What We Shipped
This release adds 12 new security controls and upgrades 12 existing ones, bringing TrueConfig from 55 to 67 evaluated controls across your Microsoft 365 tenant. Every new control follows the same pattern: detect the gap, explain why it matters, and offer a fix — automated where safe, guided where it is not.
Here is what is new, organized by the problem each control solves.
New: Workload Identity Protection
Service principals and app registrations are the least monitored attack surface in most Microsoft 365 tenants: they authenticate without MFA, often hold broad application permissions, and are rarely reviewed, and the user-centric controls most tenants rely on (Conditional Access, Identity Protection) do not cover them unless you configure that explicitly. This update adds three controls specifically targeting workload identity risk.
CA-12: Conditional Access for Workload Identities
You can now create Conditional Access policies targeting service principal authentication — not just user authentication. TrueConfig detects whether any CA policy covers workload identities and can create one in report-only mode with a single click.
This requires a Microsoft Entra Workload ID Premium license (the SKU formerly sold as Workload Identities Premium). Without it the control is advisory; with it, the control goes from advisory to actionable.
PA-08: Risky Service Principal Detection
If your tenant has Workload Identities Premium, Microsoft Identity Protection monitors service principals for compromise signals — just like it does for users. TrueConfig now reads this data and flags any service principal with medium or high risk.
When a risky SP is detected, the "Fix Now" button disables it immediately (it sets accountEnabled to false on the service principal). For service principals, speed matters: a compromised SP can exfiltrate data at machine speed without triggering any user-facing alert. Disabling only stops new token issuance, so access tokens already issued remain valid until they expire; follow up by rotating or removing the SP's credentials and reviewing its recent sign-ins.
APP-10: Workload Identity Federation Adoption
Client secrets are the weakest credential an app can hold: a static string that works from anywhere it leaks to (CI logs, config files, source history). Workload identity federation removes the secret entirely. The app's platform (GitHub Actions, Azure DevOps, Kubernetes, and other OIDC issuers) presents its own short-lived token, and Entra exchanges it for an access token only if the token's issuer, subject, and audience match the federated identity credential configured on the app registration.
TrueConfig now tracks what percentage of your app registrations use federation vs. certificates vs. client secrets, and flags apps that could migrate away from secrets.
New: Passkey and Authentication Methods Monitoring
ID-06: Authentication Methods Policy Migration
Microsoft is retiring the legacy per-user MFA and SSPR policies in favor of the unified Authentication Methods policy. TrueConfig now checks your migration state (policyMigrationState: preMigration, migrationInProgress, or migrationComplete) and flags tenants that have not completed the migration.
If you read our passkeys preparation guide, this control verifies you have actually done the work.
ID-07: Passkey Adoption Coverage
Beyond policy configuration, this control measures actual passkey registration across your user base. It calculates the percentage of active users who have registered FIDO2 or device-bound passkey methods and flags adoption below 50% as needing attention.
This is the difference between "we enabled passkeys" and "our users are actually using them."
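The two checks above, ID-06 and ID-07, as an added Python example (not TrueConfig's own code). The payloads are constructed samples shaped like the Graph responses for /policies/authenticationMethodsPolicy and /reports/authenticationMethods/userRegistrationDetails; the set of methodsRegistered values treated as passkeys, and the "active user" set (which in a real scan would come from sign-in activity), are assumptions labeled in the code.

```python
# Added example, not TrueConfig code: evaluate ID-06 (migration state) and
# ID-07 (passkey coverage) from Graph-shaped payloads.

# Assumption: these methodsRegistered values are what the registration report
# uses for FIDO2 keys and device-bound passkeys. Legacy windowsHelloForBusiness
# registrations are deliberately not counted.
PASSKEY_METHODS = {
    "fido2SecurityKey",
    "passKeyDeviceBound",
    "passKeyDeviceBoundAuthenticator",
    "passKeyDeviceBoundWindowsHello",
}

AUTH_METHODS_POLICY = {  # constructed sample of GET /policies/authenticationMethodsPolicy
    "policyMigrationState": "migrationInProgress",
    "authenticationMethodConfigurations": [
        {"id": "Fido2", "state": "enabled"},
        {"id": "Sms", "state": "disabled"},
        {"id": "Voice", "state": "enabled"},
    ],
}

USER_REG_DETAILS = [  # constructed sample of .../userRegistrationDetails
    {"id": "u1", "userPrincipalName": "alice@contoso.example", "userType": "member",
     "isAdmin": True, "methodsRegistered": ["microsoftAuthenticatorPush", "passKeyDeviceBoundAuthenticator"]},
    {"id": "u2", "userPrincipalName": "bob@contoso.example", "userType": "member",
     "isAdmin": False, "methodsRegistered": ["mobilePhone"]},
    {"id": "u3", "userPrincipalName": "carol@contoso.example", "userType": "member",
     "isAdmin": True, "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"id": "u4", "userPrincipalName": "dave@contoso.example", "userType": "member",
     "isAdmin": False, "methodsRegistered": ["fido2SecurityKey"]},
    {"id": "u5", "userPrincipalName": "erin@contoso.example", "userType": "member",
     "isAdmin": False, "methodsRegistered": ["windowsHelloForBusiness"]},
    {"id": "g1", "userPrincipalName": "guest_fabrikam.example#EXT#@contoso.example",
     "userType": "guest", "isAdmin": False, "methodsRegistered": []},
]
# Assumption: ids of users with recent sign-ins (u5 is dormant).
ACTIVE_USER_IDS = {"u1", "u2", "u3", "u4", "g1"}


def evaluate_migration(policy: dict) -> dict:
    """ID-06: fail until the tenant reports migrationComplete.

    Also lists Sms/Voice configurations still enabled, because finishing the
    migration with phishable methods switched on is only half the job."""
    state = policy.get("policyMigrationState", "preMigration")
    weak_enabled = sorted(
        c["id"] for c in policy.get("authenticationMethodConfigurations", [])
        if c["id"] in ("Sms", "Voice") and c.get("state") == "enabled"
    )
    return {"control": "ID-06", "passed": state == "migrationComplete",
            "migration_state": state, "weak_methods_enabled": weak_enabled}


def passkey_coverage(details: list, active_user_ids: set, threshold_pct: float = 50.0) -> dict:
    """ID-07: share of active member users with at least one passkey method.

    Guests are excluded because their methods live in their home tenant.
    Admins without a passkey are listed separately: whatever the overall
    percentage, that is the gap to close first."""
    in_scope = [d for d in details
                if d["id"] in active_user_ids and d.get("userType") == "member"]
    has_passkey = {d["id"] for d in in_scope
                   if PASSKEY_METHODS & set(d.get("methodsRegistered", []))}
    admins_without = sorted(d["userPrincipalName"] for d in in_scope
                            if d.get("isAdmin") and d["id"] not in has_passkey)
    pct = round(100.0 * len(has_passkey) / len(in_scope), 1) if in_scope else 0.0
    return {"control": "ID-07", "passed": pct >= threshold_pct, "coverage_pct": pct,
            "evaluated_users": len(in_scope), "admins_without_passkey": admins_without}


if __name__ == "__main__":
    print(evaluate_migration(AUTH_METHODS_POLICY))
    print(passkey_coverage(USER_REG_DETAILS, ACTIVE_USER_IDS))
```

On the sample, coverage is exactly 50% (2 of 4 active members) so ID-07 passes at the default threshold, yet one admin still has no passkey; reporting that list alongside the percentage is what turns a coverage number into a work item.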
New: Cross-Tenant and Guest Lifecycle Controls
EXT-05: Cross-Tenant Access Policy Review
Your cross-tenant access defaults determine whether external organizations can collaborate with your tenant without explicit approval. TrueConfig now reads your cross-tenant access policy, checks whether defaults are overly permissive, and verifies that partner-specific configurations exist.
The "Fix Now" button restricts defaults automatically, blocking inbound and outbound B2B direct connect while leaving B2B collaboration untouched. Partner-specific settings take precedence over the defaults where they are configured, so organizations you have explicitly approved are unaffected.
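The EXT-05 evaluation and the PATCH body a "restrict defaults" fix would send, as an added Python example (not TrueConfig's code). DEFAULT_POLICY and PARTNERS are constructed samples shaped like GET /policies/crossTenantAccessPolicy/default and GET /policies/crossTenantAccessPolicy/partners; the sample deliberately has inbound direct connect opened to everyone, which the service default does not.

```python
# Added example, not TrueConfig code: EXT-05 cross-tenant default review and
# the restricting PATCH body. Nothing here calls Graph; it operates on
# constructed payloads of the same shape.
import copy


def _section(access_type: str, target: str, target_type: str) -> dict:
    return {"accessType": access_type,
            "targets": [{"target": target, "targetType": target_type}]}


def _setting(users: str, apps: str) -> dict:
    return {"usersAndGroups": _section(users, "AllUsers", "user"),
            "applications": _section(apps, "AllApplications", "application")}


DEFAULT_POLICY = {  # constructed: someone opened inbound direct connect tenant-wide
    "isServiceDefault": False,
    "b2bCollaborationInbound": _setting("allowed", "allowed"),
    "b2bCollaborationOutbound": _setting("allowed", "allowed"),
    "b2bDirectConnectInbound": _setting("allowed", "allowed"),
    "b2bDirectConnectOutbound": _setting("allowed", "blocked"),
    "inboundTrust": {"isMfaAccepted": True, "isCompliantDeviceAccepted": False,
                     "isHybridAzureADJoinedDeviceAccepted": False},
}
PARTNERS = [{"tenantId": "11111111-2222-3333-4444-555555555555"}]  # constructed

DIRECT_CONNECT_KEYS = ("b2bDirectConnectInbound", "b2bDirectConnectOutbound")


def _allows_everyone(setting: dict) -> bool:
    """Open only when both the users half and the applications half allow all."""
    return all(setting.get(part, {}).get("accessType") == "allowed"
               for part in ("usersAndGroups", "applications"))


def evaluate_cross_tenant_defaults(default: dict, partners: list) -> dict:
    findings = []
    for key in DIRECT_CONNECT_KEYS:
        if _allows_everyone(default.get(key, {})):
            findings.append(f"{key} allows every external tenant by default")
    # Accepting MFA claims from *all* tenants on the default means an
    # attacker-controlled tenant's MFA satisfies your own MFA requirement.
    if default.get("inboundTrust", {}).get("isMfaAccepted"):
        findings.append("inboundTrust.isMfaAccepted is set on the default (trusts MFA from any tenant)")
    if not partners:
        findings.append("no partner-specific configurations; the defaults govern every relationship")
    return {"control": "EXT-05", "passed": not findings,
            "findings": findings, "partner_count": len(partners)}


def restrict_defaults_patch(default: dict) -> dict:
    """Body for PATCH /policies/crossTenantAccessPolicy/default.

    Only the two direct-connect sections are included, so b2bCollaboration*
    (guest invitations) is left exactly as it was. The input is not mutated."""
    body = {}
    for key in DIRECT_CONNECT_KEYS:
        section = copy.deepcopy(default.get(key) or _setting("allowed", "allowed"))
        for part in ("usersAndGroups", "applications"):
            section[part]["accessType"] = "blocked"
        body[key] = section
    return body


if __name__ == "__main__":
    print(evaluate_cross_tenant_defaults(DEFAULT_POLICY, PARTNERS))
    print(restrict_defaults_patch(DEFAULT_POLICY))
```

The outbound direct-connect setting in the sample is "allowed" for users but "blocked" for applications, which is effectively closed; checking both halves avoids a false finding there, while the inbound setting is flagged. The inbound MFA trust finding is outside what the text lists but is the same class of overly permissive default, so it is included here.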
EXT-09: Guest User Lifecycle Review
Guest accounts that have not signed in for 90+ days are a liability: they keep every sharing link, Teams membership, and group access they accumulated, and nobody in your tenant controls their credentials. This control identifies stale guests, guests that never signed in, and active guests, then offers one-click disabling for the stale ones.
Unlike the existing GOV-01 stale account control (which targets internal users), EXT-09 focuses specifically on guest lifecycle with guest-appropriate thresholds and remediation.
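The EXT-09 classification, as an added Python example (not TrueConfig's code). GUESTS is a constructed sample shaped like GET /users?$filter=userType eq 'Guest' with $select including signInActivity, which requires AuditLog.Read.All and is omitted entirely for users who have never signed in. The 90-day threshold is the one the text gives; the split of never-signed-in guests into recent invitations and old ones is this example's own choice.

```python
# Added example, not TrueConfig code: classify guest accounts for EXT-09 and
# produce the per-account disable requests a "Fix Now" would issue.
from datetime import datetime, timedelta, timezone

STALE_DAYS = 90
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so the sample is deterministic


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _days_ago(n: int) -> str:
    return (NOW - timedelta(days=n)).strftime("%Y-%m-%dT%H:%M:%SZ")


GUESTS = [  # constructed sample of /users?$filter=userType eq 'Guest'
    {"id": "g1", "mail": "partner1@fabrikam.example", "createdDateTime": _days_ago(400),
     "accountEnabled": True, "externalUserState": "Accepted",
     "signInActivity": {"lastSignInDateTime": _days_ago(200),
                        "lastNonInteractiveSignInDateTime": _days_ago(3)}},
    {"id": "g2", "mail": "partner2@fabrikam.example", "createdDateTime": _days_ago(300),
     "accountEnabled": True, "externalUserState": "Accepted",
     "signInActivity": {"lastSignInDateTime": _days_ago(120)}},
    {"id": "g3", "mail": "newhire@vendor.example", "createdDateTime": _days_ago(10),
     "accountEnabled": True, "externalUserState": "PendingAcceptance"},
    {"id": "g4", "mail": "old@vendor.example", "createdDateTime": _days_ago(500),
     "accountEnabled": True, "externalUserState": "Accepted"},
    {"id": "g5", "mail": "gone@vendor.example", "createdDateTime": _days_ago(600),
     "accountEnabled": False, "externalUserState": "Accepted",
     "signInActivity": {"lastSignInDateTime": _days_ago(400)}},
]


def last_activity(user: dict):
    """Latest of the interactive and non-interactive sign-in timestamps.

    Guests working through Teams or a shared channel often show up only in
    lastNonInteractiveSignInDateTime, so judging by lastSignInDateTime alone
    over-counts stale guests and disables people who are actively working."""
    activity = user.get("signInActivity") or {}
    stamps = [_ts(activity[k]) for k in ("lastSignInDateTime", "lastNonInteractiveSignInDateTime")
              if activity.get(k)]
    return max(stamps) if stamps else None


def classify_guests(users: list, now: datetime = NOW, stale_days: int = STALE_DAYS) -> dict:
    cutoff = now - timedelta(days=stale_days)
    buckets = {"active": [], "stale": [], "never_signed_in": [],
               "recent_invite": [], "already_disabled": []}
    for u in users:
        if not u.get("accountEnabled", True):
            buckets["already_disabled"].append(u["id"])
            continue
        last = last_activity(u)
        if last is None:
            # No sign-in at all: a fresh invitation is normal, an old one is a stale grant.
            key = "recent_invite" if _ts(u["createdDateTime"]) > cutoff else "never_signed_in"
        else:
            key = "active" if last >= cutoff else "stale"
        buckets[key].append(u["id"])
    return buckets


def disable_requests(buckets: dict) -> list:
    """One PATCH /users/{id} per account, so each disable is its own audit log
    entry and can be reverted individually by setting accountEnabled back."""
    return [{"method": "PATCH", "url": f"/users/{i}", "body": {"accountEnabled": False}}
            for i in buckets["stale"] + buckets["never_signed_in"]]


if __name__ == "__main__":
    b = classify_guests(GUESTS)
    print(b)
    print(disable_requests(b))
```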
New: Governance and Visibility Controls
GOV-06: Entitlement Management
For tenants with P2 licensing, TrueConfig now checks whether access packages are configured in Identity Governance. Access packages bundle resources with approval workflows and automatic expiration — the structured alternative to ad-hoc permission grants.
GOV-08: Administrative Unit Boundaries
Administrative units enable delegated administration with clear boundaries. This control checks whether admin units exist and whether restricted management is enabled to prevent scope creep across delegation boundaries.
LOG-06: Sign-In Log Anomaly Baseline
TrueConfig now analyzes your audit logs for patterns of privileged operations — role assignment changes, CA policy modifications, application consent grants — and flags unusual activity levels. This is the foundation for anomaly detection: you need to know what "normal" looks like before you can detect "abnormal."
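A per-day baseline of privileged operations of the kind LOG-06 describes, as an added Python example (not TrueConfig's code). The records are constructed but shaped like GET /auditLogs/directoryAudits entries, and the activityDisplayName strings are real audit operation names. The threshold rule (mean plus three standard deviations over the previous 30 days, with a floor on the spread and a minimum absolute count) is this example's own choice, not a description of how TrueConfig scores.

```python
# Added example, not TrueConfig code: baseline privileged directory operations
# per day from audit log records and flag a day that breaks the baseline.
from collections import Counter
from datetime import date, datetime, timedelta
import statistics

PRIVILEGED_OPS = {
    "Add member to role", "Remove member from role",
    "Add conditional access policy", "Update conditional access policy",
    "Delete conditional access policy",
    "Consent to application", "Add app role assignment to service principal",
    "Add service principal credentials",
}

END_DAY = date(2025, 6, 1)  # fixed evaluation day for a deterministic sample


def _rec(day: date, op: str, who: str) -> dict:
    return {"activityDateTime": f"{day.isoformat()}T10:00:00Z",
            "activityDisplayName": op,
            "initiatedBy": {"user": {"userPrincipalName": who}}}


def build_sample() -> list:
    """Constructed: 30 quiet days (0, 1 or 2 privileged ops plus unprivileged noise)
    followed by a burst of role assignments and consents from one account."""
    recs = []
    for back in range(1, 31):
        day = END_DAY - timedelta(days=back)
        recs += [_rec(day, "Update conditional access policy", "ops@contoso.example")] * (back % 3)
        recs.append(_rec(day, "Update user", "hr@contoso.example"))  # not privileged; must be ignored
    recs += [_rec(END_DAY, "Add member to role", "svc-build@contoso.example")] * 9
    recs += [_rec(END_DAY, "Consent to application", "svc-build@contoso.example")] * 5
    return recs


def _actor(rec: dict) -> str:
    by = rec.get("initiatedBy") or {}
    return ((by.get("user") or {}).get("userPrincipalName")
            or (by.get("app") or {}).get("displayName") or "?")


def privileged_by_day(records: list) -> Counter:
    counts = Counter()
    for r in records:
        if r["activityDisplayName"] in PRIVILEGED_OPS:
            counts[datetime.fromisoformat(r["activityDateTime"].replace("Z", "+00:00")).date()] += 1
    return counts


def evaluate_day(records: list, day: date = END_DAY, lookback: int = 30,
                 z: float = 3.0, min_count: int = 5) -> dict:
    """Flag `day` when its count exceeds mean + z * stdev of the previous `lookback` days.

    Days with no privileged activity count as 0 (dropping them inflates the mean).
    The spread is floored at 1.0 so a perfectly flat baseline cannot flag a
    single routine change, and min_count stops tiny tenants from alerting on 2 events."""
    counts = privileged_by_day(records)
    history = [counts.get(day - timedelta(days=b), 0) for b in range(1, lookback + 1)]
    mean = statistics.fmean(history)
    spread = max(statistics.pstdev(history), 1.0)
    today = counts.get(day, 0)
    breakdown = Counter((r["activityDisplayName"], _actor(r)) for r in records
                        if r["activityDisplayName"] in PRIVILEGED_OPS
                        and r["activityDateTime"].startswith(day.isoformat()))
    threshold = mean + z * spread
    return {"control": "LOG-06", "day": day.isoformat(), "count": today,
            "baseline_mean": round(mean, 2), "threshold": round(threshold, 2),
            "flagged": today >= min_count and today > threshold,
            "top_actors": breakdown.most_common(3)}


if __name__ == "__main__":
    print(evaluate_day(build_sample()))
```

The breakdown by (operation, actor) is what makes the flag actionable: fourteen privileged operations in a day is a number, nine role assignments and five consents from a single build account is an incident lead.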
DV-03: Device Compliance for All Users
Previously, TrueConfig checked device compliance for admin access (DV-01). This new Level 3 control extends the requirement to all users — verifying that a CA policy requires compliant or hybrid-joined devices for all cloud app access.
CA-07: Session Controls (Now Evaluatable)
CA-07 existed as a manual-only control. It now has a full evaluator that checks for CA policies with sign-in frequency enforcement, persistent browser controls, and app-enforced restrictions. The "Fix Now" button creates a session controls policy in report-only mode.
Upgraded Existing Controls
We also improved 12 controls that were already shipping:
PA-05 and ID-04 now read the Authentication Methods policy directly, checking whether SMS/voice are disabled and passkeys are enabled at the policy level — not just in CA policies.
PA-07 (Continuous Access Evaluation) moved from Level 3 to Level 2 and now evaluates CAE configuration instead of returning "manual verification required." It detects strict enforcement mode, session control policies, and CAE-specific configurations.
GOV-03 (Privileged Access Reviews) now reads access review definitions from Microsoft Graph. If you have P2 licensing, it checks whether recurring reviews target privileged roles — replacing the previous "manual verification needed" result with actual evaluation data.
APP-09 was renamed to "Workload Identity Federation & Certificate Credentials" and now scores apps in three tiers: federation (best) > certificates (acceptable) > client secrets (flagged).
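The credential tiering that APP-10 and APP-09 describe, as one added Python example (not TrueConfig's code) serving both controls. APPS is a constructed sample shaped like GET /applications with passwordCredentials and keyCredentials selected and each app's GET /applications/{id}/federatedIdentityCredentials merged in. Two choices go beyond the text and are the example's own: an app is scored by the weakest credential it still holds (an attacker needs only one), and secrets valid for longer than an assumed 180-day local limit are flagged.

```python
# Added example, not TrueConfig code: tier app registrations by credential type
# (federation > certificates > client secrets) and list what to fix per app.
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample
MAX_SECRET_LIFETIME_DAYS = 180  # assumption: a local policy, not a Microsoft limit


def _iso(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _cred(start_days: int, end_days: int, cred_id: str) -> dict:
    return {"keyId": cred_id,
            "startDateTime": _iso(NOW + timedelta(days=start_days)),
            "endDateTime": _iso(NOW + timedelta(days=end_days))}


APPS = [  # constructed sample; issuer/subject values are illustrative
    {"id": "a1", "displayName": "ci-deploy", "passwordCredentials": [], "keyCredentials": [],
     "federatedIdentityCredentials": [{"name": "github-main",
                                       "issuer": "https://token.actions.githubusercontent.com",
                                       "subject": "repo:contoso/infra:ref:refs/heads/main",
                                       "audiences": ["api://AzureADTokenExchange"]}]},
    {"id": "a2", "displayName": "reporting-api", "passwordCredentials": [],
     "keyCredentials": [_cred(-100, 265, "k1")], "federatedIdentityCredentials": []},
    {"id": "a3", "displayName": "legacy-sync",
     "passwordCredentials": [_cred(-400, -30, "s1"), _cred(-30, 700, "s2")],
     "keyCredentials": [], "federatedIdentityCredentials": []},
    {"id": "a4", "displayName": "onboarding-bot", "passwordCredentials": [_cred(-10, 170, "s3")],
     "keyCredentials": [],
     "federatedIdentityCredentials": [{"name": "ado-pipeline",
                                       "issuer": "https://vstoken.dev.azure.com/00000000-0000-0000-0000-000000000000",
                                       "subject": "sc://contoso/infra/prod",
                                       "audiences": ["api://AzureADTokenExchange"]}]},
]


def tier_app(app: dict, now: datetime = NOW) -> dict:
    """Score one app by the weakest credential it holds and list findings."""
    secrets = app.get("passwordCredentials") or []
    certs = app.get("keyCredentials") or []
    fics = app.get("federatedIdentityCredentials") or []
    findings = []
    for s in secrets:
        lifetime = (_ts(s["endDateTime"]) - _ts(s["startDateTime"])).days
        if _ts(s["endDateTime"]) < now:
            findings.append(f"secret {s['keyId']} expired; remove it")
        elif lifetime > MAX_SECRET_LIFETIME_DAYS:
            findings.append(f"secret {s['keyId']} valid for {lifetime} days (> {MAX_SECRET_LIFETIME_DAYS})")
    if secrets:
        tier = "client_secret"
        findings.append("federation already configured; delete the remaining secrets to finish migration"
                        if fics else "migration candidate: replace secrets with federation or a certificate")
    elif certs:
        tier = "certificates"
    elif fics:
        tier = "federation"
    else:
        tier = "none"  # public clients legitimately have no credentials
    return {"app": app["displayName"], "tier": tier, "findings": findings}


def summarize(apps: list) -> dict:
    """APP-10 view: distribution across tiers plus every app with a finding."""
    results = [tier_app(a) for a in apps]
    dist = {}
    for r in results:
        dist[r["tier"]] = dist.get(r["tier"], 0) + 1
    total = len(results) or 1
    return {"control": "APP-10",
            "distribution_pct": {k: round(100.0 * v / total, 1) for k, v in dist.items()},
            "flagged": [r for r in results if r["findings"]]}


if __name__ == "__main__":
    print(summarize(APPS))
```

The onboarding-bot case is the one worth noticing: it already has a federated credential, but as long as the secret exists the app is still reachable with a leaked string, so it stays in the flagged tier until the secret is deleted.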
LOG-01 (Audit Logging) now verifies by evidence — if audit log data was collected in the scan, audit logging is confirmed active. No more "manual verification required" for something we can infer from the data.
EXT-02 (Guest MFA) was upgraded from manual-only to auto-remediable. The "Fix Now" button creates a CA policy requiring MFA for all guest and external users.
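Coverage detection for the four Conditional Access controls on this page (CA-12 workload identities, CA-07 session controls, DV-03 device compliance for all users, and EXT-02 guest MFA), plus the report-only guest MFA policy body an EXT-02 fix would POST, as one added Python example (not TrueConfig's code) anchored here because EXT-02 is the last of them. POLICIES is a constructed sample shaped like GET /identity/conditionalAccess/policies; the matching rules are this example's reading of what each control requires.

```python
# Added example, not TrueConfig code: detect CA coverage gaps for CA-12, CA-07,
# DV-03 and EXT-02 over Graph-shaped policy objects, distinguishing enforced
# from report-only coverage, and build the report-only EXT-02 policy body.
REPORT_ONLY = "enabledForReportingButNotEnforced"
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator template id

POLICIES = [  # constructed sample
    {"displayName": "MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "includeRoles": [GLOBAL_ADMIN_ROLE]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}, "sessionControls": None},
    {"displayName": "Block service principals outside trusted networks", "state": REPORT_ONLY,
     "conditions": {"clientApplications": {"includeServicePrincipals": ["ServicePrincipalsInMyTenant"]},
                    "applications": {"includeApplications": ["All"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}, "sessionControls": None},
    {"displayName": "Compliant device for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["break-glass-object-id"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
     "sessionControls": None},
    {"displayName": "Sign-in frequency 12h", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
     "grantControls": None,
     "sessionControls": {"signInFrequency": {"isEnabled": True, "type": "hours", "value": 12}}},
]


def _get(d, *path, default=None):
    """Safe nested lookup; Graph omits or nulls sections a policy does not use."""
    for key in path:
        if not isinstance(d, dict) or d.get(key) is None:
            return default
        d = d[key]
    return d


def _builtin(p: dict) -> set:
    return set(_get(p, "grantControls", "builtInControls", default=[]))


def _all_users_all_apps(p: dict) -> bool:
    return (_get(p, "conditions", "users", "includeUsers", default=[]) == ["All"]
            and _get(p, "conditions", "applications", "includeApplications", default=[]) == ["All"])


CHECKS = {
    "CA-12": lambda p: ("ServicePrincipalsInMyTenant" in
                        _get(p, "conditions", "clientApplications", "includeServicePrincipals", default=[])
                        and "block" in _builtin(p)),
    "CA-07": lambda p: any(_get(p, "sessionControls", k, "isEnabled") for k in
                           ("signInFrequency", "persistentBrowser", "applicationEnforcedRestrictions")),
    "DV-03": lambda p: _all_users_all_apps(p) and bool(_builtin(p) & {"compliantDevice", "domainJoinedDevice"}),
    "EXT-02": lambda p: "mfa" in _builtin(p) and (
        _get(p, "conditions", "users", "includeGuestsOrExternalUsers") is not None
        or "GuestsOrExternalUsers" in _get(p, "conditions", "users", "includeUsers", default=[])),
}


def coverage(policies: list) -> dict:
    """Per control: 'enforced' if an enabled policy matches, 'report_only' if only
    report-only policies do, otherwise 'missing'. Disabled policies never count."""
    result = {}
    for control, matches in CHECKS.items():
        states = {p.get("state") for p in policies if matches(p)}
        result[control] = ("enforced" if "enabled" in states
                           else "report_only" if REPORT_ONLY in states else "missing")
    return result


def guest_mfa_policy_body(exclude_user_ids=()) -> dict:
    """Body for POST /identity/conditionalAccess/policies (the EXT-02 fix).
    Always report-only: switching it on is a human decision after reviewing impact."""
    return {
        "displayName": "Require MFA for guests and external users",
        "state": REPORT_ONLY,
        "conditions": {
            "users": {
                "includeGuestsOrExternalUsers": {
                    "guestOrExternalUserTypes": "b2bCollaborationGuest,b2bCollaborationMember,"
                                                "b2bDirectConnectUser,internalGuest,otherExternalUser,serviceProvider",
                    "externalTenants": {"@odata.type": "#microsoft.graph.conditionalAccessAllExternalTenants",
                                        "membershipKind": "all"}},
                "excludeUsers": list(exclude_user_ids)},  # keep break-glass accounts out
            "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


if __name__ == "__main__":
    print(coverage(POLICIES))
    print(coverage(POLICIES + [guest_mfa_policy_body(["break-glass-object-id"])]))
```

Two details matter in practice: a disabled policy contributes nothing (the 12-hour sign-in frequency policy in the sample leaves CA-07 "missing"), and a report-only policy is reported as such rather than as coverage, since it changes no sign-in outcome until someone enables it.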
ID-03 and ID-05 now include Authentication Methods policy data when available, providing richer evaluation context.
Under the Hood: 7 New Graph API Data Sources
All of these controls are powered by new data we are collecting from Microsoft Graph during each tenant scan:
| Data Source | Graph Endpoint | Controls |
|---|---|---|
| Authentication Methods Policy | /policies/authenticationMethodsPolicy | ID-06, PA-05, ID-03, ID-05 |
| Cross-Tenant Access Policy | /policies/crossTenantAccessPolicy | EXT-05, PA-07 |
| Federated Identity Credentials | /applications/{id}/federatedIdentityCredentials | APP-10, APP-09 |
| Risky Service Principals | /identityProtection/riskyServicePrincipals | PA-08 |
| Access Review Definitions | /identityGovernance/accessReviews/definitions | GOV-03 |
| Access Packages | /identityGovernance/entitlementManagement/accessPackages | GOV-06 |
| Administrative Units | /directory/administrativeUnits | GOV-08 |
Each new data source degrades gracefully. If your tenant does not have the required license or has not granted the permission, the control returns an advisory result explaining what is needed — it never fails the scan.
One-Click Remediation for 7 Controls
These controls have "Fix Now" buttons that execute safe, reversible actions:
| Control | Action | Safety |
|---|---|---|
| CA-07 | Create session controls policy | Report-only mode |
| CA-12 | Create workload identity CA policy | Report-only mode |
| EXT-05 | Restrict cross-tenant defaults | Preserves B2B collaboration |
| EXT-09 | Disable stale guest accounts | Per-account with audit trail |
| PA-08 | Disable risky service principal | Immediate, reversible |
| DV-03 | Create device compliance policy | Report-only mode |
| EXT-02 | Create guest MFA policy | Report-only mode |
CA policies are always created in report-only mode. TrueConfig never auto-enables CA policies — that decision stays with you, after reviewing the impact in Entra ID.
What This Means for Your Baseline
If you are on the Essential plan, you get 28 Level 1 controls (up from 26), including the new ID-06 and EXT-09.
If you are on the Pro plan, you get 30 Level 2 controls (up from 20), covering workload identity, passkey adoption, cross-tenant access, and governance controls.
If you are on the Scale plan, you get 9 Level 3 controls (unchanged count, but PA-07 moved to Level 2 and DV-03 was added).
Run a scan after updating to see the new controls in your dashboard. Controls that need additional Graph permissions will show advisory results explaining exactly which permission to grant.
TrueConfig monitors your Microsoft 365 security configuration against your defined baseline. When something changes, you know about it — with context on what changed, why it matters, and how to fix it. Start a free trial and connect your first tenant in under 5 minutes.