Welcome to TrueConfig

Desired State Configuration for Microsoft 365 identity and access. Define your baseline, detect deviations, and restore alignment automatically.

What is TrueConfig?

TrueConfig is a Desired State Configuration (DSC) platform for Microsoft 365 identity and access. You define what "secure" looks like through baselines, and TrueConfig continuously checks your tenant against that desired state, shows where it deviates, and helps you bring it back into alignment.

Unlike traditional security scanning tools that provide point-in-time assessments, TrueConfig operates as a continuous control loop. It detects when your environment deviates from your baseline and can automatically remediate, with configurable safety gates and approval workflows.

Key Capabilities

Security Baselines

Three-tier baseline system (Level 1, 2, 3) aligned with the CIS Benchmarks, Microsoft's Zero Trust guidance, and industry frameworks. Choose the level that matches your risk appetite and TrueConfig enforces it.

Drift Detection

Scheduled scans (daily, weekly, or custom intervals) detect when your environment drifts from your baseline, and notifications alert your team as soon as a scan finds a deviation.

Auto-Remediation

Configure controls to remediate automatically, require manual approval, or operate in advisory mode. Safety gates prevent unintended changes.

Compliance Reporting

Real-time alignment dashboards, historical trend analysis, and audit-ready reports. Track baseline alignment over time across all your tenants.

Multi-Tenant Support

Manage up to 10 Microsoft 365 tenants per organization. Perfect for MSPs, enterprises with multiple environments, or organizations managing customer tenants.

Complete Audit Trail

Immutable audit logs track every scan, evaluation, and remediation action. Full traceability for compliance requirements and security investigations.

Why This Matters for IT Leaders

Breach prevention: Misconfigurations are among the most common causes of cloud security incidents. TrueConfig catches them before attackers do.

Operational efficiency: Stop manually auditing settings across Entra ID. Automated monitoring saves hours each week.

Vendor trust: Our baselines align with CIS Benchmarks and Microsoft's Zero Trust guidance - trusted standards for auditors and customers.

Who is TrueConfig For?

IT Administrators

Security teams responsible for Microsoft 365 governance. TrueConfig automates the tedious work of monitoring privileged access, conditional access policies, and identity hygiene, freeing you to focus on strategic security initiatives.

Managed Service Providers (MSPs)

Service providers managing multiple customer tenants. TrueConfig's multi-tenant architecture lets you monitor all customer environments from a single pane of glass, with role-based access control and per-tenant baseline customization.

Compliance Officers

Organizations subject to regulatory requirements (SOC 2, ISO 27001, NIST, FedRAMP). TrueConfig provides continuous compliance monitoring with audit-ready reports that demonstrate adherence to security frameworks.

Mid-sized IT Teams

Organizations with 200-2000 employees that need enterprise-grade security without a dedicated security operations center. TrueConfig's automated governance gives you the security posture of a larger team.

How It Works

1. Connect Your Tenant

Connect your Microsoft 365 tenant using a secure OAuth connection. TrueConfig requests read-only permissions initially, with optional write permissions if you want to enable auto-remediation later. Treat the write permissions as highly privileged: an application that can modify role assignments and Conditional Access policies has Global Administrator-equivalent reach in the tenant, so grant them only when you are ready to use auto-remediation, and after connecting verify the consented permissions in the Entra admin center under Enterprise applications > TrueConfig > Permissions.

Required Permissions (Read-Only)

  • Read user accounts, groups, and administrator roles
  • Read Conditional Access policies and security settings
  • Read app registrations and service principals
  • Read role assignments to track who has elevated access

Optional Permissions (For Auto-Remediation)

  • Modify role assignments (remove excessive admin accounts)
  • Update Conditional Access policies
  • Manage guest access settings
  • Update app registrations and secrets

2. Select Your Baseline

Choose from three security baseline levels based on your risk appetite. Most organizations start with Level 1 (Recommended Secure) and progress to higher levels as their security maturity grows.

  • Level 1: Advisory mode, 26 foundational controls, low operational risk
  • Level 2: Active enforcement, 46 controls including PIM requirements
  • Level 3: Maximum security, 55 controls with phishing-resistant MFA

3. Run Your First Scan

TrueConfig scans your tenant using the Microsoft Graph API, collecting data on users, roles, groups, applications, and conditional access policies. Data is normalized into scan tables and evaluated against your baseline controls.

Scan Performance

A typical scan completes in 30-60 seconds depending on tenant size. TrueConfig issues Microsoft Graph requests in parallel to keep scan time short and caches unchanged data to reduce the number of requests, which keeps the scan well within Microsoft Graph throttling limits.

4. Review Control Evaluations

Each control in your baseline is evaluated against the scan data. Controls can have five possible statuses:

  • Pass: Configuration meets baseline requirements
  • Fail: Configuration deviates from baseline
  • Warning: Partial compliance or minor issues
  • Not Applicable: Control prerequisites not met
  • Error: Evaluation failed due to technical issue

5. Remediate Deviations

When a control fails, TrueConfig provides remediation guidance. What happens next depends on the mode configured for that control:

  • Advisory Mode: Step-by-step remediation instructions with Microsoft documentation links
  • Manual Mode: One-click remediation after review and approval
  • Auto Mode: Automatic remediation with safety gates and rollback windows
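Steps 3 to 5 form one control loop: scan data is normalized into tables, each control is evaluated to one of the five statuses, the result is compared with the previous run to find drift, and deviations are routed according to the remediation mode of each control. The Python sketch below is an added example written for this page, not TrueConfig's own code or schema. The table layout, the control IDs (IAM-01 to IAM-04), the mode names and the two safety gates are assumptions made for illustration, and the scan data is constructed for a fictional tenant; where a field has a real Microsoft Graph counterpart (state, grantControls, allowInvitesFrom) the Graph value names are used.

```python
"""Miniature scan -> evaluate -> drift -> remediate loop. Added example, not TrueConfig code;
table shapes, control IDs, modes and safety gates are assumptions made for illustration."""
from enum import Enum

class Status(str, Enum):
    PASS = "Pass"
    FAIL = "Fail"
    WARNING = "Warning"
    NOT_APPLICABLE = "Not Applicable"
    ERROR = "Error"

# Constructed scan tables for a fictional tenant; field names follow Microsoft Graph
# where a real counterpart exists (state, grantControls, includeRoles, allowInvitesFrom).
SCAN = {
    "role_assignments": [
        {"role": "Global Administrator", "principal": p, "assignment": "active"}
        for p in ("alice", "bob", "carol", "dave", "erin")
    ] + [{"role": "User Administrator", "principal": "frank", "assignment": "eligible"}],
    "conditional_access_policies": [
        {"displayName": "Require MFA for admins", "state": "enabledForReportingButNotEnforced",
         "grantControls": ["mfa"], "includeRoles": ["Global Administrator"]},
        {"displayName": "Block legacy auth", "state": "enabled",
         "grantControls": ["block"], "clientAppTypes": ["exchangeActiveSync", "other"]},
    ],
    "authorization_policy": {"allowInvitesFrom": "adminsAndGuestInviters"},
    # no "pim_settings" table: the PIM control below raises KeyError and must surface as Error
}

def ctl_global_admin_count(scan):
    # Two to four active Global Administrators (CIS-style guidance); eligible ones do not count.
    n = sum(1 for a in scan["role_assignments"]
            if a["role"] == "Global Administrator" and a["assignment"] == "active")
    if 2 <= n <= 4:
        return Status.PASS, f"{n} active Global Administrators"
    return Status.FAIL, f"{n} active Global Administrators, expected 2-4"

def ctl_mfa_for_admins(scan):
    # An enabled Conditional Access policy must require MFA for Global Administrators.
    policies = scan.get("conditional_access_policies")
    if policies is None:
        return Status.NOT_APPLICABLE, "no Conditional Access data in this scan"
    relevant = [p for p in policies if "mfa" in p["grantControls"]
                and "Global Administrator" in p.get("includeRoles", [])]
    if any(p["state"] == "enabled" for p in relevant):
        return Status.PASS, "enforced"
    if any(p["state"] == "enabledForReportingButNotEnforced" for p in relevant):
        return Status.WARNING, "policy exists but is report-only"
    return Status.FAIL, "no policy requires MFA for admins"

def ctl_guest_invites(scan):
    # Only admins and designated guest inviters may invite guests.
    setting = scan["authorization_policy"]["allowInvitesFrom"]
    if setting in ("none", "adminsAndGuestInviters"):
        return Status.PASS, setting
    return Status.FAIL, f"allowInvitesFrom is {setting}"

def ctl_pim_approval(scan):
    # Activating a privileged role must require approval (PIM).
    ok = scan["pim_settings"]["requireApproval"]
    return (Status.PASS, "approval required") if ok else (Status.FAIL, "approval not required")

CONTROLS = {"IAM-01": ctl_global_admin_count, "IAM-02": ctl_mfa_for_admins,
            "IAM-03": ctl_guest_invites, "IAM-04": ctl_pim_approval}
PRIVILEGED = {"IAM-01"}  # remediation would change role assignments

def evaluate(scan, controls=CONTROLS):
    # A crashing evaluator is reported as Error, never silently as Pass.
    results = {}
    for cid, fn in controls.items():
        try:
            results[cid] = fn(scan)
        except Exception as exc:
            results[cid] = (Status.ERROR, f"{type(exc).__name__}: {exc}")
    return results

def detect_drift(previous, current):
    # Drift is a status change since the last scan, not merely a failing control.
    return {cid: (previous[cid][0], status) for cid, (status, _) in current.items()
            if cid in previous and previous[cid][0] != status}

def plan_remediation(results, modes, max_auto_changes=3):
    # Assumed safety gates: auto mode never edits role assignments, and more deviations
    # than max_auto_changes in one scan drops every auto control back to approval.
    deviating = [c for c, (s, _) in results.items() if s in (Status.FAIL, Status.WARNING)]
    plan = {}
    for cid in deviating:
        mode = modes.get(cid, "advisory")
        if mode == "auto" and cid not in PRIVILEGED and len(deviating) <= max_auto_changes:
            plan[cid] = "auto_remediate"
        elif mode in ("auto", "manual"):
            plan[cid] = "awaiting_approval"
        else:
            plan[cid] = "guidance_only"
    return plan
```

Two design points carry over to any drift-detection loop. First, an evaluator that throws must come out as Error rather than being skipped or defaulting to Pass, because an Error is a blind spot to triage, not a clean result. Second, drift is a change relative to the last accepted state, so a control that was already failing yesterday is a standing deviation, not new drift; the two deserve different alerts.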

Next Steps