After two decades implementing identity architecture in enterprise environments, Zero Trust stopped being a model I read about and became a framework I argue about in design reviews. Most of what gets written about it stays at the principle level — never implicit trust, always verify, assume breach. Those principles are correct. What's less often discussed is what they actually demand from the identity stack underneath, and where the friction lives in organisations that didn't start from scratch.
This post is about Zero Trust in hybrid environments specifically — where Active Directory still runs, where Entra ID is the cloud layer on top, and where the identity pipeline connecting them carries assumptions built fifteen years ago. That's where most enterprises actually are.
The Model in One Sentence
Zero Trust is a security model that grants access based on verified identity, device health, and context — not on network location. Whether a request comes from inside the corporate perimeter or from a home office makes no difference; the same verification applies. The perimeter is not the network. The perimeter is the identity.
Where Hybrid Environments Complicate This
The challenge in hybrid AD DS + Entra ID environments is that trust was historically anchored to domain membership. A device joined to the domain, on the corporate network, was trusted. That assumption is baked into Group Policy, Kerberos, legacy application authentication, and the mental model of most infrastructure teams.
Moving toward Zero Trust doesn't mean ripping that out. It means adding verification layers that don't rely on it. In practice this means three things:
Conditional Access as the enforcement point. Every access request — to Microsoft 365, to Azure resources, to federated SaaS applications — should pass through a Conditional Access policy that evaluates identity, device compliance state, location risk, and session risk before granting a token. The policy is the gate. Network location is one signal among many, not the gate itself.
Device compliance as a first-class signal. Domain-joined alone is not enough. A Microsoft Entra hybrid joined device needs to be enrolled in Intune, reporting compliance status, and meeting a defined baseline — patch level, endpoint protection, disk encryption. Conditional Access does offer a grant control for hybrid joined devices, but that control only proves domain membership, which is precisely the assumption being retired; the compliant-device grant control is the one that carries a health verdict. Without device compliance as a Conditional Access condition, you're verifying identity but ignoring the endpoint it's coming from. An adversary with valid credentials on an unmanaged device (and, with adversary-in-the-middle phishing, a captured MFA session to go with them) walks straight through.
Identity Governance as the ongoing enforcement layer. Access verified at login degrades over time if entitlements aren't reviewed. Zero Trust requires that the identities being verified are themselves governed — joiners, movers, leavers processed promptly, role assignments reviewed, privileged access time-bounded. An IGA platform (SailPoint, Saviynt, or equivalent) is not optional infrastructure in a mature ZT architecture. It is how you ensure the identity being verified at the gate is still the identity that should have that access.
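To make the first two of those three points concrete, here is an added example (my code, not from the post or from Microsoft): two Conditional Access policies written in the Microsoft Graph conditionalAccessPolicy shape, evaluated against constructed sign-ins by a small stand-in for the Entra ID policy engine. The field names (conditions.users, conditions.clientAppTypes, grantControls.builtInControls, the "mfa" and "compliantDevice" controls, the policy states) are the real Graph ones; the evaluator, the tenant names and the sign-in records are assumptions made for the example. The point it shows is the one in the paragraph above: an MFA-only policy grants a stolen-but-MFA-satisfied session from an unmanaged device, and the same session is denied once compliant device is a required grant control.

```python
"""Added example: Graph-shaped Conditional Access policies plus a simplified
evaluator. The evaluator is a stand-in for Entra ID's engine, not Entra's code."""
from dataclasses import dataclass

# Constructed tenant value: the group holding the excluded break-glass accounts.
BREAK_GLASS_GROUP = "grp-breakglass"

def policy(name, controls, state="enabled"):
    """Build an all-users, all-apps policy with the given grant controls.
    New policies should start as 'enabledForReportingButNotEnforced' (report-only)
    and be flipped to 'enabled' only after the sign-in logs show no surprises."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "AND", "builtInControls": list(controls)},
    }

MFA_ONLY = policy("CA001: Require MFA for all users", ["mfa"])
MFA_AND_COMPLIANT = policy("CA002: Require MFA and compliant device", ["mfa", "compliantDevice"])

@dataclass(frozen=True)
class SignIn:
    user: str
    groups: tuple
    mfa_satisfied: bool      # an MFA claim is present in the session being presented
    device_compliant: bool   # Intune compliance state as reported to Entra ID
    client_app: str          # browser | mobileAppsAndDesktopClients | exchangeActiveSync | other

def policy_applies(pol, s):
    """Condition evaluation: policy state, user include/exclude, client app type."""
    if pol["state"] != "enabled":
        return False
    users = pol["conditions"]["users"]
    if "All" not in users["includeUsers"] and s.user not in users["includeUsers"]:
        return False
    if any(g in s.groups for g in users.get("excludeGroups", [])):
        return False
    types = pol["conditions"]["clientAppTypes"]
    return "all" in types or s.client_app in types

def grant_satisfied(pol, s):
    """Grant-control evaluation: with operator AND every listed control must hold."""
    checks = {"mfa": s.mfa_satisfied, "compliantDevice": s.device_compliant}
    results = [checks[c] for c in pol["grantControls"]["builtInControls"]]
    return all(results) if pol["grantControls"]["operator"] == "AND" else any(results)

def evaluate(pol, s):
    """'grant', 'deny' or 'not-applicable' for a single policy."""
    if not policy_applies(pol, s):
        return "not-applicable"
    return "grant" if grant_satisfied(pol, s) else "deny"

def decide(policies, s):
    """Every matching policy is evaluated; a single deny blocks the token."""
    return "deny" if any(evaluate(p, s) == "deny" for p in policies) else "grant"

# Constructed sign-ins. The attacker holds the password and a phished MFA session,
# replayed from a laptop Intune has never seen.
EMPLOYEE = SignIn("a.lee@contoso.example", ("grp-staff",), True, True, "browser")
ATTACKER = SignIn("a.lee@contoso.example", ("grp-staff",), True, False, "browser")
BREAK_GLASS = SignIn("bg-admin@contoso.example", (BREAK_GLASS_GROUP,), False, False, "browser")

if __name__ == "__main__":
    for label, s in [("employee", EMPLOYEE), ("attacker", ATTACKER), ("break-glass", BREAK_GLASS)]:
        print(f"{label:12} MFA-only={decide([MFA_ONLY], s):5}  "
              f"MFA+compliant={decide([MFA_AND_COMPLIANT], s)}")
```

The break-glass exclusion is deliberate: every tenant needs at least one account that can get in when Intune or the MFA provider is down, and that account has to be excluded from these policies and monitored separately rather than quietly left inside them.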
The Gaps That Actually Cause Incidents
In my experience, Zero Trust implementations fail at three predictable points:
Legacy applications that can't speak modern auth. Conditional Access is enforced at token issuance, so it only sees requests that authenticate through Entra ID with OAuth2/OIDC or SAML. An on-premises application that authenticates directly against AD with Kerberos or NTLM never presents a request to Entra ID, and no policy ever evaluates it. Basic authentication to cloud services is the other half of the problem: it does reach Entra ID, but the protocol cannot carry an MFA challenge, so the only useful Conditional Access policy for it is an outright block. The gap is usually filled with network controls — VPN, network segmentation — which reintroduces perimeter-based thinking for a subset of the estate. The fix is application modernisation or, where that's not feasible, publishing the legacy app behind an application proxy that pre-authenticates the user through Entra ID (and therefore through Conditional Access) before handing off to the backend, for example with Kerberos constrained delegation.
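Blocking legacy authentication is the easy policy to write and the hard one to switch on, because nobody knows who still depends on it. Here is an added example (mine, not the post's) of the check a practitioner runs first: it takes records shaped like Entra ID sign-in log entries and produces the migration list (who is still successfully using legacy protocols) and the spray list (where failed legacy-auth attempts are coming from). The field names userPrincipalName, appDisplayName, clientAppUsed, ipAddress and status.errorCode are the real sign-in log fields, and 50126 is the real "invalid username or password" code; the records themselves, the users and the addresses are constructed. In a real tenant the input would be an export of the sign-in logs (Graph auditLogs/signIns or the portal's download) rather than the inline JSON.

```python
"""Added example: legacy-authentication usage and failure report over
sign-in-log-shaped records. The records are constructed, not real tenant data."""
import json
from collections import Counter

# Entra reports modern auth under exactly these two clientAppUsed values; every
# other value (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, Other clients,
# ...) is a legacy protocol that can never complete an MFA challenge.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2024-05-02T08:11:09Z", "userPrincipalName": "a.lee@contoso.example",
  "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
  "ipAddress": "203.0.113.7", "status": {"errorCode": 0}},
 {"createdDateTime": "2024-05-02T12:40:51Z", "userPrincipalName": "a.lee@contoso.example",
  "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
  "ipAddress": "203.0.113.7", "status": {"errorCode": 0}},
 {"createdDateTime": "2024-05-02T03:00:02Z", "userPrincipalName": "svc-scanner@contoso.example",
  "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP",
  "ipAddress": "198.51.100.9", "status": {"errorCode": 0}},
 {"createdDateTime": "2024-05-02T03:00:05Z", "userPrincipalName": "svc-scanner@contoso.example",
  "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP",
  "ipAddress": "198.51.100.9", "status": {"errorCode": 50126}},
 {"createdDateTime": "2024-05-02T09:15:33Z", "userPrincipalName": "b.ng@contoso.example",
  "appDisplayName": "Office 365 SharePoint Online", "clientAppUsed": "Browser",
  "ipAddress": "203.0.113.21", "status": {"errorCode": 0}},
 {"createdDateTime": "2024-05-02T09:16:10Z", "userPrincipalName": "c.ray@contoso.example",
  "appDisplayName": "Microsoft Teams", "clientAppUsed": "Mobile Apps and Desktop clients",
  "ipAddress": "203.0.113.22", "status": {"errorCode": 0}},
 {"createdDateTime": "2024-05-02T07:58:44Z", "userPrincipalName": "d.kim@contoso.example",
  "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange ActiveSync",
  "ipAddress": "203.0.113.30", "status": {"errorCode": 0}},
 {"createdDateTime": "2024-05-02T01:02:11Z", "userPrincipalName": "e.fox@contoso.example",
  "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Other clients",
  "ipAddress": "192.0.2.44", "status": {"errorCode": 50126}},
 {"createdDateTime": "2024-05-02T01:02:13Z", "userPrincipalName": "f.gao@contoso.example",
  "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Other clients",
  "ipAddress": "192.0.2.44", "status": {"errorCode": 50126}}
]""")

def is_legacy(record):
    return record.get("clientAppUsed") not in MODERN_CLIENT_APPS

def legacy_auth_usage(records):
    """Successful legacy-auth sign-ins per (user, app, protocol). These are the
    sessions that stop working the day legacy auth is blocked: the migration list."""
    counts = Counter()
    for r in records:
        if is_legacy(r) and r["status"]["errorCode"] == 0:
            counts[(r["userPrincipalName"], r["appDisplayName"], r["clientAppUsed"])] += 1
    return dict(counts)

def legacy_auth_failures_by_ip(records):
    """Failed legacy-auth attempts per source IP. Legacy protocols are the
    preferred channel for password spraying precisely because MFA never triggers."""
    counts = Counter()
    for r in records:
        if is_legacy(r) and r["status"]["errorCode"] != 0:
            counts[r["ipAddress"]] += 1
    return dict(counts)

def affected_users(records):
    """Sorted list of users who will need a modern-auth client or a rotated workflow."""
    return sorted({user for (user, _, _) in legacy_auth_usage(records)})

if __name__ == "__main__":
    for (user, app, proto), n in sorted(legacy_auth_usage(SAMPLE_SIGNINS).items()):
        print(f"{n:3}  {user:28} {app:30} {proto}")
    print("failed legacy attempts by IP:", legacy_auth_failures_by_ip(SAMPLE_SIGNINS))
```

The service account in the sample (svc-scanner, sending over Authenticated SMTP) is the typical blocker: it will appear on the migration list, it cannot do MFA, and it is exactly the kind of non-human identity the next gap is about.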
Service accounts and non-human identities. Zero Trust is well-understood for human users. It's much less mature for the identities that run automated workloads — on-premises service accounts, Entra service principals and their client secrets, pipeline credentials. These identities often carry over-privileged, long-lived credentials: a service account password that hasn't rotated in years, an app registration secret pasted into a build pipeline. Managed identities remove the long-lived credential but not the over-privilege. None of these identities can satisfy an MFA or device-compliance grant control, so the user-targeted Conditional Access policies simply don't apply to them, and on-premises service accounts sit outside the IGA scope as well unless they are deliberately brought in. They are the path of least resistance for lateral movement after initial compromise.
The gap between Entra ID and on-premises AD. In hybrid environments, synchronised identities carry attributes and group memberships from AD. If the AD-side governance is weaker — stale accounts, unreviewed group memberships, shadow admin paths through nested groups — the Entra ID identity inherits that weakness. Zero Trust enforced at the cloud layer does not compensate for governance failures on-premises. The AD hygiene problem and the ZT problem are the same problem.
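The two gaps just described share a root cause in the on-premises directory, so one added example (my code, not the post's) serves both: it resolves nested AD group membership to find every account that is effectively a member of a privileged group, then flags the hygiene problems named above for each one: a nested membership path (the shadow admin route), a service account with SPNs sitting in the admin group, a stale or disabled account that is still a member, and a password that hasn't rotated. The directory is constructed; in a real run the two dictionaries would be built from Get-ADGroup and Get-ADUser output, where a group's member values are the nested objects. (Get-ADGroupMember -Recursive gives the leaf accounts but not the path, and the path is what you need to know which group to clean up.) The cycle in the sample groups is deliberate, because real AD forests have them and a naive recursion never returns.

```python
"""Added example: transitive group membership and hygiene audit over a
constructed AD-like directory. Not real directory data."""
from collections import deque

# Constructed directory: group -> direct members, which may be users or other groups.
GROUPS = {
    "Domain Admins": ["alice", "Tier0-Ops"],
    "Tier0-Ops": ["bob", "Infra-Automation"],
    "Infra-Automation": ["svc-backup", "svc-monitor", "Tier0-Ops"],   # deliberate cycle
    "Helpdesk": ["carol"],
}
# Constructed accounts: enabled flag, days since last logon, SPNs, password age.
USERS = {
    "alice":       {"enabled": True,  "days_since_logon": 3,   "spns": [], "pwd_age_days": 40},
    "bob":         {"enabled": True,  "days_since_logon": 200, "spns": [], "pwd_age_days": 400},
    "carol":       {"enabled": True,  "days_since_logon": 1,   "spns": [], "pwd_age_days": 20},
    "svc-backup":  {"enabled": True,  "days_since_logon": 1,
                    "spns": ["MSSQLSvc/bk01.corp.contoso.example:1433"], "pwd_age_days": 1500},
    "svc-monitor": {"enabled": False, "days_since_logon": 400,
                    "spns": ["HOST/mon01.corp.contoso.example"], "pwd_age_days": 900},
}

def effective_members(group, groups):
    """{user: membership path} for every user transitively inside `group`.
    Breadth-first with a visited set, so group cycles terminate and the
    shortest path is the one recorded."""
    found, seen, queue = {}, {group}, deque([(group, [group])])
    while queue:
        g, path = queue.popleft()
        for m in groups.get(g, []):
            if m in groups:                       # nested group: descend once
                if m not in seen:
                    seen.add(m)
                    queue.append((m, path + [m]))
            elif m not in found:                  # leaf account: first path wins
                found[m] = path + [m]
    return found

def audit_privileged_group(group, groups, users, stale_days=90, max_pwd_age_days=365):
    """[(user, [issues])] sorted by user, one entry per effective member.
    An empty issue list means the membership is direct and the account is healthy."""
    findings = []
    for user, path in effective_members(group, groups).items():
        u = users[user]
        issues = []
        if len(path) > 2:                          # reached through at least one nested group
            issues.append("nested:" + " > ".join(path))
        if u["spns"]:                              # privileged and Kerberoastable at once
            issues.append("service-account-with-spn")
        if u["pwd_age_days"] > max_pwd_age_days:
            issues.append("password-age")
        if not u["enabled"]:                       # a leaver that was disabled but never removed
            issues.append("disabled-but-still-member")
        elif u["days_since_logon"] > stale_days:
            issues.append("stale")
        findings.append((user, issues))
    return sorted(findings)

if __name__ == "__main__":
    for user, issues in audit_privileged_group("Domain Admins", GROUPS, USERS):
        print(f"{user:12} {', '.join(issues) or 'ok'}")
```

Every finding this produces on the AD side is also a finding on the Entra side once the groups synchronise, which is the point of the paragraph above: svc-backup is a Domain Admin whether you look at it from Active Directory Users and Computers or from the Entra portal, and no cloud-layer policy changes that.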
A Practical Starting Point
If you're building a ZT roadmap for a hybrid environment, the sequence that delivers the most impact early is: enforce MFA universally, bring devices under compliance management, build Conditional Access policies around verified identity plus device compliance, and establish an IGA-driven joiner-mover-leaver process that keeps entitlements current. Those four steps close more real risk than any architectural diagram.
Zero Trust is not a product you buy or a project you complete. It is a posture you move toward — and in hybrid environments, the movement is incremental, constrained by what was built before. That's not a reason to delay. It's a reason to start with the controls that compound.