L2

Enhanced Security

Security-conscious teams ready for just-in-time access.

Adds time-limited admin access and advanced threat detection. Admins activate permissions only when needed, reducing your attack window.

Moderate operational impact, significantly improved security

46
Controls
13
Critical
20
Auto-Fix
20
New at L2

What's Included

  • Everything in Level 1
  • PIM required for privileged roles
  • Phishing-resistant MFA for admins
  • Device compliance requirements
  • Automated stale account disabling

Not Included

  • Phishing-resistant MFA for all users
  • Hardware key requirements
  • Full just-in-time access model

Framework Alignment

CIS Microsoft Entra ID Foundations Benchmark (Level 2)Microsoft Zero TrustNIST 800-63B

Controls (46)

Identity & Authentication4

ID-01User MFA Registration
Critical
ID-02Block Legacy Authentication
High
ID-03Enable Self-Service Password Reset
Medium
ID-05Configure Smart Lockout Protection
High

Privileged Access6

PA-01Limit Global Administrators to 2-4
Critical
PA-02Use Dedicated Admin Accounts
High
PA-03Configure Emergency Access Accounts
Critical
PA-01-L2Eliminate Permanent Global Administrators
Critical
PA-04Require PIM for All Privileged Roles
Critical
PA-05Require Phishing-Resistant MFA for Admins
Critical

Conditional Access10

CA-01Require MFA via Conditional Access Policy
Critical
CA-02Require MFA for All Administrators
Critical
CA-08Block Access from High-Risk Countries
Medium
CA-11Enforce Session Lifetime Limits for Guests and Admins
Medium
DV-01Require Compliant Devices for Admin Access
High
CA-03Block or Require MFA for Risky Sign-Ins
High
CA-04Remediate High-Risk Users Automatically
High
CA-10Enable Token Protection
High
DV-02Require Compliant Devices for Global Admins
Critical
CA-05Require App Protection for Mobile Access
High

Workload Identity & Applications9

APP-01Application Ownership for Apps with Credentials
Low
APP-02Enforce Application Credential Expiration
Critical
APP-05Service Principal Credential Hygiene
Critical
APP-08Restrict User Application Consent
High
APP-09Enforce Certificate Credentials for Applications
Medium
APP-03Internal App Registration Permissions
High
APP-04Enable Admin Consent Workflow
Medium
APP-06Third-Party Enterprise App Permissions
High
APP-07Identify Unused Service Principals
Medium

Guest & External Access6

EXT-01Restrict Guest Invitation Permissions
High
EXT-02Require MFA for Guest Users
Medium
EXT-06External Sharing Visibility
Medium
EXT-07Detect External Mail Forwarding
Critical
EXT-04Configure Guest Access Expiration
Medium
EXT-08Audit Mailbox Delegation
Medium

Governance & Hygiene5

GOV-01Review Stale User Accounts
Medium
GOV-05Maintain Group Naming Conventions
Low
GOV-07Audit Privileged Role Assignments
High
GOV-02Automatically Disable Stale Accounts
Medium
GOV-03Conduct Quarterly Privileged Access Reviews
High

Logging & Visibility4

LOG-01Enable Unified Audit Logging
High
LOG-04Configure Privileged Operation Alerts
Critical
LOG-02Export Logs to Long-Term Storage
Medium
LOG-05Admin Activity Anomaly Detection
High

Data Protection1

DLP-01Enable Sensitive Data Classification
High

License Management1

LIC-01License Utilization Visibility
Low

Ready to implement this baseline?

TrueConfig scans your Microsoft 365 tenant and shows which controls need attention.