Zero Trust in the Real World: The Gaps You Cannot Ignore

Microsoft 365Security & ComplianceSMB SolutionsDefenderCloud Security
Written By Tiago Carvalho
Zero Trust in the Real World: The Gaps You Can't Ignore – 2026
Zero Trust · Part 3 of 5

Every Zero Trust deployment has gaps. The slide decks do not mention them. The vendor assessments gloss over them. But they are there, in every tenant I have worked on, and pretending otherwise helps nobody. This article is the honest assessment: the places where Zero Trust principles collide with operational reality, the workarounds that are less clean than the architecture diagram suggests, and the risks you accept when you acknowledge a gap rather than paper over it.

Zero Trust  ·  Security  ·  Real-world gaps  ·  2026

Zero Trust Series Part 3 of 5
Part 1
What Zero Trust Actually Means
Part 2
Implementing with Intune
Part 3 · Now
Where Zero Trust Breaks
Part 4
Identity, Device, Session
Part 5
SMB vs Enterprise
Key Takeaways
🎯
Unmanaged browsers are the biggest BYOD blind spot. App protection policies only cover MAM-integrated apps. A user accessing OWA through Chrome on a personal device sits outside the app protection controls applied to managed apps.
🔗
Legacy apps that cannot do modern auth sit outside your entire Zero Trust perimeter. If users authenticate directly with NTLM, Kerberos or LDAP, Conditional Access usually never sees that sign-in. Inventory them, document the risk, and set a migration deadline.
⚠️
Service accounts are one of the most common weak points attackers look for in M365 tenants. They cannot do MFA by design. If you exclude them from CA policies without compensating controls, you have created a front door.
📋
A Zero Trust posture with documented gaps is stronger than one that ignores them. The goal is not perfection. The goal is visibility, conscious risk decisions, and a remediation roadmap with deadlines.

The BYOD gap: when app protection is not enough

Part 2 covered app protection policies as the BYOD answer. And for the apps that support Intune MAM, they work well. Outlook on an unmanaged iPhone with an app protection policy is genuinely secure: data stays in the container, copy/paste is restricted, selective wipe works, and the user's personal data is untouched.

But here is the gap nobody puts on the slide deck.

A user on an unmanaged Android phone opens Chrome. They navigate to outlook.office.com and sign in with their credentials. MFA passes because the CA policy requires MFA and they have Authenticator. Depending on the Conditional Access and session control design, they may still get browser-based mailbox access outside the Intune app protection container. The app protection policy does not apply unless that browser is a supported managed app with an applicable app protection policy. They can download attachments to their phone's local storage. They can forward emails to personal accounts. They can screenshot anything on screen.

🛑
The browser on an unmanaged device is the biggest gap in BYOD Zero Trust. App protection policies only cover apps that integrate with the Intune MAM SDK. An unmanaged browser accessing web-based M365 services is outside the container entirely. Your options are: block browser access from non-compliant devices (breaks BYOD usability), require Microsoft Edge mobile with app protection (users resist), or accept the risk and add session controls (sign-in frequency, no persistent browser) to limit the window.

Mitigation options for the browser gap

Option Impact Trade-off
Block browser on non-compliant devices Closes the gap completely BYOD users lose web access. Major pushback.
Require Microsoft Edge mobile with app protection Extends MAM to browser sessions Users must install Edge and accept the MAM policy. Some will refuse.
Session controls: 1-hour sign-in frequency, no persistent browser Limits the exposure window Does not prevent data exfiltration during the session. Just shortens the window.
Defender for Cloud Apps session proxy Real-time session monitoring, block downloads Requires E5 or Defender for Cloud Apps add-on. Adds latency. Some apps break under proxy.
Accept the risk and document it Honest acknowledgement Sometimes the right answer. Not every gap can be closed without breaking usability.
🏗️
From the field: I have seen organisations fully confident in their Zero Trust posture while allowing full mailbox access through unmanaged browsers. No alerts, no controls, just a blind spot. It is one of the most common gaps I find during assessments, and it is almost always a surprise to the security team.

