Security Baselines
Baselines are the foundation of TrueConfig's DSC approach. They define your desired state, which controls are active, and how strictly they're enforced.
What is a Security Baseline?
A security baseline is a set of minimum security controls that define your organization's desired state. Think of it as "configuration as code" - you declare what your environment should look like, and TrueConfig ensures it stays that way.
TrueConfig's baselines are based on industry-standard frameworks including:
- CIS Microsoft Entra ID Foundations Benchmark: Industry consensus security guidelines
- Microsoft Zero Trust Identity Pillar: Microsoft's recommended security model
- NIST 800-63B & 800-53: US government security standards
- FedRAMP High: Federal cloud security requirements
- ISO 27001: International security management standard
Three-Tier Baseline Levels
TrueConfig offers three baseline levels that represent different risk appetites and operational maturity. Levels are cumulative - Level 2 includes all Level 1 controls plus additional controls, and Level 3 includes all Level 1 and 2 controls plus advanced controls.
Level 1: Recommended Secure Baseline
Advisory mode - Low operational risk, high security return
Who It's For
Most organizations establishing their first security baseline. Ideal for SMBs, startups, and organizations new to identity configuration management.
Security Focus
Stops the most common identity attacks with minimal operational disruption:
- Enforce MFA for all users (ID-01)
- Block legacy authentication protocols (ID-02)
- Limit Global Administrator accounts to 3 or fewer (PA-01)
- Require break-glass emergency accounts (PA-03)
- Ensure apps have designated owners (APP-01)
- Enforce secret expiration (12 months max) (APP-02)
- Restrict guest access (EXT-01)
Framework Alignment
Enforcement Mode
Advisory mode by default. TrueConfig detects deviations and provides remediation guidance, but does not automatically make changes. This builds trust and allows you to understand the impact before enabling stricter enforcement.
Level 2: Enhanced Security Baseline
Active enforcement - Moderate impact, significant security gains
Who It's For
Security-conscious organizations with dedicated IT teams. Organizations that have mastered Level 1 and are ready for stricter controls.
Security Focus
Everything in Level 1, plus:
- PIM-Only Privilege Model: No permanent Global Administrators (PA-01-L2, PA-04)
- Phishing-Resistant MFA for Admins: FIDO2, Windows Hello for Business (PA-05)
- Device Compliance: Managed devices required for admin portals (DV-01)
- Risk-Based Policies: Identity Protection integration (CA-03, CA-04)
- Automated Governance: Stale account disabling, access reviews (GOV-02, GOV-03)
- Extended Logging: SIEM integration, extended retention (LOG-02)
License Requirements
Level 2 controls require Microsoft Entra ID P2 licenses for privileged users:
- Privileged Identity Management (PIM)
- Identity Protection (risk-based policies)
- Access Reviews
Framework Alignment
Enforcement Mode
Auto-remediation mode recommended. Controls with low blast radius can auto-remediate (with safety gates). High-impact controls require manual approval.
Level 3: Maximum Security Baseline
Strict enforcement - High overhead, maximum security
Who It's For
Regulated industries (finance, healthcare, government), organizations handling highly sensitive data, or those subject to strict compliance requirements (FedRAMP, ISO 27001, NIST 800-53).
Security Focus
Everything in Level 1 and 2, plus:
- Universal Phishing-Resistant MFA: All users require FIDO2/passkeys (ID-04)
- Hardware Security Keys for Admins: Physical key requirement (PA-06)
- Continuous Access Evaluation: Real-time session revocation (PA-07)
- Zero Trust Network Access: All access requires compliant device (CA-05)
- Privileged Access Workstations: PAW enforcement for admin tasks (CA-06)
- Real-Time Threat Response: Automated session revocation (GOV-04)
- Advanced Logging: Real-time SIEM, critical event alerting (LOG-03)
License Requirements
Level 3 requires Microsoft Entra ID P2 for all users, plus:
- Microsoft Defender for Cloud Apps (CASB)
- Microsoft Sentinel (SIEM)
- Hardware security keys (YubiKeys, FIDO2 devices)
- Managed devices (Intune or third-party MDM)
Framework Alignment
Enforcement Mode
Strict enforcement mode. Zero tolerance for deviations. Auto-remediation with comprehensive safety gates and immediate alerting on drift.
How Baselines Work
Baselines in TrueConfig are more than just a list of controls - they're a complete desired state framework with versioning, inheritance, and customization capabilities.
Control Inheritance (Cumulative Levels)
Baseline levels are cumulative. When you select Level 2, you get all 13 Level 1 controls plus 12 additional Level 2 controls. This ensures you never lose security coverage when upgrading.
Level 1: 13 controls (foundational)
Identity authentication, privileged access basics, conditional access foundations, app hygiene, guest access, governance, and logging
Level 2: 25 controls (Level 1 + 12 new)
All Level 1 controls plus PIM requirements, device compliance, risk-based policies, advanced app governance, and extended logging
Level 3: 34 controls (Level 1 + 2 + 9 new)
All Level 1 and 2 controls plus phishing-resistant MFA for all users, hardware security keys, continuous access evaluation, zero trust network access, and real-time monitoring
Baseline Versioning
Baselines are versioned to track changes over time. When TrueConfig updates baseline definitions (new controls, updated thresholds), your tenant continues using the adopted version until you explicitly upgrade.
For example, if TrueConfig releases an updated baseline with two new controls and a changed threshold for Global Administrator limits, your environment stays on the current version until you review the changes and choose to upgrade.
Customizing Baselines
While TrueConfig's baselines are designed to work for most organizations out of the box, you can customize them to fit your specific requirements.
How to Customize Baselines
You can customize baselines through the TrueConfig dashboard by adjusting thresholds, changing remediation modes, or disabling controls that don't apply to your environment.
Common Customizations
Threshold Adjustments
Modify numeric thresholds to match your organization's size:
- PA-01: Change max Global Admins from 3 to 5 for large orgs
- APP-02: Extend secret expiration from 12 to 18 months
- GOV-01: Adjust stale account threshold from 90 to 60 days
Remediation Mode Overrides
Change how controls enforce compliance:
- Advisory to Manual: Require manual approval before remediation
- Auto to Manual: Disable auto-remediation for high-risk controls
- Manual to Auto: Enable auto-remediation after testing (requires safety gate verification)
Control Disabling
Temporarily disable controls that don't apply to your environment. For example, if your organization doesn't allow external collaboration, you can disable the guest access controls.
Note: Always document why you disabled a control so you can review the decision later.
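The cumulative level model and the three override types above (threshold adjustment, remediation mode override, control disabling) can be modelled in a few lines. This is an added example, not TrueConfig's own code or API: control ids and default thresholds follow this page, while the check logic, per-control remediation modes, tenant fields and the override format are assumptions made for the illustration.

```python
from dataclasses import dataclass, replace
from typing import Callable, Optional

@dataclass(frozen=True)
class Control:
    id: str
    level: int                       # lowest baseline level that includes the control
    threshold: Optional[int]         # numeric limit; None for yes/no controls
    mode: str                        # "advisory", "manual" or "auto" remediation
    check: Callable[[dict, Optional[int]], bool]  # True when the tenant is compliant

# Constructed subset of the catalogue; check logic and modes are assumptions.
CATALOGUE = [
    Control("ID-01", 1, None, "advisory", lambda t, _: t["mfa_all_users"]),
    Control("PA-01", 1, 3, "advisory", lambda t, n: t["global_admins"] <= n),
    Control("APP-02", 1, 12, "advisory", lambda t, n: t["max_secret_months"] <= n),
    Control("EXT-01", 1, None, "advisory", lambda t, _: t["guest_access_restricted"]),
    Control("PA-04", 2, None, "auto", lambda t, _: t["permanent_global_admins"] == 0),
    Control("GOV-01", 2, 90, "auto", lambda t, n: t["longest_inactivity_days"] <= n),
    Control("ID-04", 3, None, "manual", lambda t, _: t["phishing_resistant_all_users"]),
]

def baseline(level: int, overrides: Optional[dict] = None) -> list:
    """Cumulative: level N activates every control whose level <= N. overrides maps
    control id -> {"threshold", "mode", "disabled", "justification"} (all optional)."""
    overrides = overrides or {}
    active = []
    for c in CATALOGUE:
        if c.level > level:
            continue
        ov = overrides.get(c.id, {})
        if ov.get("disabled"):
            # Disabling a control requires a documented reason (see the note above).
            if not ov.get("justification"):
                raise ValueError(f"{c.id}: document why the control is disabled")
            continue
        active.append(replace(c, threshold=ov.get("threshold", c.threshold),
                              mode=ov.get("mode", c.mode)))
    return active

def evaluate(level: int, tenant: dict, overrides: Optional[dict] = None) -> dict:
    """Drift report: {control_id: remediation mode} for each non-compliant active control."""
    return {c.id: c.mode for c in baseline(level, overrides)
            if not c.check(tenant, c.threshold)}

# Constructed tenant state for the example, not data from any real environment.
TENANT = {"mfa_all_users": True, "global_admins": 5, "max_secret_months": 12,
          "guest_access_restricted": False, "permanent_global_admins": 2,
          "longest_inactivity_days": 120, "phishing_resistant_all_users": False}
```

Raising the PA-01 threshold to 5 clears that finding for the sample tenant, while moving to Level 2 surfaces PA-04 and GOV-01 drift that Level 1 never evaluated.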
Best Practices
Start with Level 1
Even if your goal is Level 2 or 3, start with Level 1 to establish a foundation. Verify controls work in your environment before increasing strictness.
Test in a Dev Tenant
If you have a test/development Microsoft 365 tenant, connect it to TrueConfig first. Test baseline changes there before applying them to production.
Document Overrides
When customizing baselines, document why each override exists. Include the business justification, approval date, and review schedule.
Review Quarterly
Security requirements evolve. Review your baseline level and overrides quarterly. As your team matures, consider upgrading to a higher baseline level.
Don't Skip Levels
Avoid jumping directly from Level 1 to Level 3. The operational changes are significant. Progress through levels incrementally to give your team time to adapt.