# TrueConfig - Full Documentation

> Desired State Configuration for Microsoft 365 identity and access

TrueConfig is a SaaS platform that helps IT administrators and security teams maintain their desired security configuration for Microsoft 365 (M365) environments. It continuously monitors Microsoft Entra ID tenants, detects configuration drift from defined baselines, and can automatically remediate deviations.

## What is Desired State Configuration (DSC)?

Desired State Configuration is a management approach where you define what your system should look like (the "desired state"), and tooling continuously ensures the actual state matches that definition. For Microsoft 365, this means:

1. **Define**: Choose or customize a security baseline
2. **Scan**: TrueConfig checks your tenant configuration
3. **Compare**: Identify deviations from your baseline
4. **Remediate**: Fix deviations manually or automatically

## How TrueConfig Works

### 1. Connect Your Tenant

TrueConfig connects to your Microsoft 365 tenant via OAuth and the Microsoft Graph API with read-only permissions; write permissions are requested only if auto-remediation is enabled.

### 2. Adopt a Baseline

Choose from predefined baselines (Minimum, Recommended Secure, Advanced, Maximum) or customize your own security requirements.

### 3. Continuous Monitoring

Scheduled scans (hourly, daily, or weekly) check your tenant against your baseline.

### 4. Deviation Detection

When configuration drift is detected, TrueConfig alerts you with severity ratings and remediation guidance.

### 5. Auto-Remediation (Optional)

Enable automatic fixing for low-risk deviations with built-in safety checks.

---

## Security Baselines

### TrueConfig Recommended Secure Baseline

Protects against common attacks without disrupting daily work. Blocks credential theft, legacy vulnerabilities, and unauthorized access.
- **Slug**: recommended-secure
- **URL**: https://www.trueconfig.io/baselines/recommended-secure

### Enhanced Security Baseline

Adds time-limited admin access and advanced threat detection. Admins activate permissions only when needed, reducing your attack window.

- **Slug**: enhanced-security
- **URL**: https://www.trueconfig.io/baselines/enhanced-security

### Maximum Security Baseline

Hardware-backed authentication, real-time threat containment, and continuous monitoring. Designed for zero-tolerance security requirements.

- **Slug**: maximum-security
- **URL**: https://www.trueconfig.io/baselines/maximum-security

---

## Security Control Categories

### Identity & Authentication

User authentication and identity protection controls

- **Slug**: identity
- **URL**: https://www.trueconfig.io/controls/category/identity

### Privileged Access

Administrative role and privilege management

- **Slug**: privileged-access
- **URL**: https://www.trueconfig.io/controls/category/privileged-access

### Conditional Access

Access policies and conditional requirements

- **Slug**: conditional-access
- **URL**: https://www.trueconfig.io/controls/category/conditional-access

### Workload Identity & Applications

Application registrations and service principals

- **Slug**: applications
- **URL**: https://www.trueconfig.io/controls/category/applications

### Guest & External Access

Guest users and external collaboration

- **Slug**: external
- **URL**: https://www.trueconfig.io/controls/category/external

### Governance & Hygiene

Account lifecycle and hygiene practices

- **Slug**: governance
- **URL**: https://www.trueconfig.io/controls/category/governance

### Logging & Visibility

Audit logs and monitoring capabilities

- **Slug**: logging
- **URL**: https://www.trueconfig.io/controls/category/logging

### Data Protection

Data loss prevention and information protection

- **Slug**: data-protection
- **URL**: https://www.trueconfig.io/controls/category/data-protection

### License Management

License utilization and cost optimization

- **Slug**: licensing
- **URL**: https://www.trueconfig.io/controls/category/licensing

---

## All Security Controls

### ID-01: User MFA Registration

MFA blocks over 99.9% of account compromise attacks. Even with a CA policy requiring MFA, users must actually register MFA methods to be protected. Low registration means users are vulnerable.

- **Category**: Identity & Authentication
- **URL**: https://www.trueconfig.io/controls/id-01
- **Enforcement**: advisory

### ID-02: Block Legacy Authentication

Legacy protocols like IMAP and POP3 cannot enforce MFA. Attackers specifically target these protocols to bypass your MFA policies. Blocking them closes a major attack vector.

- **Category**: Identity & Authentication
- **URL**: https://www.trueconfig.io/controls/id-02
- **Enforcement**: advisory

### ID-03: Enable Self-Service Password Reset

SSPR allows users to securely reset passwords without helpdesk intervention. It reduces password reset tickets by up to 70% while maintaining security through MFA verification during reset.

- **Category**: Identity & Authentication
- **URL**: https://www.trueconfig.io/controls/id-03
- **Enforcement**: advisory

### PA-01: Limit Global Administrators to 2-4

Global Administrators have unrestricted access to your entire tenant. Too many increases your attack surface; too few risks lockout. Service principals and groups with Global Admin are especially dangerous: service principals can be compromised via app credentials, and groups hide who actually has the role. Microsoft recommends 2-4 permanent Global Admins for most organizations.

- **Category**: Privileged Access
- **URL**: https://www.trueconfig.io/controls/pa-01
- **Enforcement**: advisory

### PA-02: Use Dedicated Admin Accounts

When an attacker compromises a daily work account through phishing or malware, they should not gain admin access. Dedicated admin accounts limit blast radius and enable stricter controls like device requirements.
- **Category**: Privileged Access
- **URL**: https://www.trueconfig.io/controls/pa-02
- **Enforcement**: advisory

### PA-03: Configure Emergency Access Accounts

Emergency access accounts prevent permanent lockout if MFA systems fail, Conditional Access is misconfigured, or a federation service goes down. Microsoft recommends 2 accounts with FIDO2 keys stored securely offline.

- **Category**: Privileged Access
- **URL**: https://www.trueconfig.io/controls/pa-03
- **Enforcement**: auto_remediate

### CA-01: Require MFA via Conditional Access Policy

Conditional Access policies provide granular MFA enforcement with proper exclusions. Unlike Security Defaults, CA policies allow you to exclude emergency access accounts while still protecting all users.

- **Category**: Conditional Access
- **URL**: https://www.trueconfig.io/controls/ca-01
- **Enforcement**: advisory

### CA-02: Require MFA for All Administrators

Administrator accounts are prime targets for attackers. Even if MFA is required for all users, a dedicated policy for admins ensures they cannot bypass MFA under any condition and provides visibility into admin authentication.

- **Category**: Conditional Access
- **URL**: https://www.trueconfig.io/controls/ca-02
- **Enforcement**: advisory

### CA-08: Block Access from High-Risk Countries

Blocking access from high-risk countries reduces geopolitical risk and helps comply with export control regulations (ITAR, EAR). While VPNs can bypass this control, it stops opportunistic attacks and reduces your attack surface from nation-state threat actors.

- **Category**: Conditional Access
- **URL**: https://www.trueconfig.io/controls/ca-08
- **Enforcement**: advisory

### APP-01: Application Ownership for Apps with Credentials

Apps with credentials (secrets or certificates) benefit from having owners for accountability during credential rotation. Apps without credentials don't need ownership tracking.
Note: Owners can add credentials, so for privileged apps, restrict ownership to administrators.

- **Category**: Workload Identity & Applications
- **URL**: https://www.trueconfig.io/controls/app-01
- **Enforcement**: advisory

### APP-02: Enforce Application Credential Expiration

Long-lived or non-expiring secrets are a supply chain attack risk. If a secret is leaked, it remains valid indefinitely. Rotating credentials limits the window of exposure from compromised secrets.

- **Category**: Workload Identity & Applications
- **URL**: https://www.trueconfig.io/controls/app-02
- **Enforcement**: advisory

### EXT-01: Restrict Guest Invitation Permissions

Unrestricted guest invitations allow any user to bring external identities into your tenant. This creates uncontrolled access paths and potential data exposure. Limiting invitations to authorized personnel ensures oversight.

- **Category**: Guest & External Access
- **URL**: https://www.trueconfig.io/controls/ext-01
- **Enforcement**: advisory

### EXT-02: Require MFA for Guest Users

Guest accounts often have weaker security than internal accounts. Requiring MFA for guests ensures external collaborators meet the same authentication standards as your employees.

- **Category**: Guest & External Access
- **URL**: https://www.trueconfig.io/controls/ext-02
- **Enforcement**: advisory

### GOV-01: Review Stale User Accounts

Unused accounts are common attacker footholds. Former employees, contractors, or forgotten accounts can be compromised without detection. Regular review ensures only active users retain access.

- **Category**: Governance & Hygiene
- **URL**: https://www.trueconfig.io/controls/gov-01
- **Enforcement**: advisory

### GOV-05: Maintain Group Naming Conventions

Consistent naming conventions improve governance, make groups easier to find, and indicate their purpose at a glance. Random or inconsistent group names suggest poor organizational hygiene and make administration harder.
- **Category**: Governance & Hygiene
- **URL**: https://www.trueconfig.io/controls/gov-05
- **Enforcement**: advisory

### LOG-01: Enable Unified Audit Logging

Without audit logs, you cannot detect compromises, investigate incidents, or meet compliance requirements. Logs are your forensic evidence and early warning system.

- **Category**: Logging & Visibility
- **URL**: https://www.trueconfig.io/controls/log-01
- **Enforcement**: advisory

### LOG-04: Configure Privileged Operation Alerts

Without alerts on privileged operations, attackers can modify security settings undetected. Real-time alerting on role changes, CA policy edits, and consent grants enables rapid incident response.

- **Category**: Logging & Visibility
- **URL**: https://www.trueconfig.io/controls/log-04
- **Enforcement**: advisory

### APP-05: Service Principal Credential Hygiene

Service principals are the #1 attack vector for M365 supply chain compromises. Long-lived credentials on service principals (like those used in SolarWinds, Midnight Blizzard) bypass MFA entirely and provide persistent access.

- **Category**: Workload Identity & Applications
- **URL**: https://www.trueconfig.io/controls/app-05
- **Enforcement**: advisory

### APP-08: Restrict User Application Consent

OAuth phishing attacks trick users into granting malicious apps access to their data. By blocking user consent, you force all app permission requests through admin review, stopping this attack vector.

- **Category**: Workload Identity & Applications
- **URL**: https://www.trueconfig.io/controls/app-08
- **Enforcement**: advisory

### APP-09: Enforce Certificate Credentials for Applications

Client secrets are frequently compromised through accidental commits to source code, exposure in application logs, phishing attacks targeting developers, or insecure sharing via email and chat.
Certificate credentials eliminate these risks by using cryptographic key pairs where the private key remains secured on your infrastructure and never needs to be transmitted or shared. Microsoft's Baseline Security Mode now blocks password-based credentials on applications.

- **Category**: Workload Identity & Applications
- **URL**: https://www.trueconfig.io/controls/app-09
- **Enforcement**: advisory

### CA-11: Enforce Session Lifetime Limits for Guests and Admins

Guests and admins represent elevated risk. Guest accounts access your data from unmanaged devices; limiting session lifetime reduces exposure if credentials are compromised. Admin sessions should be short-lived. Regular users on managed devices can have longer sessions to avoid productivity impact.

- **Category**: Conditional Access
- **URL**: https://www.trueconfig.io/controls/ca-11
- **Enforcement**: advisory

### EXT-06: External Sharing Visibility

External sharing is the most common data leakage vector. Without visibility into what is shared externally, you cannot assess your data exposure risk or detect sensitive data being shared inappropriately.

- **Category**: Guest & External Access
- **URL**: https://www.trueconfig.io/controls/ext-06
- **Enforcement**: advisory

### EXT-07: Detect External Mail Forwarding

Attackers commonly set up mail forwarding rules after compromising accounts. These rules silently copy all emails to external addresses, enabling ongoing data theft even after the initial compromise is remediated.

- **Category**: Guest & External Access
- **URL**: https://www.trueconfig.io/controls/ext-07
- **Enforcement**: advisory

### GOV-07: Audit Privileged Role Assignments

Privilege creep happens gradually. Without a baseline of who should have admin rights, you cannot detect unauthorized role assignments. Regular auditing ensures only authorized users retain privileged access.
- **Category**: Governance & Hygiene
- **URL**: https://www.trueconfig.io/controls/gov-07
- **Enforcement**: advisory

### ID-05: Configure Smart Lockout Protection

Password spray attacks try common passwords across many accounts. Smart lockout detects these patterns and blocks attackers while allowing legitimate users to authenticate. Weak settings leave you vulnerable.

- **Category**: Identity & Authentication
- **URL**: https://www.trueconfig.io/controls/id-05
- **Enforcement**: advisory

### LIC-01: License Utilization Visibility

Most organizations overpay for M365 licenses. Unused licenses represent wasted budget. Understanding your license utilization helps optimize costs and ensures users have appropriate entitlements.

- **Category**: License Management
- **URL**: https://www.trueconfig.io/controls/lic-01
- **Enforcement**: advisory

### PA-01-L2: Eliminate Permanent Global Administrators

Permanent Global Admin accounts are always-on attack targets. With PIM, admins activate access only when needed, reducing the attack window from 24/7 to minutes per day. This is a fundamental Zero Trust control.

- **Category**: Privileged Access
- **URL**: https://www.trueconfig.io/controls/pa-01-l2
- **Enforcement**: auto_remediate

### PA-04: Require PIM for All Privileged Roles

PIM enforces just-in-time access with audit trails. Instead of "always admin," users activate roles when needed, provide justification, and get approval for sensitive roles. This reduces risk and creates accountability.

- **Category**: Privileged Access
- **URL**: https://www.trueconfig.io/controls/pa-04
- **Enforcement**: auto_remediate

### PA-05: Require Phishing-Resistant MFA for Admins

Traditional MFA (push notifications, SMS) can be bypassed through social engineering and MFA fatigue attacks. Phishing-resistant methods like FIDO2 keys cannot be phished because they require physical presence and cryptographic proof.
- **Category**: Privileged Access
- **URL**: https://www.trueconfig.io/controls/pa-05
- **Enforcement**: advisory

### DV-01: Require Compliant Devices for Admin Access

A compromised or unmanaged device can have keyloggers, malware, or screen capture tools. Requiring managed, compliant devices for admin access ensures that privileged actions occur from endpoints you control and monitor.

- **Category**: Conditional Access
- **URL**: https://www.trueconfig.io/controls/dv-01
- **Enforcement**: advisory

### CA-03: Block or Require MFA for Risky Sign-Ins

Microsoft analyzes each sign-in for anomalies (impossible travel, anonymous IP, malware-linked IPs). Risk-based policies automatically escalate protection when threats are detected, without user friction during normal access.

- **Category**: Conditional Access
- **URL**: https://www.trueconfig.io/controls/ca-03
- **Enforcement**: auto_remediate

### CA-04: Remediate High-Risk Users Automatically

When Microsoft detects that a user's credentials have been leaked (dark web, breach databases), the user risk policy forces a password change before the attacker can use those credentials.

- **Category**: Conditional Access
- **URL**: https://www.trueconfig.io/controls/ca-04
- **Enforcement**: auto_remediate

### APP-03: Internal App Registration Permissions

Internal app registrations are applications you created and control. While you own the code, misconfigured permissions can expose excessive access. Regular review ensures your own apps only have necessary permissions.

- **Category**: Workload Identity & Applications
- **URL**: https://www.trueconfig.io/controls/app-03
- **Enforcement**: advisory

### APP-04: Enable Admin Consent Workflow

Without an admin consent workflow, any user can grant an OAuth app access to their data. Attackers use illicit consent grant attacks to trick users into granting malicious apps access. Admin approval stops this attack vector.
- **Category**: Workload Identity & Applications
- **URL**: https://www.trueconfig.io/controls/app-04
- **Enforcement**: auto_remediate

### GOV-02: Automatically Disable Stale Accounts

Manual reviews miss accounts. Automated disabling ensures that former employees, forgotten accounts, and inactive identities cannot be used by attackers. The 14-day warning prevents disruption for legitimate users.

- **Category**: Governance & Hygiene
- **URL**: https://www.trueconfig.io/controls/gov-02
- **Enforcement**: auto_remediate

### GOV-03: Conduct Quarterly Privileged Access Reviews

Over time, users accumulate privileges they no longer need. Access reviews force managers to justify each privileged assignment, preventing privilege creep and reducing risk from over-entitled accounts.

- **Category**: Governance & Hygiene
- **URL**: https://www.trueconfig.io/controls/gov-03
- **Enforcement**: advisory

### LOG-02: Export Logs to Long-Term Storage

Default Entra log retention is 30-90 days. APT attacks often go undetected for months. Long-term retention enables forensic investigation of compromises that happened weeks or months ago.

- **Category**: Logging & Visibility
- **URL**: https://www.trueconfig.io/controls/log-02
- **Enforcement**: advisory

### LOG-05: Admin Activity Anomaly Detection

Compromised admin accounts often exhibit unusual patterns: signing in from new locations, performing bulk operations, or working at unusual hours. Detecting these anomalies enables early response to account compromise.

- **Category**: Logging & Visibility
- **URL**: https://www.trueconfig.io/controls/log-05
- **Enforcement**: advisory

### APP-06: Third-Party Enterprise App Permissions

Third-party enterprise apps are applications from external vendors that you consented to but do not control. These apps pose supply chain risk: a compromised vendor could access your tenant data. Review vendor security certifications and limit permissions to the minimum necessary.
- **Category**: Workload Identity & Applications
- **URL**: https://www.trueconfig.io/controls/app-06
- **Enforcement**: advisory

### APP-07: Identify Unused Service Principals

Dormant service principals with valid credentials are invisible persistence mechanisms. Attackers can use forgotten apps with stale credentials to maintain access long after initial compromise detection.

- **Category**: Workload Identity & Applications
- **URL**: https://www.trueconfig.io/controls/app-07
- **Enforcement**: advisory

### CA-10: Enable Token Protection

Stolen tokens can be replayed from any device or location. Token protection binds tokens to specific devices, making stolen tokens useless. This is the primary defense against token theft attacks.

- **Category**: Conditional Access
- **URL**: https://www.trueconfig.io/controls/ca-10
- **Enforcement**: advisory

### DV-02: Require Compliant Devices for Global Admins

Admin credentials on non-compliant devices are at high risk. Keyloggers, malware, and credential theft are common on unmanaged devices. Requiring compliance ensures admin actions occur from secured endpoints.

- **Category**: Conditional Access
- **URL**: https://www.trueconfig.io/controls/dv-02
- **Enforcement**: advisory

### EXT-04: Configure Guest Access Expiration

Guest accounts created for temporary projects often outlive their intended use. Without expiration, ex-partners and former vendors retain access indefinitely. Automatic expiration ensures guest access is time-bound.

- **Category**: Guest & External Access
- **URL**: https://www.trueconfig.io/controls/ext-04
- **Enforcement**: advisory

### EXT-08: Audit Mailbox Delegation

Mailbox delegation enables users to send email as others or access their mailboxes. Unauthorized delegation can be used for impersonation attacks or to access sensitive communications without detection.
- **Category**: Guest & External Access
- **URL**: https://www.trueconfig.io/controls/ext-08
- **Enforcement**: advisory

### DLP-01: Enable Sensitive Data Classification

Without data classification, you cannot protect what you cannot identify. Sensitivity labels enable targeted protection policies, ensuring sensitive data receives appropriate controls regardless of where it is stored or shared.

- **Category**: Data Protection
- **URL**: https://www.trueconfig.io/controls/dlp-01
- **Enforcement**: advisory

### ID-04: Require Phishing-Resistant MFA for All Users

Phishing attacks can bypass traditional MFA. At Level 3, the entire organization uses authentication methods that cryptographically prove user presence, eliminating MFA bypass attacks entirely.

- **Category**: Identity & Authentication
- **URL**: https://www.trueconfig.io/controls/id-04
- **Enforcement**: strict

### PA-06: Require FIDO2 Security Keys for Administrators

Hardware security keys provide the highest authentication assurance. Unlike software-based MFA, keys cannot be phished, cloned, or remotely compromised. Level 3 mandates this protection for all admin access.

- **Category**: Privileged Access
- **URL**: https://www.trueconfig.io/controls/pa-06
- **Enforcement**: strict

### PA-07: Enable Continuous Access Evaluation

Standard OAuth tokens are valid for 60-90 minutes. If an admin is compromised and you disable their account, the attacker still has that time window. CAE revokes access within seconds of critical events.

- **Category**: Privileged Access
- **URL**: https://www.trueconfig.io/controls/pa-07
- **Enforcement**: advisory

### CA-05: Require App Protection for Mobile Access

Mobile devices accessing corporate data should use apps with protection policies. This prevents data leakage through unmanaged apps and ensures corporate data remains protected on personal devices.
- **Category**: Conditional Access
- **URL**: https://www.trueconfig.io/controls/ca-05
- **Enforcement**: advisory

### CA-09: Zero Trust Network Access

Full Zero Trust: never trust, always verify. Every access request is validated against device health, user risk, and location. This ensures compromised devices and credentials cannot access resources.

- **Category**: Conditional Access
- **URL**: https://www.trueconfig.io/controls/ca-09
- **Enforcement**: strict

### CA-06: Restrict Admin Access to Privileged Access Workstations

Privileged Access Workstations (PAWs) are hardened devices dedicated to admin tasks. By restricting admin portals to PAWs, you prevent credential theft from compromised daily-use devices.

- **Category**: Conditional Access
- **URL**: https://www.trueconfig.io/controls/ca-06
- **Enforcement**: strict

### EXT-03: Restrict Guest Access to Allowlisted Domains

At Level 3, external collaboration is tightly controlled. Only pre-approved partner organizations can access your tenant. This prevents social engineering and limits data exposure to vetted third parties.

- **Category**: Guest & External Access
- **URL**: https://www.trueconfig.io/controls/ext-03
- **Enforcement**: strict

### GOV-04: Automate Threat Response with SOAR

Manual incident response takes hours. Automated playbooks respond to threats in seconds. Level 3 organizations minimize attacker dwell time by automatically containing compromised accounts.

- **Category**: Governance & Hygiene
- **URL**: https://www.trueconfig.io/controls/gov-04
- **Enforcement**: strict

### LOG-03: Stream All Security Events to SIEM in Real-Time

Real-time log streaming enables immediate threat detection and correlation across your security stack. Level 3 organizations can detect and respond to attacks within minutes, not days.
- **Category**: Logging & Visibility
- **URL**: https://www.trueconfig.io/controls/log-03
- **Enforcement**: advisory

### DLP-02: Block Bulk Data Exfiltration

Insider threats and ransomware attackers exfiltrate data before deploying payloads. Detecting and blocking bulk data movement stops data theft in progress and provides early warning of compromise.

- **Category**: Data Protection
- **URL**: https://www.trueconfig.io/controls/dlp-02
- **Enforcement**: strict

---

## Documentation Structure

### Getting Started

- **Quick Start**: Step-by-step guide to connect your first tenant
- **Overview**: Understanding TrueConfig's architecture

### Core Concepts

- **Baselines**: How security baselines work
- **Controls**: Understanding individual security controls

### Features

- **Auto-Remediation**: Automated deviation fixing
- **Drift Detection**: Real-time configuration monitoring

### Operations

- **Scanning**: How tenant scans work
- **Notifications**: Alert configuration

### Reference

- **Security**: Our security practices
- **Plans**: Feature comparison by plan tier
- **Roles**: Permission system

---

## Recent Blog Posts

### TrueConfig vs. the Competition: A Practical Guide to M365 Security Tools

The Microsoft 365 security tool market is crowded. Here is an honest breakdown of how TrueConfig compares to manual auditing, Microsoft native tools, and other third-party platforms, and why we built something different.

- **Published**: 2025-01-15
- **Category**: product
- **URL**: https://www.trueconfig.io/blog/trueconfig-vs-competitors-m365-security

### Stop Chasing Alerts: How Desired State Configuration Transforms M365 Security

IT teams waste 15+ hours weekly on compliance reports that never fix the root cause. Desired State Configuration flips the model: define your security baseline once, and let automation maintain it.
- **Published**: 2025-01-15
- **Category**: security
- **URL**: https://www.trueconfig.io/blog/why-desired-state-configuration-beats-compliance-monitoring

### Microsoft Entra ID Privileged Role Drift: The Silent Risk in Your Tenant

That "temporary" Global Admin from six months ago still has access. Here is how privileged role drift happens in every organization, why it creates serious security and compliance risk, and how to catch it before auditors do.

- **Published**: 2025-01-12
- **Category**: security
- **URL**: https://www.trueconfig.io/blog/entra-id-privileged-role-drift-silent-risk

### Auto-Remediation for Microsoft 365: Fix Security Drift Automatically

Someone re-enabled legacy auth at 2 AM. With auto-remediation, it was disabled again by 2:15 AM, no human intervention required. Here is how automatic security remediation works and why safety gates matter.

- **Published**: 2025-01-10
- **Category**: product
- **URL**: https://www.trueconfig.io/blog/auto-remediation-microsoft-365-security

### Microsoft 365 Security Defaults Are Not Enough: 5 Gaps Putting Your Tenant at Risk

Security Defaults block common attacks, but they leave critical gaps in privileged access, guest controls, and policy granularity. Here are the five areas where you need to go beyond the basics.

- **Published**: 2025-01-08
- **Category**: security
- **URL**: https://www.trueconfig.io/blog/microsoft-365-security-defaults-not-enough

### Microsoft Entra Conditional Access: The 4-Tier Policy Framework That Works

Most Conditional Access deployments fail because of policy conflicts, admin lockouts, or gaps that leave attack vectors open. This framework organizes policies into four tiers that are secure, maintainable, and won't break your users.
- **Published**: 2025-01-05
- **Category**: guides
- **URL**: https://www.trueconfig.io/blog/conditional-access-policy-design-guide

---

## Target Audience

- **IT Administrators**: Managing Microsoft 365 environments
- **Security Teams**: Ensuring compliance and security posture
- **MSPs**: Managing multiple client tenants
- **Compliance Officers**: Meeting regulatory requirements

## Key Features

1. **Multi-tenant Support**: Manage up to 10 M365 tenants
2. **Customizable Baselines**: Tailor controls to your needs
3. **Real-time Monitoring**: Immediate drift detection
4. **Auto-Remediation**: Safe, automatic fixes
5. **Audit Logging**: Full traceability of changes
6. **Role-based Access**: Granular permissions

## Pricing Tiers

- **Starter**: 1 tenant, basic monitoring, manual remediation
- **Growth**: 3 tenants, advanced controls, single rollback
- **Scale**: 10 tenants, auto-remediation, bulk operations

## Technical Stack

- Microsoft Graph API integration
- OAuth 2.0 authentication
- Entra ID Conditional Access support
- Privileged Identity Management (PIM) integration

## Contact

- **Support**: support@trueconfig.io
- **Security Issues**: security@trueconfig.io
- **Sales**: hello@trueconfig.io

## Links

- Website: https://www.trueconfig.io
- Documentation: https://www.trueconfig.io/docs
- Sitemap: https://www.trueconfig.io/sitemap.xml
- Basic LLMs.txt: https://www.trueconfig.io/llms.txt

---

Last updated: 2026-01-16
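The define/scan/compare/remediate loop from the "How TrueConfig Works" section, with the enforcement modes this page lists (advisory, auto_remediate, strict) and a safety gate in front of automatic fixes, as an added Python illustration; it is not TrueConfig's own code, and the tenant snapshot shape, the 365-day secret-lifetime threshold, the scan date and the four simplified checks (ID-02, PA-01, APP-02, CA-03) are constructions for the example.

```python
"""Added illustration of the define/scan/compare/remediate loop (not TrueConfig code)."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Optional

# Enforcement modes as listed on this page: advisory only reports, auto_remediate
# may be fixed automatically behind a safety gate, strict is a hard failure.
ADVISORY, AUTO_REMEDIATE, STRICT = "advisory", "auto_remediate", "strict"
MAX_SECRET_LIFETIME_DAYS = 365  # assumed threshold for APP-02, not taken from the page
SCAN_DATE = date(2026, 1, 16)   # assumed date the constructed snapshot was taken

@dataclass
class Deviation:
    control: str
    severity: str     # low | medium | high
    enforcement: str  # advisory | auto_remediate | strict
    message: str
    fix: Optional[Callable[[dict], None]] = None  # set only when the drift is auto-fixable

def sample_tenant() -> dict:
    """Constructed tenant snapshot in the shape a scan might produce (not Graph API output)."""
    return {
        "legacy_auth_blocked": False,
        "global_admins": [{"id": "u1", "type": "user"}, {"id": "u2", "type": "user"},
                          {"id": "u3", "type": "user"}, {"id": "sp1", "type": "servicePrincipal"}],
        "applications": [{"appId": "app-a", "secrets": [{"end": "2099-01-01"}]},
                         {"appId": "app-b", "secrets": [{"end": "2026-06-01"}]}],
        "risky_signin_policy_enabled": False,
    }

def check_id02(t: dict) -> List[Deviation]:
    """ID-02: legacy protocols such as IMAP/POP3 cannot enforce MFA, so they must be blocked."""
    if t["legacy_auth_blocked"]:
        return []
    return [Deviation("ID-02", "high", ADVISORY, "legacy authentication is not blocked")]

def check_pa01(t: dict) -> List[Deviation]:
    """PA-01: 2-4 Global Admins, all of them users (no service principals or groups)."""
    admins = t["global_admins"]
    non_users = [a["id"] for a in admins if a["type"] != "user"]
    out = []
    if non_users:
        out.append(Deviation("PA-01", "high", ADVISORY,
                             f"non-user principals hold Global Admin: {non_users}"))
    users = len(admins) - len(non_users)
    if not 2 <= users <= 4:
        out.append(Deviation("PA-01", "medium", ADVISORY,
                             f"{users} user Global Admins (expected 2-4)"))
    return out

def check_app02(t: dict, today: date) -> List[Deviation]:
    """APP-02: every application secret must expire within the allowed lifetime."""
    out = []
    for app in t["applications"]:
        for secret in app["secrets"]:
            days_left = (date.fromisoformat(secret["end"]) - today).days
            if days_left > MAX_SECRET_LIFETIME_DAYS:
                out.append(Deviation("APP-02", "medium", ADVISORY,
                                     f"{app['appId']}: secret still valid for {days_left} days"))
    return out

def check_ca03(t: dict) -> List[Deviation]:
    """CA-03: a risk-based sign-in policy must exist; the page lists it as auto_remediate."""
    if t["risky_signin_policy_enabled"]:
        return []

    def enable(tenant: dict) -> None:  # reversible toggle, so safe to automate
        tenant["risky_signin_policy_enabled"] = True

    return [Deviation("CA-03", "medium", AUTO_REMEDIATE,
                      "no Conditional Access policy for risky sign-ins", fix=enable)]

def scan(tenant: dict, today: date = SCAN_DATE) -> List[Deviation]:
    """Compare the snapshot against the baseline and return every deviation found."""
    return (check_id02(tenant) + check_pa01(tenant)
            + check_app02(tenant, today) + check_ca03(tenant))

def remediate(tenant: dict, deviations: List[Deviation], auto_enabled: bool) -> List[str]:
    """Safety gate: fix only auto_remediate controls, only when the tenant opted in, and
    never high-severity drift, which stays with a human. Returns the controls fixed."""
    fixed = []
    for d in deviations:
        if auto_enabled and d.enforcement == AUTO_REMEDIATE and d.fix and d.severity != "high":
            d.fix(tenant)
            fixed.append(d.control)
    return fixed
```

Running `scan()` on the sample snapshot reports four deviations; a second `scan()` after `remediate(..., auto_enabled=True)` shows only the three advisory ones remaining, which is the drift a human still has to close.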