Page 1 of 3

ZERO TRUST READINESS ASSESSMENT

For 100–1,000 User Tenants

Instructions for respondent: Answer honestly based on your current Microsoft 365 environment not planned improvements.

1. How is MFA enforced for privileged roles (admins)?

1. How is MFA enforced for privileged roles (admins)?
A
B
C
D

2. Is legacy authentication blocked in your tenant?

2. Is legacy authentication blocked in your tenant?
A
B
C
D

3. How are break‑glass (emergency access) accounts handled?

3. How are break‑glass (emergency access) accounts handled?
A
B
C
D

4. How are privileged roles assigned?

4. How are privileged roles assigned?
A
B
C
D

5. How are Conditional Access (CA) policies designed?

5. How are Conditional Access (CA) policies designed?
A
B
C
D

6. How are new CA policies introduced?

6. How are new CA policies introduced?
A
B
C
D

7. Are administrator and user access policies separated?

7. Are administrator and user access policies separated?
A
B
C
D

8. How often are CA policies reviewed?

8. How often are CA policies reviewed?
A
B
C
D

9. How are devices used to control access to M365?

9. How are devices used to control access to M365?
A
B
C
D

10. How mature is your Intune deployment?

10. How mature is your Intune deployment?
A
B
C
D

11. How do you handle unmanaged or BYOD devices?

11. How do you handle unmanaged or BYOD devices?
A
B
C
D

12. Are access policies validated across platforms?

12. Are access policies validated across platforms?
A
B
C
D

13. Are sensitivity labels implemented?

13. Are sensitivity labels implemented?
A
B
C
D

14. How is external sharing controlled?

14. How is external sharing controlled?
A
B
C
D

15. How is DLP used today?

15. How is DLP used today?
A
B
C
D

16. Are audit logs retained long enough for incident response?

16. Are audit logs retained long enough for incident response?
A
B
C
D

17. How quickly could you investigate a compromised user?

17. How quickly could you investigate a compromised user?
A
B
C
D

18. Are Zero Trust controls documented and owned?

18. Are Zero Trust controls documented and owned?
A
B
C
D

19. How aligned is security enforcement with business reality?

19. How aligned is security enforcement with business reality?
A
B
C
D

20. Overall confidence in your Zero Trust posture?

20. Overall confidence in your Zero Trust posture?
A
B
C
D