Capability Profile
Zero Trust Architecture
Never trust, always verify - built into how the platform works
Zero Trust is a security model that assumes no user, device, or network location is inherently trustworthy. Every access request is authenticated, authorized, and continuously evaluated regardless of where it originates.
Zero Trust is not a product. It is a security architecture built on three principles: verify explicitly, use least privilege access, and assume breach. In the Microsoft cloud, Zero Trust is implemented through a combination of Entra ID Conditional Access, Microsoft Defender, Intune device compliance, and Purview information protection working as an integrated system. The goal is an environment where access decisions are made continuously based on real-time risk signals rather than assumed based on network location.
The traditional network perimeter, where everything inside the firewall was trusted and everything outside was not, has been functionally obsolete since the shift to cloud and remote work. Zero Trust is the architectural response to that reality. It is also increasingly a compliance requirement: NIST 800-207, CISA guidance, and a growing number of sector-specific frameworks either require or strongly align to Zero Trust principles. For organizations in government, healthcare, or financial services, Zero Trust architecture is becoming a baseline expectation rather than a differentiator.
  • Identity - Entra ID with Conditional Access, Identity Protection, and PIM as the primary enforcement layer
  • Devices - Intune device compliance as a signal in Conditional Access decisions
  • Applications - App-level Conditional Access policies and session controls
  • Data - Purview sensitivity labels and information protection as the data layer
  • Infrastructure - Azure Policy and Defender for Cloud extending Zero Trust to infrastructure resources
  • Networks - Entra Private Access and Internet Access for network-layer Zero Trust

At NBT, I designed Conditional Access frameworks for 25 client tenants, each built from a Zero Trust baseline: block legacy authentication, require compliant devices for corporate data access, enforce MFA through named locations and risk-based signals. Zero Trust in practice is not a project with a finish line. It is a set of architectural decisions made consistently across every identity, device, and data configuration decision.
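As an added example (not code from this page or its author), the three baseline controls named above written as Microsoft Graph PowerShell policy definitions, created in report-only mode so sign-in logs can be reviewed before enforcement; the group id is a placeholder for the tenant's emergency-access accounts and must be filled in.

```powershell
# Added example, not the page author's code. Assumes the Microsoft.Graph.Identity.SignIns
# module is installed and $BreakGlassGroupId is replaced with the object id of the
# tenant's emergency-access group (placeholder below).
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$BreakGlassGroupId = "<emergency-access-group-object-id>"   # placeholder, not a real id

# Policy 1: block legacy authentication. Exchange ActiveSync and "other" clients
# cannot satisfy MFA or device-compliance controls, so they are blocked outright.
$blockLegacy = @{
    displayName   = "ZT-001 Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"   # report-only first
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: require an Intune-compliant device for all cloud apps from modern clients.
$requireCompliant = @{
    displayName   = "ZT-002 Require compliant device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}

# Policy 3: require MFA when Identity Protection rates the sign-in risk medium or high.
$riskMfa = @{
    displayName   = "ZT-003 Require MFA for risky sign-ins"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Create the policies; each returns its id and state for the change record.
foreach ($p in @($blockLegacy, $requireCompliant, $riskMfa)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object Id, DisplayName, State
}
```

Switch each policy's state to "enabled" only after the report-only sign-in log shows no unexpected blocks for the users and devices it covers.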

My Zero Trust work is primarily expressed through Conditional Access architecture, identity governance, and endpoint compliance rather than as a standalone project. That is how Zero Trust actually gets implemented in practice: not as a separate initiative but as a set of architectural decisions made consistently across the identity, device, and data layers of an existing environment.
At NBT, designing Conditional Access frameworks for 25 client tenants meant working from a Zero Trust baseline and adapting it to each organization's risk tolerance, compliance posture, and operational constraints. Some clients were ready for strict device compliance requirements; others needed a phased approach that moved toward Zero Trust over time without disrupting operations. The architectural work was translating the principle into configurations that would hold up in production without generating constant helpdesk friction.
M&A scenarios are among the higher-risk identity environments because they involve connecting formerly separate organizations with unknown security postures. At Latham Pool Products, there were three potential acquisitions. One, a small organization, was completed, and the planning work included thinking through what cross-tenant access to allow and what to keep isolated during any integration period.
  • Conditional Access framework design across 25 tenants - Built and maintained Conditional Access policy sets aligned to Zero Trust principles for MSP clients, including risk-based authentication, device compliance enforcement, and location-based controls. Adapted the framework to each organization's risk profile and compliance requirements.
  • Device compliance integration with Intune - Configured Intune device compliance policies as Conditional Access signals, ensuring that access to M365 resources requires both verified identity and a compliant, managed device.
  • M&A integration planning at Latham Pool Products - Contributed to planning for three potential acquisitions, one of which was completed. Work included thinking through identity boundary decisions and what access to allow during any integration period.
  • Phased Zero Trust rollout planning - Developed staged implementation plans for organizations that could not absorb full Zero Trust controls immediately, sequencing changes to minimize operational disruption while moving security posture measurably forward at each phase.
  • Security baseline alignment - Implemented Microsoft security baselines and Zero Trust frameworks aligned with Microsoft's documented best practices and NIST 800-207 principles across multiple client environments.