Security Controls Reference

54 security controls for Microsoft 365 and Entra ID. Browse by category, severity, or baseline level to find the controls you need.

Total controls: 54
Critical: 17
Auto-remediable: 22
Categories: 9

All Controls

Each control is listed with its ID, severity, baseline level (L1 to L3) and category.

ID        Severity  Level  Control                                                  Category
-------------------------------------------------------------------------------------------
ID-01     Critical  L1     User MFA Registration                                    Identity & Authentication
ID-02     High      L1     Block Legacy Authentication                              Identity & Authentication
ID-03     Medium    L1     Enable Self-Service Password Reset                       Identity & Authentication
PA-01     Critical  L1     Limit Global Administrators to 2-4                       Privileged Access
PA-02     High      L1     Use Dedicated Admin Accounts                             Privileged Access
PA-03     Critical  L1     Configure Emergency Access Accounts                      Privileged Access
CA-01     Critical  L1     Require MFA via Conditional Access Policy                Conditional Access
CA-02     Critical  L1     Require MFA for All Administrators                       Conditional Access
CA-08     Medium    L1     Block Access from High-Risk Countries                    Conditional Access
APP-01    Medium    L1     Assign Owners to All Applications                        Workload Identity & Applications
APP-02    High      L1     Enforce Application Credential Expiration                Workload Identity & Applications
EXT-01    Medium    L1     Restrict Guest Invitation Permissions                    Guest & External Access
EXT-02    Medium    L1     Require MFA for Guest Users                              Guest & External Access
GOV-01    Medium    L1     Review Stale User Accounts                               Governance & Hygiene
GOV-05    Low       L1     Maintain Group Naming Conventions                        Governance & Hygiene
LOG-01    High      L1     Enable Unified Audit Logging                             Logging & Visibility
LOG-04    Critical  L1     Configure Privileged Operation Alerts                    Logging & Visibility
APP-05    Critical  L1     Service Principal Credential Hygiene                     Workload Identity & Applications
APP-08    High      L1     Restrict User Application Consent                        Workload Identity & Applications
CA-11     High      L1     Enforce Session Lifetime Limits                          Conditional Access
EXT-06    High      L1     External Sharing Visibility                              Guest & External Access
EXT-07    High      L1     Detect External Mail Forwarding                          Guest & External Access
GOV-07    Medium    L1     Audit Privileged Role Assignments                        Governance & Hygiene
ID-05     Medium    L1     Configure Smart Lockout Protection                       Identity & Authentication
LIC-01    Low       L1     License Utilization Visibility                           License Management
PA-01-L2  Critical  L2     Eliminate Permanent Global Administrators                Privileged Access
PA-04     Critical  L2     Require PIM for All Privileged Roles                     Privileged Access
PA-05     Critical  L2     Require Phishing-Resistant MFA for Admins                Privileged Access
DV-01     High      L2     Require Compliant Devices for Admin Access               Conditional Access
CA-03     High      L2     Block or Require MFA for Risky Sign-Ins                  Conditional Access
CA-04     High      L2     Remediate High-Risk Users Automatically                  Conditional Access
APP-03    High      L2     Internal App Registration Permissions                    Workload Identity & Applications
APP-04    Medium    L2     Enable Admin Consent Workflow                            Workload Identity & Applications
GOV-02    Medium    L2     Automatically Disable Stale Accounts                     Governance & Hygiene
GOV-03    High      L2     Conduct Quarterly Privileged Access Reviews              Governance & Hygiene
LOG-02    Medium    L2     Export Logs to Long-Term Storage                         Logging & Visibility
LOG-05    High      L2     Admin Activity Anomaly Detection                         Logging & Visibility
APP-06    High      L2     Third-Party Enterprise App Permissions                   Workload Identity & Applications
APP-07    Medium    L2     Identify Unused Service Principals                       Workload Identity & Applications
CA-10     High      L2     Enable Token Protection                                  Conditional Access
DV-02     Critical  L2     Require Compliant Devices for Global Admins              Conditional Access
EXT-04    Medium    L2     Configure Guest Access Expiration                        Guest & External Access
EXT-08    Medium    L2     Audit Mailbox Delegation                                 Guest & External Access
DLP-01    High      L2     Enable Sensitive Data Classification                     Data Protection
ID-04     Critical  L3     Require Phishing-Resistant MFA for All Users             Identity & Authentication
PA-06     Critical  L3     Require FIDO2 Security Keys for Administrators           Privileged Access
PA-07     High      L3     Enable Continuous Access Evaluation                      Privileged Access
CA-05     High      L2     Require App Protection for Mobile Access                 Conditional Access
CA-09     Critical  L3     Zero Trust Network Access                                Conditional Access
CA-06     Critical  L3     Restrict Admin Access to Privileged Access Workstations  Conditional Access
EXT-03    High      L3     Restrict Guest Access to Allowlisted Domains             Guest & External Access
GOV-04    Critical  L3     Automate Threat Response with SOAR                       Governance & Hygiene
LOG-03    High      L3     Stream All Security Events to SIEM in Real-Time          Logging & Visibility
DLP-02    Critical  L3     Block Bulk Data Exfiltration                             Data Protection

Ready to secure your Microsoft 365 tenant?

TrueConfig continuously monitors your tenant against all 54 security controls and helps you fix deviations automatically.