In a Microsoft environment, almost every meaningful security decision turns out to be an identity decision. Who can reach this data. Who can change this configuration. Under what conditions. From which device. The network used to answer most of these questions. It does not anymore.
Once work moved to Microsoft 365 and Azure, the perimeter stopped being a place. It became a person and a context. That is why I treat identity as the control plane, not as one security domain among many.
Why the network stopped being the boundary
A traditional model assumed that being inside the network meant being trusted. That assumption quietly broke. People work from anywhere, on managed and unmanaged devices, reaching services that live outside any network you control. The thing that consistently sits between a user and your data is no longer a firewall. It is an identity and the conditions attached to it.
So the real question is not whether traffic is inside or outside. It is whether this identity, in this context, should be allowed to do this thing right now.
What treating identity as the control plane looks like
When identity is the control plane, several things follow naturally:
- Access decisions become explicit and policy-driven through Conditional Access, rather than implicit and inherited
- Standing privilege gives way to just-in-time elevation, so admin rights exist only when they are being used
- Every access becomes auditable, because it flows through a decision point you designed
- Risk signals from devices and sign-ins feed directly into whether access is granted
This is the foundation Zero Trust is built on. Not a product, but a posture where identity carries the weight that the network used to.
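As an added illustration (not the post's own code, and not how Microsoft's engine is implemented), here is a toy decision point in Python that ties the four points above together: Conditional Access-style policies where every matching policy must be satisfied, just-in-time elevation that expires, an audit record for every decision, and sign-in risk as an input. The apps, policies and risk values are constructed, and time is a plain integer so it runs stand-alone.

```python
# Constructed toy model, not Microsoft's engine: one decision point that
# evaluates Conditional Access-style policies (every matching policy must be
# satisfied), enforces just-in-time elevation with expiry, and audits each call.
# Time is a plain integer (minutes) to keep the example self-contained.
from dataclasses import dataclass, field

@dataclass
class Policy:
    apps: set          # targeted apps; "*" means all
    risk_levels: set   # sign-in risk levels the policy applies to
    require: set       # grant controls, e.g. {"mfa", "compliantDevice"}
    block: bool = False

@dataclass
class SignIn:
    user: str
    app: str
    risk: str          # "low" | "medium" | "high", from sign-in risk detection
    satisfied: set     # controls already met in this session
    admin_action: bool = False

@dataclass
class ControlPlane:
    policies: list
    activations: dict = field(default_factory=dict)  # user -> elevation expiry
    audit: list = field(default_factory=list)
    def activate_admin(self, user, now, minutes=60):
        # Just-in-time elevation: admin rights exist only until expiry
        self.activations[user] = now + minutes
    def decide(self, s, now):
        result = self._evaluate(s, now)
        self.audit.append((now, s.user, s.app, result))  # every decision is recorded
        return result
    def _evaluate(self, s, now):
        if s.admin_action:  # no standing privilege: need an unexpired activation
            expiry = self.activations.get(s.user)
            if expiry is None or expiry <= now:
                return "block:no_active_elevation"
        applicable = [p for p in self.policies
                      if ("*" in p.apps or s.app in p.apps) and s.risk in p.risk_levels]
        if any(p.block for p in applicable):  # a block from any policy wins
            return "block:policy"
        missing = set().union(*(p.require for p in applicable)) - s.satisfied
        return "allow" if not missing else "require:" + ",".join(sorted(missing))

POLICIES = [  # constructed sample policies
    Policy({"*"}, {"low", "medium", "high"}, {"mfa"}),             # MFA for everyone
    Policy({"finance"}, {"low", "medium"}, {"compliantDevice"}),   # finance app: managed device
    Policy({"*"}, {"high"}, set(), block=True),                    # high sign-in risk: block
]
```

Because every request passes through `decide`, the audit list is the complete record of who was allowed to do what, and an admin action with no live activation is refused even when the user holds the role.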
Where to start
I almost always start an uplift here, because identity creates leverage for everything else. Fix standing access and tighten Conditional Access first, and suddenly endpoint, data, and application controls have something coherent to attach to. Try to secure those layers while identity is still loose, and you are building on sand.
If you want one place to begin improving a Microsoft environment, begin with the question identity answers a thousand times a day: should this person, in this moment, be allowed to do this? Get that decision right and most of your security story gets simpler.