Business Problem
Following a security assessment, IDSentinel Solutions' executive leadership issued a mandate to implement a Zero Trust access model across the organization. The assessment identified three critical gaps:
- Gap 1: No least-privilege enforcement — administrators held permanent privileged roles with no time limits or approval requirements
- Gap 2: No device compliance requirements — any device, including personal and unmanaged devices, could access corporate resources
- Gap 3: No location-based access controls — access was permitted from any geographic location with no risk-based evaluation
The CISO tasked the IAM team with designing and implementing a Zero Trust architecture to address all three gaps within 30 days.
Risk
- Permanent admin access creates insider threat and credential theft risk
- Unmanaged devices accessing sensitive data violates Zero Trust principles
- No location controls means compromised credentials work from anywhere
- Non-compliant with IDSentinel's cyber insurance requirements
- Fails SOC 2 Type II access control requirements
Zero Trust Principles Applied
| Principle | Implementation |
|---|---|
| Verify explicitly | MFA + device compliance required for all access |
| Use least privilege | PIM Just-in-Time admin access replaces permanent roles |
| Assume breach | Named locations + sign-in risk policies limit blast radius |
Solution Design
The Zero Trust rollout was implemented across three parallel workstreams:
Just-in-Time Admin Access (PIM)
All privileged roles converted from permanent to eligible. Admins must request and justify access with time-limited 1-hour activation windows.
Conditional Access Policy Suite
Four CA policies deployed — MFA enforcement, device compliance, risk-based sign-in blocking, and admin portal access restriction.
Infrastructure as Code (Terraform)
All Conditional Access policies defined as Terraform code for repeatable, auditable, version-controlled deployment.
Implementation
Workstream 1 — PIM Just-in-Time Access
01. Convert Permanent Roles to Eligible
All privileged roles (Global Admin, Security Admin, etc.) converted from permanent to PIM eligible assignments. Zero standing admin access outside of break-glass accounts.
02. Configure Activation Requirements
PIM activation configured to require MFA verification, business justification entry, and a maximum 1-hour activation window with full audit logging.
03. Validate JIT Access Request Flow
End-to-end tested from the IAM Engineer perspective — activated Security Administrator role via PIM with MFA challenge and business justification required. Role confirmed active for 1-hour window then automatically expired.
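The eligible (rather than permanent) assignment from step 01 can also be expressed in Terraform with the same AzureAD provider used in Workstream 3. This is an added example, not part of the project's own main.tf: the user principal name is a constructed placeholder, and it assumes a provider version that ships the azuread_directory_role_eligibility_schedule_request resource. The activation requirements from step 02 (MFA, justification, 1-hour maximum) are PIM role settings and are not set by this resource.

```terraform
# Activate (or reference) the Security Administrator directory role by display name.
resource "azuread_directory_role" "security_admin" {
  display_name = "Security Administrator"
}

# The principal who should be *eligible* for the role. Placeholder UPN (constructed).
data "azuread_user" "iam_engineer" {
  user_principal_name = "iam.engineer@example.com"
}

# Eligible assignment: no standing access, the engineer must activate via PIM.
# A permanent assignment would instead use azuread_directory_role_assignment.
resource "azuread_directory_role_eligibility_schedule_request" "security_admin_eligible" {
  role_definition_id = azuread_directory_role.security_admin.template_id
  principal_id       = data.azuread_user.iam_engineer.object_id
  directory_scope_id = "/" # tenant-wide scope
  justification      = "JIT eligibility for IAM engineering; activation gated by PIM role settings (MFA, justification, 1h max)"
}
```

A quick posture check after apply: the role should show no permanent active members other than the break-glass accounts, and the engineer should appear only under eligible assignments in the PIM blade.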
Workstream 2 — Conditional Access Policy Suite
04. Policy 1 — Require MFA for All Users
MFA required for all users on all cloud apps. No exclusions except break-glass accounts.
05. Policy 2 — Block High Risk Sign-ins
Sign-ins at high risk level (Identity Protection) blocked outright. Medium risk challenged with MFA step-up.
06. Policy 3 — Restrict Admin Portal Access
Azure/Entra admin portals restricted to compliant, managed devices only — preventing admin access from personal or unmanaged endpoints.
Workstream 3 — Terraform as Code
07. Configure Terraform Entra Provider
AzureAD Terraform provider configured with service principal authentication. `terraform init` run to initialize the working directory.
08. Define CA Policies as Code
All four Conditional Access policies defined in `main.tf` using the `azuread_conditional_access_policy` resource. `terraform plan` validated all resources before apply.
09. Apply Infrastructure
`terraform apply` deployed all CA policies to Entra ID. Policies confirmed active in Entra admin center — version-controlled and repeatable.
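The provider configuration and three of the policies from Workstream 2 (Policy 1, the high-risk half of Policy 2, and Policy 3), written with the azuread_conditional_access_policy resource as steps 07 to 09 describe. This is an added example and not the project's main.tf: the variable names (tenant_id, client_id, client_secret, break_glass_user_ids), the display names and the provider version pin are assumptions, and the "MicrosoftAdminPortals" application target is assumed to be accepted by the provider version in use.

```terraform
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.47" # assumed pin
    }
  }
}

# Step 07: service-principal authentication. Variable names are assumptions;
# the secret should come from a secret store, never from a committed tfvars file.
provider "azuread" {
  tenant_id     = var.tenant_id
  client_id     = var.client_id
  client_secret = var.client_secret
}

# Object IDs of the break-glass accounts, the only exclusion every policy shares.
variable "break_glass_user_ids" {
  type        = list(string)
  description = "Object IDs of emergency-access accounts excluded from CA policies"
}

# Policy 1: MFA for all users on all cloud apps, break-glass accounts excluded.
resource "azuread_conditional_access_policy" "require_mfa_all_users" {
  display_name = "CA001 - Require MFA for all users"
  state        = "enabled"

  conditions {
    client_app_types = ["all"]

    applications {
      included_applications = ["All"]
    }

    users {
      included_users = ["All"]
      excluded_users = var.break_glass_user_ids
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["mfa"]
  }
}

# Policy 2 (high-risk half): block sign-ins Identity Protection rates as high risk.
# The medium-risk step-up is a second policy with sign_in_risk_levels = ["medium"]
# and built_in_controls = ["mfa"], omitted here for brevity.
resource "azuread_conditional_access_policy" "block_high_risk_signin" {
  display_name = "CA002 - Block high risk sign-ins"
  state        = "enabled"

  conditions {
    client_app_types    = ["all"]
    sign_in_risk_levels = ["high"]

    applications {
      included_applications = ["All"]
    }

    users {
      included_users = ["All"]
      excluded_users = var.break_glass_user_ids
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["block"]
  }
}

# Policy 3: admin portals reachable only from compliant (Intune-managed) devices with MFA.
resource "azuread_conditional_access_policy" "admin_portals_compliant_device" {
  display_name = "CA003 - Restrict admin portals to compliant devices"
  state        = "enabled"

  conditions {
    client_app_types = ["all"]

    applications {
      # Built-in target for the Azure/Entra admin portals (assumed provider support).
      included_applications = ["MicrosoftAdminPortals"]
    }

    users {
      included_users = ["All"]
      excluded_users = var.break_glass_user_ids
    }
  }

  grant_controls {
    operator          = "AND" # both controls must be satisfied
    built_in_controls = ["mfa", "compliantDevice"]
  }
}
```

For a first rollout, setting `state = "enabledForReportingButNotEnforced"` lets `terraform apply` create the policies in report-only mode so sign-in logs show who would have been blocked, and a later change to `"enabled"` is a one-line diff that `terraform plan` makes visible in review. Because the break-glass exclusion is a shared variable rather than a per-policy literal, a typo in one policy cannot silently lock those accounts out.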
Outcome
Files
- terraform/main.tf: Terraform configuration for all CA policies
- terraform/variables.tf: Variable definitions
- terraform/outputs.tf: Output values
- diagrams/zero-trust-architecture.png: Zero Trust architecture diagram
- scripts/Validate-ZeroTrustPosture.ps1: Validates CA policies and PIM assignments are correctly configured
- screenshots/: Evidence of implementation across all three workstreams