
Baseline Questions

Answers to common questions about baseline configuration, control evaluation, and managing exclusions.

Why Is Control X Failing?

Understanding Control Failures

When a control shows as "Failing" or "Non-Compliant", it means your tenant's current configuration doesn't match the baseline's expected state.

Common Reasons for Failures

  1. Configuration doesn't match expected state

     For example, PA-01 expects 2-4 Global Administrators. If you have 5, the control fails.

  2. Missing Conditional Access policy

     Controls like ID-02 (Block Legacy Auth) or CA-01 (Require MFA) need a specific CA policy to exist and be enabled.

  3. Threshold not met

     ID-01 (MFA Registration) requires 95%+ of users to have MFA registered. Even 94% counts as failing.

  4. Recent configuration change (drift)

     Someone may have changed the setting since your last passing scan. Check the drift timeline.

How to Investigate

  1. Click on the failing control to expand its details
  2. Read the "Expected State" section to understand what TrueConfig is checking
  3. Compare against your current configuration in Entra admin center
  4. Check the "Remediation" section for step-by-step fix instructions
  5. Review drift events to see if something recently changed

Pro Tip

If a control keeps failing after you've made changes, trigger a manual scan to refresh the evaluation. Configuration changes in Microsoft 365 can take a few minutes to propagate.

How Do I Exclude a User from Evaluation?

User Exclusions

TrueConfig automatically excludes break-glass accounts and can be configured to exclude specific users or groups from certain controls.

Automatic Exclusions

TrueConfig automatically excludes certain accounts from evaluation:

  • Break-glass accounts — Accounts following naming patterns like "BreakGlass", "EmergencyAccess", or "BG-" are excluded from controls like MFA requirements
  • Service accounts — Non-interactive accounts are excluded from user-focused controls
  • Directory sync accounts — Azure AD Connect accounts are handled separately

Manual Exclusions

To exclude specific users or groups from control evaluation:

  1. Go to Tenant Settings → Exclusions
  2. Click Add Exclusion
  3. Select the control(s) to exclude from
  4. Choose users or groups to exclude
  5. Add a justification (required for audit trail)
  6. Click Save

Use Exclusions Sparingly

Every exclusion weakens your security posture. Document why each exclusion is necessary and review them quarterly. Exclusions are logged in the audit trail for compliance purposes.

Why Is a Control Showing "Not Applicable"?

Understanding "Not Applicable" Status

A control shows "Not Applicable" when the prerequisites for evaluation aren't met in your tenant.

Common Reasons

  1. Missing license

     Some controls require specific Microsoft 365 licenses. For example, PIM-related controls require Entra ID P2 or Entra ID Governance licenses.

     License requirements by control type:
       • PIM controls → Entra ID P2
       • Access reviews → Entra ID P2 or Governance
       • Conditional Access → Entra ID P1+
       • Information Protection → E5 or E5 Security

  2. Feature not enabled

     Controls that evaluate PIM show as N/A if PIM isn't enabled in your tenant.

  3. No applicable objects

     A control evaluating guest users shows N/A if you have no guest users in your tenant.

  4. Baseline level mismatch

     Controls only evaluate if your baseline level includes them. Level 1 doesn't evaluate Level 2+ controls.

N/A vs. Passing

"Not Applicable" means the control wasn't evaluated — it doesn't count as passing or failing. If you want a control to be evaluated, ensure you have the required license and features enabled.
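As an added illustration (not TrueConfig's own code), the following Python model shows how the evaluation semantics described in the failure, exclusion, and N/A sections fit together: break-glass names drop out of scope before PA-01's 2-4 admin count and ID-01's 95% threshold are applied, and a PIM control reports Not Applicable rather than Failing when its license or feature prerequisite is missing. The control ids, thresholds, and naming patterns come from this page; the function names, the UPN-prefix matching rule, and the sample tenant data are constructed assumptions.

```python
import re

PASS, FAIL, NA = "Passing", "Failing", "Not Applicable"

# Naming patterns the page lists as automatically excluded break-glass accounts.
# Assumption: matched case-insensitively against the part of the UPN before "@".
BREAK_GLASS = re.compile(r"breakglass|emergencyaccess|^bg-", re.IGNORECASE)

def in_scope(upn, exclusions=frozenset()):
    """False for break-glass names and for manually excluded accounts."""
    return upn not in exclusions and not BREAK_GLASS.search(upn.split("@")[0])

def evaluate_pa01(global_admins, exclusions=frozenset()):
    """PA-01: 2-4 Global Administrators once exclusions are removed."""
    counted = [u for u in global_admins if in_scope(u, exclusions)]
    return (PASS if 2 <= len(counted) <= 4 else FAIL), len(counted)

def evaluate_id01(users, mfa_registered, exclusions=frozenset()):
    """ID-01: 95%+ of in-scope users have MFA registered; 94% still fails."""
    scope = [u for u in users if in_scope(u, exclusions)]
    if not scope:
        return NA, 0.0                      # no applicable objects
    pct = 100.0 * sum(u in mfa_registered for u in scope) / len(scope)
    return (PASS if pct >= 95 else FAIL), round(pct, 1)

def evaluate_pim_control(licenses, pim_enabled, check_passes):
    """A PIM control is N/A unless both the license and the feature exist."""
    if not {"Entra ID P2", "Entra ID Governance"} & set(licenses):
        return NA
    if not pim_enabled:
        return NA
    return PASS if check_passes else FAIL

def summarize(results):
    """N/A is neither passing nor failing, so it does not enter the score."""
    return {"passing": results.count(PASS), "failing": results.count(FAIL),
            "not_applicable": results.count(NA)}

if __name__ == "__main__":
    # Constructed sample tenant: four real admins plus one break-glass account.
    admins = ["alice@x.test", "bob@x.test", "carol@x.test", "dan@x.test",
              "BG-emergency@x.test"]
    users = [f"user{i}@x.test" for i in range(100)]
    registered = set(users[:94])            # 94% registered -> Failing
    results = [evaluate_pa01(admins)[0], evaluate_id01(users, registered)[0],
               evaluate_pim_control(["Entra ID P1"], True, True)]
    print(results, summarize(results))
```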

How Do I Change Baseline Level?

Baseline Level Overview

TrueConfig offers three baseline levels with progressively stricter security requirements. Level 1 is auto-adopted during tenant connection.

Available Levels

Level 1: Recommended Secure

Advisory baseline for most organizations. Low operational risk, high security return. Aligned with CIS benchmarks and Microsoft Secure Defaults.

Level 2: Enhanced Security

Active enforcement for security-conscious organizations. Adds PIM requirements, phishing-resistant MFA for admins, and device compliance.

Level 3: Maximum Security

Strict enforcement for high-security environments. Zero-tolerance for deviations. Phishing-resistant MFA for all users, hardware keys for admins.

To Change Your Baseline Level

  1. Go to Tenant Settings → Baseline Configuration
  2. Review the comparison of your current level vs. the new level
  3. Click Change Level and select the desired level
  4. Review the list of new controls that will be evaluated
  5. Confirm the change
  6. A new scan will run automatically to evaluate against the new baseline

Start with Level 1

We recommend starting with Level 1 and achieving full compliance before moving to Level 2. This builds organizational trust in TrueConfig's recommendations and ensures you have a solid foundation.

Why This Matters

Moving to a higher baseline level demonstrates security maturity. For organizations in regulated industries, Level 2 or 3 may be required for compliance with frameworks like FedRAMP, NIST 800-53, or ISO 27001.

Why Did My Control Count Change After Update?

Control Count Updates

TrueConfig periodically updates its control library to address new threats, align with updated CIS benchmarks, or improve evaluation accuracy.

Why Counts Change

  1. New controls added

     TrueConfig adds new controls when Microsoft releases new security features or when new attack vectors emerge.

  2. Controls retired

     Occasionally, controls are retired when Microsoft deprecates a feature or when a control becomes redundant.

  3. Controls split or merged

     A single control may be split into multiple more specific controls, or multiple related controls may be merged.

  4. Level reassignment

     A control may move from Level 2 to Level 1 (or vice versa) based on updated risk assessments.

What to Expect

  • Release notes accompany any control library updates
  • New controls start with a 7-day grace period before affecting your posture score
  • Historical data is preserved — you can compare against previous baselines
  • In-app notifications alert you to significant baseline changes

Version Tracking

Each baseline version is tracked. You can see which version you're currently using in Tenant Settings → Baseline Configuration. Major updates are versioned (e.g., v2024.1, v2024.2).

Additional Questions

Can I create a custom baseline?

Currently, TrueConfig provides three pre-defined baseline levels aligned with industry standards. Custom baselines are on the roadmap for future releases. In the meantime, you can use exclusions to tailor evaluations to your needs.

How often are baselines updated?

Baselines are reviewed quarterly and updated when CIS releases new benchmarks, Microsoft introduces new security features, or emerging threats require new controls. Minor updates (bug fixes, evaluation improvements) may occur more frequently.

What happens if I downgrade from Level 2 to Level 1?

Controls specific to Level 2 will no longer be evaluated. Your posture score will be recalculated based only on Level 1 controls. Historical data from when you were on Level 2 is preserved.

Are baseline changes retroactive?

No. Baseline changes only affect future scans. Historical posture data reflects the baseline that was active at the time of each scan. This ensures your historical trends remain accurate and comparable.

Still Have Questions?

If you can't find the answer you're looking for, our support team is here to help.