L3: Maximum Security
Regulated industries, government, or high-risk targets.
Hardware-backed authentication, real-time threat containment, and continuous monitoring. Designed for zero-tolerance security requirements.
Higher operational overhead, maximum security posture.
Controls: 71 | Critical: 16 | Auto-Fix: 27 | New at L3: 9
What's Included
- Everything in Level 2
- Phishing-resistant MFA for all users
- Hardware security key requirements for admins
- Full just-in-time access for all privileged roles
- Continuous access evaluation
- Real-time threat response
Framework Alignment
- CIS Microsoft Entra ID Foundations Benchmark (All)
- NIST 800-53
- FedRAMP High
- ISO 27001
Controls (71)
Each control is listed as ID, name, and severity.

Identity & Authentication (7)
- ID-01 User MFA Registration (Critical)
- ID-02 Block Legacy Authentication (High)
- ID-03 Enable Self-Service Password Reset (Info)
- ID-05 Configure Smart Lockout Protection (Low)
- ID-06 Complete Authentication Methods Policy Migration (High)
- ID-07 Passkey Adoption Coverage (Medium)
- ID-04 Require Phishing-Resistant MFA for All Users (Critical)

Privileged Access (9)
- PA-01 Limit Global Administrators to 2-4 (Critical)
- PA-02 Use Dedicated Admin Accounts (High)
- PA-03 Configure Emergency Access Accounts (Critical)
- PA-01-L2 Eliminate Permanent Global Administrators (Critical)
- PA-04 Require PIM for All Privileged Roles (Critical)
- PA-05 Require Phishing-Resistant MFA for Admins (Critical)
- PA-08 Risky Service Principal Detection (Critical)
- PA-06 Require FIDO2 Security Keys for Administrators (Critical)
- PA-07 Enable Continuous Access Evaluation (Medium)

Conditional Access (15)
- CA-01 Require MFA via Conditional Access Policy (Critical)
- CA-02 Require MFA for All Administrators (Critical)
- CA-08 Block Access from High-Risk Countries (High)
- CA-11 Enforce Session Lifetime Limits for Guests and Admins (High)
- DV-01 Require Compliant Devices for Admin Access (High)
- CA-03 Block or Require MFA for Risky Sign-Ins (High)
- CA-04 Remediate High-Risk Users Automatically (High)
- CA-10 Enable Token Protection (High)
- DV-02 Require Compliant Devices for Global Admins (Critical)
- CA-07 Configure Session Controls (Medium)
- CA-12 Conditional Access for Workload Identities (High)
- CA-05 Require App Protection for Mobile Access (High)
- CA-09 Zero Trust Network Access (Critical)
- CA-06 Restrict Admin Access to Privileged Access Workstations (High)
- DV-03 Require Device Compliance for All Users (Medium)

Workload Identity & Applications (11)
- APP-01 Application Ownership for Apps with Credentials (Info)
- APP-02 Enforce Application Credential Expiration (Critical)
- APP-05 Service Principal Credential Hygiene (Critical)
- APP-08 Restrict User Application Consent (High)
- APP-09 Workload Identity Federation & Certificate Credentials (Medium)
- APP-12 Restrict User App Registration (Medium)
- APP-03 Internal App Registration Permissions (High)
- APP-04 Enable Admin Consent Workflow (Medium)
- APP-06 Third-Party Enterprise App Permissions (High)
- APP-07 Identify Unused Service Principals (Medium)
- APP-10 Workload Identity Federation Adoption (Medium)

Guest & External Access (9)
- EXT-01 Restrict Guest Invitation Permissions (High)
- EXT-02 Require MFA for Guest Users (Medium)
- EXT-06 External Sharing Visibility (Info)
- EXT-07 Detect External Mail Forwarding (Info)
- EXT-09 Guest User Lifecycle Review (Medium)
- EXT-04 Configure Guest Access Expiration (Medium)
- EXT-08 Audit Mailbox Delegation (Info)
- EXT-05 Cross-Tenant Access Policy Review (High)
- EXT-03 Restrict Guest Access to Allowlisted Domains (High)

Governance & Hygiene (11)
- GOV-01 Review Stale User Accounts (Medium)
- GOV-05 Maintain Group Naming Conventions (Low)
- GOV-07 Audit Privileged Role Assignments (Info)
- GOV-09 Restrict Tenant Creation (Medium)
- GOV-10 Restrict Security Group Creation (Low)
- GOV-11 Disable Self-Service Sign-Up (Low)
- GOV-02 Automatically Disable Stale Accounts (Medium)
- GOV-03 Conduct Quarterly Privileged Access Reviews (High)
- GOV-06 Entitlement Management (Medium)
- GOV-08 Administrative Unit Boundaries (Low)
- GOV-04 Automate Threat Response with SOAR (Critical)

Ready to implement this baseline?
TrueConfig scans your Microsoft 365 tenant and shows which controls need attention.