DSC Controls

Controls are the individual security checks that make up your baseline. Each control evaluates a specific aspect of your Microsoft 365 security configuration and provides remediation guidance when deviations are detected.

What are DSC Controls?

DSC stands for Desired State Configuration. A control defines a specific security requirement, how to detect when your environment deviates from that requirement, and how to remediate the deviation.

Example: PA-01 Control

Let's look at a common control to understand how they work:

Control ID: PA-01

Limit Permanent Global Administrators

What it checks:

No more than 3 permanent Global Administrators should exist in your tenant

Why it matters:

Excessive permanent privileged accounts increase attack surface and insider threat risk. Each Global Admin account is a potential path for attackers to gain full control of your tenant.

How it evaluates:

During a scan, TrueConfig counts all permanent Global Administrator assignments. If the count exceeds 3, the control fails and provides a list of affected users.

Result:

Pass if 3 or fewer, Fail if more than 3, with details about which accounts need review
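As an added illustration (not TrueConfig's own code), here is how the PA-01 check reads when written against a collected tenant snapshot. The `RoleAssignment` fields, the `assignment_type` labels and the sample accounts are assumptions of this example; the Global Administrator and User Administrator role template IDs are Microsoft Entra's well-known values. The point worth seeing is what does not count: PIM-eligible and time-bound assignments are excluded, and holders of other privileged roles are ignored.

```python
"""PA-01 check: count permanent Global Administrator assignments in a tenant snapshot."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Well-known template ID of the Global Administrator directory role in Microsoft Entra ID.
GLOBAL_ADMIN_ROLE_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
PA01_MAX_PERMANENT_GLOBAL_ADMINS = 3


@dataclass(frozen=True)
class RoleAssignment:
    """One role assignment from the collected tenant state.

    Field names are this example's own, not TrueConfig's schema. In Microsoft Graph the
    same facts come from roleManagement/directory/roleAssignmentScheduleInstances (an
    entry whose endDateTime is null is a permanent active assignment) and, for PIM
    eligibility that has not been activated, roleEligibilityScheduleInstances.
    """
    principal_id: str
    display_name: str
    upn: str
    role_template_id: str
    assignment_type: str   # "permanent", "timebound" (active with an end date) or "eligible" (PIM)
    assigned_at: datetime


def evaluate_pa01(assignments, threshold=PA01_MAX_PERMANENT_GLOBAL_ADMINS):
    """Return the PA-01 status plus the evidence a reviewer needs to act on it."""
    permanent = sorted(
        (a for a in assignments
         if a.role_template_id == GLOBAL_ADMIN_ROLE_TEMPLATE_ID
         and a.assignment_type == "permanent"),
        key=lambda a: a.assigned_at,          # oldest assignment first
    )
    status = "Pass" if len(permanent) <= threshold else "Fail"
    return {
        "control": "PA-01",
        "status": status,
        "permanent_global_admins": len(permanent),
        "maximum_allowed": threshold,
        # Only a failing result carries the per-account list, as the evidence section shows.
        "affected_users": [
            {"name": a.display_name, "upn": a.upn, "assigned_at": a.assigned_at.isoformat()}
            for a in permanent
        ] if status == "Fail" else [],
    }


def constructed_snapshot():
    """Constructed sample data: five permanent Global Admins, one PIM-eligible, one
    time-bound, and one permanent holder of a different role. Only the five count."""
    ga = GLOBAL_ADMIN_ROLE_TEMPLATE_ID
    user_admin = "fe930be7-5e62-47db-91af-98c3a49a38b1"   # User Administrator template ID
    utc = timezone.utc
    return [
        RoleAssignment("u1", "Break Glass 1", "bg1@contoso.example", ga, "permanent", datetime(2021, 1, 4, tzinfo=utc)),
        RoleAssignment("u2", "Break Glass 2", "bg2@contoso.example", ga, "permanent", datetime(2021, 1, 4, tzinfo=utc)),
        RoleAssignment("u3", "Alice Admin", "alice.admin@contoso.example", ga, "permanent", datetime(2022, 6, 1, tzinfo=utc)),
        RoleAssignment("u4", "Bob Admin", "bob.admin@contoso.example", ga, "permanent", datetime(2023, 3, 15, tzinfo=utc)),
        RoleAssignment("u5", "Legacy Svc", "svc-legacy@contoso.example", ga, "permanent", datetime(2019, 11, 20, tzinfo=utc)),
        RoleAssignment("u6", "Carol Ops", "carol.ops@contoso.example", ga, "eligible", datetime(2024, 2, 1, tzinfo=utc)),
        RoleAssignment("u7", "Dan Ops", "dan.ops@contoso.example", ga, "timebound", datetime(2024, 5, 9, tzinfo=utc)),
        RoleAssignment("u8", "Erin HR", "erin.hr@contoso.example", user_admin, "permanent", datetime(2020, 7, 7, tzinfo=utc)),
    ]


if __name__ == "__main__":
    import json
    print(json.dumps(evaluate_pa01(constructed_snapshot()), indent=2))
```

Running the block prints a Fail with five affected users, the 2019 service account listed first; feeding only the first three assignments gives a Pass with an empty list.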

Centralized Control Management
All controls are centrally managed by TrueConfig and automatically updated when we improve detection logic or add new security checks.

Control Categories

TrueConfig groups controls into security domains, identified by the prefix of the control ID. Each domain addresses a different aspect of identity security. Untagged controls belong to the Level 1 baseline; controls tagged L2 or L3 are added at Baseline Level 2 or Level 3 respectively.

Identity & Authentication (ID-XX)

Controls that govern how users authenticate and prove their identity.

ID-01      MFA enforcement for all users
ID-02      Block legacy authentication protocols
ID-03      Self-service password reset (SSPR) enabled
ID-04  L3  Phishing-resistant MFA for all users

Privileged Access (PA-XX)

Controls for administrator accounts, privileged roles, and just-in-time access.

PA-01      Limit permanent Global Administrators (≤3)
PA-02      Dedicated admin accounts (separate from regular users)
PA-03      Break-glass emergency access accounts configured
PA-04  L2  PIM enabled for privileged roles
PA-05  L2  Phishing-resistant MFA for admins
PA-06  L3  Hardware security keys for admins
PA-07  L3  Continuous Access Evaluation (CAE) enabled

Conditional Access (CA-XX)

Policy-based access controls that enforce context-aware security requirements.

CA-01      MFA required for all users
CA-02      MFA required for admin roles
CA-03  L2  Risk-based policies (Identity Protection)
CA-04  L2  User risk policy (leaked credentials)
CA-05  L3  Zero Trust network access (device compliance required)
CA-06  L3  Privileged Access Workstation (PAW) requirement

Application Hygiene (APP-XX)

Controls for app registrations, service principals, and API permissions.

APP-01      All apps have designated owners
APP-02      Secrets expire within 12 months
APP-03  L2  Review high-risk permissions quarterly
APP-04  L2  Admin consent workflow enabled

Guest & External Users (EXT-XX)

Controls for external collaboration and B2B access.

EXT-01      Guest access restricted and monitored
EXT-02      Guest access reviews configured
EXT-03  L3  Cross-tenant access policies (B2B restrictions)

Governance (GOV-XX)

Lifecycle management, access reviews, and automated governance.

GOV-01      Stale account detection (90+ days inactive)
GOV-02  L2  Automated stale account disabling
GOV-03  L2  Access reviews configured
GOV-04  L3  Real-time threat response (SOC integration)

Audit & Logging (LOG-XX)

Log retention, SIEM integration, and security monitoring.

LOG-01      Audit logs enabled (30-day retention)
LOG-02  L2  Extended retention + SIEM integration
LOG-03  L3  Real-time monitoring and critical event alerting

How Control Evaluation Works

During each scan, TrueConfig evaluates your Microsoft 365 environment against your baseline controls. Here's what happens:

Evaluation Flow

1. Collect Current State

   TrueConfig gathers information about your tenant: users, administrator roles, Conditional Access policies, app registrations, and security settings.

2. Load Your Baseline

   Based on your selected baseline level (Level 1, 2, or 3), TrueConfig loads the appropriate controls. Level 1 includes 13 foundational controls, Level 2 adds 12 more (25 total), and Level 3 adds 9 additional controls (34 total).

3. Check Each Control

   TrueConfig evaluates each control against your current configuration. For example, the PA-01 control counts permanent Global Administrators and compares the count to the threshold of 3. If you have 5, the control fails and shows you which accounts are excessive.

4. Save Results

   All evaluation results are saved, creating a history of your compliance posture over time. You can track whether your security is improving or declining.

5. Create Audit Trail

   Every scan creates immutable audit records for compliance tracking and historical analysis. These records cannot be modified or deleted.
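To make the five steps concrete, here is a small evaluation engine added as an example; it is not TrueConfig's implementation. The three evaluators are deliberately simplified stand-ins for ID-02, LOG-01 and PA-04 (the control IDs and levels are the page's, the evaluation rules and the `state` keys are assumptions), and the constructed tenant exercises three of the five statuses: a denied API read surfaces as Error rather than Fail, short retention is a Warning, and a PIM control without a P2 licence is Not Applicable. The audit trail is a SHA-256 hash chain, one common way to make records tamper-evident; the page does not say how TrueConfig achieves immutability.

```python
"""A minimal control-evaluation engine following the five-step flow above."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64


class EvaluationError(Exception):
    """Raised when a control cannot be evaluated (API error, missing permission)."""


def check_id02(state):
    """ID-02: legacy authentication blocked. A missing key models a denied Graph read."""
    if "legacy_auth_blocked" not in state:
        raise EvaluationError("403 Forbidden reading Conditional Access policies")
    if state["legacy_auth_blocked"]:
        return "Pass", {}
    return "Fail", {"finding": "no Conditional Access policy blocks legacy authentication"}


def check_log01(state):
    """LOG-01: audit logs enabled with 30-day retention."""
    days = state.get("audit_retention_days", 0)
    if days >= 30:
        return "Pass", {"retention_days": days}
    if days > 0:
        return "Warning", {"retention_days": days, "required_days": 30}
    return "Fail", {"finding": "audit logging disabled"}


def check_pa04(state):
    """PA-04: PIM enabled for privileged roles. PIM needs a Microsoft Entra ID P2 licence."""
    if not state.get("has_p2_license"):
        return "Not Applicable", {"reason": "no Microsoft Entra ID P2 licence in tenant"}
    roles = state.get("privileged_roles_without_pim", [])
    return ("Pass", {}) if not roles else ("Fail", {"roles_without_pim": roles})


# control id -> (baseline level at which the control enters, evaluator)
BASELINE = {
    "ID-02": (1, check_id02),
    "LOG-01": (1, check_log01),
    "PA-04": (2, check_pa04),
}


def load_baseline(level):
    """Step 2: Level N includes every control introduced at level N or lower."""
    return {cid: fn for cid, (lvl, fn) in BASELINE.items() if lvl <= level}


def append_audit(audit_log, record):
    """Step 5: chain each record to the previous hash so edits or deletions are detectable."""
    prev = audit_log[-1]["hash"] if audit_log else GENESIS_HASH
    body = json.dumps(record, sort_keys=True)
    digest = hashlib.sha256((prev + body).encode()).hexdigest()
    audit_log.append({"prev_hash": prev, "hash": digest, "record": body})


def verify_audit(audit_log):
    """Recompute the chain; any modified, removed or reordered record breaks it."""
    prev = GENESIS_HASH
    for entry in audit_log:
        expected = hashlib.sha256((prev + entry["record"]).encode()).hexdigest()
        if entry["prev_hash"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True


def run_scan(state, level, history, audit_log, scanned_at=None):
    """Steps 1 to 5 for one scan. `state` stands in for the data collected from the tenant."""
    scanned_at = scanned_at or datetime.now(timezone.utc)
    results = {}
    for cid, check in sorted(load_baseline(level).items()):      # Step 3
        try:
            status, evidence = check(state)
        except EvaluationError as exc:
            status, evidence = "Error", {"error": str(exc)}      # technical failure, not a finding
        results[cid] = {"status": status, "evidence": evidence}
    record = {"scanned_at": scanned_at.isoformat(), "level": level, "results": results}
    history.append(record)           # Step 4: compliance posture over time
    append_audit(audit_log, record)  # Step 5: tamper-evident trail
    return results


# Constructed sample tenant: no P2 licence, 7-day retention, CA policies unreadable.
SAMPLE_TENANT = {"audit_retention_days": 7, "has_p2_license": False}

if __name__ == "__main__":
    history, audit_log = [], []
    print(run_scan(SAMPLE_TENANT, 2, history, audit_log))
    print("audit chain intact:", verify_audit(audit_log))
```

A Level 1 scan never loads PA-04 at all, which is the difference between a control being absent from the baseline and a loaded control reporting Not Applicable.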

Fast Scans
Most scans complete in 30-90 seconds. TrueConfig evaluates multiple controls simultaneously to minimize scan time.

Control Status & Severity

Evaluation Status

Each control evaluation produces one of five statuses:

Pass

Your configuration meets the baseline requirement. No action needed.

Fail

Your configuration deviates from the baseline. Remediation required.

Warning

Partial compliance or minor issues detected. Review recommended.

Not Applicable

Control prerequisites not met (e.g., a PIM control in a tenant without Microsoft Entra ID P2 licences).

Error

Evaluation failed due to technical issue (API error, permission denied, etc.).

Severity Levels

Controls are assigned severity levels based on their security impact:

Critical

Configurations that could lead to complete tenant compromise (e.g., no break-glass accounts before enforcing MFA)

High

Major security risks that should be addressed quickly (excessive Global Admins, missing MFA, legacy authentication enabled)

Medium

Important but less urgent issues (apps without owners, long-lived secrets)

Low

Best practice recommendations (audit log retention, documentation)

Critical Findings
Critical-severity findings indicate configurations that could lead to complete tenant compromise. Address these immediately before making other changes.

Evidence & Remediation Guidance

When a control fails, TrueConfig provides detailed evidence and actionable remediation guidance.

What Evidence Shows You

When a control fails, TrueConfig provides detailed evidence explaining exactly what's wrong:

Example: PA-01 Evidence (Excessive Global Admins)

  • Total number of Global Admins found: 5
  • Maximum allowed by baseline: 3
  • List of all affected users with their names and email addresses
  • When each admin was assigned the role

Example: APP-02 Evidence (Secret Expiration)

  • Total secrets in your tenant: 25
  • Secrets expiring after 12 months: 8
  • Secrets that never expire: 3
  • List of problematic apps with their secret expiration dates
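The APP-02 evidence above comes from walking every client secret on every app registration. Here is that walk as an added example, not TrueConfig's code: the input shape mirrors what `GET /applications?$select=appId,displayName,passwordCredentials` returns (Graph gives `startDateTime`/`endDateTime` as ISO 8601 strings, parsed here into datetimes beforehand). Two conventions are this example's own: lifetime is measured from a secret's start to its end rather than from today, and because Graph always stores an end date, "never expires" is defined as an end date more than 20 years out. Already-expired secrets are counted in the total but raise no finding. The sample apps and secrets are constructed.

```python
"""APP-02 check: client secrets must expire within 12 months of being issued."""
from datetime import datetime, timedelta, timezone

APP02_MAX_LIFETIME = timedelta(days=365)
# Example convention: an endDateTime this far in the future is reported as "never expires".
NEVER_EXPIRES_HORIZON = timedelta(days=20 * 365)


def evaluate_app02(apps, now):
    """Evaluate APP-02 over a list of app registrations with their passwordCredentials."""
    total = 0
    expiring_after_12_months = 0
    never_expiring = 0
    problems = []
    for app in apps:
        for cred in app["passwordCredentials"]:
            total += 1
            start, end = cred["startDateTime"], cred["endDateTime"]
            if end <= now:
                continue                    # already expired: stale, but not an APP-02 finding
            if end - now > NEVER_EXPIRES_HORIZON:
                never_expiring += 1
                issue = "never expires"
            elif end - start > APP02_MAX_LIFETIME:
                expiring_after_12_months += 1
                issue = "lifetime exceeds 12 months"
            else:
                continue                    # within policy
            problems.append({
                "app": app["displayName"], "appId": app["appId"], "keyId": cred["keyId"],
                "expires": end.isoformat(), "issue": issue,
            })
    return {
        "control": "APP-02",
        "status": "Fail" if problems else "Pass",
        "total_secrets": total,
        "secrets_expiring_after_12_months": expiring_after_12_months,
        "secrets_never_expiring": never_expiring,
        "problematic_apps": problems,
    }


EXAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed "today" for the sample


def constructed_apps():
    """Constructed sample: four secrets across three app registrations."""
    utc = timezone.utc
    return [
        {"appId": "0f1e2d3c-0000-4000-8000-000000000001", "displayName": "Payroll Sync",
         "passwordCredentials": [
             # 364-day lifetime: compliant
             {"keyId": "k1", "startDateTime": datetime(2025, 1, 1, tzinfo=utc),
              "endDateTime": datetime(2025, 12, 31, tzinfo=utc)},
             # two-year lifetime: exceeds 12 months
             {"keyId": "k2", "startDateTime": datetime(2024, 1, 1, tzinfo=utc),
              "endDateTime": datetime(2026, 1, 1, tzinfo=utc)},
         ]},
        {"appId": "0f1e2d3c-0000-4000-8000-000000000002", "displayName": "Legacy Reporting",
         "passwordCredentials": [
             # far-future end date: effectively never expires
             {"keyId": "k3", "startDateTime": datetime(2024, 6, 1, tzinfo=utc),
              "endDateTime": datetime(2099, 12, 31, tzinfo=utc)},
         ]},
        {"appId": "0f1e2d3c-0000-4000-8000-000000000003", "displayName": "Retired Bot",
         "passwordCredentials": [
             # expired in 2024: counted, not reported
             {"keyId": "k4", "startDateTime": datetime(2023, 1, 1, tzinfo=utc),
              "endDateTime": datetime(2024, 1, 1, tzinfo=utc)},
         ]},
    ]


if __name__ == "__main__":
    import json
    print(json.dumps(evaluate_app02(constructed_apps(), EXAMPLE_NOW), indent=2))
```

On the sample the result is a Fail with four secrets in total, one exceeding 12 months, one never expiring, and two entries in the per-app list.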

Remediation Modes

Controls support different remediation modes based on their risk profile:

Advisory Mode

TrueConfig provides step-by-step instructions with links to Microsoft documentation. You manually implement the fix. Best for high-risk changes or learning mode.

Manual Mode

One-click remediation after you review and approve the planned changes. TrueConfig shows you exactly what will change before you commit. Requires approval for each execution.

Auto Mode

Automatic remediation with safety gates. TrueConfig detects the drift, validates safety gates pass, applies the fix, and records audit events. Only available for low-blast-radius controls.

Remediation Safety
All remediation actions (manual and auto) include rollback windows, safety gate checks, and audit logging. Learn more in the Auto-Remediation documentation.
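The behaviour described above, as an illustrative model added here rather than TrueConfig's implementation: the same remediation plan (removing the Global Administrator role from one account to bring PA-01 back under the limit) is routed through the three modes, safety gates run before anything changes, and every outcome, including a refusal, is written to an audit list. The specific gates (always keep at least two permanent Global Administrators, never touch a break-glass account, refuse Auto mode for PA-01 because its blast radius is high), the 24-hour rollback window and the sample accounts are assumptions of this example.

```python
"""Illustrative model of Advisory, Manual and Auto remediation with safety gates and rollback."""
from datetime import datetime, timedelta, timezone

ROLLBACK_WINDOW = timedelta(hours=24)        # assumed window length for this example
AUTO_MODE_ALLOWED = {"APP-01", "LOG-01"}     # assumed low-blast-radius controls; PA-01 is deliberately absent
MIN_REMAINING_GLOBAL_ADMINS = 2              # assumed gate: never drop below two permanent Global Admins


def plan_pa01_removal(upn):
    """Plan to remove the Global Administrator role from `upn`, recording the before/after diff."""
    return {"control": "PA-01", "action": "remove_global_admin", "target": upn,
            "before": {"global_admin": True}, "after": {"global_admin": False}}


def safety_gates(plan, tenant):
    """Return the gates that fail for this plan; an empty list means the change may proceed."""
    failed = []
    if not tenant["break_glass"]:
        failed.append("no break-glass accounts configured")
    if plan["target"] in tenant["break_glass"]:
        failed.append("target is a break-glass account")
    remaining = tenant["global_admins"] - {plan["target"]}
    if len(remaining) < MIN_REMAINING_GLOBAL_ADMINS:
        failed.append("would leave fewer than two permanent Global Administrators")
    return failed


def apply_plan(plan, tenant):
    if plan["action"] == "remove_global_admin":
        tenant["global_admins"].discard(plan["target"])


def undo_plan(plan, tenant):
    if plan["action"] == "remove_global_admin":
        tenant["global_admins"].add(plan["target"])


def remediate(plan, tenant, mode, approved=False, now=None):
    """Run one remediation in the given mode. Every outcome is appended to tenant['audit']."""
    now = now or datetime.now(timezone.utc)

    def record(event, **extra):
        tenant["audit"].append({"at": now.isoformat(), "control": plan["control"],
                                "target": plan["target"], "event": event, **extra})

    if mode == "advisory":
        record("advised")
        return {"applied": False, "reason": "advisory mode: apply the guided steps manually"}
    if mode == "manual" and not approved:
        record("approval_requested", before=plan["before"], after=plan["after"])
        return {"applied": False, "reason": "manual mode: review the diff and approve"}
    if mode == "auto" and plan["control"] not in AUTO_MODE_ALLOWED:
        record("refused", reason="not low blast radius")
        return {"applied": False, "reason": f"auto mode not available for {plan['control']}"}
    failed = safety_gates(plan, tenant)              # gates run in Manual and Auto alike
    if failed:
        record("blocked", gates=failed)
        return {"applied": False, "reason": "safety gates failed", "gates": failed}
    apply_plan(plan, tenant)
    rollback_until = now + ROLLBACK_WINDOW
    record("applied", rollback_until=rollback_until.isoformat())
    return {"applied": True, "rollback_until": rollback_until}


def rollback(plan, tenant, result, now):
    """Undo an applied change, but only while its rollback window is still open."""
    if not result["applied"] or now > result["rollback_until"]:
        return False
    undo_plan(plan, tenant)
    tenant["audit"].append({"at": now.isoformat(), "control": plan["control"],
                            "target": plan["target"], "event": "rolled_back"})
    return True


def constructed_tenant():
    """Constructed sample: five permanent Global Admins, two of them break-glass accounts."""
    return {
        "global_admins": {"bg1@contoso.example", "bg2@contoso.example", "alice.admin@contoso.example",
                          "bob.admin@contoso.example", "svc-legacy@contoso.example"},
        "break_glass": {"bg1@contoso.example", "bg2@contoso.example"},
        "audit": [],
    }


if __name__ == "__main__":
    tenant = constructed_tenant()
    plan = plan_pa01_removal("svc-legacy@contoso.example")
    print(remediate(plan, tenant, "auto"))                    # refused: PA-01 is not low blast radius
    print(remediate(plan, tenant, "manual", approved=True))   # gates pass, change applied
    print(remediate(plan_pa01_removal("bg1@contoso.example"), tenant, "manual", approved=True))  # blocked
```

Note that the gate check is the same in Manual and Auto mode; approval is not a substitute for it, because an approved change that removes a break-glass account is exactly the kind of one-click mistake the gates exist to stop.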

Control Lifecycle

Controls evolve through their lifecycle from implementation to production:

Beta Controls

New controls in testing. Enabled for Pro and Scale plans only. May have incomplete evaluators or provisional remediation guidance.

Stable Controls

Production-ready controls with complete evaluators, remediation guidance, and audit trails. Available to all plan tiers.

Deprecated Controls

Controls being phased out (e.g., replaced by improved version). Remain enabled for backward compatibility but new baselines use the replacement.

Next Steps