Zero Trust in 2025: Microsoft Entra ID Updates and Conditional Access Innovations

Zero Trust in 2025: What Has Changed and Why It Matters

The first half of 2025 has brought significant changes to identity security in Microsoft's cloud ecosystem. With several major policy changes rolling out across Microsoft Entra ID (formerly Azure Active Directory), organizations that have delayed their Zero Trust journey are running out of time. These are the key developments and what they mean for your security posture.

H1 2025 Entra ID Highlights

Microsoft has been steadily tightening the identity security baseline for all tenants. Three milestones stand out.

Mandatory MFA for Admin Center (February 2025): Microsoft began enforcing multi-factor authentication for all users accessing the Microsoft Entra admin center. This was not a recommendation but a requirement, closing one of the most common attack vectors against privileged accounts. Organizations that had not yet rolled out MFA to their administrators found themselves forced to act.

Managed Conditional Access Policies (March 2025): Microsoft introduced Microsoft-managed conditional access policies that are automatically created in new and existing tenants. These policies provide a security baseline out of the box, covering scenarios such as requiring MFA for admin portals, blocking legacy authentication, and requiring compliant devices for sensitive applications. Administrators can customize or disable them, but the default-secure approach represents a significant shift in philosophy. For more details, see What's new in Microsoft Entra - March 2025.

Risk Policy Migration Deadline (July 31, 2025): Microsoft has set a firm deadline for migrating legacy Identity Protection risk policies to modern conditional access risk-based policies. After July 31, the legacy risk policies will no longer be supported, pushing organizations to adopt the more flexible and powerful conditional access framework. This migration is not optional for organizations that rely on risk-based access controls.

Continuous Access Evaluation Becomes Default

Continuous Access Evaluation (CAE) is now the default behavior for supported Microsoft 365 workloads. Unlike traditional token-based authentication, where access tokens are valid until they expire (often one hour), CAE allows near-real-time policy enforcement. If a user's session is revoked, their location changes, or a risk event is detected, access can be terminated within minutes rather than waiting for token expiry.

This is a meaningful improvement for organizations dealing with compromised accounts or insider threats. Security teams should verify that their applications support CAE and that their conditional access policies are configured to take advantage of it.

The Push for Phishing-Resistant Authentication

Microsoft's 2025 roadmap places heavy emphasis on phishing-resistant authentication methods. Passkeys and FIDO2 security keys are now positioned as the preferred alternative to traditional passwords and even standard MFA. The rationale is straightforward: SMS-based MFA and authenticator app codes can be intercepted through sophisticated phishing attacks, while hardware-bound credentials cannot.

Organizations should begin piloting passkey registration for their workforce. Microsoft Entra ID now supports passkey registration flows directly in the authentication methods policy, making it easier to roll out at scale. For more on recent authentication improvements, see What's new in Microsoft Entra - June 2025.

New Conditional Access Templates

Beyond the Microsoft-managed policies, Microsoft has expanded the library of conditional access policy templates. These templates cover common scenarios such as requiring phishing-resistant MFA for administrators, blocking access from high-risk locations, and enforcing device compliance for specific application groups.

The templates reduce the barrier to entry for organizations that lack dedicated identity security teams. Rather than building policies from scratch, administrators can deploy a curated set of policies and adjust them to their environment. The full reference is available in the conditional access documentation.

A Practical Zero Trust Roadmap for Mid-Size Organizations

For mid-size organizations that are still early in their Zero Trust journey, the 2025 updates provide a clear path forward.

Phase 1 - Identity Foundation (Weeks 1-4): Enable MFA for all users, not just administrators. Review and accept or customize Microsoft-managed conditional access policies. Migrate any legacy risk policies before the July 31 deadline.

Phase 2 - Device Trust (Weeks 5-8): Enroll devices in Microsoft Intune and create conditional access policies that require device compliance. Start with corporate-owned devices and expand to BYOD with app protection policies.

Phase 3 - Application Security (Weeks 9-12): Inventory all applications registered in Entra ID. Apply conditional access policies to sensitive applications. Enable CAE for supported workloads.

Phase 4 - Advanced Controls (Ongoing): Pilot passkeys and FIDO2 keys for privileged users. Implement token protection policies. Review sign-in and audit logs regularly to identify gaps.
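To make the Phase 1 checklist verifiable rather than a matter of clicking through the portal, here is an added Python check (written for this page, not code from the original post or from Microsoft) that reads a Conditional Access policy export in the shape returned by the Microsoft Graph `GET /identity/conditionalAccess/policies` endpoint and reports whether an enforced tenant-wide MFA policy, a legacy-authentication block and risk-based policies are in place, and which policies are still report-only (a report-only policy, including a Microsoft-managed one that has not been accepted yet, enforces nothing). The three embedded policies are constructed sample data; the field names follow the Graph schema.

```python
import json

# Constructed sample in the shape of a Graph GET /identity/conditionalAccess/policies
# response ("value" array), trimmed to the fields this check reads.
SAMPLE_EXPORT = json.loads("""{"value": [
 {"displayName": "Require MFA for all users", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
   "clientAppTypes": ["all"], "signInRiskLevels": [], "userRiskLevels": []},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Block legacy authentication", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
   "clientAppTypes": ["exchangeActiveSync", "other"], "signInRiskLevels": [], "userRiskLevels": []},
  "grantControls": {"builtInControls": ["block"]}},
 {"displayName": "Sign-in risk: require MFA", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
   "clientAppTypes": ["all"], "signInRiskLevels": ["high", "medium"], "userRiskLevels": []},
  "grantControls": {"builtInControls": ["mfa"]}}
]}""")

# Client app types that cannot perform MFA; Entra expects these to be blocked outright.
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}


def _tenant_wide(p):
    c = p["conditions"]
    return "All" in c["users"].get("includeUsers", []) and "All" in c["applications"].get("includeApplications", [])


def _controls(p):
    return set((p.get("grantControls") or {}).get("builtInControls", []))


def audit(export):
    """Return the Phase 1 checks as {name: bool} plus the names of report-only policies."""
    enforced = [p for p in export["value"] if p["state"] == "enabled"]
    # Unconditional policies only: a risk-scoped MFA policy does not cover every sign-in.
    unconditional = [p for p in enforced
                     if not p["conditions"]["signInRiskLevels"] and not p["conditions"]["userRiskLevels"]]
    return {
        "mfa_all_users": any(_tenant_wide(p) and "mfa" in _controls(p) for p in unconditional),
        "legacy_auth_blocked": any(LEGACY_CLIENTS <= set(p["conditions"]["clientAppTypes"])
                                   and "block" in _controls(p) for p in enforced),
        # Risk-based CA policies are what replaces the legacy Identity Protection risk policies.
        "sign_in_risk_policy": any(p["conditions"]["signInRiskLevels"] for p in enforced),
        "user_risk_policy": any(p["conditions"]["userRiskLevels"] for p in enforced),
        "report_only": [p["displayName"] for p in export["value"]
                        if p["state"] == "enabledForReportingButNotEnforced"],
    }
```

On the sample data the MFA-for-all-users check fails only because that policy is still report-only, which is exactly the gap an administrator reviewing Microsoft-managed policies needs to close.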

What This Means for Your Organization

The direction is unmistakable: Microsoft is making Zero Trust the default, not the exception. Organizations that proactively adopt these controls will benefit from a stronger security posture and reduced risk of identity-based attacks. Those that wait will increasingly find themselves forced into compliance by Microsoft's own policy enforcement.

At MADIT, we help organizations navigate these changes, from initial assessment through implementation and ongoing management. If you need help understanding how these updates affect your tenant, contact us to discuss your Zero Trust roadmap.

Daniel Moquist, Cloud Architect & DevOps Expert

August 26, 2025