L1

Recommended Secure

Most organizations. Ideal starting point.

Protects against common attacks without disrupting daily work. Blocks credential theft, legacy vulnerabilities, and unauthorized access.

Low operational risk, high security return

26
Controls
9
Critical
9
Auto-Fix
26
New at L1

What's Included

  • Stops common identity attacks
  • Aligns with CIS and Microsoft defaults
  • Avoids lockouts
  • Builds trust in TrueConfig recommendations

Not Included

  • Phishing-resistant MFA for all users
  • Strict PIM-only privilege model
  • Device compliance for admins
  • Automated role or permission removal

Framework Alignment

CIS Microsoft Entra ID Foundations BenchmarkMicrosoft Secure DefaultsMicrosoft Zero Trust Identity Pillar

Controls (26)

Identity & Authentication4

ID-01User MFA Registration
Critical
ID-02Block Legacy Authentication
High
ID-03Enable Self-Service Password Reset
Medium
ID-05Configure Smart Lockout Protection
High

Privileged Access3

PA-01Limit Global Administrators to 2-4
Critical
PA-02Use Dedicated Admin Accounts
High
PA-03Configure Emergency Access Accounts
Critical

Conditional Access4

CA-01Require MFA via Conditional Access Policy
Critical
CA-02Require MFA for All Administrators
Critical
CA-08Block Access from High-Risk Countries
Medium
CA-11Enforce Session Lifetime Limits for Guests and Admins
Medium

Workload Identity & Applications5

APP-01Application Ownership for Apps with Credentials
Low
APP-02Enforce Application Credential Expiration
Critical
APP-05Service Principal Credential Hygiene
Critical
APP-08Restrict User Application Consent
High
APP-09Enforce Certificate Credentials for Applications
Medium

Guest & External Access4

EXT-01Restrict Guest Invitation Permissions
High
EXT-02Require MFA for Guest Users
Medium
EXT-06External Sharing Visibility
Medium
EXT-07Detect External Mail Forwarding
Critical

Governance & Hygiene3

GOV-01Review Stale User Accounts
Medium
GOV-05Maintain Group Naming Conventions
Low
GOV-07Audit Privileged Role Assignments
High

Logging & Visibility2

LOG-01Enable Unified Audit Logging
High
LOG-04Configure Privileged Operation Alerts
Critical

License Management1

LIC-01License Utilization Visibility
Low

Ready to implement this baseline?

TrueConfig scans your Microsoft 365 tenant and shows which controls need attention.