If you’ve been working on “doing Zero Trust” for a while, you’ve probably hit the same wall I see everywhere: lots of guidance and checklists, but very little that tells you how your tenant is actually configured today.
That’s precisely where Microsoft’s Zero Trust Assessment comes in.
Below, I’ll break it down in two parts, in a practical, admin-friendly way:
- What the Zero Trust Assessment is.
- Why would you run it?
What is the Microsoft Zero Trust Assessment?
At a simple level, the Zero Trust Assessment is a PowerShell-based, automated posture scan for your Microsoft cloud environment. It checks hundreds of configuration items across Microsoft Entra and Intune and compares them to Microsoft’s recommended security baselines, aligned with:
- The Zero Trust pillars (identities, devices, data, apps, infrastructure, networks, visibility/automation)
- Microsoft’s Secure Future Initiative (SFI), which is their internal push to raise the security bar across products and operations
The key points:
- It runs as a PowerShell 7 module called
ZeroTrustAssessment. - It connects to your tenant using Microsoft Graph and (optionally) Azure.
- It is read-only: no changes are made to your tenant configuration.
- It generates a local HTML report that summarizes your Zero Trust posture, including detailed tests, risk levels, and remediation guidance.
Think of it as a repeatable health check that sits between the “marketing deck” version of Zero Trust and the “click every blade in the portal” reality.
Instead of manually walking through every Intune setting, Conditional Access policy, or identity protection control, the assessment automates that review and presents the findings in a structured report, mapped back to Zero Trust concepts.
Why would you run a Zero Trust Assessment?
You don’t run this just to tick a box. You run it to get clarity. Here’s how I’d frame the “why” when talking to stakeholders.
1. Establish a real baseline for your Zero Trust journey
Most organizations say they’re “on the Zero Trust journey,” but when you ask, “What’s our current maturity?” the answers are vague.
Microsoft provides several assessment and progress tracking resources for Zero Trust, including posture assessments, workshops, and progress trackers that help you understand where you are and how you’re improving over time.
The Zero Trust Assessment gives you that missing piece:
A defensible, evidence-based baseline of your current configuration.
That baseline is what you’ll use to:
- Prioritize which gaps to close first
- Show progress to leadership over time
- Align technical work with Zero Trust adoption frameworks and business scenarios
2. Reduce manual, error-prone config reviews
Microsoft publishes extensive guidance on configuring Entra ID and Intune securely, but manually validating every recommendation against your tenant isn’t realistic at scale. The overview explicitly states that manual checks are time-consuming and error-prone, and that the assessment automates that process.
Instead of:
- Clicking through the Conditional Access policy after the policy
- Exporting device compliance reports
- Manually checking MFA, passwordless, sign-in risk, etc.
The assessment does that heavy lifting and maps findings back to Zero Trust and SFI pillars.
3. Turn Zero Trust from vague strategy into concrete work
Zero Trust guidance is great for strategy decks, but engineers need something far more concrete:
- Which settings are wrong or missing
- Why they matter in a Zero Trust model
- Exactly what to change
The Zero Trust Assessment report includes:
- A high-level Overview
- Detailed Identity and Devices tabs listing each test, risk level, and status
- Per-test details with descriptions and recommended remediation actions
That is the bridge between architecture and operations: you can hand specific findings to specific teams and say, “Fix these 15 items in this sprint.”
4. Support audits, compliance, and executive reporting
Many organizations are using Zero Trust not just as a technical model, but also to meet regulatory and compliance expectations (e.g., data protection regulations, government guidance, or internal policies).
Running this assessment helps you:
- Show evidence of due diligence and continuous improvement.
- Provide before/after posture snapshots for audits.
- Give leadership a clear, visual story instead of a pile of portal screenshots.
In other words, it’s not just for the SOC or identity team—it’s a tool you can use across security, IT, and governance.
Wrapping up
The main goal of this first part is simple: take Zero Trust out of the abstract and connect it to something concrete you can actually run in your tenant. The Zero Trust Assessment isn’t a slide, a maturity model, or another “future state” diagram; it’s a practical way to see how your current identity and device configuration stacks up against Microsoft’s baseline modern security.
Once you understand what the assessment is and why it matters, every technical step you take afterward carries more weight. You’re not just installing a PowerShell module for the sake of it; you’re putting in place a repeatable way to baseline your posture, have better conversations with leadership, and prioritize the work that actually reduces risk.
Think of this as laying the foundation. You’ve got the context, you know why this matters, and you know what you’re aiming to measure. In part two, we’ll walk through installing and running the Zero Trust Assessment so you can put all of this into practice in your own environment.