Boosting our Security First Initiative at Microsoft with a transformed approach to wired network security


If you asked Sean Adams, Justin Griffin, Sajith Balan, or Shyam Sunder Gogi to provide a one-word answer that describes their current focus, you’d get the same answer:
“Security.”
Adams, Griffin, Balan, and Gogi are all part of a team in Microsoft Digital, our internal IT organization, that’s implementing internet-first, policy-based security for every single wired network device here at Microsoft.
This immense effort spans our global network and ensures that every device connecting to our network—regardless of how or where—is identified, attested, authenticated, and placed on the proper network first.
“Our default network posture for any device that connects is internet-first,” Adams says. “The majority of tools Microsoft employees use are cloud-based and internet-friendly in our modern workplace, so it only makes sense. The concept of a corporate network where we inherently trust physically connected devices is long-gone—and good riddance.”
It’s one example of how we’re demonstrating our organization-wide commitment to security.
In May 2024, CEO Satya Nadella committed that we would prioritize security above all else here at Microsoft. At the center of that commitment is our Microsoft Secure Future Initiative (SFI), which brings together every part of the company to advance cybersecurity protection across new products and our legacy infrastructure.
The SFI provides Microsoft with an overarching set of principles and pillars that we’re building upon with everything we do, from the broadest reaches of our cloud networking infrastructure to each individual wired network port in our buildings and datacenters.
Secure Future Initiative commitment

The SFI is the single largest cybersecurity engineering project in our history, with more than 34,000 engineers committed to advancing the principles laid out in the SFI. Three principles define exactly how we’re prioritizing cybersecurity in our products and infrastructure.
- Secure by design. Security comes first when designing any product or service.
- Secure by default. Security protections are enabled and enforced by default, require no extra effort, and aren’t optional.
- Secure operations. Security controls and monitoring will be continuously improved to meet current and future cyberthreats.
These principles anchor our approach to security internally at Microsoft. We’re continuously applying what we’ve learned from incidents to improve our methods and practices, ensuring that security is paramount in everything we do, create, and provide.
Applying practical pillars
We apply these principles through our security pillars, which are to:
- Protect identities and secrets. Reduce the risk of unauthorized access by implementing and enforcing best-in-class standards across all identity and secrets infrastructure, plus user and application authentication and authorization.
- Protect tenants and isolate systems. Protect all our tenants and production environments using consistent, best-in-class security practices and strict isolation to minimize breadth of impact.
- Protect engineering systems. Protect software assets and continuously improve code security through governance of the software supply chain and engineering systems infrastructure.
- Monitor and detect cyberthreats. Provide comprehensive coverage and automatic detection of cyberthreats to our production infrastructure and services.
- Accelerate response and remediation. Prevent exploitation of vulnerabilities discovered by external and internal entities through comprehensive and timely remediation.
- Protect networks. Protect our production networks and implement network isolation of Microsoft and customer resources.
“The SFI aligns seamlessly with Zero Trust principles,” Balan says. “With Zero Trust, everything within the network is scrutinized and verified, which supports exactly how the SFI should impact our network. We started off with Zero Trust networking, which is now directly aligned with SFI. It’s about strengthening security while minimizing any employee disruption.”
Based on the principle of verified trust—to trust, you must first verify—Zero Trust eliminates the inherent trust that is assumed inside the traditional corporate network. Zero Trust architecture reduces risk across all environments by establishing strong identity verification, validating device compliance prior to granting access, and ensuring least privilege access to only explicitly authorized resources.
Zero Trust requires that every transaction between systems (user identity, device, network, and applications) be validated and proven trustworthy before the transaction can occur. In an ideal Zero Trust environment, the following behaviors are required:
- Identities are validated and secure with multifactor authentication (MFA) everywhere. Using multifactor authentication eliminates password expirations and eventually will eliminate passwords.
- Devices are managed and validated as healthy. Device health validation is required. All device types and operating systems must meet a required minimum health state as a condition of access to any Microsoft resource.
- Telemetry is pervasive. Pervasive data and telemetry are used to understand the current security state, identify gaps in coverage, validate the impact of new controls, and correlate data across all applications and services in the environment.
- Least privilege access is enforced. Limit access to only the applications, services, and infrastructure required to perform the job function.
Our wired network connectivity policy is rooted in the SFI and Zero Trust. The security posture that this policy creates for every wired network device at Microsoft is critical to applying the principles of SFI and Zero Trust.
“Our wired network security puts physically connected devices in almost the exact same position as wireless devices,” Griffin says. “With Zero Trust, being physically connected means nothing, as far as security goes. Every device, every connection, every resource request is authenticated, authorized, and monitored, from end to end.”
Using the internet as the default network for devices is at the core of Microsoft’s wired network security. Unless the need is critical—and authorized—every device that connects to our network is routed to the internet, by default.
Griffin and the team have been working consistently for the past five years to implement comprehensive wired network security. The policy engines, networking hardware, and supporting technology for wired network security enforcement require time, effort, and—in many cases—physical presence to implement the solution properly.
The scope and impact are massive.
“This is probably the single largest network change our enterprise has ever seen,” Adams says.
With more than 700 buildings, 4,000 network switches, and almost 300,000 wired network devices, getting a device onto the appropriate network segment happens multiple times every second across our network.
The network segmentation strategy for wired network security is a critical component of the overall security framework. This strategy involves several key practices and principles to ensure robust security and efficient network management.
We use macro-segmentation to create distinct segments within the corporate network. This approach restricts access to only the necessary systems within each segment, thereby reducing the risk of unauthorized access and lateral movement within the network.
Micro-segmentation is applied to further isolate network resources. Least-privilege access policies ensure that users and devices have only the minimum level of access required for their roles. This principle extends to both on-premises environments and cloud resources, including infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) resources.
Our layered defense approach includes using monitoring tools, access control lists (ACLs), network security groups, network address translation (NAT) gateways, and bastions to secure the network environment. These measures help to detect and prevent malicious activities, ensuring that the network remains secure even in the face of potential threats.
Using iteration and consistency in implementation
Implementation of our wired network security used a phased approach, and it began more than five years ago.
During the COVID-19 pandemic, significant testing was conducted to ensure that the supporting network infrastructure could continue to function independently and support all devices and networks without interruption even when connectivity issues arose. The team created robust policies that allowed for seamless re-authentication and re-attestation after connectivity was restored.
In those initial phases, confirming configuration and monitoring results was important, so the team started small and learned from their progress.
“Using a phased approach isn’t new at Microsoft,” Gogi says. “However, our success in rolling out wired port security depended directly on how we planned and structured our phases or, more accurately, rings.”
The ring-based approach was designed to minimize disruptions and ensure that security measures were robust and reliable. Changes gradually rolled out in stages, starting with smaller, controlled environments before being expanded to the entire network. This approach allowed for continuous monitoring and adjustments, ensuring that any issues could be addressed promptly without affecting the entire network.
Adams highlights the importance of the iterative approach.
“At our scale, we had to be efficient and accurate,” he says. “Downtime was out of the question, and we certainly didn’t want gaps in service availability or applied security measures.”
Automation played a crucial role in the implementation process. Automated tools were developed to standardize configurations across all network switches, ensuring a consistent and predictable user experience. Standardizing through automation helped maintain adequate security measures while also making the deployment process more efficient.
Automating user-initiated device onboarding
Our GetConnected portal is an essential tool for securely connecting devices to our corporate network. The GetConnected portal, hosted on our internal corporate intranet site, ensures that all devices meet necessary security standards to protect employees, customers, and data.
The portal provides a centralized location for all network access needs, allowing our employees to:
- Register managed or personal devices to specific Microsoft networks
- Delete devices from Microsoft networks
- Move devices between different Microsoft networks
- Manage changes to both managed and personal devices
When connecting a managed device to the wired network in one of our buildings, devices are placed into an internet-connected segment with enterprise-quality connection and bandwidth. To access tools or services on the corporate network, devices must be registered at the GetConnected portal. The portal uses Microsoft Entra ID’s Conditional Access capabilities to enforce user access based on device groupings and user profiles, connecting the user-directed registration process to our cloud-based identity management systems.
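The placement flow described above (internet by default, corporate access only after registration and policy checks) as an added example, not Microsoft's own code: a small policy decision for one wired port that reaches the corporate segment only when every signal passes, and that falls back to the internet segment and demands fresh re-authentication and re-attestation after a link loss. The names `Segment`, `DeviceContext`, `decide_segment` and `PortSession` are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

class Segment(Enum):
    INTERNET = "internet"  # default placement for anything that plugs in
    CORP = "corp"          # only for devices that pass every check below

@dataclass(frozen=True)
class DeviceContext:  # signals gathered when a device appears on a port (assumed names)
    identity: Optional[str]    # authenticated device identity, None if absent
    attested: bool             # device attestation succeeded
    registered_for_corp: bool  # registered to a corporate network in the portal
    healthy: bool              # meets the required minimum health state
    user_authorized: bool      # access policy allowed this user on this network

@dataclass(frozen=True)
class Decision:
    segment: Segment
    reasons: Tuple[str, ...]

def decide_segment(ctx: DeviceContext) -> Decision:
    """Internet-first: every signal must be present and positive to reach
    CORP; any missing or failed signal keeps the device on INTERNET."""
    checks = (
        (bool(ctx.identity), "no authenticated device identity"),
        (ctx.attested, "attestation failed or absent"),
        (ctx.registered_for_corp, "not registered for a corporate network"),
        (ctx.healthy, "device health below required minimum"),
        (ctx.user_authorized, "user not authorized by access policy"),
    )
    failures = tuple(msg for ok, msg in checks if not ok)
    if failures:
        return Decision(Segment.INTERNET, failures)
    return Decision(Segment.CORP, ("all checks passed",))

class PortSession:
    """One switch port: placement falls back to INTERNET when the link drops
    and is re-established only from a fresh, complete set of signals."""
    def __init__(self) -> None:
        self.segment = Segment.INTERNET
        self.reasons: Tuple[str, ...] = ("no device connected",)
    def link_up(self, ctx: DeviceContext) -> Decision:
        decision = decide_segment(ctx)  # prior placement is never reused
        self.segment, self.reasons = decision.segment, decision.reasons
        return decision
    def link_down(self) -> None:
        self.segment = Segment.INTERNET
        self.reasons = ("link lost; re-authentication and re-attestation required",)
```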
Getting your wired network security right
Five years of network implementation comes with some lessons.
“We’ve learned a lot,” Adams says. “There are some best practices that can make implementation much more efficient and simplify the transition to a secure, internet-first posture.”
These practices were instrumental not only in achieving the desired security outcomes but also in ensuring the seamless operation of the entire network infrastructure throughout implementation. Here are some key strategies and methodologies that proved to be critical in the successful deployment of wired network security at Microsoft:
Plan for global reach. Wired network security efforts must span across the entire infrastructure, encompassing data centers, offices, and remote locations. This ensures that all network segments, regardless of their geographical location, adhere to the same high standards of security.
Comprehensive asset management. Our teams have identified, inventoried, and attributed accountability for more than 99.3% of our physical assets. This foundational step is crucial for implementing effective network security measures.
“This is a critical component,” Balan says. “Device accountability is a first line of defense. Knowing who owns every device on the network ensures faster security response, targeted containment, and accountability. When incidents strike, attribution means quicker resolution and stronger protection.”
Service tagging and traffic identification. Service tagging for new IP address allocations helps to enable precise traffic identification across the network. This capability helps detect malicious activity and simplifies the management of ACLs for both infrastructure and services.
Harden network devices. We’ve put significant effort into hardening network devices and improving lifecycle management policies. This includes developing scalable and automated methods for secret rotation, making secrets unique per device, and implementing unique per-device authentication and one-time passwords for service accounts.
Use microsegmentation and access controls. Implementing microsegmentation ACLs further secures the management of the network. This approach limits access to a known scope of trusted production-ready locked-down machines, significantly reducing the impact of exposed secrets.
Embrace Zero Trust principles. Our entire network security strategy is aligned with Zero Trust principles, ensuring that every access request is thoroughly authenticated and authorized. This involves migrating resources to internet-facing environments and implementing strict access controls.
Scale efficiently with automation and standardization. Automation plays a critical role in maintaining a consistent and predictable user experience across all network switches. Standardizing configurations ensures that the network behaves uniformly at every site, facilitating efficient management and security.
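The service tagging and microsegmentation practices above, as an added example that is not Microsoft's own tooling: a constructed allocation registry maps each issued prefix to its service tag, flow records are labelled by tag so traffic to untagged address space stands out, and a management-scope ACL is written by tag (trusted locked-down machines to the management prefix only) and expanded to addresses. The registry contents, the `src dst dport` flow format and the ACL syntax are assumptions for illustration.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed allocation registry: every issued prefix carries its service tag.
ALLOCATIONS: Dict[str, str] = {
    "10.10.0.0/24": "svc-print",
    "10.20.0.0/24": "svc-build",
    "10.20.0.0/28": "svc-build-admin",   # nested, more specific allocation
    "10.30.0.0/24": "net-mgmt",          # switch management addresses
    "10.40.0.0/24": "locked-admin",      # trusted, locked-down admin machines
}
NETWORKS = [(ipaddress.ip_network(p), t) for p, t in ALLOCATIONS.items()]

def tag_for(ip: str) -> Optional[str]:
    """Longest-prefix match of an address to its service tag; None if untagged."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, tag in NETWORKS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, tag)
    return best[1] if best else None

def classify_flows(lines: List[str]) -> List[dict]:
    """Label 'src dst dport' flow records by service tag on each side and
    flag any flow that touches address space outside the tagged allocations."""
    records = []
    for line in lines:
        src, dst, dport = line.split()
        src_tag, dst_tag = tag_for(src), tag_for(dst)
        records.append({"src": src_tag, "dst": dst_tag, "dport": int(dport),
                        "untagged": src_tag is None or dst_tag is None})
    return records

def management_acl(mgmt_tag: str, trusted_tag: str, port: int) -> List[str]:
    """Microsegmentation ACL for a management scope, written by tag and
    expanded to prefixes: only the trusted tag reaches the management tag
    on the given TCP port, and everything else to that scope is denied."""
    mgmt = [p for p, t in ALLOCATIONS.items() if t == mgmt_tag]
    trusted = [p for p, t in ALLOCATIONS.items() if t == trusted_tag]
    rules = [f"permit tcp {s} {m} eq {port}" for s in trusted for m in mgmt]
    rules += [f"deny ip any {m}" for m in mgmt]
    return rules
```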
Looking forward
Our future efforts in wired network security will continue to evolve, focusing on supporting Zero Trust principles and the Secure Future Initiative (SFI), enhancing security, improving user experience, and ensuring the resilience of our network infrastructure as we go.
We’re continuously improving the employee experience, building on the success of the GetConnected portal. We want to maintain a balance between security and employee experience as we improve the security posture of our network, ensuring that security measures don’t hinder productivity.
The team is excited about the future of wired network security and the SFI at Microsoft.
“This is a significant advancement in our security posture and demonstrates our commitment to protecting our assets against unauthorized access,” Balan says. “Our internet-first posture and alignment with Zero Trust principles ensure that we’ll continuously examine and iterate our network environment to improve our security posture and remain prepared for the future.”

Consider the following best practices when planning to implement wired network security:
- Plan for global reach by ensuring that your network security efforts span across all locations, including data centers, offices, and remote sites.
- Conduct comprehensive asset management by identifying, inventorying, and attributing accountability for physical assets to implement effective security measures.
- Use service tagging for new IP address allocations to enable precise traffic identification and simplify the management of ACLs.
- Harden your network devices by developing scalable and automated methods for secret rotation, unique per-device authentication, and one-time passwords for service accounts.
- Implement microsegmentation and access controls to limit access to trusted, production-ready, locked-down machines, thereby reducing the impact of exposed secrets.
- Embrace Zero Trust principles by thoroughly authenticating and authorizing every access request and migrating resources to internet-facing environments with strict access controls.
- Scale efficiently with automation and standardization to maintain a consistent and predictable user experience across all network switches and ensure uniform behavior at every site.
