Home / Use Cases / Zero Trust

How do we pragmatically introduce a Zero-Trust baseline in the Mittelstand?

Zero Trust is not a product. We build the baseline in five realistic steps in your Microsoft 365 tenant — without overwhelming your workforce.

MFA is in place — that was the first big step. Still, you have the nagging feeling that the security of your Microsoft 365 tenant remains on thin ice: nobody knows exactly who has access to what, Conditional Access is a mystery, and whether the field-sales notebooks are compliant is anyone’s guess. Zero Trust is not a product you buy. We build the baseline with you in five realistic steps — without your employees going on strike.

Does this sound familiar?

Why now — and not later

Zero Trust is not a buzzword but a pragmatic answer to a changed world: people work from anywhere, devices are managed to varying degrees, and identities are the real gateway into the company. Anchoring security solely to network boundaries (“the firewall at the office”) means playing a game that stopped working ten years ago. Today, most attacks come through compromised identities, not breached firewalls.

The uncomfortable news: introducing a complete Zero Trust architecture in a mid-market company is not a three-week project. The good news: the baseline — the most important 70 to 80 percent of the effect — is achievable, and it’s achievable without a big-bang migration.

Typical triggers that put this on the agenda now:

What this would look like at your company

We deliberately don’t tackle this as a big bang, but along three fields of action — identity, devices, governance — implemented in five steps. Each step gets a test phase with a small group, then the rollout. Switch everything on at once and you lock out half the workforce on Monday morning — and trust is gone for months.

Step 1 — Identity inventory and closing the MFA gaps

Before we build Conditional Access, we take an honest inventory: which accounts exist in the tenant, which are active, which are privileged, where is MFA actually missing? We also look into the uncomfortable corners: former employees whose accounts are “accidentally” still active; service accounts with ancient passwords; management accounts that were kept out of the MFA requirement as a “special exception”.

Deliverable: an identity overview in which every account has a status (active/inactive, MFA status, privileged role yes/no, last sign-in). Plus a prioritized remediation plan. In our experience, tenants that have grown over the years regularly contain accounts nobody needs anymore — or accounts that should have been protected long ago.

Stack hints: Entra ID Sign-in Logs, Audit Logs, Microsoft Graph for the identity inventory, Entra ID PIM for privileged roles.

Step 2 — Build Conditional Access pragmatically

This is where the biggest lever sits — and the biggest risk. We build a Conditional Access baseline that answers the following core questions:

We implement this step by step: first report-only mode, so we can see what a policy would block without actually blocking anything. Then a trial run with IT and volunteer users. Only then the broad rollout. Deliverable: a documented set of 5 to 10 policies your tenant can carry — with clearly named exceptions for special cases (e.g. a CAD workstation without an MFA-capable device, if there is genuinely no other way).

Stack hints: Conditional Access (incl. report-only mode), Authentication Strengths, Continuous Access Evaluation, break-glass account pattern.

Step 3 — Device baseline with Intune

Identity alone isn’t enough. If a notebook is compromised, the best MFA won’t help. That’s why we build a device baseline: company notebooks are enrolled in Intune, receive a compliance policy (BitLocker on, Defender active, OS current), and Conditional Access is extended so that critical applications are only reachable from devices marked as compliant.

For BYOD (an employee’s personal smartphone that is also used for the mailbox), we deliberately forgo full management. Instead: App Protection — company data in the Outlook app is protected against copy/paste into private apps, without Nexaro or IT gaining any access to private photos. That’s acceptable to employees and still protects the data path that matters.

Deliverable: all company notebooks in Intune, compliance policy active, BYOD smartphones with App Protection. Plus an onboarding path for new devices (Autopilot), so this doesn’t fall apart again.

Stack hints: Microsoft Intune, Compliance Policies, App Protection Policies, Autopilot, Defender for Endpoint onboarding.

Step 4 — Guest governance and privileged access

External people who have had access for years are a frequently overlooked risk. We set up a review rhythm with you: every guest account is confirmed once a quarter by the person who invited them — anyone not confirmed is automatically deactivated. Plus access reviews for internal privileged roles: who is Global Administrator, who is SharePoint Administrator, and is that still justified?

Deliverable: a quarterly access-review rhythm, set up in the tenant, with clear responsibilities. Plus Privileged Identity Management configured for the top roles — so that Global Admin rights, for example, are not permanently assigned but activated on demand for a few hours.

Stack hints: Entra ID Access Reviews, Entra ID PIM, Entitlement Management for guest onboarding.

Step 5 — Employee communication and buy-in

This is the step where most Zero Trust projects fail — not the technology. We help you communicate internally what changes for users, why, and when. A short all-staff email is not enough. We propose a small package: a one-pager for management (why are we doing this at all), a one-pager for users (what changes concretely, what do I need to do), a Q&A list for the most common questions, and a clearly named contact person for the rollout phase.

Deliverable: communication material in your language, approved by management, rolled out one week before each policy goes live.

What to watch out for

What realistically changes afterwards

What you contribute

Risks and when it’s not a fit

How the conversation starts

Book an initial conversation

Frequently asked questions

Do we need Microsoft E5 to introduce Zero Trust? No. Business Premium or E3 is enough for a solid baseline — MFA, Conditional Access, Intune and Defender for Endpoint are included there. E5 adds features like risk-based authentication and Defender for Identity, which make sense in larger environments. In the Mittelstand, Business Premium is sufficient for most scenarios.

How long does introducing the baseline take? Realistically 3 to 6 months from identity inventory to a stable Conditional Access configuration with device compliance, depending on the size and starting state of your tenant. That’s not a three-week project — and it shouldn’t be, if the workforce is supposed to still be able to work at the end.

Will our employees accept it? If the communication is done well and management visibly leads the way: yes. In day-to-day work, Conditional Access is barely noticeable for most users — they sign in once in the morning with MFA, and that’s it. It only becomes noticeable in the special cases (access from an unknown device, travel outside DACH), and that’s exactly where it should be noticeable.

What if we need emergency access and MFA isn’t working? That’s what the break-glass account is for — a deliberately exempted emergency account with a very long password that sits in a safe. Nobody uses it in daily work, but it exists for the day when the MFA provider, the internet or Conditional Access itself causes problems. Setting up the break-glass account is mandatory, not a nice-to-have.