This work package provides organisations with expert guidance to design and implement a Zero Trust Architecture (ZTA) aligned to the Microsoft Cybersecurity Reference Architecture (MCRA). It integrates Zero Trust principles — identity‑centric access, continuous verification, least privilege, micro‑segmentation, and adaptive policy enforcement — across Microsoft cloud, hybrid, and multi‑cloud environments.
The service ensures Zero Trust is embedded into identity, endpoints, networks, applications, data, infrastructure, and operational security, leveraging the full Microsoft security ecosystem (Entra, Defender, Purview, Sentinel, Intune, Azure).
Assess current security posture against MCRA and Zero Trust principles.
Design a Zero Trust Reference Architecture aligned to Microsoft’s security capabilities.
Strengthen identity, device, network, application, and data security.
Improve monitoring, detection, and automated response capabilities.
Establish governance, operating models, and continuous assurance processes.
An MCRA‑aligned Zero Trust maturity assessment.
A Zero Trust Reference Architecture mapped to Microsoft security capabilities.
Hardened identity, network, data, and workload controls.
Updated governance, policies, and operational processes.
A multi‑phase Zero Trust transformation roadmap.
Assessment aligned to:
Microsoft Cybersecurity Reference Architecture
Microsoft Zero Trust Model
Microsoft Cloud Security Benchmark
NIST SP 800‑207
CISA Zero Trust Maturity Model
Assessment across Zero Trust pillars:
Identity (Entra ID, Conditional Access, PIM)
Devices (Intune, Defender for Endpoint)
Network (ZTNA, Azure Firewall, Private Link)
Applications (App Proxy, App Registrations, Workload Identities)
Data (Purview, DLP, encryption)
Infrastructure (Azure, hybrid, on‑prem)
Operations (Sentinel, Defender XDR, SOAR)
Activities include:
Review of architecture, controls, and governance.
Mapping current capabilities to MCRA and Zero Trust maturity levels.
Gap analysis and prioritised recommendations.
Identity:
Identity governance and lifecycle management.
MFA, passwordless, Conditional Access.
Privileged Identity Management (PIM).
Workload identity governance.
Devices:
Device trust and compliance policies.
Endpoint hardening and threat protection.
BYOD and corporate device governance.
Network:
Zero Trust network segmentation.
Azure Firewall, WAF, DDoS Protection.
Private Link and service endpoint strategy (prefer Private Link where the service's public endpoint must not remain reachable; service endpoints still depend on the service firewall to close it).
Secure remote access and ZTNA patterns.
Applications:
Application identity and workload trust.
API security and gateway integration.
Secure DevOps and CI/CD controls.
App registration governance.
Data:
Data classification and sensitivity labels.
Encryption, tokenisation, key management.
DLP and insider risk management.
Data access governance.
Infrastructure:
Secure landing zones aligned to CAF.
VM, container, and serverless hardening.
Defender for Cloud configuration.
Operations:
SIEM, SOAR, XDR integration.
Behavioural analytics and anomaly detection.
Automated policy enforcement and remediation.
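As an added illustration of the identity pillar above (example code written for this page, not part of the work package or of any Microsoft sample), the following PowerShell uses the Microsoft Graph SDK to create two Conditional Access policies: one requiring MFA for all users and one blocking legacy authentication. Both start in report-only mode and exclude a break-glass group so emergency-access accounts cannot be locked out. It assumes the Microsoft.Graph module is installed, an administrator can consent to Policy.ReadWrite.ConditionalAccess, and the group ID placeholder is replaced with the tenant's real emergency-access group; the policy names are illustrative.

```powershell
# Added example, not from the work package: Conditional Access as code via Microsoft Graph.
# Assumes Microsoft.Graph PowerShell SDK and an account able to consent to the scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the emergency-access (break-glass) group. Replace before use.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Policy 1: require MFA for every user on every cloud app, report-only to start.
$requireMfa = @{
    displayName   = "ZT-ID-001 Require MFA for all users (report-only)"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" after reviewing sign-in logs
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa
"Created policy $($created.Id) in state $($created.State)"

# Check before enforcement: the break-glass group must be excluded, otherwise an MFA
# outage can lock administrators out of the tenant.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.Conditions.Users.ExcludeGroups -notcontains $breakGlassGroupId) {
    throw "Break-glass group is not excluded from $($check.DisplayName); do not enable this policy."
}

# Policy 2: block legacy authentication clients (Exchange ActiveSync and "other"),
# which cannot satisfy MFA and are a common MFA bypass path. Also report-only to start.
$blockLegacy = @{
    displayName   = "ZT-ID-002 Block legacy authentication (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy | Out-Null
```

Leave both policies in report-only mode until the sign-in logs show which users and clients would have been affected, then switch `state` to `enabled`; keeping the break-glass exclusion in place is the check that matters most.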
Zero Trust governance framework aligned to MCRA.
Updated security policies and standards.
Architecture principles and decision‑making workflows.
Zero Trust risk register and control mapping.
Operating model for continuous verification and assurance.
Prioritised capability roadmap (12–36 months).
Work package catalogue aligned to business priorities.
Dependency mapping across identity, network, data, and cloud.
Costing, resourcing, and risk analysis.
Entra ID hardening (MFA, PIM, Conditional Access).
Intune and Defender for Endpoint deployment.
Azure network segmentation and ZTNA integration.
Sentinel SIEM/SOAR configuration.
Defender XDR integration.
Purview data governance deployment.
DevSecOps and CI/CD security integration.
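As an added example for the Azure network segmentation item above (written for this page, not from the work package or from Microsoft), the following PowerShell defines and assigns an Azure Policy that flags or denies storage accounts whose public endpoint is still enabled, so new workloads are reachable only through Private Link. It assumes the Az.Resources and Az.PolicyInsights modules, an identity with rights to create policy definitions and assignments at the subscription scope, and a filled-in subscription ID; the definition and assignment names are illustrative.

```powershell
# Added example, not from the work package: policy-as-code enforcement of Private Link only.
# Assumes Az.Resources and Az.PolicyInsights; $subscriptionId is a placeholder to replace.
Connect-AzAccount | Out-Null
$subscriptionId = "00000000-0000-0000-0000-000000000000"
$scope = "/subscriptions/$subscriptionId"

# Policy rule: any storage account whose publicNetworkAccess is not Disabled matches.
# The effect is parameterised so the same definition can run as Audit first, then Deny.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "field": "Microsoft.Storage/storageAccounts/publicNetworkAccess", "notEquals": "Disabled" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

$parameters = @'
{
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Audit",
    "metadata": { "description": "Audit first; switch to Deny once existing accounts use Private Link." }
  }
}
'@

$definition = New-AzPolicyDefinition -Name "zt-storage-deny-public-network" `
    -DisplayName "Storage accounts must disable public network access" `
    -Policy $rule -Parameter $parameters -Mode Indexed

# Assign in Audit mode first. Existing accounts are not changed by the policy; Deny only
# blocks new or updated resources, so an Audit pass shows what must be migrated first.
$assignment = New-AzPolicyAssignment -Name "zt-storage-public-audit" `
    -PolicyDefinition $definition -Scope $scope -PolicyParameterObject @{ effect = "Audit" }

# Check: list the resources that would be blocked before re-assigning with effect = Deny.
Get-AzPolicyState -PolicyAssignmentName $assignment.Name -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState
```

Once the non-compliant list is empty (or each remaining account has an approved exception), re-run the assignment with `@{ effect = "Deny" }`; the same compliance results surface in Defender for Cloud, which is where the recommendation in the risk table above is meant to be tracked.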
MCRA Zero Trust Maturity Assessment Report
Zero Trust Reference Architecture Blueprint (MCRA‑aligned)
Identity & Access Modernisation Pack
Network Micro‑Segmentation Design
Data Protection & Governance Framework
Monitoring, Detection & Automation Design Pack
Governance & Operating Model Framework
Executive Summary & Board‑Level Presentation
Azure Zero Trust Landing Zone
Secure DevOps / DevSecOps Integration Guide
Continuous Zero Trust Monitoring Service
Zero Trust Incident Response Playbooks
Multi‑Cloud Zero Trust Architecture
Initiation & Discovery (1–2 weeks)
MCRA Zero Trust Maturity Assessment (2–4 weeks)
Architecture & Policy Design (4–8 weeks)
Identity, Network & Data Hardening (variable)
Monitoring & Automation Integration (2–4 weeks)
Governance & Capability Uplift (ongoing)
Optional: Continuous Zero Trust Assurance (subscription)
Lead Zero Trust Architect
Microsoft Cloud Security Architect
Identity & Access Specialist
Network & Micro‑Segmentation Engineer
Data Security & Purview Specialist
Governance & Compliance Analyst
Project Manager
Fixed‑price for assessment, architecture, and governance phases.
Time & materials for engineering, integration, and hardening.
Subscription/retainer for continuous Zero Trust monitoring and assurance.
Access to Entra ID, Azure, Defender, Purview, and Sentinel environments.
Engagement with IT, security, and architecture teams.
Availability of existing architecture diagrams and policies.
Client commitment to governance and operational adoption.
Identity sprawl → mitigated through governance and PIM.
Cloud misconfigurations → mitigated through Defender for Cloud and policy enforcement.
Operational resistance → mitigated through training and clear operating models.
Tool sprawl → mitigated through consolidation into Microsoft’s integrated security stack.