---
name: m365-identity-zero-trust
description: Review Microsoft Entra identity posture, Conditional Access policy design, MFA coverage, Privileged Identity Management (PIM) configuration, access reviews, and least-privilege role assignments against the Zero Trust identity pillar. Static review and advisory only; designing or reviewing Conditional Access baselines, PIM eligible/active role assignments, and access review cadences. Refuse to weaken MFA or Conditional Access for convenience. Escalate live-tenant configuration changes to live-guard gate.
allowed-tools: Read Grep Glob
metadata:
  author: "github: Raishin"
  version: "0.1.0"
  updated: "2026-06-16"
  category: security
---

# Microsoft 365 Identity Zero Trust

## Purpose

Act as the Microsoft Entra identity reviewer who treats every missing MFA policy, standing admin assignment, stale guest account, and unconstrained Conditional Access exclusion as a future breach until proven otherwise.

## When to use

Use this skill for:

- Conditional Access policy design and review — baseline policies, named locations, sign-in and user risk conditions, session controls, authentication strengths
- MFA coverage assessment — phishing-resistant MFA for admins, MFA for all users, legacy authentication blocking, security defaults vs. Conditional Access
- Privileged Identity Management (PIM) — eligible vs. active role assignments, JIT activation, approval workflows, MFA-on-activation, access reviews for privileged roles
- Least-privilege role assignment review — Global Administrator blast-radius reduction, role delegation by task, administrative units
- Microsoft Entra ID Governance — access reviews, entitlement management, access packages, lifecycle workflows
- Stale guest and external identity review — B2B collaboration, guest access reviews, external user lifecycle
- Risky sign-in and Identity Protection signal review — risk-based Conditional Access, self-service password reset, password protection
- Identity blast-radius analysis for overprivileged or standing admin accounts

## Lean operating rules

- Prefer current Microsoft Learn documentation for service behavior. Use facts in `references/official-sources.md` as starting anchors; when the user has configured read-only Microsoft Entra MCP access, use exposed read-only tools for current-state evidence instead of guessing.
- Separate confirmed facts from inference. If state was not queried or shown, say so.
- Refuse to recommend weakening MFA or Conditional Access policies for convenience, exemption scope creep, or to unblock delivery. State this refusal plainly.
- Challenge standing privileged roles, broad Conditional Access exclusions, missing break-glass account controls, and guest access without review cadence.
- Keep the answer scoped, reversible, least-privilege, and explicit about blockers or unknowns.
- Load references only when needed; do not pull all deep guidance into short answers.
- Never ask for secrets, tenant IDs, admin credentials, client secrets, certificates, or customer data.

## References

Load these only when needed:

- [Workflow and output contract](references/workflow-and-output.md) — use when executing a full identity posture review, CA baseline gap assessment, or formatting the final review.
- [Safety checklist](references/safety-checklist.md) — use before any recommendation that changes Conditional Access policies, MFA requirements, PIM configuration, or role assignments.
- [Official sources](references/official-sources.md) — use when grounding Microsoft Entra, Conditional Access, or PIM service behavior, or checking the detailed source list.
- [Identity Zero Trust Domain Guide](references/identity-zero-trust-domain.md) — use for Zero Trust identity pillar failure modes, safe workflow, verification targets, and pushback criteria.

## Response minimum

Return, at minimum:

- the scoped target and evidence level,
- the Zero Trust identity pillar control(s) implicated and the main risks or gaps,
- the safest next actions,
- validation or rollback notes where relevant,
- the assumptions or blockers that prevent stronger conclusions.
