L3
Maximum Security
Regulated industries, government, or high-risk targets.
Hardware-backed authentication, real-time threat containment, and continuous monitoring. Designed for zero-tolerance security requirements.
Higher operational overhead, maximum security posture
67
Controls
19
Critical
29
Auto-Fix
9
New at L3
What's Included
- Everything in Level 2
- Phishing-resistant MFA for all users
- Hardware security key requirements for admins
- Full just-in-time access for all privileged roles
- Continuous access evaluation
- Real-time threat response
Framework Alignment
CIS Microsoft Entra ID Foundations Benchmark (All)NIST 800-53FedRAMP HighISO 27001
Controls (67)
Identity & Authentication7
ID-01User MFA Registration
CriticalID-02Block Legacy Authentication
HighID-03Enable Self-Service Password Reset
MediumID-05Configure Smart Lockout Protection
HighID-06Complete Authentication Methods Policy Migration
HighID-07Passkey Adoption Coverage
MediumID-04Require Phishing-Resistant MFA for All Users
CriticalPrivileged Access9
PA-01Limit Global Administrators to 2-4
CriticalPA-02Use Dedicated Admin Accounts
HighPA-03Configure Emergency Access Accounts
CriticalPA-01-L2Eliminate Permanent Global Administrators
CriticalPA-04Require PIM for All Privileged Roles
CriticalPA-05Require Phishing-Resistant MFA for Admins
CriticalPA-08Risky Service Principal Detection
CriticalPA-06Require FIDO2 Security Keys for Administrators
CriticalPA-07Enable Continuous Access Evaluation
CriticalConditional Access15
CA-01Require MFA via Conditional Access Policy
CriticalCA-02Require MFA for All Administrators
CriticalCA-08Block Access from High-Risk Countries
MediumCA-11Enforce Session Lifetime Limits for Guests and Admins
MediumDV-01Require Compliant Devices for Admin Access
HighCA-03Block or Require MFA for Risky Sign-Ins
HighCA-04Remediate High-Risk Users Automatically
HighCA-10Enable Token Protection
HighDV-02Require Compliant Devices for Global Admins
CriticalCA-07Configure Session Controls
MediumCA-12Conditional Access for Workload Identities
HighCA-05Require App Protection for Mobile Access
HighCA-09Zero Trust Network Access
CriticalCA-06Restrict Admin Access to Privileged Access Workstations
HighDV-03Require Device Compliance for All Users
MediumWorkload Identity & Applications10
APP-01Application Ownership for Apps with Credentials
LowAPP-02Enforce Application Credential Expiration
CriticalAPP-05Service Principal Credential Hygiene
CriticalAPP-08Restrict User Application Consent
HighAPP-09Workload Identity Federation & Certificate Credentials
MediumAPP-03Internal App Registration Permissions
HighAPP-04Enable Admin Consent Workflow
MediumAPP-06Third-Party Enterprise App Permissions
HighAPP-07Identify Unused Service Principals
MediumAPP-10Workload Identity Federation Adoption
MediumGuest & External Access9
EXT-01Restrict Guest Invitation Permissions
HighEXT-02Require MFA for Guest Users
MediumEXT-06External Sharing Visibility
MediumEXT-07Detect External Mail Forwarding
CriticalEXT-09Guest User Lifecycle Review
MediumEXT-04Configure Guest Access Expiration
MediumEXT-08Audit Mailbox Delegation
MediumEXT-05Cross-Tenant Access Policy Review
HighEXT-03Restrict Guest Access to Allowlisted Domains
HighGovernance & Hygiene8
GOV-01Review Stale User Accounts
MediumGOV-05Maintain Group Naming Conventions
LowGOV-07Audit Privileged Role Assignments
HighGOV-02Automatically Disable Stale Accounts
MediumGOV-03Conduct Quarterly Privileged Access Reviews
HighGOV-06Entitlement Management
MediumGOV-08Administrative Unit Boundaries
LowGOV-04Automate Threat Response with SOAR
HighReady to implement this baseline?
TrueConfig scans your Microsoft 365 tenant and shows which controls need attention.