The Secure Future Initiative (SFI) is a multiyear, cross-Microsoft initiative to make the way in which Microsoft designs, builds, tests, and operates its products and services increasingly secure. SFI is built upon:
- A set of security principles that drive the way in which we innovate on security design, implement those innovations into Microsoft products as secure defaults and standards, and provide internal and external security guidance.
- A set of prioritized security pillars and objectives.
This article summarizes the "Protect tenants and isolate systems" SFI pillar.
Before you start
- Learn about the SFI pillars.
- Review and track the latest progress on pillar objectives in the SFI What's New article.
- Learn about Zero Trust principles, and NIST CSF functions and categories.
- Get a list of NIST categories and acronyms to help as you review the table in this article.
Pillar and objectives
The aim of the "Protect tenants and isolate systems" pillar is to contain potential threat blast radius by preventing lateral movement or privilege escalation. It ensures that tenant-level security boundaries are correctly configured, hardened, and isolated.
Microsoft objectives and Zero Trust/NIST mapping for this pillar are summarized in the following table.
| Objective | Zero Trust | NIST mapping |
|---|---|---|
| 1. Remove legacy systems that risk security. Maintain the security posture and commercial relationship of tenants by removing all unused, aged, or legacy systems. | Verify explicitly: All identity and resource systems are authenticated and validated through modern control planes. Use least privilege: Eliminates old systems without modern, fine-grained controls. Assume breach: Removes legacy trust paths and minimizes blast radius. | ID.AM-02 (Software platforms and applications within the organization are inventoried). The first step in removing legacy systems is to discover system elements for full visibility. ID.AM-08 (Identities and associated accounts, including service accounts and applications, are inventoried). Track, manage, and decommission unmanaged accounts, service, machine, and app identities. PR.PS-01 (Configuration management practices are established and applied). Secure platforms and services on a modern foundation. |
| 2. Secure all tenants and their resources. Protect Microsoft, acquired, and employee-created tenants, commerce accounts, and tenant resources in accordance with security best practice baselines. | Verify explicitly: Authenticate all tenant-to-tenant interactions. Use least privilege: Policies and segmentation limit permissions across environments. Assume breach: Tenant boundaries assume potential compromise and are designed to contain lateral movement. | ID.AM-02 (Software platforms and applications within the organization are inventoried). Securing tenants requires a complete inventory of tenants, directories, apps, service principals, and platform resources. PR.IR-01 (Processes are established to prepare for incident response and reduce potential impact). Securing tenants and assets enforces tenant-level isolation, baselines, segmentation, and health checks to reduce blast radius and contain incidents. PR.AA-05 (Permissions and authorizations are managed, enforced, and periodically verified). Securing tenants requires consistent authorization and validation. PR.PS-01 (Configuration management practices are established and applied). Secure platforms and services on a modern foundation. |
| 3. Higher security for Entra ID apps. Manage Microsoft Entra ID applications with a high and consistent security bar. | Verify explicitly: Enforce strong authentication and app vetting. Use least privilege: App permissions restricted to minimal necessary rights. Assume breach: App access designed with containment and monitoring. | ID.AM-08 (Maintain an inventory of accounts, including service principals, applications, and identities, and ensure they are managed according to policy). PR.AA-01 (Access control policy). Govern app access consistently. PR.AA-05 (Authorization is enforced and governed). Enforce app authentication controls. PR.IR-01 (Prepare for effective incident response by establishing processes, controls, and configurations that limit impact and support rapid containment). |
| 4. Eliminate identity lateral movement. Eliminate identity lateral movement pivots between tenants, environments, and clouds. | Verify explicitly: Validate every token and trust boundary crossing. Use least privilege: Limit identity reuse and privilege escalation across tenants. Assume breach: Design boundaries to contain identity misuse. | PR.AA-04 (Access is restricted using segmentation and least-privilege principles). Prevent unauthorized lateral movement by enforcing segmentation, boundary controls, and scoped access. PR.IR-01 (Processes are established to prepare for incident response and reduce potential impact). Prepare for effective incident response by implementing controls that reduce blast radius, limit attacker movement, and support rapid containment before an incident occurs. DE.CM-01 (Systems and assets are monitored to detect anomalous activity). Continuously monitor identity, access, and system activity to detect anomalous behavior, policy violations, and indicators of lateral movement. |
| 5. Continuous least-privilege enforcement. Ensure continuous least-privilege access enforcement for apps and users. | Verify explicitly: Policies ensure least-privilege decisions are verified at every access. Use least privilege: Core outcome of this objective: enforce only necessary permissions. | PR.AA-05 (Permissions and authorizations are managed, enforced, and periodically verified). Access permissions and authorizations must be continually managed and enforced, and periodically verified. |
| 6. Secure devices used for access. Adopt fine-grained partitioning of identity signing keys and platform keys. Ensure that only secure, managed, healthy devices are granted access to Microsoft tenants. | Verify explicitly: Each device identity is validated and continuously assessed. Use least privilege: Device posture gating ensures minimal-risk access. | ID.AM-01 (Physical devices and systems within the organization are inventoried). Securing devices requires a complete inventory of all devices allowed to access tenants. ID.AM-02 (Software platforms and applications within the organization are inventoried). Device security checks depend on tracking OS versions, configuration, management state, and compliance posture of devices. PR.AA-01 (Identities are authenticated commensurate with risk). Authentication includes device trust; only secure, compliant devices are allowed. PR.AA-06 (Access aligns with least-privilege principles). Access is authorized using attributes such as roles, states, and processes, and is aligned with least privilege. |
Next steps
- Review the latest progress on pillar objectives in What's New.
- Learn about adopting Microsoft SFI best practices.