L2

Enhanced Security

Security-conscious teams ready for just-in-time access.

Adds time-limited admin access and advanced threat detection. Admins activate permissions only when needed, reducing your attack window.

Moderate operational impact, significantly improved security

58
Controls
15
Critical
25
Auto-Fix
30
New at L2

What's Included

  • Everything in Level 1
  • PIM required for privileged roles
  • Phishing-resistant MFA for admins
  • Device compliance requirements
  • Automated stale account disabling

Not Included

  • Phishing-resistant MFA for all users
  • Hardware key requirements
  • Full just-in-time access model

Framework Alignment

CIS Microsoft Entra ID Foundations Benchmark (Level 2)Microsoft Zero TrustNIST 800-63B

Controls (58)

Identity & Authentication6

ID-01User MFA Registration
Critical
ID-02Block Legacy Authentication
High
ID-03Enable Self-Service Password Reset
Medium
ID-05Configure Smart Lockout Protection
High
ID-06Complete Authentication Methods Policy Migration
High
ID-07Passkey Adoption Coverage
Medium

Privileged Access8

PA-01Limit Global Administrators to 2-4
Critical
PA-02Use Dedicated Admin Accounts
High
PA-03Configure Emergency Access Accounts
Critical
PA-01-L2Eliminate Permanent Global Administrators
Critical
PA-04Require PIM for All Privileged Roles
Critical
PA-05Require Phishing-Resistant MFA for Admins
Critical
PA-08Risky Service Principal Detection
Critical
PA-07Enable Continuous Access Evaluation
Critical

Conditional Access12

CA-01Require MFA via Conditional Access Policy
Critical
CA-02Require MFA for All Administrators
Critical
CA-08Block Access from High-Risk Countries
Medium
CA-11Enforce Session Lifetime Limits for Guests and Admins
Medium
DV-01Require Compliant Devices for Admin Access
High
CA-03Block or Require MFA for Risky Sign-Ins
High
CA-04Remediate High-Risk Users Automatically
High
CA-10Enable Token Protection
High
DV-02Require Compliant Devices for Global Admins
Critical
CA-07Configure Session Controls
Medium
CA-12Conditional Access for Workload Identities
High
CA-05Require App Protection for Mobile Access
High

Workload Identity & Applications10

APP-01Application Ownership for Apps with Credentials
Low
APP-02Enforce Application Credential Expiration
Critical
APP-05Service Principal Credential Hygiene
Critical
APP-08Restrict User Application Consent
High
APP-09Workload Identity Federation & Certificate Credentials
Medium
APP-03Internal App Registration Permissions
High
APP-04Enable Admin Consent Workflow
Medium
APP-06Third-Party Enterprise App Permissions
High
APP-07Identify Unused Service Principals
Medium
APP-10Workload Identity Federation Adoption
Medium

Guest & External Access8

EXT-01Restrict Guest Invitation Permissions
High
EXT-02Require MFA for Guest Users
Medium
EXT-06External Sharing Visibility
Medium
EXT-07Detect External Mail Forwarding
Critical
EXT-09Guest User Lifecycle Review
Medium
EXT-04Configure Guest Access Expiration
Medium
EXT-08Audit Mailbox Delegation
Medium
EXT-05Cross-Tenant Access Policy Review
High

Governance & Hygiene7

GOV-01Review Stale User Accounts
Medium
GOV-05Maintain Group Naming Conventions
Low
GOV-07Audit Privileged Role Assignments
High
GOV-02Automatically Disable Stale Accounts
Medium
GOV-03Conduct Quarterly Privileged Access Reviews
High
GOV-06Entitlement Management
Medium
GOV-08Administrative Unit Boundaries
Low

Logging & Visibility5

LOG-01Enable Unified Audit Logging
High
LOG-04Configure Privileged Operation Alerts
Critical
LOG-02Export Logs to Long-Term Storage
Medium
LOG-05Admin Activity Anomaly Detection
High
LOG-06Sign-In Log Anomaly Baseline
Medium

Data Protection1

DLP-01Enable Sensitive Data Classification
High

License Management1

LIC-01License Utilization Visibility
Low

Ready to implement this baseline?

TrueConfig scans your Microsoft 365 tenant and shows which controls need attention.