Zero Trust Maturity Baseline (Purview)

SKILL.md — paste into Microsoft 365 Copilot or Claude
---
name: Zero Trust Maturity Baseline
description: Scores a Microsoft 365 tenant against the AT.8xxx Zero Trust control family across five pillars, with control-level evidence pointers and uplift steps.
---

# Zero Trust Maturity Baseline

> **TL;DR:** This skill scores a Microsoft 365 tenant against the AT.8xxx Zero Trust maturity control family across identity, devices, network, applications, and data, producing a five-pillar maturity table with control-level evidence pointers.

## How does the Zero Trust Maturity Baseline skill score tenant posture?

This skill establishes the current Zero Trust maturity of a Microsoft 365 tenant across the five canonical pillars — identity, devices, network, applications, and data. It assesses Microsoft Entra MFA coverage, Conditional Access, privileged identity management and agent identity governance, Intune device compliance, Private and Internet Access, application consent hygiene, and sensitivity labelling, DLP, and encryption. Each AT.8xxx control is scored with an evidence pointer so the baseline can be re-run quarterly. It supports Essential Eight ML2 evidence for Control 8.

## When should you run this skill?

- "Score Zero Trust maturity"
- "Audit Zero Trust posture against AT.8xxx"
- "Baseline our tenant before a Zero Trust uplift"
- "Build the Zero Trust scorecard for the steering committee"

## How this skill works, step by step

1. Identity pillar: assess MFA coverage, Conditional Access posture, privileged identity management, agent identity governance
2. Devices pillar: assess Intune enrolment, compliance policies, device-based Conditional Access
3. Network pillar: assess Private Access / Internet Access deployment, network segmentation, named locations
4. Applications pillar: assess application proxy use, application registration hygiene, app consent governance
5. Data pillar: assess sensitivity labelling coverage, DLP, encryption at rest and in transit
6. Score each AT.8xxx control: Traditional / Initial / Advanced / Optimal
7. Record one evidence pointer per control (report URL, query, document path)
8. Produce the scorecard below
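As an added example of steps 1, 6 and 7 (not part of the skill file), the following Python scores the identity pillar's MFA coverage control from the JSON that `GET /v1.0/identity/conditionalAccess/policies` returns under the `Policy.Read.All` scope, and records the query as the evidence pointer. The sample policies are constructed, and the rule that maps findings onto Traditional / Initial / Advanced / Optimal (including the allowance of two excluded break-glass accounts) is an assumption made for illustration, not an AT.8xxx definition.

```python
"""Score the identity pillar's MFA coverage control from Conditional Access evidence.

Added example, not the skill file's own code. Input is the JSON shape returned by
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies (scope
Policy.Read.All). SAMPLE_POLICIES is constructed; the thresholds below and the
break-glass allowance are assumptions, not AT.8xxx definitions.
"""
from dataclasses import dataclass

GRAPH_QUERY = "GET /v1.0/identity/conditionalAccess/policies"  # the evidence pointer
BREAK_GLASS_ALLOWANCE = 2  # assumption: at most two emergency-access accounts may be excluded


@dataclass
class ControlResult:
    pillar: str
    control: str
    maturity: str
    evidence: str
    next_step: str


def enforces_mfa(policy: dict) -> bool:
    """Enabled policy whose grant control is MFA or an authentication strength."""
    if policy.get("state") != "enabled":
        return False
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or []) or grant.get("authenticationStrength") is not None


def covers_all_users_and_apps(policy: dict) -> bool:
    """Policy targets 'All' users and 'All' cloud applications."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    return "All" in (users.get("includeUsers") or []) and "All" in (apps.get("includeApplications") or [])


def has_broad_exclusions(policy: dict) -> bool:
    """Group or role exclusions, or more excluded users than the break-glass allowance,
    mean tenant-wide coverage cannot be evidenced."""
    users = (policy.get("conditions") or {}).get("users") or {}
    return (bool(users.get("excludeGroups")) or bool(users.get("excludeRoles"))
            or len(users.get("excludeUsers") or []) > BREAK_GLASS_ALLOWANCE)


def assess_mfa_coverage(policies: list[dict]) -> ControlResult:
    """Classify MFA coverage and attach the evidence pointer and next step."""
    enforcing = [p for p in policies if enforces_mfa(p)]
    tenant_wide = [p for p in enforcing if covers_all_users_and_apps(p)]
    clean = [p for p in tenant_wide if not has_broad_exclusions(p)]
    if clean:
        maturity, step = "Optimal", "Maintain; re-verify break-glass exclusions each quarter"
    elif tenant_wide:
        maturity, step = "Advanced", f"Remove group/role exclusions from '{tenant_wide[0]['displayName']}'"
    elif enforcing:
        maturity, step = "Initial", "Extend an MFA policy to all users and all cloud apps"
    else:
        maturity, step = "Traditional", "Create a tenant-wide Conditional Access policy requiring MFA"
    evidence = (f"{GRAPH_QUERY} ({len(policies)} policies, {len(enforcing)} enforce MFA, "
                f"{len(tenant_wide)} tenant-wide)")
    return ControlResult("Identity", "MFA coverage", maturity, evidence, step)


SAMPLE_POLICIES = [  # constructed sample; ids in angle brackets are placeholders
    {"displayName": "CA001 Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-1>", "<break-glass-2>"],
                              "excludeGroups": ["<legacy-service-accounts-group>"], "excludeRoles": []},
                    "applications": {"includeApplications": ["All"], "excludeApplications": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": None}},
    {"displayName": "CA002 Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["exchangeActiveSync", "other"],
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "CA003 Require compliant device for admins", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": [], "includeRoles": ["<global-admin-role-template-id>"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]

if __name__ == "__main__":
    print(assess_mfa_coverage(SAMPLE_POLICIES))
```

With the constructed sample the all-users MFA policy carries a group exclusion, so the control lands on Advanced rather than Optimal, and the next step names the policy to fix. Report-only policies are deliberately not counted as enforcement.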

## Output format

| Pillar | Control | Maturity | Evidence | Next Step |

Followed by:

- Pillar averages: Identity / Devices / Network / Applications / Data
- Overall maturity: Traditional | Initial | Advanced | Optimal
- Top three uplift opportunities
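As an added example of the output format (not the skill file's own code), the Python below turns per-control results into the scorecard table, the pillar averages, the overall rating and the top three uplift opportunities. The numeric treatment is an assumption made here: the four levels sit on an ordinal scale Traditional=0, Initial=1, Advanced=2, Optimal=3, a pillar average is the mean over its controls, the overall rating is the mean of the pillar averages rounded down, and the uplift list is the three lowest-scoring controls. The rows are constructed, and the Control column would carry the real AT.8xxx identifiers.

```python
"""Aggregate per-control maturity into the five-pillar scorecard.

Added example, not the skill file's own code. Assumptions: ordinal scale
Traditional=0 .. Optimal=3; pillar average = mean of its controls; overall =
mean of pillar averages rounded down (conservative); uplift = three lowest
controls. SAMPLE_RESULTS is constructed; real AT.8xxx ids would replace the names.
"""
from statistics import mean
from typing import NamedTuple

LEVELS = ["Traditional", "Initial", "Advanced", "Optimal"]
PILLARS = ["Identity", "Devices", "Network", "Applications", "Data"]


class Row(NamedTuple):
    pillar: str
    control: str
    maturity: str
    evidence: str
    next_step: str


SAMPLE_RESULTS = [  # constructed sample results
    Row("Identity", "MFA coverage", "Advanced",
        "GET /v1.0/identity/conditionalAccess/policies", "Remove group exclusions from the all-users MFA policy"),
    Row("Identity", "PIM for privileged roles", "Initial",
        "GET /v1.0/roleManagement/directory/roleEligibilitySchedules", "Convert standing admin assignments to eligible"),
    Row("Devices", "Intune compliance", "Advanced",
        "GET /v1.0/deviceManagement/managedDevices", "Require compliant device in Conditional Access"),
    Row("Network", "Named locations", "Traditional",
        "GET /v1.0/identity/conditionalAccess/namedLocations", "Define trusted named locations"),
    Row("Applications", "App consent governance", "Initial",
        "GET /v1.0/policies/authorizationPolicy", "Limit user consent to verified publishers and low-risk permissions"),
    Row("Data", "Sensitivity label coverage", "Advanced",
        "Purview portal: Information protection > Labels", "Enable auto-labelling for the top sensitive info types"),
]


def level_score(level: str) -> int:
    """Ordinal score for a maturity level; raises ValueError on an unknown level."""
    return LEVELS.index(level)


def pillar_averages(rows) -> dict[str, float]:
    """Mean score per pillar, only for pillars that have at least one scored control."""
    out = {}
    for pillar in PILLARS:
        scores = [level_score(r.maturity) for r in rows if r.pillar == pillar]
        if scores:
            out[pillar] = round(mean(scores), 2)
    return out


def overall_maturity(rows) -> str:
    """Mean of the pillar averages, rounded down to the nearest level."""
    return LEVELS[int(mean(pillar_averages(rows).values()))]


def top_uplift(rows, n: int = 3) -> list[str]:
    """Names of the n lowest-scoring controls; sort is stable, so input order breaks ties."""
    ranked = sorted(rows, key=lambda r: level_score(r.maturity))
    return [r.control for r in ranked[:n]]


def render_scorecard(rows) -> str:
    """Markdown table followed by the summary lines the skill's output format calls for."""
    lines = ["| Pillar | Control | Maturity | Evidence | Next Step |",
             "| --- | --- | --- | --- | --- |"]
    lines += [f"| {r.pillar} | {r.control} | {r.maturity} | {r.evidence} | {r.next_step} |" for r in rows]
    lines.append("")
    lines.append("Pillar averages: " + " / ".join(f"{p} {v:.2f}" for p, v in pillar_averages(rows).items()))
    lines.append(f"Overall maturity: {overall_maturity(rows)}")
    lines.append("Top three uplift opportunities: " + "; ".join(top_uplift(rows)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_scorecard(SAMPLE_RESULTS))
```

Rounding the overall rating down is a deliberate choice: a tenant whose pillars average 1.3 reports as Initial, not Advanced, so the headline cannot be inflated by one strong pillar masking a Traditional one.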

## Scope and safety

Read-only. This skill does NOT:

- Modify any tenant configuration (read-only)
- Replace a formal Zero Trust deployment plan
- Score third-party platforms outside Microsoft 365

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Conditional Access, MFA and Privileged Identity Management posture | Microsoft Entra ID P1 (PIM and risk-based access require P2) |
| Intune device enrolment and compliance posture | Microsoft Intune Plan 1 |
| Sensitivity labelling, DLP and encryption posture | Microsoft Purview (Microsoft 365 E5 Compliance or equivalent add-on) |

### Least-privilege roles

- Global Reader — read-only visibility across Entra, Intune and Purview configuration
- Security Reader — read Conditional Access, identity protection and security posture
- Compliance Administrator (read) — review sensitivity labels, DLP policies and encryption settings

### Microsoft Graph permissions (read-only)

- `Policy.Read.All` — read Conditional Access and authentication method policies
- `RoleManagement.Read.Directory` — read privileged role and PIM assignments
- `DeviceManagementConfiguration.Read.All` — read Intune compliance and configuration policies
- `DeviceManagementManagedDevices.Read.All` — read enrolled device compliance state
- `Application.Read.All` — read application registrations and consent grants
- `InformationProtectionPolicy.Read.All` — read sensitivity label configuration

Note: sensitivity labelling, DLP and encryption posture is reviewed via the Microsoft Purview portal and Security and Compliance PowerShell, not all of which is exposed through Microsoft Graph.

## Sources and compliance

- Aligned to Microsoft's Zero Trust maturity model and the AT.8xxx internal control family
- Supports E8 ML2 evidence for Control 8 (multi-factor authentication) and adjacent identity controls
- Reference: [https://learn.microsoft.com/en-us/security/zero-trust/zero-trust-overview](https://learn.microsoft.com/en-us/security/zero-trust/zero-trust-overview)
- Re-baseline quarterly to demonstrate maturity progression to leadership
- Output in Australian English

How to use this skill

  1. Get the file. Download or copy the SKILL.md from the panel above.
  2. Load it into your host:
    • Microsoft 365 Copilot / Copilot Studio — add it as the instructions of a declarative agent or Copilot Studio agent.
    • Claude (Cowork / Claude Code) — drop the file into your skills folder; it loads as an Agent Skill automatically.
    • Any chat host — paste the file contents as your prompt.
  3. Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed in the skill file's Licensing and permissions section.
  4. Provide your tenant scope (a site, a collection, or the whole tenant) and run it.
  5. Review the report and action the risk-ranked recommendations.

This skill is read-only by default — it inspects and reports, and never changes your tenant.


Licensed under CC BY 4.0 by Educ4te. Adapted from the open HybridSP skills catalogue.