
Control Reference

Complete catalog of all 55 DSC (Desired State Configuration) controls available in TrueConfig. Controls are organized by baseline level and category, with mappings to industry compliance frameworks.

Compliance Framework Alignment

TrueConfig controls are mapped to industry-standard security frameworks to help you meet compliance requirements:

CIS Benchmarks

CIS Microsoft 365 Foundations Benchmark and CIS Microsoft Entra ID Benchmark controls.

NIST 800-53

NIST Special Publication 800-53 security and privacy controls for federal information systems.

ISO 27001

ISO/IEC 27001 information security management controls (Annex A) for select high-impact controls.
Control counts by baseline level:

  • 26 Level 1 controls (Recommended Secure)
  • 19 Level 2 controls (Enhanced Security)
  • 10 Level 3 controls (Maximum Security)

Control Categories

Controls are organized into the following categories based on their security domain:

  • Identity & Authentication: user authentication and identity protection controls
  • Privileged Access: administrative role and privilege management
  • Conditional Access: access policies and conditional requirements
  • Workload Identity & Applications: application registrations and service principals
  • Guest & External Access: guest users and external collaboration
  • Governance & Hygiene: account lifecycle and hygiene practices
  • Logging & Visibility: audit logs and monitoring capabilities
  • Data Protection: data loss prevention and information protection
  • License Management: license utilization and cost optimization

Level 1: Recommended Secure (26 controls)

Foundational security controls that every organization should implement. These controls establish basic security hygiene and prevent common attack vectors.

Identity & Authentication

ID | Title | Severity | Frameworks | License
ID-01 | User MFA Registration | critical | CIS 6.1.1, CIS 6.1.2, IA-2, IA-2(1) | None
ID-02 | Block Legacy Authentication | high | CIS 6.1.3, IA-2(6), AC-17(2) | None
ID-03 | Enable Self-Service Password Reset | medium | CIS 5.1.2, IA-5(1), IA-6 | None
ID-05 | Configure Smart Lockout Protection | high | CIS 5.2.1, CIS 5.2.2, AC-7, IA-5(1) | None

Privileged Access

ID | Title | Severity | Frameworks | License
PA-01 | Limit Global Administrators to 2-4 | critical | CIS 5.1.1, CIS 5.1.2, AC-6(5), AC-2(7) | None
PA-02 | Use Dedicated Admin Accounts | high | CIS 5.1.3, AC-6(2), AC-5 | None
PA-03 | Configure Emergency Access Accounts | critical | CIS 5.1.4, AC-2(2), CP-2 | None

Conditional Access

ID | Title | Severity | Frameworks | License
CA-01 | Require MFA via Conditional Access Policy | critical | CIS 6.1.1, IA-2(1), IA-2(2) | P1
CA-02 | Require MFA for All Administrators | critical | CIS 6.1.2, AC-6(5), IA-2(1) | P1
CA-08 | Block Access from High-Risk Countries | medium | CIS 6.1.6, AC-4, SC-7 | P1
CA-11 | Enforce Session Lifetime Limits for Guests and Admins | medium | CIS 6.2.4, AC-12, SC-10 | P1

Workload Identity & Applications

ID | Title | Severity | Frameworks | License
APP-01 | Application Ownership for Apps with Credentials | low | CIS 7.1.1, CM-8, PM-5 | None
APP-02 | Enforce Application Credential Expiration | critical | CIS 7.1.2, IA-5(1), SC-12 | None
APP-05 | Service Principal Credential Hygiene | critical | CIS 7.1.3, IA-5(1), SC-12 | None
APP-08 | Restrict User Application Consent | high | CIS 7.2.4, AC-6(10), CM-5 | None
APP-09 | Enforce Certificate Credentials for Applications | medium | - | None

Guest & External Access

ID | Title | Severity | Frameworks | License
EXT-01 | Restrict Guest Invitation Permissions | high | CIS 8.1.1, AC-4, AC-17 | None
EXT-02 | Require MFA for Guest Users | medium | CIS 8.1.2, IA-2(1), AC-17 | None
EXT-06 | External Sharing Visibility | medium | CIS 8.2.2, AU-12, AC-4 | None
EXT-07 | Detect External Mail Forwarding | critical | CIS 8.2.3, AU-12, SI-4 | None

Governance & Hygiene

ID | Title | Severity | Frameworks | License
GOV-01 | Review Stale User Accounts | medium | CIS 5.3.1, AC-2(3), PS-4 | None
GOV-05 | Maintain Group Naming Conventions | low | CIS 5.3.5, CM-2, CM-8 | None
GOV-07 | Audit Privileged Role Assignments | high | CIS 5.3.6, AC-2, AU-6 | None

Logging & Visibility

ID | Title | Severity | Frameworks | License
LOG-01 | Enable Unified Audit Logging | high | CIS 9.1.1, AU-2, AU-3 | None
LOG-04 | Configure Privileged Operation Alerts | critical | CIS 9.1.3, AU-5, IR-5 | None

License Management

ID | Title | Severity | Frameworks | License
LIC-01 | License Utilization Visibility | low | CIS 5.4.1, CM-8, CM-10 | None

Baseline Evaluation

When you select the Level 1 baseline, only these 26 controls are evaluated. Higher baseline levels include these controls plus additional controls.

Level 2: Enhanced Security (+19 controls)

Advanced security controls for organizations with higher security requirements. Includes all Level 1 controls plus:

Privileged Access

ID | Title | Severity | Frameworks | License
PA-01-L2 | Eliminate Permanent Global Administrators | critical | CIS 5.1.1, CIS 5.1.2, AC-6(5), AC-2(7) | P2
PA-04 | Require PIM for All Privileged Roles | critical | CIS 5.2.2.1, CIS 5.2.2.2, AC-2(5), AC-6(7) | P2
PA-05 | Require Phishing-Resistant MFA for Admins | critical | CIS 6.1.4, IA-2(6), IA-2(8) | P1

Conditional Access

ID | Title | Severity | Frameworks | License
DV-01 | Require Compliant Devices for Admin Access | high | CIS 6.3.1, CM-8, AC-19 | P1
CA-03 | Block or Require MFA for Risky Sign-Ins | high | CIS 6.2.1, IA-5(13), SI-4 | P2
CA-04 | Remediate High-Risk Users Automatically | high | CIS 6.2.2, IA-5(13), IR-6 | P2
CA-10 | Enable Token Protection | high | CIS 6.2.3, SC-23, SC-23(1) | P1
DV-02 | Require Compliant Devices for Global Admins | critical | CIS 6.3.2, CM-8, AC-19 | P1

Workload Identity & Applications

ID | Title | Severity | Frameworks | License
APP-03 | Internal App Registration Permissions | high | CIS 7.2.1, AC-6, CM-7 | None
APP-04 | Enable Admin Consent Workflow | medium | CIS 7.2.2, AC-6(10), CM-5 | None
APP-06 | Third-Party Enterprise App Permissions | high | CIS 7.2.3, SA-9, SA-12 | None
APP-07 | Identify Unused Service Principals | medium | CIS 7.1.4, CM-8, SI-4 | P2

Governance & Hygiene

ID | Title | Severity | Frameworks | License
GOV-02 | Automatically Disable Stale Accounts | medium | CIS 5.3.2, AC-2(3), AC-2(4) | P2
GOV-03 | Conduct Quarterly Privileged Access Reviews | high | CIS 5.3.3, AC-2(4), AC-6(7) | P2

Logging & Visibility

ID | Title | Severity | Frameworks | License
LOG-02 | Export Logs to Long-Term Storage | medium | CIS 9.1.2, AU-4, AU-11 | P1
LOG-05 | Admin Activity Anomaly Detection | high | CIS 9.2.2, AU-6, SI-4(5) | P2

Guest & External Access

ID | Title | Severity | Frameworks | License
EXT-04 | Configure Guest Access Expiration | medium | CIS 8.1.3, AC-2(3), AC-17 | P2
EXT-08 | Audit Mailbox Delegation | medium | CIS 8.2.4, AU-12, AC-3 | None

Data Protection

ID | Title | Severity | Frameworks | License
DLP-01 | Enable Sensitive Data Classification | high | CIS 10.1.1, SC-8, SC-13 | E5_COMPLIANCE

Level 3: Maximum Security (+10 controls)

Zero-trust security controls for highly regulated industries. Includes all Level 1 and Level 2 controls plus:

Identity & Authentication

ID | Title | Severity | Frameworks | License
ID-04 | Require Phishing-Resistant MFA for All Users | critical | CIS 6.1.4, IA-2(6), IA-2(8) | P1

Privileged Access

ID | Title | Severity | Frameworks | License
PA-06 | Require FIDO2 Security Keys for Administrators | critical | CIS 6.1.5, IA-2(12), IA-5(2) | P2
PA-07 | Enable Continuous Access Evaluation | critical | CIS 5.2.2.3, AC-2(12), SC-10 | P1

Conditional Access

ID | Title | Severity | Frameworks | License
CA-05 | Require App Protection for Mobile Access | high | CIS 6.3.1, AC-19, CM-7 | P1
CA-09 | Zero Trust Network Access | critical | CIS 6.3.2, AC-4, SC-7 | P2
CA-06 | Restrict Admin Access to Privileged Access Workstations | high | CIS 5.1.6, SC-7, SC-7(4) | P2

Guest & External Access

ID | Title | Severity | Frameworks | License
EXT-03 | Restrict Guest Access to Allowlisted Domains | high | CIS 8.2.1, AC-4, AC-17(1) | P1

Governance & Hygiene

ID | Title | Severity | Frameworks | License
GOV-04 | Automate Threat Response with SOAR | high | CIS 5.3.4, IR-4, IR-6 | P2

Logging & Visibility

ID | Title | Severity | Frameworks | License
LOG-03 | Stream All Security Events to SIEM in Real-Time | high | CIS 9.2.1, AU-6, SI-4 | P2

Data Protection

ID | Title | Severity | Frameworks | License
DLP-02 | Block Bulk Data Exfiltration | critical | CIS 10.1.2, SC-7, SI-4 | E5_COMPLIANCE

License Requirements

Level 2 and Level 3 controls may require specific Microsoft licenses (Entra ID P1/P2, Microsoft Intune). Verify that your organization has the required licenses before enabling these controls.

Control Evaluation

Controls are evaluated during each tenant sync. The DSC evaluation engine:

  • Fetches current configuration from Microsoft Graph API
  • Compares it against the desired state defined in the control
  • Records deviations with detailed context
  • Triggers remediation workflows if auto-remediation is enabled
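The evaluation loop described above, written out as an added example (this is illustrative code, not TrueConfig's own engine). It assumes a constructed tenant snapshot in place of a live Microsoft Graph fetch, encodes a handful of the catalog's controls (PA-01, ID-02, APP-02, PA-01-L2, CA-10) as hypothetical desired-state checks with made-up parameters, filters them by baseline level, records each deviation with its context, and only queues a remediation action when auto-remediation is enabled and a remediation exists for that control.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Constructed tenant snapshot: sample values standing in for the configuration
# the engine would fetch from Microsoft Graph. Not real tenant data.
TODAY = date(2025, 1, 15)
SAMPLE_TENANT: Dict = {
    "global_admins": [
        {"upn": "admin1@contoso.example", "permanent": True},
        {"upn": "admin2@contoso.example", "permanent": False},
        {"upn": "admin3@contoso.example", "permanent": True},
        {"upn": "admin4@contoso.example", "permanent": True},
        {"upn": "admin5@contoso.example", "permanent": True},
    ],
    "legacy_auth_blocked": True,
    "app_credentials": [
        {"app": "payroll-sync", "expires": TODAY + timedelta(days=120)},
        {"app": "legacy-connector", "expires": TODAY + timedelta(days=900)},
    ],
    "token_protection_enabled": False,
}


@dataclass
class Control:
    id: str
    title: str
    level: int        # lowest baseline level that evaluates this control
    severity: str
    check: Callable[[Dict], Tuple[bool, Dict]]  # returns (compliant, context)


@dataclass
class Deviation:
    control_id: str
    severity: str
    context: Dict
    remediation: Optional[str] = None


# Each check encodes one control's desired state. The checks and their
# thresholds are hypothetical, written for this example.
def check_pa01(t: Dict) -> Tuple[bool, Dict]:
    n = len(t["global_admins"])
    return 2 <= n <= 4, {"global_admin_count": n, "expected": "2-4"}


def check_id02(t: Dict) -> Tuple[bool, Dict]:
    return t["legacy_auth_blocked"], {"legacy_auth_blocked": t["legacy_auth_blocked"]}


def check_app02(t: Dict, max_days: int = 365) -> Tuple[bool, Dict]:
    too_long = [c["app"] for c in t["app_credentials"]
                if (c["expires"] - TODAY).days > max_days]
    return not too_long, {"credentials_over_max_lifetime": too_long, "max_days": max_days}


def check_pa01_l2(t: Dict) -> Tuple[bool, Dict]:
    permanent = [a["upn"] for a in t["global_admins"] if a["permanent"]]
    return not permanent, {"permanent_global_admins": permanent}


def check_ca10(t: Dict) -> Tuple[bool, Dict]:
    enabled = t["token_protection_enabled"]
    return enabled, {"token_protection_enabled": enabled}


CATALOG: List[Control] = [
    Control("PA-01", "Limit Global Administrators to 2-4", 1, "critical", check_pa01),
    Control("ID-02", "Block Legacy Authentication", 1, "high", check_id02),
    Control("APP-02", "Enforce Application Credential Expiration", 1, "critical", check_app02),
    Control("PA-01-L2", "Eliminate Permanent Global Administrators", 2, "critical", check_pa01_l2),
    Control("CA-10", "Enable Token Protection", 2, "high", check_ca10),
]

# Hypothetical remediation actions; controls without an entry (such as reducing
# the Global Administrator count) are left for a human to decide.
REMEDIATIONS = {
    "ID-02": "apply legacy-authentication blocking policy",
    "CA-10": "enable token protection in the admin Conditional Access policy",
}


def controls_for_baseline(level: int) -> List[Control]:
    """Level N evaluates every control at level N or below."""
    return [c for c in CATALOG if c.level <= level]


def evaluate(tenant: Dict, baseline_level: int, auto_remediate: bool = False) -> List[Deviation]:
    """Compare the snapshot against each control's desired state and record deviations."""
    deviations: List[Deviation] = []
    for control in controls_for_baseline(baseline_level):
        compliant, context = control.check(tenant)
        if compliant:
            continue
        dev = Deviation(control.id, control.severity, context)
        if auto_remediate and control.id in REMEDIATIONS:
            dev.remediation = REMEDIATIONS[control.id]  # queued, not executed here
        deviations.append(dev)
    return deviations


if __name__ == "__main__":
    for d in evaluate(SAMPLE_TENANT, baseline_level=2, auto_remediate=True):
        print(d.control_id, d.severity, d.context, d.remediation)
```

With this snapshot, a Level 1 evaluation records two deviations (five Global Administrators, one credential with a lifetime over the example's 365-day limit); raising the baseline to Level 2 adds the permanent-admin and token-protection deviations without re-checking anything else. Keeping the context dictionary on each deviation is what makes the later review step useful: the reviewer sees which accounts or credentials tripped the control, not just a pass/fail flag.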

Best Practice

Start with the Level 1 baseline for new implementations. Monitor for 2-4 weeks, review deviations, then progressively adopt Level 2 and Level 3 controls as your security maturity increases.