Back in early 2021, I wrote a post asking whether Zero Trust was a buzz word or a strategy. At the time, most organisations I spoke to understood the principles — verify explicitly, use least privilege, assume breach — but actually putting them into practice across a messy, real-world environment? That felt miles away.

Five years on, it seems like a good time to take stock. Where have we actually landed? What’s moved forward? And where are we still falling short?

What’s Changed: The Good Stuff

Identity Really Is the Control Plane

I talked about the shift from network-based trust to identity-based trust back in 2021. In 2026, that shift has largely happened — at least for most of the organisations I work with. Entra ID (or Azure AD, as we all called it back then) sits at the centre of access decisions now, and Conditional Access policies are how trust gets evaluated.

This isn’t aspirational any more. It’s just how things work. When a user authenticates, we’re checking their identity, device compliance, sign-in risk, location, and the sensitivity of what they’re after — all in real time. That’s “verify explicitly” actually happening in production.

The tooling’s matured a lot too. Conditional Access has gone from a fairly basic policy engine to something that handles authentication contexts, token protection, GPS-based named locations, and external signal integration. It’s proper infrastructure now. Not a nice-to-have.
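As an added example (not code from the original post), here is one "verify explicitly" policy of the kind described above, expressed through the Microsoft Graph PowerShell SDK: it ties the sign-in risk signal to a grant that needs both MFA and an Intune-compliant device. The policy display name and the break-glass account object ID are assumptions.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph module is
# installed and the signed-in admin has consent for the Conditional Access scopes.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    displayName = 'ZT - Risky sign-in requires MFA and compliant device'  # assumed name
    # Start in report-only so the sign-in logs show the impact before anyone is blocked.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            # Placeholder: object ID of the emergency-access (break-glass) account.
            excludeUsers = @('<break-glass-account-object-id>')
        }
        applications = @{
            includeApplications = @('All')
        }
        # Sign-in risk as evaluated by Entra ID Protection at authentication time.
        signInRiskLevels = @('medium', 'high')
        clientAppTypes   = @('all')
    }
    grantControls = @{
        # AND: the user must pass MFA *and* be on a device Intune reports as compliant.
        operator        = 'AND'
        builtInControls = @('mfa', 'compliantDevice')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Once the report-only results in the sign-in logs look right, flip `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`.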

Conditional Access Is Table Stakes

This is probably the single biggest shift I’ve noticed. Five years ago, Conditional Access was something the more forward-thinking organisations implemented. Now? If you’re running Microsoft 365 without Conditional Access policies, you’re doing it wrong. There’s no real debate about that any more.

The conversation has moved from “Should we implement Conditional Access?” to “How do we optimise what we’ve got?” and “How do we extend coverage to more of the estate?” That’s proper progress.

Device Trust Has Caught Up

Device trust was a weak spot in the early days of Zero Trust. You could verify identity all day long, but if you couldn’t verify the device, you had a big gap. Microsoft Intune and the broader endpoint management ecosystem have closed that gap substantially.

Compliance policies feeding into Conditional Access, app protection policies for BYOD, endpoint detection and response data from Defender — they all contribute to a much richer picture of device health. The question “is this device trusted?” actually has a meaningful answer now, which is a far cry from where we were.

Network Trust Is Declining

Traditional VPNs are being replaced by Zero Trust Network Access solutions. Microsoft’s own Entra Private Access is a good example — it gives you application-level access based on identity and device compliance, rather than just dumping users onto a network segment and hoping for the best. I’ve written about the Entra SSE story in more detail previously.

The organisations I work with are steadily moving away from full-tunnel VPN towards application-specific access. The network perimeter isn’t dead exactly, but it’s no longer the primary trust boundary for most workloads.

What Still Needs Work

I’ll be honest, though. It’s not all sunshine. There are areas where adoption is lagging and where the tooling hasn’t caught up with the ambition.

OT and IoT

This is the big one. Operational technology and IoT devices are still a massive blind spot for most Zero Trust implementations. These devices often can’t run modern authentication protocols, can’t have agents installed, and can’t participate in Conditional Access policies. They just sit there, doing their thing, outside the trust model entirely.

Microsoft Defender for IoT has made progress on visibility into OT networks, but visibility isn’t the same as control. We can see these devices, we can spot anomalies, but actually applying proper Zero Trust controls — verify explicitly, least privilege, assume breach — to a fleet of industrial sensors or building management systems? Still really hard.

Until someone cracks this properly, most organisations are running a two-tier security model: Zero Trust for IT, network-based controls for OT. Not ideal, but that’s the practical reality right now.

Legacy Applications

Despite years of cloud migration, legacy applications stubbornly persist. I’ve lost count of how many times I’ve seen this pattern — that line-of-business app from 2012 that only speaks NTLM. The on-premises ERP system that needs direct database connectivity. These applications can’t participate in modern identity flows without serious rearchitecting or intermediary solutions like application proxies.

Entra Application Proxy and similar tools help bridge the gap, but they’re workarounds rather than proper solutions. The application itself still has no concept of Zero Trust. For organisations with large legacy estates, this remains a real blocker.

Third-Party Integration

Zero Trust works beautifully when everything lives in the Microsoft ecosystem. But real environments have Salesforce, ServiceNow, Workday, AWS, and dozens of other SaaS and IaaS platforms. SAML and OIDC federation handle authentication reasonably well, but extending device compliance signals, risk-based access, and session controls to third-party apps? Inconsistent at best.

Microsoft Defender for Cloud Apps (formerly MCAS) provides session controls for some SaaS applications, but coverage isn’t universal. The experience varies quite a bit depending on the app.

Data-Centric Zero Trust

We’ve done well with identity and device trust. Where we’re still early — and I mean really early — is applying Zero Trust principles consistently to data. Sensitivity labels and DLP policies are a start, but truly granular, context-aware data access controls where access gets continuously evaluated based on real-time signals? That’s still more vision than reality for most organisations I talk to.

Microsoft Purview is heading in this direction, particularly with adaptive protection linking insider risk signals to DLP controls. But we’re not there yet. Not for the majority.

An Honest Assessment

The way I see it, Zero Trust has gone from being a strategy deck to a partially implemented reality. The core of it — identity-centric access control with continuous evaluation — is in production across most mature Microsoft shops. That’s a real achievement and shouldn’t be undersold.

But the edges are still rough. OT, IoT, legacy apps, third-party integration — these represent real gaps that can’t be papered over with marketing. And the data layer needs substantial work before anyone can honestly claim a full Zero Trust posture.

The good news? The direction of travel is right. The tooling keeps improving, the integration points are expanding, and the industry consensus is clear. Zero Trust isn’t a buzz word any more. It’s how things get done. We just need to stay honest about how far along we actually are.

For organisations still early in their Zero Trust journey, Microsoft’s Zero Trust guidance is still the best starting point. It’s been updated a lot since 2021 and now includes practical deployment guides rather than just high-level principles.

If you want to revisit where this conversation started, have a read of my original Zero Trust post from 2021. It’s quite something to see how much has shifted since then.

As always, happy to discuss. If you’ve got a different take on where Zero Trust stands in 2026, I’d love to hear it.
