Describe your current setup in three minutes. See where it sits against the Microsoft Zero Trust framework, the real-world risks, and the concrete steps that lower risk — including students who can't use a phone.
For each group of people, pick how they sign in today and the device(s) they use — a group can have both a laptop and a mobile. Tick the devices that apply and set ownership and management separately. Leave anything that doesn't apply as it is.
Each group is scored against the Microsoft Zero Trust framework. Flip any card to turn its risk into a prioritised action plan with the maturity uplift.
Every card is derived from your Step 1 choices using a fixed, transparent rubric. The grey "Your input" line on each card echoes exactly what you selected, so you can trace each result back to its inputs.
Identity strength (from "Sign-in today"): Password only = 0 · SMS/voice = 1 · Authenticator app = 2 · Passwordless/security key = 3.
Device posture (from each device's management): Unmanaged = 0 · MAM only = 1 · Managed = 2. When a group has several devices, the weakest one sets the posture (assume breach).
Maturity stage: Optimal needs identity 3 and device 2 · Advanced needs identity ≥2 and device ≥1 · otherwise Traditional.
Risk level: Admins are High until they reach Optimal. For everyone else, Password or SMS = High, Optimal = Low, anything in between = Medium.
The "fix" side targets the highest stage your device situation can support, and each step is tagged with the maturity jump it delivers. Device type (laptop vs mobile) doesn't change the score, but it tailors the recommended method (Windows Hello / FIDO2 keys for laptops; passkeys in Authenticator for mobiles) and the management model (MDM vs MAM).
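The rubric above, written out as a small scorer so the card results can be reproduced or checked outside the tool. This is an added example, not the tool's own code; the key names (`"password"`, `"mam"`, etc.), the treatment of a group with no recorded devices as unmanaged, and the Low rating for admins who reach Optimal are assumptions not stated on the page.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Scores copied from the page's rubric (identity strength and device posture).
IDENTITY_SCORE = {"password": 0, "sms": 1, "authenticator": 2, "passwordless": 3}
POSTURE_SCORE = {"unmanaged": 0, "mam": 1, "managed": 2}


@dataclass
class Group:
    name: str
    sign_in: str          # one of IDENTITY_SCORE's keys (assumed spelling)
    devices: List[str]    # management state of each device, keys of POSTURE_SCORE
    is_admin: bool = False


def identity_strength(group: Group) -> int:
    if group.sign_in not in IDENTITY_SCORE:
        raise ValueError(f"unknown sign-in method: {group.sign_in!r}")
    return IDENTITY_SCORE[group.sign_in]


def device_posture(group: Group) -> int:
    # "Assume breach": the weakest device sets the posture. A group with no
    # devices recorded is treated as unmanaged (assumption, not on the page).
    if not group.devices:
        return 0
    return min(POSTURE_SCORE[d] for d in group.devices)


def maturity_stage(identity: int, posture: int) -> str:
    if identity == 3 and posture == 2:
        return "Optimal"
    if identity >= 2 and posture >= 1:
        return "Advanced"
    return "Traditional"


def risk_level(group: Group, identity: int, stage: str) -> str:
    if group.is_admin:
        # Admins stay High until Optimal; rating them Low there is an assumption.
        return "Low" if stage == "Optimal" else "High"
    if identity <= 1:  # password only or SMS/voice
        return "High"
    return "Low" if stage == "Optimal" else "Medium"


def assess(group: Group) -> Tuple[str, str]:
    identity = identity_strength(group)
    posture = device_posture(group)
    stage = maturity_stage(identity, posture)
    return stage, risk_level(group, identity, stage)
```

Note that a single unmanaged personal phone drags an otherwise Optimal admin group back to Traditional and High, which is exactly the "weakest device sets the posture" rule at work.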
Set these once at the tenant level. They underpin every group above and are the highest-leverage controls in a Zero Trust rollout.
Closes old protocols that bypass MFA entirely. Do this first — it protects every account.
Identity Protection reacts to risky sign-ins and users automatically (step-up or block).
Binds sign-in tokens to the device so stolen tokens can't be replayed elsewhere.
Revokes access in near real time when risk or conditions change — not just at next sign-in.
Cuts helpdesk load and supports smooth passwordless onboarding.
Enable TAP/FIDO2 for students, keep Authenticator for staff, exclude SMS where it isn't wanted.
Use compensating controls: require a compliant/managed device and/or restrict sign-in to the school network (a named location). A weaker control than phishing-resistant sign-in — treat it as temporary, and see the Passwordless for Students guidance.