Zero Trust Assessment How To Guide for Microsoft 365 Security

Microsoft’s Zero Trust Assessment gives you a structured way to understand how closely your Microsoft 365 tenant aligns with modern security expectations. It reviews core identity, device, access and logging configurations, then produces a clear report with practical guidance.


What is the Zero Trust Assessment?

The Zero Trust Assessment is a PowerShell module created by Microsoft to automate the process of evaluating your tenant against the Zero Trust security model.

Rather than manually reviewing hundreds of settings across Entra ID, Conditional Access, Intune, authentication methods and audit logs, this tool pulls everything together in one assessment and produces a detailed HTML report.

The report gives you:

  • A high-level overview of your tenant’s identity and device posture
  • A summary of how many tests passed, failed or require investigation
  • Clear descriptions of each check
  • Risk ratings
  • Potential user impact
  • Admin effort required
  • Direct remediation guidance

It’s completely read-only, meaning it won’t change anything in your environment.

Prerequisites Before You Begin

The assessment is straightforward to run, but a few things need to be in place:

PowerShell version

Use PowerShell 7 or later.

Permissions

Two roles are needed:

  • First run: Global Administrator (to grant application permissions)
  • Subsequent runs: Global Reader

Network requirements

Your device must be able to connect to:

  • PowerShell Gallery
  • Microsoft Graph
  • Azure login endpoints

Azure subscription (optional)

If you want the logging checks against Azure Monitor or Microsoft Sentinel, you need read access to the subscription that hosts the workspace; the tool still runs without one, and those checks are simply skipped.

For this article, I am going to make the user Olavi King eligible for Global Administrator through Privileged Identity Management (PIM). The user then activates the role for two hours, long enough to run the assessment and grant the application permissions, after which the standing privilege goes away again. Follow along below.

The steps in the Entra admin center are:

  1. Open Privileged Identity Management and click Microsoft Entra roles
  2. Click Assign eligibility
  3. Filter the role list and click Global Administrator
  4. Click Add assignments
  5. Click No member selected, select the user and click Select
  6. Click Next
  7. Leave the assignment type as Permanently eligible (eligibility is standing; each activation is separately time-limited)
  8. Click Assign

Eligibility grants nothing by itself. The user activates the role from My roles in PIM and chooses the activation duration (two hours here), so the tenant never carries a permanently active Global Administrator just to run a read-only report.
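The same eligibility assignment and two-hour activation can be scripted with the Microsoft Graph PowerShell SDK, which is handy when you do this for more than one user or want the change in source control. This is an added example, not part of the original article or the Zero Trust Assessment module: the user principal name is an assumption, the Global Administrator template ID is the well-known built-in value, and the activation request must be submitted from the eligible user's own session, not the admin's.

```powershell
# Added example: PIM eligibility for Global Administrator, then a two-hour
# self-activation, via the Microsoft Graph PowerShell SDK.
# Assumptions: UPN below is a placeholder; the admin runs the first block,
# the eligible user runs the second block in their own session.

#Requires -Modules Microsoft.Graph.Identity.Governance, Microsoft.Graph.Users

$upn    = 'olavi.king@contoso.com'                   # assumed UPN for the example
$gaRole = '62e90394-69f5-4237-9190-012177145e10'     # Global Administrator role template ID

# --- Admin: create the standing eligibility (equivalent of "Permanently eligible") ---
Connect-MgGraph -Scopes 'RoleEligibilitySchedule.ReadWrite.Directory', 'User.Read.All'
$user = Get-MgUser -UserId $upn

$eligibility = @{
    Action           = 'adminAssign'
    PrincipalId      = $user.Id
    RoleDefinitionId = $gaRole
    DirectoryScopeId = '/'                           # tenant-wide
    Justification    = 'Eligible for GA to consent to the Zero Trust Assessment permissions'
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = 'noExpiration' }   # eligibility is standing, activation is not
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# Confirm what the user is now eligible for
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($user.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId, Status

# --- Eligible user: activate Global Administrator for two hours, then run the assessment ---
Connect-MgGraph -Scopes 'RoleAssignmentSchedule.ReadWrite.Directory', 'User.Read'
$me = Get-MgUser -UserId (Get-MgContext).Account

$activation = @{
    Action           = 'selfActivate'
    PrincipalId      = $me.Id
    RoleDefinitionId = $gaRole
    DirectoryScopeId = '/'
    Justification    = 'Grant consent for the Zero Trust Assessment module'
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = 'afterDuration'; Duration = 'PT2H' }   # ISO 8601: two hours
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation

# Active assignments for the user; the GA entry should show an EndDateTime two hours out
Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter "principalId eq '$($me.Id)'" |
    Select-Object RoleDefinitionId, AssignmentType, Status
```

If the role's PIM policy requires approval or MFA on activation, the request sits in a pending state until that condition is met; check the Status of the returned request rather than assuming the role is live.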



Next step

Install the Zero Trust Assessment Module

Open PowerShell 7 and run:

Install-Module ZeroTrustAssessment -Scope CurrentUser

You will see a warning that the PowerShell Gallery is an untrusted repository. Type A (Yes to All) and press Enter to continue the install.

Once installation finishes, confirm the module is available:

Get-Module ZeroTrustAssessment -ListAvailable

Authenticate and Connect to Your Tenant

Use the following command to connect the module to Microsoft Graph:

Connect-ZtAssessment

You’ll be prompted to sign in. Choose your account and grant the read-only permissions requested. These permissions allow the tool to query Entra ID, Conditional Access, device data and app registrations.

Microsoft also shows a list of permissions such as:

  • AuditLog.Read.All
  • Directory.Read.All
  • DeviceManagementConfiguration.Read.All
  • Policy.Read.ConditionalAccess
  • IdentityRiskEvent.Read.All

A second login prompt for Azure may appear. If you aren’t using Azure Monitor or Sentinel, you can close it.

Once authenticated, PowerShell confirms the connection.


Run the Zero Trust Assessment

Start the assessment using:

Invoke-ZtAssessment

If the Visual C++ Redistributable is not installed, the command stops with a message telling you so. Install the redistributable and run Invoke-ZtAssessment again.

The assessment then begins collecting data from your tenant, and the console shows the progress:
service principals being exported, device data collected, role assignments checked and sign-in logs processed.

Depending on the size of your environment:

  • Small tenants: 20–30 minutes
  • Medium tenants: 1–3 hours
  • Large tenants: 24 hours+

When it completes, the console prints the location of the HTML report. In this run that was C:\Windows\System32\ZeroTrustReport, because the console was elevated and the report folder is created relative to the shell's working directory; pass -Path to write it somewhere sensible (see the FAQ below).

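The install, connect and run steps above can be chained into one script that also keeps a dated folder per run, which makes the before/after comparisons later in the article straightforward. This is an added example, not code from the original article or from the module: only Install-Module, Connect-ZtAssessment and Invoke-ZtAssessment -Path are taken from the page; the version check, folder naming and the fallback that opens the report are my additions, and the report file name is assumed rather than known.

```powershell
# Added example: end-to-end Zero Trust Assessment run from PowerShell 7.
# Assumptions: the module writes its HTML report under the folder passed to -Path;
# the exact file name is not assumed, so the script just finds the first .html there.

#Requires -Version 7.0

$ErrorActionPreference = 'Stop'

# Install on first use only. -Force suppresses the untrusted-repository prompt
# that you would otherwise answer with "A".
if (-not (Get-Module ZeroTrustAssessment -ListAvailable)) {
    Install-Module ZeroTrustAssessment -Scope CurrentUser -Force
}
Import-Module ZeroTrustAssessment

# One folder per run, named by date and time, so successive reports can be kept
# side by side. An explicit path avoids the default landing under the shell's
# working directory (C:\Windows\System32 in an elevated console).
$reportRoot = Join-Path $HOME 'ZeroTrustReports'
$runPath    = Join-Path $reportRoot (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $runPath -Force | Out-Null

# Interactive sign-in. Tenant-wide consent is only needed on the first run
# (Global Administrator); later runs work with Global Reader.
Connect-ZtAssessment

# Read-only collection; can take from ~30 minutes to many hours depending on tenant size
Invoke-ZtAssessment -Path $runPath

# Open the report if the module did not already launch the browser
$report = Get-ChildItem -Path $runPath -Filter '*.html' -Recurse | Select-Object -First 1
if ($report) {
    Invoke-Item $report.FullName
} else {
    Write-Warning "No HTML report found under $runPath; check the console output for the path"
}
```

Running this quarterly from the same machine leaves a folder per run under ~/ZeroTrustReports, so the pass/fail counts from one quarter can be read against the next without hunting for old output.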

Reviewing the Zero Trust Assessment Report

The report opens in your browser and gives a full overview of your tenant.

Overview dashboard

The dashboard includes:

  • Tenant stats (users, groups, devices, apps)
  • Authentication methods for privileged users
  • Sign-in protection (CA and MFA coverage)
  • Device compliance
  • Device ownership
  • Total tests passed vs total tests available

This gives a quick impression of your tenant’s health.

Identity

The Identity tab shows every identity-related test, including:

  • MFA enforcement
  • Password protection
  • Admin account configuration
  • Conditional Access coverage
  • Guest restrictions
  • App credentials
  • Sign-in risk features

Each item shows:

  • Risk rating
  • Status (Passed, Failed, Investigate)

Click any item for a full explanation.

Devices

The device section highlights:

  • Device compliance
  • Device platforms
  • Managed vs unmanaged breakdown
  • Protection policies
  • App management status

Again, each test can be opened for deeper detail.


What To Do Once You Have the Report

Once you’ve run the Zero Trust Assessment and opened the report, the next step is understanding what the results mean and more importantly, how to act on them.

Start with the high-level summary

The first thing the report shows you is a high-level summary of:

  • The number of tests passed
  • The total number of tests available for your licence
  • Identity and device posture
  • Authentication method usage
  • Conditional Access coverage

This gives you an immediate understanding of where your tenant sits on the Zero Trust maturity scale.

Authentication overview

The privileged and non-privileged user authentication charts show:

  • How many users are using weak methods
  • How many users rely on phishable MFA
  • Whether admins are using strong methods such as Passkeys or Windows Hello for Business

If you see “Single factor” listed against privileged accounts, that’s an immediate priority.

Analyse sign-in behaviour

The report inspects your sign-in logs to show how Conditional Access is being applied. It highlights:

  • Sign-ins with no CA policy
  • Sign-ins with CA but no MFA enforcement
  • Sign-ins from unmanaged or non-compliant devices

This allows you to quickly spot gaps in enforcement.
For example:

  • A large amount of unmanaged device sign-ins = tighten Conditional Access
  • Low MFA coverage = enforce stronger authentication

Review device health

The Devices section gives you a breakdown of:

  • Desktop vs mobile usage
  • Compliance status
  • Enrolment method
  • Ownership (corporate vs personal)

This helps you spot issues such as:

  • A high percentage of unmanaged devices
  • Devices not meeting compliance
  • Outdated platforms

This is essential for Zero Trust as device state directly affects access decisions.

Identity and Devices test details

In the Identity and Devices tabs, each test can be opened to show:

  • What Microsoft checked
  • Why your tenant failed (if applicable)
  • The risk level (High, Medium, Low)
  • The impact to end users
  • The effort required to fix it

Use the remediation guidance properly

Each test includes a “How to fix” section.
Microsoft explains that this tells you exactly:

  • What needs changing
  • Why it matters
  • Where to make the change

The report often links directly to the relevant portal area, such as:

  • Conditional Access
  • Authentication methods
  • Device compliance policies
  • App registrations
  • User settings

This turns the report into a task list you can work through systematically.

Enable advanced columns if required

You can enable additional columns within the report such as:

  • Minimum licence required
  • Admin effort
  • User impact

This helps with prioritisation and planning, especially when reporting to leadership or security boards.

Build your remediation plan

Microsoft recommends breaking the fixes down into three groups:

High risk

Fix first, these often include:

  • Weak admin authentication
  • No MFA enforcement
  • Unprotected privileged accounts
  • Unmanaged or non-compliant device access
  • Long-lived app secrets

Medium risk

Important but not critical:

  • Conditional Access refinements
  • Guest user restrictions
  • Password policy improvements

Low risk

Lower urgency items:

  • Cosmetic configuration issues
  • Minor security hardening

Re-run the Zero Trust Assessment regularly

Microsoft suggests running the assessment:

  • After each major configuration change
  • Quarterly for regular security posture reviews
  • Before audits or compliance checks

This gives you:

  • Before/after comparisons
  • Evidence of continuous improvement
  • A measurable record of progress

You can remove the module with the standard PowerShellGet cmdlet:

Uninstall-Module ZeroTrustAssessment

Running the Zero Trust Assessment is one of the simplest ways to understand where your Microsoft 365 tenant stands today and what needs attention next. It gives clear, evidence-based findings that help you strengthen identity, tighten access controls and improve device security.

By turning the results into an action plan and reviewing progress regularly, you build a far stronger security posture without guesswork. The tool removes the complexity of finding configuration gaps and gives you a structured path forward.

If you’re responsible for securing a Microsoft 365 environment, the Zero Trust Assessment should be part of your routine. Run it, act on the results and repeat it on a regular cycle. This approach keeps your tenant aligned with modern security expectations and helps you stay ahead of risks.

See also the article Restrict App Consent and Permissions Hardening Microsoft Entra Enterprise Apps.

What is the Zero Trust Assessment?

The Zero Trust Assessment is a PowerShell-based tool created by Microsoft to review your Microsoft 365 tenant against Zero Trust security guidance. It checks identity, access, devices and logging, then generates a detailed HTML report with remediation steps.

Does the Zero Trust Assessment make changes to my tenant?

No. The tool is completely read-only. It collects configuration data through Microsoft Graph and produces a report based on what it finds. Nothing is modified during the assessment.

Who can run the assessment?

The first run requires a user with either the Global Administrator role or the Application Administrator role to grant the necessary permissions. After that, the assessment can be run with a Global Reader account.

How long does the assessment take?

It depends on the size of your tenant. Smaller environments may complete in 20–30 minutes. Medium environments typically take one to three hours. Very large tenants with thousands of identities and devices can take 24 hours or more.

Can I customise where the report is saved?

Yes. You can set a custom location with: Invoke-ZtAssessment -Path "C:\Reports\MyAssessment"

Is the tool free?

Yes. The module is published by Microsoft and is free to download and use. The number of available tests may vary depending on the licences in your tenant.

Does this replace Microsoft Secure Score?

No. Secure Score and the Zero Trust Assessment complement each other. Secure Score focuses on recommended actions, while the Zero Trust Assessment provides a wide view of configuration, identity health, device posture and authentication strength.

Merill Fernando has an in-depth video on YouTube
