Jussi Metso

It’s all about The Cloud and The Security
March 27, 2026

Understanding Microsoft Zero Trust Assessment Tool

What is Zero Trust Assessment

Microsoft Zero Trust Assessment is a free tool that you run against your own tenant to review the security configuration of Entra ID, Intune, Purview and your Azure subscriptions.

The assessment has two parts: the technical scan and the workshop.

The technical scan of the customer environment identifies gaps and areas for improvement.

The workshop helps the customer identify the projects and initiatives they need to implement to advance their adoption of the capabilities and transform their environment.

NOTE: The assessment is read-only. All results are saved on the desktop of the client where it is invoked. Remember to delete the results afterwards, because they may contain sensitive information.

Pre-requisites

Install PowerShell 7.x and the module

First make sure that your computer has the latest PowerShell 7 installed. You can get it here.

After PowerShell 7 has been installed, open a PowerShell 7 session and run:

    Install-Module ZeroTrustAssessment -Scope CurrentUser

MS Graph consent

Run the following command to grant the Graph consent, and sign in as a Global Administrator:

    Connect-ZtAssessment

It is very easy to use, but the first run needs Global Administrator rights in order to consent to the following Microsoft Graph PowerShell permissions:

  • AuditLog.Read.All
  • CrossTenantInformation.ReadBasic.All
  • DeviceManagementApps.Read.All
  • DeviceManagementConfiguration.Read.All
  • DeviceManagementManagedDevices.Read.All
  • DeviceManagementRBAC.Read.All
  • DeviceManagementServiceConfig.Read.All
  • Directory.Read.All
  • DirectoryRecommendations.Read.All
  • EntitlementManagement.Read.All
  • IdentityRiskEvent.Read.All
  • IdentityRiskyUser.Read.All
  • IdentityRiskyServicePrincipal.Read.All
  • NetworkAccess.Read.All
  • Policy.Read.All
  • Policy.Read.ConditionalAccess
  • Policy.Read.PermissionGrant
  • PrivilegedAccess.Read.AzureAD
  • Reports.Read.All
  • RoleManagement.Read.All
  • UserAuthenticationMethod.Read.All

After that, the Global Reader role is enough to run the assessment, so the GA Graph consent is needed only once.

Azure sign-in

The Azure sign-in also needs the Global Administrator role. This is required for the export of audit and sign-in logs.

Use the -TenantId parameter if you have signed in to different tenants lately. With -TenantId you can be sure that the assessment runs against the right tenant.

Where Connect-ZtAssessment connects

When you run the “Connect-ZtAssessment” command you are connected to the following services:

Running the assessment

To run the assessment, use this command:

    Invoke-ZtAssessment
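The whole procedure above (install the module, connect with -TenantId, run, clean up the output) as one script. This is an added example, not code from the original post or from the ZeroTrustAssessment module. It assumes that Connect-ZtAssessment signs in through the Microsoft Graph PowerShell SDK, so that Get-MgContext from Microsoft.Graph.Authentication reports the resulting session, and it uses a placeholder tenant ID. The consent check compares the session's granted scopes against the permission list under MS Graph consent, so that a Global Reader notices before the run if the one-time Global Administrator consent has not been done.

```powershell
# Added example (not from the blog post or the ZeroTrustAssessment module):
# pin the tenant, verify the one-time GA Graph consent is in place, run the
# read-only assessment, then locate the report left on the desktop so it can
# be deleted after review.
#
# Assumptions: Connect-ZtAssessment uses the Microsoft Graph PowerShell SDK,
# so Get-MgContext (Microsoft.Graph.Authentication) shows the session; the
# tenant ID below is a placeholder.

$TenantId = '00000000-0000-0000-0000-000000000000'   # replace with your tenant ID

# Delegated Graph permissions listed in the post as required by the assessment.
$RequiredScopes = @(
    'AuditLog.Read.All', 'CrossTenantInformation.ReadBasic.All',
    'DeviceManagementApps.Read.All', 'DeviceManagementConfiguration.Read.All',
    'DeviceManagementManagedDevices.Read.All', 'DeviceManagementRBAC.Read.All',
    'DeviceManagementServiceConfig.Read.All', 'Directory.Read.All',
    'DirectoryRecommendations.Read.All', 'EntitlementManagement.Read.All',
    'IdentityRiskEvent.Read.All', 'IdentityRiskyUser.Read.All',
    'IdentityRiskyServicePrincipal.Read.All', 'NetworkAccess.Read.All',
    'Policy.Read.All', 'Policy.Read.ConditionalAccess', 'Policy.Read.PermissionGrant',
    'PrivilegedAccess.Read.AzureAD', 'Reports.Read.All', 'RoleManagement.Read.All',
    'UserAuthenticationMethod.Read.All'
)

# 1. Install the module once per user, then load it.
if (-not (Get-Module -ListAvailable -Name ZeroTrustAssessment)) {
    Install-Module ZeroTrustAssessment -Scope CurrentUser
}
Import-Module ZeroTrustAssessment

# 2. Sign in to the intended tenant only. -TenantId avoids silently landing
#    in whichever tenant was cached from the last sign-in.
Connect-ZtAssessment -TenantId $TenantId

# 3. Verify the Graph session before running anything.
$ctx = Get-MgContext
if (-not $ctx -or $ctx.TenantId -ne $TenantId) {
    throw "Graph session is for tenant '$($ctx.TenantId)', expected '$TenantId'."
}
$missing = $RequiredScopes | Where-Object { $ctx.Scopes -notcontains $_ }
if ($missing) {
    throw "Consent is incomplete. A Global Administrator must run Connect-ZtAssessment once to grant: $($missing -join ', ')"
}

# 4. Run the read-only assessment.
$started = Get-Date
Invoke-ZtAssessment

# 5. The report is written to the desktop of the machine that ran the
#    assessment. List what was created there since the run started, and
#    remove it once the report has been reviewed: it may contain sensitive
#    tenant data.
$desktop = [Environment]::GetFolderPath('Desktop')
$output  = Get-ChildItem -Path $desktop -Force |
    Where-Object { $_.CreationTime -ge $started }
$output | Format-Table Name, CreationTime

# Uncomment when you are done with the report:
# $output | Remove-Item -Recurse -Force -Confirm
```

Run it in a PowerShell 7 session. If the consent check throws, the session was signed in as a Global Reader before a Global Administrator had consented once; the thrown message lists the scopes that are still missing so you know what the GA run has to grant.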

The assessment consists of 195 different tests. Here is a sample of them:

The assessment report

After the assessment has run, your browser automatically opens the report page, where you can start investigating the results, for example by clicking the menu links Identity, Devices, Network and Data.

Each link opens its test categories, for example Identity:

If you want to drill into the tests, choose one from the Name column to see its results:

The Workshop

The workshops are kind of mini-projects where each category and its findings are gone through and explained to the customer: what they mean and why they need to be fixed. The best result is that someone actually fixes them.

Microsoft Learn says: “The Zero Trust Workshop helps customers to develop an actionable and orderly strategy for implementing a secure Zero Trust posture.

Workshops are available for the following pillars:

  • Identity
  • Devices
  • Data
  • Network
  • Infrastructure
  • Security Operations
  • Artificial Intelligence (New)”

Read the whole workshop content here. I think if you don’t understand the reports YOU SHOULD give the job to someone who knows what they are doing.

Summary

This is a good assessment to go through in your environment if the normal security scores do not tell you anything.

The Zero Trust Assessment includes tests for hundreds of security configuration items aligned with the Secure Future Initiative (SFI) and Zero Trust pillars and guides you through remediation steps to help operationalize Zero Trust principles.

These tests are drawn from trusted sources in cybersecurity, including:

  • Industry standards like those developed by NIST, CISA, and CIS
  • Microsoft’s internal security baselines that protect Microsoft’s own infrastructure
  • Real-world customer insights from thousands of security implementations

Try it.

Author is a lifelong IT enthusiast, Microsoft Security MVP and interested in Cloud Security, XDR, SIEM and AI. Motto: Learning is the key for your future.

©2022-2026 Jussi Metso. All rights reserved.