As enterprises migrate workloads to cloud environments, enforcing comprehensive security across multi-tenant architectures is increasingly complex, with challenges that traditional perimeter-based defenses cannot handle effectively. This article proposes a complete zero-trust security architecture specifically designed for multi-tenant Software-as-a-Service systems built on ASP.NET Core microservices, OAuth 2.0 identity frameworks, and Kubernetes orchestration platforms. Traditional implicit trust assumptions are removed by continuously verifying users and devices and application programming interfaces via a sophisticated dynamic trust-scoring engine that assesses contextual parameters such as IP address reputation, session entropy characteristics, behavioral analytics patterns, device posture attributes, and real-time threat intelligence feeds. A metadata-driven security policy engine integrates seamlessly with Kubernetes-based service mesh technologies that allow fine-grained microsegmentation and adaptive access control responding dynamically to changing risk profiles. The proposed architecture was rigorously evaluated across three distinct enterprise-grade workloads: customer relationship management systems, e-commerce platforms, and healthcare data management applications. It demonstrated substantial improvement in security effectiveness through significant reductions in unauthorized access attempts and a mean time to detection of security incidents when compared to traditional perimeter-based models and semi-modern security implementations. This framework enhances real-time visibility into security events, aligns compliance more easily with regulatory requirements, and accomplishes meaningful attack surface reduction through comprehensive defense-in-depth strategies. This article further advances the practical adoption of zero-trust principles by introducing a scalable metadata-driven architectural approach that maintains compatibility with modern continuous integration and continuous deployment pipelines and DevSecOps automation practices, thus letting organizations realize robust security controls without sacrificing development velocity or operational agility.