Every Conditional Access decision comes down to three signals: who you are, what you are using, and how that session behaves. Most admins invest heavily in the identity layer and under-invest in device and session controls. This article breaks down each pillar: identity evaluation (MFA, authentication strength, sign-in risk, user risk, PIM), device evaluation (compliance, hybrid join, device filters, managed vs unmanaged), session evaluation (sign-in frequency, persistent browser, CAE, token protection, adaptive lifetime), how the three pillars combine in CA policy logic with the "most restrictive wins" rule, when to focus on which pillar by scenario, common policy patterns, and where this model breaks in real environments.

Zero Trust is everywhere — in vendor pitches, compliance checklists, and security strategies. But most organisations treat it as a product to buy rather than a model to implement. This article cuts through the marketing: what Zero Trust actually is (and is not), the six technology pillars mapped to your Microsoft 365 stack, why Conditional Access is the policy engine that connects everything, why MFA alone does not equal Zero Trust, and what the 2026 "All resources" enforcement change means for your tenant. Includes a visual mental model and a practical framework for getting started.