
  • Use least privilege access: Provide users with only the access they need and for the time they need it to perform their tasks.
  • Assume breach: Do what you can to prevent attacks, protect against threats, and then be ready to respond.

This article also includes information and resources for Microsoft partners.

Configuration guidance for Microsoft 365 Business Premium

Microsoft 365 Business Premium is a comprehensive cloud productivity and security solution designed especially for small and medium-sized businesses. The guidance in this article applies the principles of Zero Trust in an end-to-end configuration process using the capabilities provided in Business Premium.

Cybersecurity playbook for small business [screenshot of the playbook]. In this library:
  • Downloadable poster that guides you through the process of configuring Business Premium for Zero Trust.
  • Guidance for small and medium-sized businesses who aren't security experts and need some help getting started.
  • Steps to secure unmanaged, personally owned devices (also known as bring your own device or BYOD) and managed devices (typically, company-owned devices).
  • Recommendations and best practices for all users, including admins and security operations personnel.

For more information, see the following resources:

| Zero Trust principle | Met by |
|---|---|
| Verify explicitly | Multifactor authentication (MFA) is turned on by using security defaults (or with Conditional Access). This configuration requires users to register for MFA. It also disables access through legacy authentication (devices that don't support modern authentication) and requires admins to authenticate every time they sign in. |
| Use least privileged access | Guidance is provided for protecting admin accounts and not using these accounts for user tasks. |
| Assume breach | Protection against malware and other cybersecurity threats is increased by using preset security policies. Guidance is provided for training your team to set up unmanaged, personally owned devices (BYOD), use email securely, and collaborate and share more securely. Guidance is also provided to secure managed devices (typically, company-owned devices). |

Additional threat protection

Business Premium includes Microsoft Defender for Business, which provides comprehensive security for devices with a simplified configuration experience that's optimized for small and medium-sized businesses. Capabilities include threat and vulnerability management, next-generation protection (antivirus and firewall), automated investigation and remediation, and more.

Business Premium also includes advanced anti-phishing, anti-spam, and anti-malware protection for email content and Office files (Safe Links and Safe Attachments) with Microsoft Defender for Office 365 Plan 1. With these capabilities, your email and collaboration content is more secure and better protected.

For more information, see the following resources:

| Zero Trust principle | Met by |
|---|---|
| Verify explicitly | Devices that access company data must meet security requirements. |
| Use least privileged access | Guidance is provided for using roles to assign permissions and security policies to prevent unauthorized access. |
| Assume breach | Advanced protection is provided for devices, email, and collaboration content. Remediation actions are taken when threats are detected. |

Partner guidance and tools

If you're a Microsoft partner, several resources are available to help you manage security for your business customers. These resources include learning paths, guidance, and integration.

The Solutions Partner for Security designation enables customers to identify you as a partner they can trust for integrated security, compliance, and identity solutions. See Solutions Partner for Security Learning Path (Microsoft Partner Center).

Guidance is available to help customers review permissions and administrative access granted to partners. Guidance is also available to help Microsoft Managed Security Service Providers (MSSPs) integrate with their customer organizations. For more information, see the following articles:

Resources are available to help you as a Microsoft partner to manage security settings for your customers, and to help protect their devices and data. Microsoft 365 Lighthouse integrates with Microsoft 365 Business Premium, Microsoft Defender for Business, and Microsoft Defender for Endpoint.

The Defender for Endpoint APIs can be used to integrate device security capabilities in Business Premium with remote monitoring and management (RMM) tools and professional service automation (PSA) software. See the following articles:

| Zero Trust principle | Met by |
|---|---|
| Verify explicitly | Resources are available to help Microsoft partners configure and manage identities, access methods, and policies for their customers. |
| Use least privileged access | Partners can configure integration with customer organizations. Customers can review permissions and administrative access granted to partners. |
| Assume breach | Microsoft 365 Lighthouse integrates with Microsoft threat protection capabilities for small and medium-sized businesses. |

Protect other SaaS apps you or your customers use

You or your small business customers likely use other Software as a Service (SaaS) applications, such as Salesforce, Adobe Creative Cloud, and DocuSign. You can integrate these applications with Microsoft Entra ID and include these applications in your MFA and Conditional Access policies.

The Microsoft Entra application gallery is a collection of software as a service (SaaS) applications that are pre-integrated with Microsoft Entra ID. All you need to do is find the application in the gallery and add it to your environment. Then, the application is available to include in the scope of your MFA and Conditional Access rules. See Overview of the Microsoft Entra application gallery.

After you add SaaS apps to your environment, these apps are automatically protected with Microsoft Entra MFA and the other protections provided by security defaults. If you're using Conditional Access policies instead of security defaults, you need to add these apps to the scope of your Conditional Access and related policies. See Turn on MFA in Microsoft 365 Business Premium.

Microsoft Entra ID determines when a user is prompted for MFA based on factors such as location, device, role, and task. This functionality protects all applications registered with Microsoft Entra ID, including SaaS applications. See Require users to do MFA when necessary.
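The following script is an added example and is not part of the Microsoft article. It shows, with the Microsoft Graph PowerShell SDK, the two cases the configuration table and the SaaS-app section describe: first it checks whether security defaults are enabled (in which case MFA, legacy-authentication blocking and admin re-authentication already cover every app, gallery SaaS apps included, and no Conditional Access policy can be created alongside them); otherwise it stages two Conditional Access policies in report-only mode, one requiring MFA for all users on all cloud apps and one blocking legacy authentication. Targeting "All" applications is what keeps SaaS apps added from the gallery later inside the policy scope. The break-glass user principal name, the policy display names and the tenant are assumptions, not values from the page.

```powershell
# Added example (not from the article): compare security defaults with an
# equivalent pair of Conditional Access policies. Requires the Microsoft.Graph
# PowerShell SDK and a Microsoft Entra ID P1 license (included in Business Premium).
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# Security defaults and Conditional Access are mutually exclusive in a tenant.
$securityDefaults = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy"

if ($securityDefaults.isEnabled) {
    Write-Host "Security defaults are enabled: MFA registration, legacy-auth blocking and"
    Write-Host "admin MFA already apply to every app, including SaaS apps from the gallery."
    Write-Host "Nothing to add; disable security defaults first if you want Conditional Access."
    return
}

# Exclude one emergency-access (break-glass) account so a broken policy cannot lock
# every admin out. PLACEHOLDER UPN: replace with your own break-glass account.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.example'" -Property Id
$excluded   = if ($breakGlass) { @($breakGlass.Id) } else { @() }

# Policy 1: require MFA for all users on all cloud apps. includeApplications = "All"
# covers SaaS apps added from the Microsoft Entra application gallery later on.
$requireMfa = @{
    displayName   = "ZT-01 Require MFA for all users and all cloud apps"   # assumed name
    state         = "enabledForReportingButNotEnforced"   # report-only: review sign-in logs, then set "enabled"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $excluded }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication. Clients that cannot do modern auth
# (Exchange ActiveSync and "other" legacy protocols) cannot satisfy MFA, so they
# are blocked outright rather than left as an MFA bypass.
$blockLegacy = @{
    displayName   = "ZT-02 Block legacy authentication"   # assumed name
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $excluded }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created policy '{0}' in state {1}" -f $created.DisplayName, $created.State)
}

# Show every Conditional Access policy and its enforcement state for review.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Leave both policies in report-only mode until the sign-in logs show the expected users and apps being evaluated and no unexpected blocks; only then switch the state to "enabled". Because both policies target "All" applications, a new SaaS app added from the gallery is covered without editing the policies, which is the point made in the paragraph above.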

| Zero Trust principle | Met by |
|---|---|
| Verify explicitly | All SaaS apps you add require MFA for access. |
| Use least privileged access | Users must meet authentication requirements to use apps that access company data. |
| Assume breach | Factors such as location, device, role, and task are considered when users are authenticated. MFA is used when necessary. |

More Zero Trust documentation

Use the Zero Trust content in this section based on a documentation set or the roles in your organization.

Documentation set

Follow this table for the best Zero Trust documentation sets for your needs.

| Documentation set | Helps you... | Roles |
|---|---|---|
| Adoption framework for phase and step guidance for key business solutions and outcomes | Apply Zero Trust protections from the C-suite to the IT implementation. | Security architects, IT teams, and project managers |
| Concepts and deployment objectives for general deployment guidance for technology areas | Apply Zero Trust protections aligned with technology areas. | IT teams and security staff |
| Zero Trust Rapid Modernization Plan (RaMP) for project management guidance and checklists for easy wins | Quickly implement key layers of Zero Trust protection. | Security architects and IT implementers |
| Zero Trust deployment plan with Microsoft 365 for stepped and detailed design and deployment guidance | Apply Zero Trust protections to your Microsoft 365 organization. | IT teams and security staff |
| Zero Trust for Microsoft Copilots for stepped and detailed design and deployment guidance | Apply Zero Trust protections to Microsoft Copilots. | IT teams and security staff |
| Zero Trust for Azure services for stepped and detailed design and deployment guidance | Apply Zero Trust protections to Azure workloads and services. | IT teams and security staff |
| Partner integration with Zero Trust for design guidance for technology areas and specializations | Apply Zero Trust protections to partner Microsoft cloud solutions. | Partner developers, IT teams, and security staff |
| Develop using Zero Trust principles for application development design guidance and best practices | Apply Zero Trust protections to your application. | Application developers |

Your role

Follow this table for the best documentation sets for your role in your organization.

| Role | Documentation set | Helps you... |
|---|---|---|
| Security architect, IT project manager, or IT implementer | Adoption framework for phase and step guidance for key business solutions and outcomes | Apply Zero Trust protections from the C-suite to the IT implementation. |
| Member of an IT or security team | Concepts and deployment objectives for general deployment guidance for technology areas | Apply Zero Trust protections aligned with technology areas. |
| Security architect or IT implementer | Zero Trust Rapid Modernization Plan (RaMP) for project management guidance and checklists for easy wins | Quickly implement key layers of Zero Trust protection. |
| Member of an IT or security team for Microsoft 365 | Zero Trust deployment plan with Microsoft 365 for stepped and detailed design and deployment guidance for Microsoft 365 | Apply Zero Trust protections to your Microsoft 365 organization. |
| Member of an IT or security team for Microsoft Copilots | Zero Trust for Microsoft Copilots for stepped and detailed design and deployment guidance | Apply Zero Trust protections to Microsoft Copilots. |
| Member of an IT or security team for Azure services | Zero Trust for Azure services for stepped and detailed design and deployment guidance | Apply Zero Trust protections to Azure workloads and services. |
| Partner developer or member of an IT or security team | Partner integration with Zero Trust for design guidance for technology areas and specializations | Apply Zero Trust protections to partner Microsoft cloud solutions. |
| Application developer | Develop using Zero Trust principles for application development design guidance and best practices | Apply Zero Trust protections to your application. |