L2

Enhanced Security Baseline

Organizations with dedicated security teams.

Active enforcement for security-conscious organizations. Adds PIM requirements and stricter controls.

Moderate operational impact, significantly improved security

45

Total Controls

11

Critical

19

Auto-Remediable

20

New at L2

What's Included

Everything in Level 1
PIM required for privileged roles
Phishing-resistant MFA for admins
Device compliance requirements
Automated stale account disabling

Not Included (Available at Higher Levels)

Phishing-resistant MFA for all users
Hardware key requirements
Full just-in-time access model

Framework Alignment

CIS Microsoft Entra ID Foundations Benchmark (Level 2)Microsoft Zero TrustNIST 800-63B

Controls Included

Identity & Authentication4 controls

ID-01User MFA Registration

ID-02Block Legacy Authentication

ID-03Enable Self-Service Password Reset

ID-05Configure Smart Lockout Protection

Privileged Access6 controls

PA-01Limit Global Administrators to 2-4

PA-02Use Dedicated Admin Accounts

PA-03Configure Emergency Access Accounts

PA-01-L2Eliminate Permanent Global Administrators

PA-04Require PIM for All Privileged Roles

PA-05Require Phishing-Resistant MFA for Admins

Conditional Access10 controls

CA-01Require MFA via Conditional Access Policy

CA-02Require MFA for All Administrators

CA-08Block Access from High-Risk Countries

CA-11Enforce Session Lifetime Limits

DV-01Require Compliant Devices for Admin Access

CA-03Block or Require MFA for Risky Sign-Ins

CA-04Remediate High-Risk Users Automatically

CA-10Enable Token Protection

DV-02Require Compliant Devices for Global Admins

CA-05Require App Protection for Mobile Access

Workload Identity & Applications8 controls

APP-01Assign Owners to All Applications

APP-02Enforce Application Credential Expiration

APP-05Service Principal Credential Hygiene

APP-08Restrict User Application Consent

APP-03Internal App Registration Permissions

APP-04Enable Admin Consent Workflow

APP-06Third-Party Enterprise App Permissions

APP-07Identify Unused Service Principals

Guest & External Access6 controls

EXT-01Restrict Guest Invitation Permissions

EXT-02Require MFA for Guest Users

EXT-06External Sharing Visibility

EXT-07Detect External Mail Forwarding

EXT-04Configure Guest Access Expiration

EXT-08Audit Mailbox Delegation

Governance & Hygiene5 controls

GOV-01Review Stale User Accounts

GOV-05Maintain Group Naming Conventions

GOV-07Audit Privileged Role Assignments

GOV-02Automatically Disable Stale Accounts

GOV-03Conduct Quarterly Privileged Access Reviews

Logging & Visibility4 controls

LOG-01Enable Unified Audit Logging

LOG-04Configure Privileged Operation Alerts

LOG-02Export Logs to Long-Term Storage

LOG-05Admin Activity Anomaly Detection

Data Protection1 controls

DLP-01Enable Sensitive Data Classification

License Management1 controls

LIC-01License Utilization Visibility

Ready to implement the Enhanced Security baseline?

TrueConfig will scan your Microsoft 365 tenant and show you exactly which controls need attention.