Before Lab 1.4 — Zero Trust Access Thinking

Mitch Mommers18/05/2026About 2 min

Zero Trust does not mean:

Nobody gets access.

Zero Trust means:

Access is explicit, limited, verified, monitored and removable.

In the previous labs, you already applied part of this idea.

You did not simply trust the backend identity because it belonged to the application.

You inspected what it could do.

You tested the impact.

You reduced its permissions.

Zero Trust access questions

For every identity, ask:

Question	Example
Who needs access?	Developer, backend app, operator
To what?	App Service, Key Vault, logs
At what scope?	Resource, resource group, subscription
For how long?	Permanent, temporary, just-in-time
Under what conditions?	MFA, approved device, approved workflow
How is it monitored?	Activity logs, alerts, access reviews
How is it revoked?	Group removal, PIM, cleanup process

In this mini-lab, you will translate the technical fix into an access model.

The goal is to explain the model in human language:

Who needs access?
Why?
To what?
At which scope?
How do we know it is still correct?

Identity	Needs access to	Role	Scope	Why
Backend managed identity	Key Vault secret value	Key Vault Secrets User	Key Vault	The backend needs to read one application secret
Student user	Lab resources	Reader or lab-specific permissions	Resource group	The student needs to inspect the environment
Terraform operator	Azure resources	Deployment role	Resource group	Terraform needs to create and update lab resources
Monitoring operator	Logs	Monitoring Reader	Log Analytics workspace	Operator needs to investigate events

Screenshot suggestion

Add a screenshot of the final role assignments.

Suggested screenshots:

Tips

Zero Trust is not only a product or a checkbox.

It is a way of designing access so that trust is never unlimited.