Legacy apps without modern authentication

This is where architecture meets legacy reality.

Modern authentication (OAuth 2.0 / OpenID Connect) is the foundation of Conditional Access. Every signal evaluation, every grant control, every session control operates within the modern auth flow. If an application only supports NTLM, Kerberos, or LDAP bind authentication, it simply does not participate.

Common culprits in 2026:

Legacy
On-premises line-of-business apps
The ERP system from 2014 that speaks NTLM. The HR portal built on classic ASP. The accounting package that authenticates against AD via LDAP. These cannot be wrapped in modern auth without significant development effort or replacement.
Legacy
Older mail clients and protocols
IMAP/POP3 clients that do not support OAuth. SMTP relay devices using basic auth. Multifunction printers doing scan-to-email with SMTP AUTH credentials. Microsoft is retiring basic auth, but some devices physically cannot update.
Partial
Third-party SaaS with SAML only
Apps that support SAML federation but not full OIDC. They work with Entra ID SSO, and CA policies apply at the SAML assertion, but some advanced session controls do not work. SAML apps can still be protected by Conditional Access when authentication is brokered through Microsoft Entra ID. The limitation is usually after sign-in: session behaviour, token lifetime, logout, and continuous enforcement depend heavily on how the application handles SAML sessions.
Workaround
Entra Application Proxy / Private Access
For on-prem web apps, Application Proxy can front-end legacy auth with modern auth. The user authenticates via Entra ID (CA applies), and the proxy handles Kerberos constrained delegation to the back-end app. Not perfect for every scenario, but it brings CA to apps that cannot do it natively.

The honest answer for many of these is a timeline. You cannot modernize every legacy app overnight. But you can inventory them, document the risk each one introduces, and put a migration plan on the roadmap with a target date. An acknowledged risk with a remediation timeline is infinitely better than a hidden gap.

Printers, IoT, and devices that cannot authenticate

Not everything on your network has a user behind it.

Every office has them. The multifunction printer that scans to email using an SMTP relay account. The conference room display that signs into Teams Rooms with a resource account. The badge reader. The environmental sensors. The security cameras.

None of these devices can do MFA. None of them can enroll in Intune. Most of them need network connectivity and some form of authentication to function.

⚠️
The standard workaround is a combination of network segmentation and service account exceptions. Put IoT devices on their own VLAN with restricted access. Use dedicated service accounts with the minimum permissions needed. Exclude those accounts from MFA policies but monitor them aggressively. It is not Zero Trust for those devices. It is risk-managed exception handling.

Common device types and their Zero Trust gaps

Device type Authentication method Zero Trust gap Mitigation
MFP / Scanner SMTP AUTH or OAuth (newer models) Cannot MFA, uses service account OAuth where possible, SMTP relay with IP restriction, dedicated account with no other permissions
Teams Rooms Resource account with password Cannot use standard MFA (no human present) Dedicated CA policy, trusted location restriction, device compliance if supported by vendor
Security cameras Network-only, no cloud auth Outside Entra entirely Isolated VLAN, no internet access, local management only
Badge readers Direct AD integration or local Cannot participate in CA Network isolation, dedicated management network
Smart displays / kiosks Shared account or dedicated account Cannot MFA per session Device-bound token, compliant location, limited app access

Third-party VPNs bypassing Conditional Access

This is the gap that hides in plain sight.

A user connects to a third-party VPN (Cisco AnyConnect, Palo Alto GlobalProtect, Fortinet FortiClient). The VPN assigns them an IP address from the corporate range. If you have CA policies that use trusted locations based on IP ranges, the VPN-connected user now appears to be "on the corporate network." They bypass location-based CA controls.

Worse: if the user's actual device is unmanaged and non-compliant, but your CA policy only checks location (trusted IP = skip MFA), they get full access from an untrusted device simply because the VPN put them on a trusted IP.

