Governance & Hygiene
Account lifecycle and hygiene practices
Review Stale User Accounts
Unused accounts are common attacker footholds. Accounts that belonged to former employees or contractors, or that were simply forgotten, have no owner watching them, so a compromise can go unnoticed for a long time. Regular review ensures that only active users retain access.
Maintain Group Naming Conventions
Consistent naming conventions improve governance, make groups easier to find, and indicate their purpose at a glance. Random or inconsistent group names suggest poor organizational hygiene and make administration harder.
Audit Privileged Role Assignments
Privilege creep happens gradually. Without a baseline of who should have admin rights, you cannot detect unauthorized role assignments. Regular auditing ensures only authorized users retain privileged access.
Restrict Tenant Creation
If any member can create tenants, anyone in the organization can spin up a new Microsoft Entra ID tenant that sits outside your governance, conditional access policies and monitoring. This shadow IT creates ungoverned environments that bypass security controls and complicate incident response, because activity in that tenant never reaches your logs.
Restrict Security Group Creation
Security groups are used in access grants and policy targeting. If any user can create them, group sprawl and ungoverned access assignments follow, weakening least-privilege and complicating access reviews.
Disable Self-Service Sign-Up
Self-service sign-up lets external users join the tenant on their own, creating ungoverned external identities without admin oversight. Disabling it ensures every external identity enters through a controlled, reviewable path.
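The three controls above (Restrict Tenant Creation, Restrict Security Group Creation and Disable Self-Service Sign-Up) all live in the single tenant-wide authorization policy in Microsoft Entra ID, so one script can audit and remediate them. The following is an added example written for this page, not TrueConfig's code; it uses the Microsoft Graph PowerShell SDK and assumes that "Disable Self-Service Sign-Up" maps to the policy's AllowEmailVerifiedUsersToJoinOrganization property, that the caller has the Policy.Read.All and Policy.ReadWrite.Authorization permissions, and that the -Remediate switch name is the script's own convention.

```powershell
# Added example (not TrueConfig's code): audit, and optionally remediate, the
# tenant-wide authorization policy that controls what ordinary members may do.
# Assumes the Microsoft.Graph.Identity.SignIns module is installed and that the
# signed-in account holds Policy.Read.All (audit) and
# Policy.ReadWrite.Authorization (remediate).
#Requires -Modules Microsoft.Graph.Identity.SignIns

param(
    # Pass -Remediate to write the hardened values; the default is a read-only audit.
    [switch]$Remediate
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.Authorization' -NoWelcome

# There is exactly one authorization policy per tenant and its id is fixed.
$policy = Get-MgPolicyAuthorizationPolicy -AuthorizationPolicyId 'authorizationPolicy'
$perms  = $policy.DefaultUserRolePermissions

# Current state of the three controls. $true on any of these means every member
# may do it, i.e. the control is NOT in place.
$findings = [ordered]@{
    'Restrict Tenant Creation'         = $perms.AllowedToCreateTenants
    'Restrict Security Group Creation' = $perms.AllowedToCreateSecurityGroups
    'Disable Self-Service Sign-Up'     = $policy.AllowEmailVerifiedUsersToJoinOrganization
}

foreach ($control in $findings.Keys) {
    $status = if ($findings[$control]) { 'FAIL (allowed for all members)' } else { 'PASS' }
    Write-Output ('{0,-34} {1}' -f $control, $status)
}

if ($Remediate) {
    # Graph PATCH semantics: only the properties named here change; the other
    # default user permissions (app creation, reading other users, ...) are kept.
    Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId 'authorizationPolicy' `
        -DefaultUserRolePermissions @{
            AllowedToCreateTenants        = $false
            AllowedToCreateSecurityGroups = $false
        } `
        -AllowEmailVerifiedUsersToJoinOrganization:$false

    Write-Output 'Remediated: tenant creation, security-group creation and self-service sign-up are now restricted for members.'
}
```

Run it without arguments first and keep the output as the baseline for the control; rerun with -Remediate only after confirming that no automation or help-desk process depends on members creating security groups. Restricting group creation does not affect admins holding the Groups Administrator or User Administrator roles, and tenant-level restriction does not stop a user who already owns an external tenant, so the "Review Stale User Accounts" and privileged-role audits remain necessary alongside it.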
Automatically Disable Stale Accounts
Manual reviews miss accounts. Automated disabling ensures that accounts of former employees, forgotten accounts and other inactive identities cannot be used by attackers even when no reviewer looks at them. Warning the account owner 14 days before the account is disabled prevents disruption for legitimate users who are merely on leave or between projects.
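Both "Review Stale User Accounts" above and this automated control need the same thing: the date each account was last used. The following is an added example written for this page, not TrueConfig's code. It uses the Microsoft Graph PowerShell SDK to report member accounts entering the 14-day warning window and to disable those past the inactivity threshold. The 90-day threshold, the switch names and the module and permission names (AuditLog.Read.All for signInActivity, User.ReadWrite.All to disable) are this script's assumptions; how the warning is delivered to the owner is left to your ticketing or mail system.

```powershell
# Added example (not TrueConfig's code): stale-account sweep for member accounts
# in Microsoft Entra ID. Accounts unused for $InactiveDays days are disabled;
# accounts that will cross that threshold within $WarningDays days are listed so
# their owners can be warned first. Assumes the Microsoft.Graph.Users and
# Microsoft.Graph.Users.Actions modules and the AuditLog.Read.All (needed for
# signInActivity) and User.ReadWrite.All permissions.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Users.Actions

param(
    [int]$InactiveDays = 90,    # assumption: 90 days of inactivity counts as stale
    [int]$WarningDays  = 14,    # the 14-day warning window described on the page
    [switch]$Disable            # omit for a read-only report
)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'User.ReadWrite.All' -NoWelcome

$now           = (Get-Date).ToUniversalTime()
$disableCutoff = $now.AddDays(-$InactiveDays)
$warnCutoff    = $now.AddDays(-($InactiveDays - $WarningDays))

# Enabled member accounts only: guests need a separate review and already
# disabled accounts are out of scope. ConsistencyLevel/CountVariable switch on
# the advanced query support that the userType filter requires.
$users = Get-MgUser -All -ConsistencyLevel eventual -CountVariable total `
    -Filter "accountEnabled eq true and userType eq 'Member'" `
    -Property Id,UserPrincipalName,CreatedDateTime,SignInActivity

$toWarn    = @()
$toDisable = @()
foreach ($u in $users) {
    # Take the most recent evidence of use, interactive or not. An account that
    # has never signed in has no signInActivity at all, so fall back to its
    # creation date instead of silently skipping it.
    $last = @(
        $u.SignInActivity.LastSignInDateTime,
        $u.SignInActivity.LastNonInteractiveSignInDateTime,
        $u.CreatedDateTime
    ) | Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    $row = [pscustomobject]@{ Upn = $u.UserPrincipalName; Id = $u.Id; LastUsed = $last }
    if     ($last -lt $disableCutoff) { $toDisable += $row }
    elseif ($last -lt $warnCutoff)    { $toWarn    += $row }
}

Write-Output "Entering warning window (disabled in at most $WarningDays days):"
$toWarn | Format-Table Upn, LastUsed
Write-Output "Past $InactiveDays days of inactivity:"
$toDisable | Format-Table Upn, LastUsed

if ($Disable) {
    foreach ($acct in $toDisable) {
        # Disable the account and revoke refresh tokens so that sessions already
        # issued die with it instead of living on until they expire.
        Update-MgUser -UserId $acct.Id -AccountEnabled:$false
        Revoke-MgUserSignInSession -UserId $acct.Id | Out-Null
        Write-Output "Disabled $($acct.Upn) (last used $($acct.LastUsed))"
    }
}
```

Schedule the read-only form daily and the -Disable form after the warning window has elapsed. Two caveats a practitioner will hit: signInActivity is only populated on tenants with a Microsoft Entra ID P1 or P2 license, and service accounts that authenticate only through non-interactive flows must be excluded explicitly (for example by group membership) or the sweep will disable them.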
Conduct Quarterly Privileged Access Reviews
Over time, users accumulate privileges they no longer need. Access reviews force managers to justify each privileged assignment, preventing privilege creep and reducing risk from over-entitled accounts.
Entitlement Management
Without structured access provisioning, users accumulate permissions over time. Entitlement management bundles resources into governed access packages with approval workflows and automatic expiration.
Administrative Unit Boundaries
Without administrative boundaries, any admin with a tenant-wide role can manage every user in the directory. Administrative units create delegation boundaries, so a help-desk role can be scoped to one region or department, and restricted management administrative units go further: tenant-wide role holders cannot modify the members of such a unit, only administrators explicitly assigned to that unit can.
Automate Threat Response with SOAR
Manual incident response takes hours. Automated playbooks respond to threats in seconds, for example by disabling the account, revoking its sessions and opening a ticket as soon as an alert fires. Level 3 organizations minimize attacker dwell time by automatically containing compromised accounts in this way.
Ready to implement governance & hygiene controls?
TrueConfig continuously monitors your Microsoft 365 tenant and helps you maintain compliance with these security controls.