L2
Enhanced Security
Security-conscious teams ready for just-in-time access.
Adds time-limited admin access and advanced threat detection. Admins activate permissions only when needed, reducing your attack window.
Moderate operational impact, significantly improved security
62
Controls
12
Critical
25
Auto-Fix
30
New at L2
What's Included
- Everything in Level 1
- PIM required for privileged roles
- Phishing-resistant MFA for admins
- Device compliance requirements
- Automated stale account disabling
Not Included
- Phishing-resistant MFA for all users
- Hardware key requirements
- Full just-in-time access model
Framework Alignment
CIS Microsoft Entra ID Foundations Benchmark (Level 2)Microsoft Zero TrustNIST 800-63B
Controls (62)
Privileged Access8
PA-01Limit Global Administrators to 2-4
CriticalPA-02Use Dedicated Admin Accounts
HighPA-03Configure Emergency Access Accounts
CriticalPA-01-L2Eliminate Permanent Global Administrators
CriticalPA-04Require PIM for All Privileged Roles
CriticalPA-05Require Phishing-Resistant MFA for Admins
CriticalPA-08Risky Service Principal Detection
CriticalPA-07Enable Continuous Access Evaluation
MediumConditional Access12
CA-01Require MFA via Conditional Access Policy
CriticalCA-02Require MFA for All Administrators
CriticalCA-08Block Access from High-Risk Countries
HighCA-11Enforce Session Lifetime Limits for Guests and Admins
HighDV-01Require Compliant Devices for Admin Access
HighCA-03Block or Require MFA for Risky Sign-Ins
HighCA-04Remediate High-Risk Users Automatically
HighCA-10Enable Token Protection
HighDV-02Require Compliant Devices for Global Admins
CriticalCA-07Configure Session Controls
MediumCA-12Conditional Access for Workload Identities
HighCA-05Require App Protection for Mobile Access
HighWorkload Identity & Applications11
APP-01Application Ownership for Apps with Credentials
InfoAPP-02Enforce Application Credential Expiration
CriticalAPP-05Service Principal Credential Hygiene
CriticalAPP-08Restrict User Application Consent
HighAPP-09Workload Identity Federation & Certificate Credentials
MediumAPP-12Restrict User App Registration
MediumAPP-03Internal App Registration Permissions
HighAPP-04Enable Admin Consent Workflow
MediumAPP-06Third-Party Enterprise App Permissions
HighAPP-07Identify Unused Service Principals
MediumAPP-10Workload Identity Federation Adoption
MediumGuest & External Access8
EXT-01Restrict Guest Invitation Permissions
HighEXT-02Require MFA for Guest Users
MediumEXT-06External Sharing Visibility
InfoEXT-07Detect External Mail Forwarding
InfoEXT-09Guest User Lifecycle Review
MediumEXT-04Configure Guest Access Expiration
MediumEXT-08Audit Mailbox Delegation
InfoEXT-05Cross-Tenant Access Policy Review
HighGovernance & Hygiene10
GOV-01Review Stale User Accounts
MediumGOV-05Maintain Group Naming Conventions
LowGOV-07Audit Privileged Role Assignments
InfoGOV-09Restrict Tenant Creation
MediumGOV-10Restrict Security Group Creation
LowGOV-11Disable Self-Service Sign-Up
LowGOV-02Automatically Disable Stale Accounts
MediumGOV-03Conduct Quarterly Privileged Access Reviews
HighGOV-06Entitlement Management
MediumGOV-08Administrative Unit Boundaries
LowReady to implement this baseline?
TrueConfig scans your Microsoft 365 tenant and shows which controls need attention.