L3

Maximum Security

Regulated industries, government, or high-risk targets.

Hardware-backed authentication, real-time threat containment, and continuous monitoring. Designed for zero-tolerance security requirements.

Higher operational overhead, maximum security posture

55
Controls
18
Critical
23
Auto-Fix
9
New at L3

What's Included

  • Everything in Level 2
  • Phishing-resistant MFA for all users
  • Hardware security key requirements for admins
  • Full just-in-time access for all privileged roles
  • Continuous access evaluation
  • Real-time threat response

Framework Alignment

CIS Microsoft Entra ID Foundations Benchmark (All)NIST 800-53FedRAMP HighISO 27001

Controls (55)

Identity & Authentication5

ID-01User MFA Registration
Critical
ID-02Block Legacy Authentication
High
ID-03Enable Self-Service Password Reset
Medium
ID-05Configure Smart Lockout Protection
High
ID-04Require Phishing-Resistant MFA for All Users
Critical

Privileged Access8

PA-01Limit Global Administrators to 2-4
Critical
PA-02Use Dedicated Admin Accounts
High
PA-03Configure Emergency Access Accounts
Critical
PA-01-L2Eliminate Permanent Global Administrators
Critical
PA-04Require PIM for All Privileged Roles
Critical
PA-05Require Phishing-Resistant MFA for Admins
Critical
PA-06Require FIDO2 Security Keys for Administrators
Critical
PA-07Enable Continuous Access Evaluation
Critical

Conditional Access12

CA-01Require MFA via Conditional Access Policy
Critical
CA-02Require MFA for All Administrators
Critical
CA-08Block Access from High-Risk Countries
Medium
CA-11Enforce Session Lifetime Limits for Guests and Admins
Medium
DV-01Require Compliant Devices for Admin Access
High
CA-03Block or Require MFA for Risky Sign-Ins
High
CA-04Remediate High-Risk Users Automatically
High
CA-10Enable Token Protection
High
DV-02Require Compliant Devices for Global Admins
Critical
CA-05Require App Protection for Mobile Access
High
CA-09Zero Trust Network Access
Critical
CA-06Restrict Admin Access to Privileged Access Workstations
High

Workload Identity & Applications9

APP-01Application Ownership for Apps with Credentials
Low
APP-02Enforce Application Credential Expiration
Critical
APP-05Service Principal Credential Hygiene
Critical
APP-08Restrict User Application Consent
High
APP-09Enforce Certificate Credentials for Applications
Medium
APP-03Internal App Registration Permissions
High
APP-04Enable Admin Consent Workflow
Medium
APP-06Third-Party Enterprise App Permissions
High
APP-07Identify Unused Service Principals
Medium

Guest & External Access7

EXT-01Restrict Guest Invitation Permissions
High
EXT-02Require MFA for Guest Users
Medium
EXT-06External Sharing Visibility
Medium
EXT-07Detect External Mail Forwarding
Critical
EXT-04Configure Guest Access Expiration
Medium
EXT-08Audit Mailbox Delegation
Medium
EXT-03Restrict Guest Access to Allowlisted Domains
High

Governance & Hygiene6

GOV-01Review Stale User Accounts
Medium
GOV-05Maintain Group Naming Conventions
Low
GOV-07Audit Privileged Role Assignments
High
GOV-02Automatically Disable Stale Accounts
Medium
GOV-03Conduct Quarterly Privileged Access Reviews
High
GOV-04Automate Threat Response with SOAR
High

Logging & Visibility5

LOG-01Enable Unified Audit Logging
High
LOG-04Configure Privileged Operation Alerts
Critical
LOG-02Export Logs to Long-Term Storage
Medium
LOG-05Admin Activity Anomaly Detection
High
LOG-03Stream All Security Events to SIEM in Real-Time
High

Data Protection2

DLP-01Enable Sensitive Data Classification
High
DLP-02Block Bulk Data Exfiltration
Critical

License Management1

LIC-01License Utilization Visibility
Low

Ready to implement this baseline?

TrueConfig scans your Microsoft 365 tenant and shows which controls need attention.