security
5204 Topics

What are the prerequisites to see Microsoft Secure Score?

My teammate says that even Basic or Standard M365 license provides Secure Score. Which is kind of right as you can see a basic score when opening a tenant in Lighthouse. But if you try to go to Defender console and then Exposure menu and press on Secure Score, it won't load with just Standard/Basic licenses assigned to users. I have tried to find a definitive list, but I can't. Copilot said you need at least Premium Business or E3/E5 or Defender P1. Which seems to make sense. But I need a confirmation. And also why do I see some score on tenant's page in Lighthouse?

Solved, 37 Views, 0 likes, 2 Comments

The Microsoft Zero Trust Assessment: Helping you operationalize the hardening of your Microsoft security products

Evolving Threats, Adaptive Defenses: The Security Practitioner’s New Reality

Cyber threats are advancing faster than ever, and the arrival of highly accessible AI tools with a low proficiency barrier has made this challenge one that most organizations cannot keep up with. According to the latest Microsoft Digital Defense Report, 28% of breaches begin with phishing, and we also see a 4.5x increase in AI-automated phishing campaigns with higher click-through rates. This example highlights the need for security organizations not only to prioritize hardened security policies but also to automate detection of misconfigurations and deviations from the desired security posture.

To help address these challenges, Microsoft launched the Secure Future Initiative (SFI) in November 2023, a multiyear effort to transform how we design, build, test, and operate our products and services, to meet the highest security standards. SFI unites every part of Microsoft to strengthen cybersecurity across our company and products. We’ve committed to transparency by sharing regular updates with customers, partners, and the security community.

Today, we released our third SFI progress report, which highlights 10 actionable patterns and practices customers can adopt to reduce risk, along with additional best practices and guidance. In this report, we share updates across every engineering pillar, introduce mapping to the NIST Cybersecurity Framework to help customers measure progress against a recognized industry standard, and showcase new security capabilities delivered to customers. We also provide implementation guidance aligned to Zero Trust principles, ensuring organizations have practical steps to reduce risk and strengthen resilience.

Building on these learnings, we’re excited to announce the public preview of the Microsoft Zero Trust Assessment tool, designed to help you identify common security gaps starting with Identity and Device pillars with the remaining pillars of Zero Trust coming soon. This assessment is informed by our own SFI learnings and aligned with widely recognized frameworks such as CISA’s SCuBA project. Your feedback is critical as we continue to iterate and expand this tool. Our goal is for you to operationalize it in your environment and share insights as we add more pillars in the coming months.

Introducing Zero Trust Assessment

A deep dive into how the Microsoft Zero Trust Assessment works including report structure, prioritization logic, and implementation guidance is available below in this blog.

The Microsoft Zero Trust Assessment empowers teams to make informed decisions, reduce blind spots, and prioritize remediation, turning insights into action. Once you download and run the tool (installation guide), it will assess your policy configurations and scan objects to generate a comprehensive report that not only highlights gaps and risks but also explains what was checked, why a test failed, and how your organization can implement the recommended configuration. This makes the results immediately actionable; security teams know exactly what steps to take next.

The report features an overview page that presents aggregated data across your tenant, highlighting overall risk levels, patterns, and trends. This allows security teams to quickly assess their organization’s posture, identify high-impact areas, and prioritize remediation efforts.

The assessment provides a detailed list of all the tests that were conducted, including those not applicable, so the results are clear and relevant. Each test includes risk level, user impact, and implementation effort, enabling teams to make informed decisions and prioritize fixes based on business impact.

By combining clear guidance with prioritized recommendations, the Zero Trust Assessment turns insights into action, helping organizations reduce blind spots, strengthen security, and plan remediation effectively. Future updates will expand coverage to additional Zero Trust pillars, giving organizations even broader visibility and guidance.

For each test performed, customers can see the exact policies or objects that are passing or failing the test with a direct link to where they can address it in the product, and guidance on how to remediate. The report also provides granular details of the policies evaluated and any applicable assignment groups. In addition, the tool provides clear guidance on details of the test performed and why it matters, and the steps required to resolve issues effectively.

How It Works

Here’s a quick summary of the steps for you to run the tool. Check our documentation for full details.

First, you install the ZeroTrustAssessment PowerShell module.

    Install-Module ZeroTrustAssessment -Scope CurrentUser

Then, you connect to Microsoft Graph and to Azure by signing into your tenant.

    Connect-ZtAssessment

After that, you run a single command to kick off the data gathering. Depending on the size of your tenant, this might take several hours.

    Invoke-ZtAssessment

After the assessment is complete, the tool will display the assessment results report. A sample report of the assessment can be viewed at aka.ms/zerotrust/demo.

The tool uses read-only permissions to download the tenant configuration, and it runs the analysis locally on your computer. We recommend you treat the data and artifacts it creates as highly sensitive organization security data.

Get Started Today

Ready to strengthen your security posture? Download and run the Zero Trust Assessment to see how your tenant measures up. Review the detailed documentation for Identity and Devices to understand every test and recommended action.

If you have feedback or want to help shape future releases, share your insights at aka.ms/zerotrust/feedback. If you find the assessment valuable, pass it along to your peers and help raise the bar for all our customers.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog and Technical Community blogs to keep up with our expert coverage on security matters, including updates on this assessment. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

What’s Next

This is just the first step in the journey. We will be launching new SFI-infused assessments across the other pillars of Zero Trust in the coming months. Please stay tuned for updates.

Want to go deeper? Visit the SFI webpage to explore the report, actionable patterns, NIST mapping, and best practices that can help you strengthen your security posture today.

5.7K Views, 6 likes, 2 Comments

Lock down Form creation for staff

Hi, I want some staff to be able to create forms/surveys etc. https://forms.microsoft.com/ I want to ensure that the rest of the staff can consume the forms, i.e. fill in, but not create new or "Collaborate or Duplicate". What is the best way for me to do this?

Thank you for your time,
Ollie

28 Views, 0 likes, 1 Comment

Windows 12 in a Nutshell

• Speed and Responsiveness: like Windows 8.x – instant startup, smooth reactions.
• Stability: like Windows 7 – a reliable foundation that doesn’t collapse under load.
• Lightweight Hardware Requirements: like Windows XP – able to run smoothly even on weaker configurations.
• Modern Components: no outdated libraries (.NET Framework 2.0/3.5/4.8, OpenGL).
• More Secure Registry: resilient against errors and attacks, better protected than in current systems.
• Separated AI Layer: intelligent features available, but clearly separated from the system core to preserve stability.

76 Views, 0 likes, 2 Comments

Support tip: Upcoming Microsoft Intune network changes

We know many customers don’t always check their service change messages in the Microsoft 365 admin center or the corresponding Message Center content in the Microsoft Intune admin center, so in this blog post we’re highlighting an important upcoming change to Intune network service endpoints.

Starting on or shortly after December 2, 2025, Intune will also use Azure Front Door IP addresses to improve security and simplify firewall management. If your organization uses outbound traffic policies based on IP addresses or service tags, you’ll want to review and update your firewall rules to avoid service disruptions. We’ll keep you updated if the timeline shifts. In the meantime, here’s the service change communication that posted to all Intune customers:

MC1147982 - Action Required: Update firewall configurations to include new Intune network endpoints

As part of Microsoft’s ongoing Secure Future Initiative (SFI), starting on or shortly after December 2, 2025, the network service endpoints for Microsoft Intune will also use Azure Front Door IP addresses. This improvement supports better alignment with modern security practices and over time will make it easier for organizations using multiple Microsoft products to manage and maintain their firewall configurations. As a result, customers may be required to add these network (firewall) configurations in third-party applications to enable proper function of Intune device and app management. This change will affect customers using a firewall allowlist that allows outbound traffic based on IP addresses or Azure service tags.

Do not remove any existing network endpoints required for Microsoft Intune.
Additional network endpoints are documented as part of the Azure Front Door and service tags information referenced in the files linked below:

• Public clouds: Download Azure IP Ranges and Service Tags – Public Cloud from Official Microsoft Download Center
• Government clouds: Download Azure IP Ranges and Service Tags – US Government Cloud from Official Microsoft Download Center

The additional ranges are those listed in the JSON files linked above and can be found by searching for “AzureFrontDoor.MicrosoftSecurity”.

How this will affect your organization

If you have configured an outbound traffic policy for Intune IP address ranges or Azure service tags for your firewalls, routers, proxy servers, client-based firewalls, VPN or network security groups, you will need to update them to include the new Azure Front Door ranges with the “AzureFrontDoor.MicrosoftSecurity” tag.

Intune requires internet access for devices under Intune management, whether for mobile device management or mobile application management. If your outbound traffic policy doesn’t include the new Azure Front Door IP address ranges, users may face login issues, devices might lose connectivity with Intune, and access to apps like the Intune Company Portal or those protected by app protection policies could be disrupted.

What you need to do to prepare

Ensure that your firewall rules are updated and added to your firewall’s allowlist with the additional IP addresses documented under Azure Front Door by December 2, 2025.

Alternatively, you may add the service tag “AzureFrontDoor.MicrosoftSecurity” to your firewall rules to allow outbound traffic on port 443 for the addresses in the tag.

If you are not the IT admin who can make this change, notify your networking team.
If you are responsible for configuring internet traffic, refer to the following documentation for more details:

• Azure Front Door
• Azure service tags
• Intune network endpoints
• US government network endpoints for Intune

If you have a helpdesk, inform them about this upcoming change. If you need additional assistance, contact Microsoft Intune Support and refer to this Message Center post.

Note: The above post went to all customers in our public cloud. Customers in Microsoft Intune for US Government GCC High and DoD received the following post (the only difference is the focus on US government network endpoints):

MC1147978 - Action Required: Update firewall configurations to include additional Intune network endpoints

Note: The previously available PowerShell scripts for retrieving Microsoft Intune endpoint IP addresses and FQDNs no longer return accurate data from the Office 365 Endpoint service. Instead, use the consolidated list provided in the Intune endpoints documentation. Using the original scripts or endpoint lists from the Office 365 Endpoint service is insufficient and may lead to incorrect configurations.

For network best practices, make sure to check out the blog: Support tip: Aligning network policy with Intune and Zero Trust

If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn.

Update 11/13: Added a note to use the consolidated list of Intune endpoints.

294K Views, 10 likes, 15 Comments
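
For the Intune post above, an added example (not Microsoft's code) of the check it asks for: list which “AzureFrontDoor.MicrosoftSecurity” prefixes an existing outbound allowlist does not yet fully cover. It assumes the Service Tags JSON layout `values[].name` and `values[].properties.addressPrefixes`; the sample file and allowlist are constructed from documentation-only ranges.

```python
import ipaddress
import json

TAG = "AzureFrontDoor.MicrosoftSecurity"

# Constructed sample in the assumed layout of the Service Tags download;
# documentation-only address ranges, not real Azure prefixes.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "AzureFrontDoor.Frontend",
         "properties": {"addressPrefixes": ["203.0.113.0/24"]}},
        {"name": TAG,
         "properties": {"addressPrefixes": [
             "192.0.2.0/25", "198.51.100.0/24", "2001:db8:1::/48"]}},
    ],
})

# Constructed current outbound allowlist for TCP 443.
SAMPLE_ALLOWLIST = ["192.0.2.0/24", "2001:db8:1:8000::/49"]


def tag_prefixes(service_tags_json, tag=TAG):
    """Return the tag's address prefixes as ip_network objects."""
    doc = json.loads(service_tags_json)
    for entry in doc.get("values", []):
        if entry.get("name") == tag:
            return [ipaddress.ip_network(p)
                    for p in entry["properties"]["addressPrefixes"]]
    raise LookupError(f"service tag {tag!r} not found in file")


def missing_prefixes(service_tags_json, allowlist, tag=TAG):
    """Return the tag's prefixes that no allowlist entry fully contains."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    missing = []
    for net in tag_prefixes(service_tags_json, tag):
        # A prefix counts as covered only if one rule contains all of it;
        # a rule covering half of a /48 still leaves the /48 reported.
        covered = any(net.version == a.version and net.subnet_of(a)
                      for a in allowed)
        if not covered:
            missing.append(str(net))
    return missing


if __name__ == "__main__":
    for prefix in missing_prefixes(SAMPLE_SERVICE_TAGS, SAMPLE_ALLOWLIST):
        print(f"add outbound 443 rule for {prefix}")
```

Because the exact tag name is matched, a renamed or absent tag raises an error instead of silently reporting that nothing is missing.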