Baseline Configuration
The Baseline Configuration policy allows administrators to define a standard configuration for key application access settings in Enterprise Applications. This helps ensure consistency across the tenant and reduces the risk of configuration drift over time.
Baseline Configuration is available exclusively in the Professional plan. It applies only to Enterprise Application policies, not App Registration policies.
What the Baseline Configuration policy does
The Baseline Configuration policy monitors and enforces specific Azure configuration settings on Enterprise Applications:
- Defines expected configuration: Specify the expected values for key application access settings
- Detects configuration drift: Identifies applications that deviate from the defined baseline
- Enables self-service remediation: Application owners can review and fix configuration through the EasyLife 365 Identity user portal
Available configuration settings
The Baseline Configuration policy can enforce the following Azure configuration options:
Enabled for users to sign-in
This setting controls whether users can sign in to the application.
| Value | Description |
|---|---|
| Yes | Users can authenticate and access the application |
| No | Users cannot sign in to the application, effectively disabling it |
Why enforce this setting:
- Ensure applications are properly enabled when they should be available
- Verify that deprecated or decommissioned applications remain disabled
- Maintain consistency in application availability across the tenant
Assignment required
This setting controls whether users must be explicitly assigned to the application before they can access it.
| Value | Description |
|---|---|
| Yes | Only users and groups explicitly assigned to the application can access it |
| No | All users in the tenant can access the application (subject to other access controls) |
Why enforce this setting:
- Enforce least-privilege access by requiring explicit assignment
- Ensure compliance with security policies that mandate access controls
- Prevent accidental exposure of applications to all tenant users
Why use Baseline Configuration
Maintain security standards
Problem: Applications can be misconfigured to allow broader access than intended, such as disabling assignment requirements or enabling disabled applications.
Solution: The Baseline Configuration policy ensures that all applications adhere to your organization's security standards for access configuration.
Benefits:
- Enforce least-privilege access consistently
- Prevent accidental changes that weaken security
- Demonstrate compliance with security policies
Prevent configuration drift
Problem: Over time, application configurations can drift from their intended state due to manual changes, troubleshooting, or administrative errors.
Solution: The Baseline Configuration policy continuously monitors for deviations and notifies owners when applications fall out of compliance.
Benefits:
- Detect unauthorized or accidental configuration changes
- Maintain audit trails for configuration compliance
- Enable proactive remediation before issues escalate
Standardize governance
Problem: Without centralized configuration standards, different teams may configure applications inconsistently, leading to security gaps and operational complexity.
Solution: The Baseline Configuration policy establishes a single source of truth for application configuration expectations.
Benefits:
- Consistent configuration across all Enterprise Applications
- Simplified compliance reporting
- Reduced operational overhead for governance teams
Enable self-service remediation
Problem: Traditional governance approaches require IT teams to manually identify and fix configuration issues, creating bottlenecks.
Solution: Application owners can review policy requirements and remediate configuration directly through the EasyLife 365 Identity user portal.
Benefits:
- Faster remediation through distributed responsibility
- Reduced burden on central IT teams
- Empowered application owners with clear guidance
How it works
Configuration monitoring
EasyLife 365 Identity evaluates Enterprise Applications against the Baseline Configuration policy:
- Daily evaluation: Applications are checked daily for compliance with the baseline
- Configuration comparison: Current settings are compared to the expected values
- Non-compliance detection: Any deviation from the baseline triggers non-compliance
Compliance evaluation
When a policy with Baseline Configuration is applied:
- Check current settings: Read the application's current configuration in Entra ID
- Compare to baseline: Determine if settings match the expected values
- Mark non-compliant: If settings differ from the baseline, the application becomes non-compliant
- Send notifications: Notify application owners of non-compliance
- Re-evaluate daily: Check again each day
- Trigger escalation: If non-compliance persists, execute escalation actions
Self-service remediation
Application owners can resolve non-compliance through the EasyLife 365 Identity user portal:
- View policy requirements: See which settings need to be corrected
- Remediate configuration: Apply the expected configuration directly
- Automatic compliance: Once remediated, the application returns to compliance
Configuration
Selecting settings to enforce
You can choose to enforce one or both of the available settings:
| Configuration | Use Case |
|---|---|
| Enabled for users to sign-in only | Ensure applications are consistently enabled or disabled |
| Assignment required only | Enforce access control requirements without affecting availability |
| Both settings | Full baseline enforcement for maximum governance control |
Expected values
For each setting you choose to enforce, specify the expected value:
Enabled for users to sign-in:
- Yes: Applications should allow user sign-in
- No: Applications should be disabled
Assignment required:
- Yes: Applications should require explicit user/group assignment
- No: Applications should allow all tenant users
Notifications
Configure how owners are notified about non-compliant applications:
- Notification count: Number of reminder emails sent before escalation
- Notification interval: Days between each notification
Escalation
Define what happens if the application remains non-compliant after all notifications:
- Email escalation: Send email to governance team, IT leadership, or compliance team
- Webhook escalation: Trigger automated actions in external systems
Use cases
Security hardening policy
Goal: Ensure all Enterprise Applications require explicit user assignment.
Configuration:
- Assignment required: Yes
- Notifications: 3 (7 days apart)
- Escalation: Email to security team
Workflow:
- Applications without assignment requirement are flagged
- Owners receive 3 notifications over 21 days
- If not remediated, security team is notified for manual intervention
- Security team can enforce configuration or work with owners
Application availability governance
Goal: Ensure critical applications remain enabled and accessible.
Configuration:
- Enabled for users to sign-in: Yes
- Notifications: 2 (3 days apart)
- Escalation: Webhook to create urgent ticket
Workflow:
- Applications that are disabled are flagged
- Owners receive notifications to re-enable the application (or confirm that it was disabled intentionally)
- If still disabled, urgent ticket created for IT operations
- Operations team investigates and resolves
Comprehensive baseline enforcement
Goal: Maintain full configuration consistency across all Enterprise Applications.
Configuration:
- Enabled for users to sign-in: Yes
- Assignment required: Yes
- Notifications: 3 (7 days apart)
- Escalation: Email to governance team
Workflow:
- Applications deviating from either setting are flagged
- Owners can remediate through self-service portal
- Governance team handles escalations for unresponsive owners
- Regular reporting shows overall compliance trends
Decommissioned application monitoring
Goal: Ensure deprecated applications remain disabled.
Configuration:
- Enabled for users to sign-in: No
- Notifications: 1 (immediate)
- Escalation: Webhook to alert security operations
Workflow:
- Deprecated applications are assigned to a policy expecting them to be disabled
- If someone re-enables the application, it becomes non-compliant
- Immediate notification and rapid escalation
- Security operations investigates unauthorized enablement
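As an added example (not EasyLife 365 Identity's own code), the evaluation and notification schedule described under "How it works" and "Configuration", applied to the Security hardening policy use case above: a policy enforces only the settings it lists, compares them against the Microsoft Graph servicePrincipal properties accountEnabled and appRoleAssignmentRequired (which back the two Entra settings), flags drift, and derives the escalation day from notification count and interval. The policy class, function names and sample applications are constructed, and the setting-to-property mapping is an assumption about how the portal labels map to Graph.

```python
from dataclasses import dataclass

# Assumed mapping from the two portal setting names to the Microsoft Graph
# servicePrincipal properties that hold them in Entra ID.
SETTING_TO_GRAPH = {
    "Enabled for users to sign-in": "accountEnabled",
    "Assignment required": "appRoleAssignmentRequired",
}

@dataclass
class BaselinePolicy:
    """Hypothetical model of one Baseline Configuration policy."""
    expected: dict                   # only the settings listed here are enforced
    notification_count: int          # reminder emails before escalation
    notification_interval_days: int  # days between reminders
    escalation: str                  # e.g. "Email to security team"

    def escalation_day(self) -> int:
        """Days after the first flag at which escalation fires (count x interval)."""
        return self.notification_count * self.notification_interval_days

def evaluate(policy: BaselinePolicy, service_principals: list) -> list:
    """Compare each application to the baseline; return one record per drifted app."""
    findings = []
    for sp in service_principals:
        drift = {}
        for setting, expected in policy.expected.items():
            actual = sp.get(SETTING_TO_GRAPH[setting])
            if actual != expected:  # a missing property also counts as drift
                drift[setting] = {"expected": expected, "actual": actual}
        if drift:
            findings.append({"id": sp["id"], "displayName": sp["displayName"],
                             "drift": drift, "escalate_on_day": policy.escalation_day(),
                             "escalation": policy.escalation})
    return findings

# Constructed sample shaped like Graph servicePrincipal objects (not real tenant data).
SAMPLE_SPS = [
    {"id": "sp-1", "displayName": "Payroll", "accountEnabled": True, "appRoleAssignmentRequired": True},
    {"id": "sp-2", "displayName": "Legacy CRM", "accountEnabled": True, "appRoleAssignmentRequired": False},
    {"id": "sp-3", "displayName": "Old Wiki", "accountEnabled": False, "appRoleAssignmentRequired": True},
]

# The "Security hardening policy" use case: assignment required, 3 reminders 7 days apart.
HARDENING = BaselinePolicy({"Assignment required": True}, 3, 7, "Email to security team")

if __name__ == "__main__":
    for finding in evaluate(HARDENING, SAMPLE_SPS):
        print(finding["displayName"], finding["drift"], "escalates on day", finding["escalate_on_day"])
```

Swapping in the other use cases' expected values (for example "Enabled for users to sign-in": False with a single immediate notification) reproduces the decommissioned-application policy with the same evaluation logic.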
Best practices
Start with assignment required
For most organizations, enforcing Assignment required = Yes provides the highest security value:
- Prevents accidental exposure of applications
- Enforces least-privilege access
- Aligns with zero-trust principles
Recommendation: Begin with assignment required enforcement, then expand to other settings.
Combine with ownership rules
Use Baseline Configuration alongside ownership rules for comprehensive governance:
- Ownership rules: Ensure someone is responsible for responding to non-compliance
- Baseline Configuration: Ensure applications meet configuration standards
Example policy:
- Minimum application owner: 1
- Minimum technical owner: 1
- Assignment required: Yes
Result: Every application has a designated owner who will receive notifications if configuration drifts.
Use graduated enforcement
Start lenient and tighten over time:
Phase 1 (Months 1-2):
- Enforce assignment required only
- Notifications: 2
- Escalation: Email only
- Goal: Establish baseline awareness
Phase 2 (Months 3-4):
- Add enabled for sign-in enforcement
- Notifications: 3
- Escalation: Create tickets
- Goal: Full configuration coverage
Phase 3 (Months 5+):
- Shorten notification intervals
- Add automated remediation webhooks
- Goal: Rapid, automated governance
Handle exceptions
Some applications may have legitimate reasons for deviating from the baseline:
- All-users applications: Some applications (like company portals) intentionally don't require assignment
- Disabled applications: Applications in maintenance mode may be intentionally disabled
Solution: Create separate policies with different baseline configurations for these application categories, or exclude them from baseline policies.
Document expected configurations
Maintain clear documentation of your baseline standards:
- Why each setting is required
- What the expected value should be
- How to request exceptions
- How to remediate non-compliance
This helps application owners understand requirements and reduces escalation friction.
Self-service remediation
How owners remediate
When an application is non-compliant with the Baseline Configuration policy:
- Notification received: Owner receives email with details of the non-compliance
- Access user portal: Owner navigates to EasyLife 365 Identity user portal
- View policy details: See which settings need to be corrected
- Apply remediation: Owner can apply the expected configuration directly through the portal
- Compliance restored: Application returns to compliant state
Benefits of self-service
- Speed: Owners can remediate immediately without waiting for IT
- Accountability: Owners take responsibility for their applications
- Scalability: Governance scales across hundreds or thousands of applications
- Empowerment: Owners understand what's expected and can act on it
Limitations and considerations
Enterprise Applications only
The Baseline Configuration policy applies only to Enterprise Application policies:
- App Registrations do not support Baseline Configuration
- Focus configuration governance on enterprise applications and service principals
Professional plan requirement
Baseline Configuration is only available in the Professional plan:
- Organizations on the Basic plan can still use ownership rules for governance
- Consider upgrading to Professional if configuration governance is important for your use case
Limited to access settings
Currently, Baseline Configuration supports two settings:
- Enabled for users to sign-in
- Assignment required
Additional configuration settings may be added in future releases.
Remediation requires permissions
For self-service remediation to work:
- Application owners must have appropriate permissions in Entra ID to modify the application
- If owners lack permissions, they may need to escalate to administrators
Related concepts
- Policies - Learn about policy evaluation and escalation
- Enterprise Application Policies - See Baseline Configuration in context
- Ownership Rules - Combine configuration and ownership governance
- Activity Rule - Monitor application usage alongside configuration
- Best Practices - Learn how to implement effective policy governance