The Microsoft Cybersecurity Reference Architectures (MCRA) are technical architectures to enable you to adopt end-to-end security using Zero Trust principles. MCRA describes end-to-end security for the ‘hybrid of everything’ technology estate spanning legacy IT, multicloud, Internet of Things (IoT), Operational Technology (OT), Artificial Intelligence (AI), and more.
These reference architectures accelerate planning and execution of security modernization using open standards, Microsoft’s cybersecurity capabilities and technologies, and third-party security technology. MCRA is a component of Microsoft's Security Adoption Framework (SAF) that describes a complete security modernization approach to help security teams modernize their strategy, governance, technical architecture, and operations using Zero Trust principles.
Download the updated April 2025 version of the MCRA
Recent updates
These are the key changes since the previous release (December 2023 version):
- Updated main capabilities diagram to add Microsoft Security Exposure Management, Windows LAPS, passkeys, and Microsoft Entra Verified ID as well as to show Microsoft Security Copilot as a broad capability.
- Removed Microsoft Entra Permission Management (Deprecated capability)
- Clarified representations of Microsoft Security Copilot to show broader capabilities beyond Security Operations
- Added Microsoft Entra ID Governance to Adaptive Access diagram
- Updated several slides in introduction sequence and added new “Security must be integrated everywhere” slide.
- Updated slides in Artificial Intelligence (AI) section
- Added ‘Standards Mapping’ section and included proposed drafts of Zero Trust Reference Model standard from The Open Group (and Microsoft product mapping to them)
- Added roles list from The Open Group to people section
- Added Prioritization slide to the Threats section from upcoming draft Security Matrix standard from The Open Group
- Replaced several references of Secure Score with Exposure Management
- Updated threat intelligence daily signals to 78+ Trillion and updated links/resources on various slides.
- Updated closing slides to show the full security modernization journey and associated Microsoft Unified engagements
MCRA summary
The MCRA helps you understand how Microsoft capabilities work together to help you achieve your end-to-end security goals. The MCRA includes:
- Antipatterns (common mistakes) and best practices
- Threat trends, attack patterns, and the importance of an end-to-end security approach and ruthlessly prioritizing security work
- Guidance for successfully adopting an end-to-end security approach using Zero Trust principles
- Mapping Microsoft capabilities to Zero Trust standards and organizational roles
- Detailed diagrams for:
  - Microsoft cybersecurity capabilities
  - Zero Trust user access
  - Security operations (SecOps/SOC)
  - Operational technology (OT)
  - Multicloud and cross-platform capabilities
  - Attack chain coverage
  - Infrastructure and development security
  - Security organizational functions
  - ...and more
How to use the MCRA
The MCRA is typically used for several purposes, including:
- Starting template for a security architecture - The most common use case we see is that organizations use the document to help define a target state for cybersecurity capabilities. Organizations find this architecture useful because it covers capabilities across the modern enterprise estate that now spans on-premises, mobile devices, multiple clouds, and IoT / Operational Technology.
- Comparison reference for security capabilities - Some organizations use this resource to compare Microsoft's recommendations with what they already own and have implemented. Many organizations find that they already own quite a bit of this technology and weren't aware of it.
- Learn about Microsoft capabilities - We also see this resource used as a learning tool. In presentation mode, each capability has a "ScreenTip" with a short description of that capability and a link to documentation to learn more.
- Learn about Microsoft's integration investments - The architecture helps architects and technical teams identify how to take advantage of integration points within Microsoft capabilities and with existing security capabilities.
- Learn about Cybersecurity - Some folks, particularly people new to cybersecurity, use this resource as a learning tool as they prepare for their first career or a career change.