Architecture

Zero-Trust Architecture for Microsoft 365 Data Access

GraphWarden Team·April 3, 2025·7 min read

What Zero-Trust Means for APIs

Zero-trust has become the dominant security model for modern enterprises. The core principle is deceptively simple: never trust, always verify. No device, user, or application gets implicit access to anything - every request must be authenticated, authorized, and validated before it is fulfilled.

Most organizations apply zero-trust to their network perimeter. VPNs are replaced by identity-aware proxies. Lateral movement is constrained with micro-segmentation. Device posture checks happen before granting access to internal resources. These are meaningful improvements.

But there is a blind spot. When it comes to data access through APIs - particularly Microsoft Graph API - most organizations still operate on an implicit trust model. An application that holds a valid OAuth token with User.Read.All is trusted to access every user in the tenant, every property on every object, with no per-request verification. The token is the trust boundary, and it is far too broad.

Microsoft 365 and the Trust Problem

Microsoft 365 is the data backbone of the modern enterprise. User profiles, group memberships, mail metadata, calendar entries, Teams activity, SharePoint documents - all accessible through a single unified API. Microsoft Graph is extraordinarily powerful, and that power creates risk.

The Graph API permission model is binary. An application either has User.Read.All or it does not. There is no User.Read.HROnly, no User.Read.SelectedProperties, no User.Read.ThisGroupOnly. Once a permission is granted, it applies uniformly across the entire tenant.

This means every application with directory read access can enumerate your complete workforce: executives, contractors, service accounts, and test users alike. It receives every property the API exposes, including sensitive fields like mobilePhone, passwordProfile, and onPremisesExtensionAttributes. The application may only need five properties for fifty users, but it receives forty properties for five thousand.

In a zero-trust world, this is unacceptable. The gap between what an application needs and what it can access is precisely the attack surface that zero-trust aims to eliminate.

The Three Pillars of Zero-Trust Graph API Access

Applying zero-trust principles to Microsoft Graph API access requires three pillars, each addressing a different dimension of the problem.

Pillar 1: Verify Every Call

In a zero-trust model, every API request is evaluated independently. Holding a valid token is not enough. The system must verify: Which application is making this request? What endpoint is it calling? When is the request happening? Does it match an authorized pattern?

This per-request evaluation is fundamentally different from the platform's approach, where a token grants blanket access for its entire lifetime. A zero-trust intermediary checks each call against a policy - not just the token's scope, but the specific context of the request: the target endpoint, the HTTP method, the query parameters, and even the time of day.

Pillar 2: Enforce Least Privilege at the Data Level

The principle of least privilege demands that an application receives only the data it needs to function - nothing more. For Graph API, this means three layers of restriction:

  • Object-level filtering. If an HR application serves a department of 47 people, it should see only those 47 users - not the full directory. Filtering by Azure AD group membership provides this boundary.
  • Property-level filtering. If the application needs displayName, mail, and jobTitle, it should not receive mobilePhone, passwordProfile, or extension attributes. Stripping unauthorized properties from the response enforces this.
  • Data transformation. Sometimes the application needs a property in a modified form. A CRM might need to know the email domain without the full address. An analytics tool might need a hashed identifier instead of the real user ID. Transforms like masking, hashing, and redaction preserve utility while protecting the underlying data.

Pillar 3: Log Everything

Zero-trust assumes that breaches will happen. When they do, you need a complete record of every data access event: which application made the call, which endpoint it hit, which rule was evaluated, how many objects were returned versus filtered, and how long the request took. This audit trail is not optional - it is the foundation of incident response, compliance reporting, and continuous improvement.

Immutable, structured logs also serve a proactive role. Pattern analysis can reveal anomalous access - an application suddenly querying ten times more objects than usual, a script running outside its normal schedule, or a blocked endpoint being repeatedly targeted.

How a Proxy Model Enables Zero Trust

Microsoft Graph does not natively support per-request policy evaluation, object-level filtering, property stripping, or data transformation. These capabilities must be provided by an external layer - an intelligent proxy that sits between your applications and the Graph API.

The proxy model works as follows. Applications no longer connect directly to graph.microsoft.com. Instead, they point at the proxy and authenticate with proxy-specific credentials. The proxy intercepts every request, evaluates it against a YAML-based policy engine, and only then forwards it to Microsoft Graph using the real credentials (stored securely in Azure Key Vault). When the response arrives, the proxy filters objects, strips properties, applies transforms, and logs the full transaction before returning the sanitized data to the application.

This architecture delivers all three zero-trust pillars simultaneously:

  • Verify: Every request is evaluated against the rule engine before forwarding
  • Least privilege: Responses are filtered to the minimum data set each application requires
  • Log: Every transaction is recorded with complete context for compliance and forensics

Critically, your applications change almost nothing. A PowerShell script updates two lines: the token endpoint and the base URL. The application logic stays identical - the proxy is transparent to the data consumer.

Building Your Zero-Trust Graph API Strategy

Implementing zero-trust for Graph API access is not an all-or-nothing proposition. It can be deployed incrementally, starting with visibility and progressing to enforcement.

  1. Audit your current state. Identify every application that accesses Microsoft Graph in your tenant. Document their permissions, how they authenticate, where credentials are stored, and what data they actually use. Most organizations are surprised by what they find.
  2. Deploy a proxy in observation mode. Route Graph traffic through a policy-aware proxy with logging enabled but no blocking rules. This gives you immediate visibility into which apps call which endpoints, how often, and how much data they consume.
  3. Define per-application policies. Based on observed traffic, create rules that match each application's actual data needs: allowed endpoints, permitted HTTP methods, authorized objects (by group), and approved properties. Use a what-if simulator to validate rules before enforcing them.
  4. Enable enforcement gradually. Start by stripping sensitive properties that no application needs (like passwordProfile). Then add object-level filtering for applications that only serve specific departments. Then block unauthorized write operations. Each step reduces your attack surface.
  5. Monitor and iterate. Use dashboards and alerts to track policy effectiveness. Look for blocked calls that indicate misconfigured applications, anomalous patterns that suggest compromised credentials, and new applications that need onboarding.

The Path Forward

Zero-trust for network access is no longer optional - it is the baseline expectation. Zero-trust for API data access is the next frontier. Organizations that apply these principles to their Microsoft Graph API traffic will close one of the largest unaddressed security gaps in their Microsoft 365 environment.

The technology exists today. A proxy-based approach delivers per-request verification, data-level least privilege, and comprehensive audit - without requiring changes to your application code or your Microsoft 365 configuration.

GraphWarden implements this model as a lightweight, deployable solution. If you are ready to bring zero-trust to your Graph API access, we are ready to help.

Request a Demo