Problem
VPN masks the real device posture
The VPN changes the user's apparent location. CA policies that grant trust based on IP see a "trusted" connection. But the device itself has not been evaluated. The VPN client does not report device compliance to Entra ID. You are granting trust based on a network signal that the user controls.
Fix
Never rely solely on location for trust
Location should reduce friction, not replace other controls. A compliant device from a trusted IP gets seamless access. A non-compliant device from a trusted IP still gets challenged. Layer your CA policies: identity + device + location, not location alone.

The longer-term answer is to move away from traditional VPN entirely. Microsoft's Global Secure Access (Entra Private Access) evaluates identity and device before granting access to private resources, which closes the gap by design. But migrating off a well-established VPN infrastructure is a multi-quarter project for most organizations.

Service accounts that cannot do MFA

This is where most tenants have the widest gap and the least visibility.

Service accounts are the ugly truth of every tenant. They are everywhere: the backup agent, the monitoring tool, the integration between CRM and Exchange, the script that runs a nightly report. They authenticate with credentials. They cannot respond to an MFA prompt because there is no human at the keyboard. In this section, "service accounts" means user accounts used by scripts, appliances, services or integrations. Workload identities such as service principals and managed identities should be handled differently.

In a Zero Trust model, every identity should be verified. Service accounts break that principle by design.

Options for handling service accounts

1
Managed identities (Azure workloads)
If the service runs in Azure (Logic Apps, Functions, VMs), use a managed identity. No credentials stored anywhere. The identity is bound to the resource. This is the cleanest option, but it only works for Azure-hosted workloads.
2
Workload Identity CA (requires Entra Workload ID Premium)
You can scope Conditional Access policies directly to service principals and control sign-ins based on supported conditions such as location and risk. This is not MFA for service accounts, but it gives you policy enforcement for workload identities. Note that policies for workload identities must be assigned directly to service principals; policies assigned to groups that contain service principals are not applied. This requires Entra Workload ID Premium, which many SMBs do not have.
3
Certificates instead of passwords
For app registrations in Entra ID, use certificate-based authentication instead of client secrets. Certificates are harder to steal and can be rotated on schedule. They are not MFA, but they are stronger than a password in a config file.
4
Named exclusion group with monitoring
For service accounts that genuinely cannot be migrated: put them in a dedicated CA-Exclusions-ServiceAccounts group, exclude from MFA policies, restrict sign-in to specific IPs where possible, and set up alerts on any sign-in from an unexpected location. Document the risk. Review quarterly.
⚠️
The one thing you should never do: exclude a service account from all CA policies and forget about it. That account becomes the easiest path into your tenant. I have seen compromised service accounts used for lateral movement, data exfiltration, and mailbox delegation attacks. If you exclude them from MFA, you must compensate with monitoring, IP restrictions, and credential rotation.

Guest and external users

You control your tenant. You do not control theirs.

B2B collaboration in Entra ID lets external users access your resources using their home tenant identity. Your CA policies can require MFA for guests, and that works. Depending on your cross-tenant access settings, you may be trusting the guest's home tenant to satisfy the MFA claim.

That introduces trust questions you cannot fully answer:

Trust gap
MFA quality is unknown
If you configure inbound trust for MFA, you are trusting the guest's home tenant to satisfy that MFA claim. That may be acceptable for known partners, but it should be a conscious decision, not the default for every external user. You required phishing-resistant MFA? Their home tenant may not support it.
Trust gap
Device compliance is not shared
You cannot evaluate the guest's device compliance. Their device is managed by their tenant's Intune (if at all). Your compliance policy does not apply to their device. If you require a compliant device, the guest is blocked unless you exempt guest users.
Trust gap
Lifecycle management is manual
Guest accounts do not automatically expire in most configurations. The project ends, the contractor leaves, but their guest account stays active with whatever access it had. Without access reviews or automated lifecycle policies, stale guest accounts accumulate.
Mitigation
Cross-tenant access settings
Entra ID cross-tenant access settings let you configure inbound trust per organisation. You can choose to trust MFA claims from specific partner tenants and reject them from others. You can also require MFA to be performed in your tenant instead of trusting the home tenant. Use this for high-sensitivity collaborations.

