Governance & Hygiene

Account lifecycle and hygiene practices

11 controls · 1 critical · 1 auto-remediable

GOV-01 · Medium · Level 1

Review Stale User Accounts

Unused accounts are a common attacker foothold. Accounts belonging to former employees or contractors, and accounts that were simply forgotten, can be compromised without anyone noticing, because no legitimate user is there to report unfamiliar activity. Regular review ensures only active users retain access.

GOV-05 · Low · Level 1

Maintain Group Naming Conventions

Consistent naming conventions improve governance, make groups easier to find, and indicate their purpose at a glance. Random or inconsistent group names suggest poor organizational hygiene and make administration harder.

GOV-07 · Info · Level 1

Audit Privileged Role Assignments

Privilege creep happens gradually. Without a baseline of who should have admin rights, you cannot detect unauthorized role assignments. Regular auditing ensures only authorized users retain privileged access.
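The baseline the paragraph calls for can be kept as a file and diffed against the tenant on a schedule. The script below is an added example, not TrueConfig's code or part of the original page; it assumes the Microsoft Graph PowerShell SDK, PowerShell 7 or later, and the scopes it requests. The list of roles, the baseline file path and the sample UPNs in the comment are placeholders.

```powershell
# Added example (not TrueConfig's code): diff the current holders of privileged
# directory roles against a reviewed baseline file. Assumes the Microsoft Graph
# PowerShell SDK, PowerShell 7+ (ConvertFrom-Json -AsHashtable) and the scopes below.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

# Roles treated as privileged here; extend to match your own policy.
$privilegedRoles = @(
    "Global Administrator", "Privileged Role Administrator",
    "Security Administrator", "Exchange Administrator", "User Administrator"
)
# Baseline of who is *supposed* to hold each role (placeholder path), shaped as
# { "Global Administrator": ["breakglass@contoso.onmicrosoft.com", "alice@contoso.com"] }
$baselinePath = ".\privileged-baseline.json"
$baseline = if (Test-Path $baselinePath) {
    Get-Content $baselinePath -Raw | ConvertFrom-Json -AsHashtable
} else { @{} }

$roleDefs = Get-MgRoleManagementDirectoryRoleDefinition -All |
    Where-Object { $privilegedRoles -contains $_.DisplayName }

$current = @{}
foreach ($name in $privilegedRoles) { $current[$name] = @() }
foreach ($role in $roleDefs) {
    # Active assignments only; expanding the principal saves one lookup per member.
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -All `
        -Filter "roleDefinitionId eq '$($role.Id)'" -ExpandProperty Principal
    $current[$role.DisplayName] = @($assignments | ForEach-Object {
        $p = $_.Principal.AdditionalProperties
        # Users carry a UPN; groups and service principals (which also need
        # reviewing) are reported by type and display name instead.
        if ($p.userPrincipalName) { $p.userPrincipalName }
        else { "$($p.'@odata.type') $($p.displayName)" }
    })
}

# Drift in both directions: unexpected holders and expected holders who are gone.
$drift = foreach ($name in $privilegedRoles) {
    $expected = @($baseline[$name] | Where-Object { $_ })
    $actual   = @($current[$name]  | Where-Object { $_ })
    foreach ($p in $actual)   { if ($expected -notcontains $p) {
        [pscustomobject]@{ Role = $name; Principal = $p; Finding = "NOT IN BASELINE" } } }
    foreach ($p in $expected) { if ($actual -notcontains $p) {
        [pscustomobject]@{ Role = $name; Principal = $p; Finding = "EXPECTED BUT ABSENT" } } }
}
if ($drift) { $drift | Format-Table -AutoSize } else { Write-Host "No drift from baseline." }

# First run: write the observed state as the draft baseline for a human to review.
if (-not (Test-Path $baselinePath)) {
    $current | ConvertTo-Json -Depth 3 | Set-Content $baselinePath
}
```

Two caveats. The first run seeds the baseline from whatever is currently assigned, so that draft must be reviewed by a person before it is trusted, otherwise existing privilege creep is baked in. And this query lists active assignments only; if you use Privileged Identity Management, eligible assignments live under role eligibility schedules (Get-MgRoleManagementDirectoryRoleEligibilitySchedule) and should be compared the same way.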

GOV-09 · Medium · Level 1

Restrict Tenant Creation

If any user can create tenants, they can spin up identity boundaries outside your governance and monitoring. This shadow IT creates ungoverned environments that bypass security controls and complicate incident response.

GOV-10 · Low · Level 1

Restrict Security Group Creation

Security groups are used in access grants and policy targeting. If any user can create them, group sprawl and ungoverned access assignments follow, weakening least-privilege and complicating access reviews.

GOV-11 · Low · Level 1

Disable Self-Service Sign-Up

Self-service sign-up lets external users join the tenant on their own, creating ungoverned external identities without admin oversight. Disabling it ensures every external identity enters through a controlled, reviewable path.
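GOV-09, GOV-10 and GOV-11 all come down to settings on the tenant's single authorization policy, so one script can audit and fix them together. The following is an added example, not TrueConfig's code or part of the original page; it assumes the Microsoft Graph PowerShell SDK and a role able to consent to the scopes it requests. Which policy properties correspond to "self-service sign-up" is my reading of the control: the two email-based join settings on the policy.

```powershell
# Added example (not TrueConfig's code): audit and optionally remediate the
# tenant-wide authorization policy settings behind GOV-09, GOV-10 and GOV-11.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns).
param([switch]$Remediate)   # report only unless -Remediate is given

$scope = if ($Remediate) { "Policy.ReadWrite.Authorization" } else { "Policy.Read.All" }
Connect-MgGraph -Scopes $scope -NoWelcome

# A tenant has exactly one authorization policy; no ID filter is needed to read it.
$policy = Get-MgPolicyAuthorizationPolicy
$perms  = $policy.DefaultUserRolePermissions

# Desired state: ordinary members cannot create tenants or security groups, and
# external users cannot self-register via email-verified join / email-based sign-up.
$checks = @(
    [pscustomobject]@{ Control = "GOV-09"; Setting = "defaultUserRolePermissions.allowedToCreateTenants";        Current = $perms.AllowedToCreateTenants }
    [pscustomobject]@{ Control = "GOV-10"; Setting = "defaultUserRolePermissions.allowedToCreateSecurityGroups"; Current = $perms.AllowedToCreateSecurityGroups }
    [pscustomobject]@{ Control = "GOV-11"; Setting = "allowedToSignUpEmailBasedSubscriptions";                   Current = $policy.AllowedToSignUpEmailBasedSubscriptions }
    [pscustomobject]@{ Control = "GOV-11"; Setting = "allowEmailVerifiedUsersToJoinOrganization";                Current = $policy.AllowEmailVerifiedUsersToJoinOrganization }
)
# Each of these is a boolean whose hardened value is $false.
$checks | Format-Table Control, Setting, Current,
    @{ Name = "Status"; Expression = { if ($_.Current) { "FAIL" } else { "PASS" } } } -AutoSize

$failing = @($checks | Where-Object { $_.Current })
if (-not $failing) { Write-Host "All settings hardened."; return }
if (-not $Remediate) { Write-Host "$($failing.Count) finding(s). Re-run with -Remediate to fix."; return }

# Re-send the unchanged defaultUserRolePermissions values alongside the two we
# harden, so a partial PATCH cannot silently reset anything else in the object.
$desiredPerms = @{
    allowedToCreateApps                      = $perms.AllowedToCreateApps
    allowedToCreateSecurityGroups            = $false
    allowedToCreateTenants                   = $false
    allowedToReadOtherUsers                  = $perms.AllowedToReadOtherUsers
    allowedToReadBitlockerKeysForOwnedDevice = $perms.AllowedToReadBitlockerKeysForOwnedDevice
    permissionGrantPoliciesAssigned          = $perms.PermissionGrantPoliciesAssigned
}
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId $policy.Id `
    -DefaultUserRolePermissions $desiredPerms `
    -AllowedToSignUpEmailBasedSubscriptions:$false `
    -AllowEmailVerifiedUsersToJoinOrganization:$false

# Read back rather than trusting the write: the audit, not the PATCH, is the evidence.
$after = Get-MgPolicyAuthorizationPolicy
"Tenant creation: $($after.DefaultUserRolePermissions.AllowedToCreateTenants); " +
"Security-group creation: $($after.DefaultUserRolePermissions.AllowedToCreateSecurityGroups); " +
"Email-based sign-up: $($after.AllowedToSignUpEmailBasedSubscriptions)"
```

Note that `allowedToCreateSecurityGroups` only governs plain security groups created by ordinary members; administrators keep that right through their roles, and Microsoft 365 group creation is governed by a separate directory setting, so GOV-10 does not stop Teams or Outlook group sprawl on its own.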

GOV-02 · Medium · Level 2 · Auto-fix

Automatically Disable Stale Accounts

Manual reviews miss accounts. Automated disabling ensures that former employees, forgotten accounts, and inactive identities cannot be used by attackers. The 14-day warning prevents disruption for legitimate users.
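The review in GOV-01 and the automated disabling in GOV-02 share the same core decision: how long since this account was last used, and is it inside the 14-day warning window. The script below is an added example, not TrueConfig's code or part of the original page; it assumes the Microsoft Graph PowerShell SDK and that the tenant is licensed for sign-in activity data (Entra ID P1 or P2). The 90-day threshold is my assumption, since the page does not fix one, and the break-glass UPNs are placeholders.

```powershell
# Added example (not TrueConfig's code): find inactive enabled accounts, warn in
# the last 14 days before the cut-off, and (only with -Disable) disable the rest.
# Assumes the Microsoft Graph PowerShell SDK; signInActivity needs Entra ID P1/P2.
param(
    [int]$StaleDays = 90,            # assumption: the page sets no threshold
    [int]$WarnDays  = 14,            # the warning window named on the page
    [string[]]$Exclude = @(          # placeholder break-glass UPNs, never auto-disabled
        "breakglass1@contoso.onmicrosoft.com",
        "breakglass2@contoso.onmicrosoft.com"),
    [switch]$Disable                 # report only unless given
)

$scopes = @("User.Read.All", "AuditLog.Read.All")
if ($Disable) { $scopes += "User.ReadWrite.All" }   # ask for write access only when needed
Connect-MgGraph -Scopes $scopes -NoWelcome

$now   = (Get-Date).ToUniversalTime()
$users = Get-MgUser -All -Property "id,displayName,userPrincipalName,accountEnabled,userType,createdDateTime,signInActivity"

$report = foreach ($u in $users) {
    if (-not $u.AccountEnabled) { continue }                  # already disabled
    if ($Exclude -contains $u.UserPrincipalName) { continue }

    # Take the most recent of interactive and non-interactive sign-ins: an account
    # that only ever refreshes tokens (scripts, mail clients) is still in use.
    $last = @($u.SignInActivity.LastSignInDateTime,
              $u.SignInActivity.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    # Never signed in at all: age the account from its creation date, so a user
    # provisioned yesterday is not swept up while a year-old unused account is.
    $reference = if ($last) { $last } else { $u.CreatedDateTime }
    if (-not $reference) { continue }                          # no data; leave for manual review
    $idleDays = [math]::Floor(($now - $reference.ToUniversalTime()).TotalDays)

    if ($idleDays -lt ($StaleDays - $WarnDays)) { continue }   # active, nothing to do
    $action = if ($idleDays -ge $StaleDays) { "DISABLE" } else { "WARN" }

    [pscustomobject]@{
        UPN        = $u.UserPrincipalName
        Type       = $u.UserType
        IdleDays   = $idleDays
        LastSignIn = $last
        Action     = $action
    }
}

$report | Sort-Object IdleDays -Descending | Format-Table -AutoSize

if ($Disable) {
    foreach ($r in @($report | Where-Object { $_.Action -eq "DISABLE" })) {
        # Disable rather than delete: the account and its audit trail stay
        # recoverable if the review turns out to be wrong.
        Update-MgUser -UserId $r.UPN -AccountEnabled:$false
        Write-Host "Disabled $($r.UPN) after $($r.IdleDays) idle days"
    }
}
```

Run it without `-Disable` first and read the report; the `WARN` rows are the ones to feed into whatever notification path you use for the 14-day warning, and the `DISABLE` rows are what the next run will act on. Guest accounts (`Type = Guest`) that never signed in show up here as well, which is usually the largest group of findings.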

GOV-03 · High · Level 2

Conduct Quarterly Privileged Access Reviews

Over time, users accumulate privileges they no longer need. Access reviews force managers to justify each privileged assignment, preventing privilege creep and reducing risk from over-entitled accounts.

GOV-06 · Medium · Level 2

Entitlement Management

Without structured access provisioning, users accumulate permissions over time. Entitlement management bundles resources into governed access packages with approval workflows and automatic expiration.

GOV-08 · Low · Level 2

Administrative Unit Boundaries

Without administrative boundaries, any admin holding a tenant-wide role can manage every user. Administrative units scope delegated roles to a subset of users, groups or devices, and restricted management administrative units go further: tenant-scoped role holders cannot modify the members of such a unit unless they are explicitly assigned a role scoped to it, so unit-scoped administrators cannot be quietly overridden.

GOV-04 · Critical · Level 3

Automate Threat Response with SOAR

Manual incident response takes hours; automated playbooks respond in seconds. Level 3 organizations minimize attacker dwell time by automatically containing compromised accounts (for example disabling the account, revoking its sessions and resetting its password) as soon as a high-confidence alert fires.

Ready to implement governance & hygiene controls?

TrueConfig continuously monitors your Microsoft 365 tenant and helps you maintain compliance with these security controls.