# Control Reference
Complete catalog of all DSC (Desired State Configuration) controls available in TrueConfig. Controls are organized by category and baseline level.
## Control Categories
Controls are organized into the following categories based on their security domain:
### Privileged Access (PA)
Controls governing administrative access, Global Admin posture, PIM usage, and emergency access accounts.
### Conditional Access (CA)
Controls for authentication policies, legacy auth blocking, risk-based access, and device compliance.
### Identity Hygiene (ID)
Controls for password protection, SSPR, MFA enforcement, and identity synchronization health.
### Applications (APP)
Controls for app consent workflows, high-risk permissions, and third-party application governance.
### Governance (GOV)
Controls for stale accounts, guest access, privileged access reviews, and external collaboration.
### Logging (LOG)
Controls for audit log retention, SIEM integration, and security monitoring.
## Level 1: Recommended Security (13 controls)
Foundational security controls that every organization should implement. These controls establish basic security hygiene and prevent common attack vectors.
| Control ID | Title | Severity |
|---|---|---|
| PA-01 | Standing Global Admin Posture | Critical |
| PA-02 | Emergency Access Compliance | High |
| PA-03 | PIM Coverage and Posture | High |
| EA-01 | Break-Glass Accounts Configured | High |
| CA-01 | Legacy Authentication Blocking | Critical |
| CA-02 | Device Compliance for Admins | High |
| ID-01 | Synchronized Identity Health | Medium |
| ID-02 | Password Protection Enabled | High |
| ID-03 | Self-Service Password Reset Configured | Medium |
| GOV-01 | Stale User Accounts | Medium |
| EXT-01 | Guest User Access Restricted | High |
| APP-01 | High-Risk Application Permissions Restricted | High |
| LOG-01 | Audit Log Retention and Export | Medium |
## Level 2: Enhanced Security (11 additional controls)
Advanced security controls for organizations with higher security requirements. Includes all Level 1 controls plus:
| Control ID | Title | License |
|---|---|---|
| PA-04 | PIM Required for Privileged Roles | Entra ID P2 |
| PA-05 | Phishing-Resistant MFA for Privileged Users | Entra ID P1 |
| CA-03 | Risk-Based Sign-In Protection | Entra ID P2 |
| CA-04 | User Risk Protection | Entra ID P2 |
| DV-01 | Admin Device Trust Requirements | Entra ID P1, Intune |
| APP-03 | High-Risk Graph Permissions Review | None |
| APP-04 | Admin Consent Workflow | None |
| GOV-02 | Automated Stale Account Remediation | Entra ID P2 |
| GOV-03 | Privileged Access Reviews | Entra ID P2 |
| LOG-02 | Extended Log Retention | Entra ID P1 |
| PA-01-L2 | Zero Permanent Global Administrators | Entra ID P2 |
## Level 3: Maximum Security (10 additional controls)
Zero-trust security controls for highly regulated industries. Includes all Level 1 and Level 2 controls plus:
| Control ID | Title | License |
|---|---|---|
| PA-06 | Hardware Security Key Required for Admins | Entra ID P2 |
| PA-07 | Continuous Access Evaluation | Entra ID P1 |
| CA-05 | Zero Trust Network Access | Entra ID P2, Intune |
| CA-06 | Privileged Access Workstations | Entra ID P2, Intune |
| ID-04 | Phishing-Resistant MFA for All Users | Entra ID P1 |
| EXT-03 | Strict External Collaboration | Entra ID P1 |
| GOV-04 | Real-Time Threat Response | Entra ID P2 |
| LOG-03 | Real-Time Security Monitoring | Entra ID P2, Sentinel |
## Control Evaluation
Controls are evaluated during each tenant sync. The DSC evaluation engine:
- Fetches the current configuration from the Microsoft Graph API
- Compares it against the desired state defined in the control
- Records each deviation with detailed context
- Triggers remediation workflows if auto-remediation is enabled