L1

TrueConfig Recommended Secure Baseline

Most organizations. First secure posture.

Advisory baseline for most organizations. Establishes a strong security foundation with low operational risk.

Low operational risk, high security return

25

Total Controls

7

Critical

9

Auto-Remediable

25

New at L1

What's Included

Stops common identity attacks
Aligns with CIS and Microsoft defaults
Avoids lockouts
Builds trust in TrueConfig recommendations

Not Included (Available at Higher Levels)

Phishing-resistant MFA for all users
Strict PIM-only privilege model
Device compliance for admins
Automated role or permission removal

Framework Alignment

CIS Microsoft Entra ID Foundations BenchmarkMicrosoft Secure DefaultsMicrosoft Zero Trust Identity Pillar

Controls Included

Identity & Authentication4 controls

ID-01User MFA Registration

ID-02Block Legacy Authentication

ID-03Enable Self-Service Password Reset

ID-05Configure Smart Lockout Protection

Privileged Access3 controls

PA-01Limit Global Administrators to 2-4

PA-02Use Dedicated Admin Accounts

PA-03Configure Emergency Access Accounts

Conditional Access4 controls

CA-01Require MFA via Conditional Access Policy

CA-02Require MFA for All Administrators

CA-08Block Access from High-Risk Countries

CA-11Enforce Session Lifetime Limits

Workload Identity & Applications4 controls

APP-01Assign Owners to All Applications

APP-02Enforce Application Credential Expiration

APP-05Service Principal Credential Hygiene

APP-08Restrict User Application Consent

Guest & External Access4 controls

EXT-01Restrict Guest Invitation Permissions

EXT-02Require MFA for Guest Users

EXT-06External Sharing Visibility

EXT-07Detect External Mail Forwarding

Governance & Hygiene3 controls

GOV-01Review Stale User Accounts

GOV-05Maintain Group Naming Conventions

GOV-07Audit Privileged Role Assignments

Logging & Visibility2 controls

LOG-01Enable Unified Audit Logging

LOG-04Configure Privileged Operation Alerts

License Management1 controls

LIC-01License Utilization Visibility

Ready to implement the Recommended Secure baseline?

TrueConfig will scan your Microsoft 365 tenant and show you exactly which controls need attention.