Entra ID Governance access reviews help with lifecycle. Configure a quarterly review of guest accounts where the sponsor confirms the guest still needs access. Unconfirmed guests get disabled automatically. It is not glamorous work, but it closes one of the most common audit findings in B2B-heavy tenants.

Gap severity matrix

Gap Severity Likelihood of exploitation Remediation effort
Unmanaged browser on BYOD Medium-High High (easy path for insiders) Medium (session controls, Edge requirement)
Legacy apps without modern auth High Medium (targeted attacks) High (app modernization/replacement)
IoT / printers on network Medium Low-Medium (lateral movement vector) Medium (VLAN segmentation)
VPN masking device posture Medium Medium (misconfigured trust) Low (layer CA controls)
Service accounts without MFA High High (common attack vector) Medium (managed identities, Workload ID)
Guest account lifecycle Medium Medium (stale access) Low (access reviews)

Gap ownership and review cadence

Gap Owner Review frequency Evidence
BYOD browser access Endpoint / Security Monthly Sign-in logs + CA reports
Legacy apps Application owner Quarterly App inventory + migration plan
Service accounts IAM / Platform Monthly Exclusion list + sign-in logs
Guest lifecycle Business sponsor Quarterly Access review results
VPN trusted IPs Network / Security Quarterly CA policy review

Gap assessment checklist

  • Identify all users accessing M365 from unmanaged browsers Check sign-in logs filtered by deviceDetail.isCompliant = false and clientAppUsed = Browser. Quantify the gap.
  • Inventory all legacy applications that cannot use modern auth Document the app, the authentication method, the owner, and the migration target date. No target date means the gap lives forever.
  • Map all IoT/printer devices and their authentication method Which service accounts do they use? Are those accounts excluded from MFA? Are the devices on a segmented VLAN?
  • Audit CA policies for location-only trust Find any policy where a trusted IP alone reduces security controls. Layer device compliance on top of location.
  • List all service accounts excluded from CA policies For each one: what IP restrictions exist? Is credential rotation scheduled? Is sign-in monitoring active? Can it be migrated to managed identity or certificate auth?
  • Review guest account inventory and configure access reviews How many guest accounts exist? When was each last used? Set up quarterly access reviews with sponsors. Disable inactive guests automatically.
  • Configure cross-tenant access settings for key partners Decide which partner tenants you trust for MFA claims. Require your own MFA for untrusted or unknown organisations.
  • Document accepted risks with owner, justification, and review date Every gap that cannot be closed immediately gets a risk acceptance entry. Reviewed quarterly. No undocumented exceptions.

The bottom line

Zero Trust does not fail because of technology. It fails because of compromises made for usability, legacy systems, and operational reality.

The goal is not perfection. The goal is visibility, control, and conscious risk decisions. Every gap in this article exists in production tenants right now. Most of them are undocumented. Many of them are unknown to the security teams responsible for the environment.

If you know where it breaks, you are already ahead of most organisations. Document the gaps. Assign owners. Set review dates. That is what separates a real Zero Trust posture from a marketing checkbox.

ℹ️
A Zero Trust posture with documented, risk-managed gaps is infinitely stronger than a "complete" posture built on ignored exceptions. The gaps do not make your deployment a failure. Hiding them does.

Knowing where it breaks is the first step

If you need help mapping these gaps against your real environment and building a prioritised remediation plan, that is usually where things get practical. I can help with that.

Get in touch
References
Next in series · Part 4 of 5
Identity, Device, Session
How identity evaluation, device evaluation, and session evaluation combine in Conditional Access — and when to focus on which pillar.
Read Part 4 →
Tiago Carvalho
Previous

Identity, Device, Session: How Conditional Access Actually Makes Decisions
Next

Zero Trust with Intune: How to Turn Device Compliance into Access Control