Most Essential Eight conversations in Australia go one of two ways. Either a consultant hands over a 60-page posture report that never names a product, or a vendor runs through a slide deck where every strategy is solved by whatever they sell. Neither helps you on a Monday morning.
This is the honest version. For each of the ACSC's eight mitigation strategies, here's the Microsoft 365 or Microsoft security control that does the real work, and where the tooling stops and operational discipline has to take over.
1. Application control
The goal: only approved applications can execute on workstations and servers. At ML1 you're blocking executables in user-writable directories. At ML2 you're enforcing Microsoft's recommended application block rules across workstations and internet-facing servers. At ML3 you're adding the driver block list and proving it with audit.
The Microsoft tool: Windows Defender Application Control (WDAC). Deployed and managed via Intune. Defender for Endpoint surfaces what would be blocked before you turn enforcement on. Plan for an audit-mode phase of at least 30 days before you enforce — this is the control that most often breaks legitimate line-of-business apps.
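What you do with that audit-mode window matters more than its length. The script below is an added example (not code from the article, Intune or Defender) of triaging the audit data before enforcement. It works on constructed records shaped after the fields a Microsoft-Windows-CodeIntegrity/Operational event carries (3076 = audit mode, would have been blocked; 3077 = enforced block); the field names, the user-writable prefix list and the bucketing rules are this example's own assumptions.

```python
"""Triage WDAC audit-mode events before switching on enforcement.

Added example, not code from the article or from Microsoft. The input is a list of
constructed records shaped after the fields a Microsoft-Windows-CodeIntegrity/Operational
event carries (3076 = audit mode, would have been blocked; 3077 = enforced block).
Field names (event_id, host, path, signed, publisher) are this example's own assumption.
"""
from typing import Dict, Set

# Event IDs written by the CodeIntegrity/Operational log.
AUDIT_WOULD_BLOCK = 3076
ENFORCED_BLOCK = 3077

# Directories a standard user can normally write to (assumption: default Windows layout).
# Executables launched from here are exactly what the ML1 control is meant to stop.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(prefix) for prefix in USER_WRITABLE_PREFIXES)


def triage(events, min_hosts: int = 2) -> dict:
    """Sort audit-mode events into three buckets for the allow-list review.

    publisher_rules: signed binaries seen on at least min_hosts hosts; a publisher
                     rule is usually the right fix for a line-of-business app.
    investigate:     unsigned binaries in user-writable directories; allowing these
                     would defeat the ML1 control, so they get investigated, not allowed.
    undecided:       everything else that still needs a human decision before enforcement.
    """
    audited = [e for e in events if e["event_id"] == AUDIT_WOULD_BLOCK]
    hosts_by_publisher: Dict[str, Set[str]] = {}
    investigate: Set[str] = set()
    undecided: Set[str] = set()

    for e in audited:
        if e["signed"] and e.get("publisher"):
            hosts_by_publisher.setdefault(e["publisher"], set()).add(e["host"])
        elif is_user_writable(e["path"]):
            investigate.add(e["path"].lower())
        else:
            undecided.add(e["path"].lower())

    publisher_rules = []
    for publisher, hosts in hosts_by_publisher.items():
        if len(hosts) >= min_hosts:
            publisher_rules.append(publisher)
        else:
            # A signed binary on a single host is not yet evidence of a fleet-wide need.
            undecided.add(f"{publisher} ({len(hosts)} host)")

    return {
        "publisher_rules": sorted(publisher_rules),
        "investigate": sorted(investigate),
        "undecided": sorted(undecided),
    }


def ready_to_enforce(report: dict) -> bool:
    """Only flip to enforce once nothing is left to investigate or decide."""
    return not report["investigate"] and not report["undecided"]


# Constructed sample: four workstations over an audit window.
SAMPLE_EVENTS = [
    {"event_id": 3076, "host": "WS01", "path": r"C:\Program Files\Contoso\lob.exe", "signed": True, "publisher": "Contoso Pty Ltd"},
    {"event_id": 3076, "host": "WS02", "path": r"C:\Program Files\Contoso\lob.exe", "signed": True, "publisher": "Contoso Pty Ltd"},
    {"event_id": 3076, "host": "WS03", "path": r"C:\Program Files\Contoso\lob.exe", "signed": True, "publisher": "Contoso Pty Ltd"},
    {"event_id": 3076, "host": "WS01", "path": r"C:\Users\alice\AppData\Local\Temp\installer.exe", "signed": False, "publisher": None},
    {"event_id": 3076, "host": "WS02", "path": r"C:\Tools\legacy.exe", "signed": False, "publisher": None},
    {"event_id": 3076, "host": "WS04", "path": r"C:\Program Files\Vendor\agent.exe", "signed": True, "publisher": "Vendor Inc"},
    # An enforced block from a pilot ring; not part of the audit picture.
    {"event_id": 3077, "host": "WS09", "path": r"C:\Users\bob\Downloads\tool.exe", "signed": False, "publisher": None},
]

if __name__ == "__main__":
    import json
    report = triage(SAMPLE_EVENTS)
    print(json.dumps(report, indent=2))
    print("ready to enforce:", ready_to_enforce(report))
```

The point of the split is that the same event log produces two opposite decisions: a signed line-of-business binary across several hosts becomes an allow rule, while an unsigned executable under a user profile is the thing the control exists to block, so it goes to investigation rather than onto the allow list.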
2. Patch applications
The goal: internet-facing apps, browsers, Office and PDF readers patched on a schedule matched to the risk. ML2 requires critical patches within two weeks, or 48 hours if a working exploit exists. ML3 is 48 hours for exploited vulns, full stop.
The Microsoft tools: Microsoft Defender Vulnerability Management for inventory and severity, Windows Autopatch for first-party updates, and Intune Win32 app policies (or a connector like Patch My PC) for third-party apps. If you're still relying on WSUS and a spreadsheet, you're not at ML1.
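The deadlines are the part that gets hand-waved, so here is an added example (not from the article, and not Defender Vulnerability Management output) that turns the ML2/ML3 windows above into a check over a vulnerability export. The finding records, their field names and the CVE ids are constructed placeholders; the one rule the article does not state, that a non-exploited critical at ML3 still gets two weeks, is this example's assumption.

```python
"""Check patch findings against Essential Eight patching deadlines.

Added example, not code from the article or from Defender Vulnerability Management.
The finding records and field names are constructed for this example; a real run
would map them from your vulnerability export. CVE ids below are placeholders.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Windows from the article: ML2 critical within two weeks, 48 hours if a working
# exploit exists; ML3 48 hours for exploited vulnerabilities, full stop.
TWO_WEEKS = timedelta(days=14)
FORTY_EIGHT_HOURS = timedelta(hours=48)


def sla_window(severity: str, exploited: bool, level: int) -> Optional[timedelta]:
    """Return the patch window for a finding, or None if this example tracks no deadline."""
    if level not in (2, 3):
        raise ValueError("this example only models the ML2 and ML3 windows from the article")
    if exploited:
        # A working exploit means 48 hours at both levels, whatever the severity rating says.
        return FORTY_EIGHT_HOURS
    if severity.lower() == "critical":
        # ML2 rule from the article. Assumption: ML3 keeps two weeks for non-exploited criticals.
        return TWO_WEEKS
    # Assumption: lower-severity deadlines are out of scope for this example.
    return None


def check_findings(findings: List[dict], now: datetime, level: int) -> List[dict]:
    """Return each tracked finding with its deadline and SLA status.

    status: "met" (patched in time), "late" (patched after the deadline),
            "open" (unpatched, inside the window) or "overdue" (unpatched, past it).
    hours_over: whole hours past the deadline, 0 when not over.
    """
    results = []
    for f in findings:
        window = sla_window(f["severity"], f["exploited"], level)
        if window is None:
            continue
        deadline = f["first_seen"] + window
        patched = f.get("patched")
        if patched is None:
            status = "overdue" if now > deadline else "open"
            over = now - deadline
        else:
            status = "late" if patched > deadline else "met"
            over = patched - deadline
        hours_over = max(0, int(over.total_seconds() // 3600))
        results.append({"id": f["id"], "deadline": deadline, "status": status, "hours_over": hours_over})
    return results


def overdue_ids(findings: List[dict], now: datetime, level: int) -> List[str]:
    return [r["id"] for r in check_findings(findings, now, level) if r["status"] == "overdue"]


# Constructed sample data: "today" and five findings with placeholder CVE ids.
NOW = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    {"id": "CVE-0000-0001", "app": "browser", "severity": "Critical", "exploited": True,
     "first_seen": datetime(2024, 6, 12, 12, 0, tzinfo=timezone.utc), "patched": None},
    {"id": "CVE-0000-0002", "app": "pdf reader", "severity": "Critical", "exploited": False,
     "first_seen": datetime(2024, 6, 3, 12, 0, tzinfo=timezone.utc), "patched": None},
    {"id": "CVE-0000-0003", "app": "office", "severity": "Critical", "exploited": False,
     "first_seen": datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc), "patched": None},
    {"id": "CVE-0000-0004", "app": "browser", "severity": "High", "exploited": True,
     "first_seen": datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc),
     "patched": datetime(2024, 6, 11, 9, 0, tzinfo=timezone.utc)},
    {"id": "CVE-0000-0005", "app": "office", "severity": "Medium", "exploited": False,
     "first_seen": datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc), "patched": None},
]

if __name__ == "__main__":
    for r in check_findings(SAMPLE_FINDINGS, NOW, level=2):
        print(f'{r["id"]}: {r["status"]} (deadline {r["deadline"]:%Y-%m-%d %H:%M}, {r["hours_over"]}h over)')
```

Note that the "High"-rated finding with a known exploit lands on the 48-hour clock while the "Critical" one without an exploit gets two weeks: the exploit flag, not the CVSS label, drives the deadline, which is why the inventory tool needs to carry that flag.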
3. Configure Microsoft Office macros
The goal: macros only run from trusted locations or when digitally signed by a trusted publisher. Macros from the internet blocked at source. This is not optional.
The Microsoft tools: Cloud Policy for Microsoft 365 Apps (to set tenant-wide macro behaviour), Intune Settings Catalog or ADMX templates (for trusted locations and file block settings), ASR rules in Defender for Endpoint, and Safe Attachments in Defender for Office 365 for inbound mail. Four controls, working together.
4. User application hardening
The goal: browsers block Flash, Java and ads from the internet. PowerShell is logged and constrained. IE11 is retired. Office has Attack Surface Reduction rules enforced. At ML3, unneeded features like OLE are disabled centrally.
The Microsoft tools: Intune Security Baselines for Windows, Edge and Office. ASR rules deployed via Intune Endpoint Security. PowerShell Constrained Language Mode + Script Block Logging via Intune policy. Drift monitored in Defender XDR. For IE11 retirement, Edge IE Mode with a tightly scoped site list is the pragmatic path.
5. Restrict administrative privileges
The most leveraged strategy and the most ignored. Admin accounts separate from day-to-day accounts. No web browsing, no email on privileged accounts. Privileged access validated annually. At ML3, just-in-time elevation only — zero standing Global Administrators.
The Microsoft tools: Entra ID for separated accounts, Conditional Access to block web and email on admin roles, Privileged Identity Management (PIM) for JIT elevation, Privileged Access Workstations (PAWs) enrolled and compliance-gated in Intune, and Entra ID Identity Protection for sign-in risk policies on the accounts that matter most.
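"Zero standing Global Administrators" is checkable, and worth checking on a schedule rather than trusting the PIM onboarding ticket. The script below is an added example (not from the article, and not Microsoft code) that classifies who holds the role and how. Its records are constructed to follow the shape of the Graph roleAssignmentScheduleInstances and roleEligibilityScheduleInstances objects (principalId, roleDefinitionId, assignmentType); the role template ID should be verified against your tenant, and the break-glass allow-list and bucketing rules are this example's own.

```python
"""Find standing (non-JIT) Global Administrator assignments.

Added example, not code from the article or from Microsoft. Records are constructed to
follow the shape of Graph roleManagement/directory/roleAssignmentScheduleInstances and
roleEligibilityScheduleInstances (principalId, roleDefinitionId, assignmentType,
endDateTime); the break-glass allow-list and the classification are this example's own.
"""
from typing import Dict, List, Set

# Entra built-in role template ID for Global Administrator; verify it in your tenant.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"


def classify_principals(active: List[dict], eligible: List[dict], role_id: str,
                        break_glass: Set[str] = frozenset()) -> Dict[str, List[str]]:
    """Bucket every principal that holds, or is eligible for, role_id.

    standing:    active assignment of type "Assigned" (granted directly, not via PIM activation)
    activated:   active right now because an eligible assignment was activated through PIM
    eligible:    eligibility only; nothing active at the moment
    break_glass: standing assignments on the emergency-access accounts you keep on purpose
    """
    buckets = {"standing": set(), "activated": set(), "eligible": set(), "break_glass": set()}
    for a in active:
        if a["roleDefinitionId"] != role_id:
            continue
        pid = a["principalId"]
        if a["assignmentType"] == "Activated":
            buckets["activated"].add(pid)
        elif pid in break_glass:
            buckets["break_glass"].add(pid)
        else:
            buckets["standing"].add(pid)
    currently_active = buckets["standing"] | buckets["activated"] | buckets["break_glass"]
    for e in eligible:
        if e["roleDefinitionId"] == role_id and e["principalId"] not in currently_active:
            buckets["eligible"].add(e["principalId"])
    return {k: sorted(v) for k, v in buckets.items()}


def meets_ml3_zero_standing(active: List[dict], eligible: List[dict], role_id: str,
                            break_glass: Set[str] = frozenset()) -> bool:
    """ML3 check from the article: no standing Global Administrators outside break-glass."""
    return not classify_principals(active, eligible, role_id, break_glass)["standing"]


# Constructed sample: principal IDs and the emergency-access account are made up.
BREAK_GLASS = {"bg-0001"}
ACTIVE = [
    {"principalId": "user-alice", "roleDefinitionId": GLOBAL_ADMIN, "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "user-bob", "roleDefinitionId": GLOBAL_ADMIN, "assignmentType": "Activated", "endDateTime": "2024-06-15T16:00:00Z"},
    {"principalId": "bg-0001", "roleDefinitionId": GLOBAL_ADMIN, "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "user-carol", "roleDefinitionId": "some-other-role-id", "assignmentType": "Assigned", "endDateTime": None},
]
ELIGIBLE = [
    {"principalId": "user-bob", "roleDefinitionId": GLOBAL_ADMIN},
    {"principalId": "user-dave", "roleDefinitionId": GLOBAL_ADMIN},
]

if __name__ == "__main__":
    for bucket, principals in classify_principals(ACTIVE, ELIGIBLE, GLOBAL_ADMIN, BREAK_GLASS).items():
        print(f"{bucket:12s} {principals}")
    print("ML3 zero standing GA:", meets_ml3_zero_standing(ACTIVE, ELIGIBLE, GLOBAL_ADMIN, BREAK_GLASS))
```

The useful distinction is between "Assigned" and "Activated": both show up as active members of the role, so a plain membership listing makes a PIM-activated admin and a permanently assigned one look identical. Only the second is standing access.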
6. Patch operating systems
Same principle as patching apps, applied to Windows and server OS. ML2: critical patches within two weeks. ML3: 48-hour patching for exploited vulnerabilities, weekly authenticated scans, zero unsupported OS in the fleet.
The Microsoft tools: Windows Autopatch for workstations. Azure Update Manager for Windows and Linux servers. Intune compliance policies to enforce OS version floors. Defender Vulnerability Management to track CVE exposure. If you're running Server 2012 R2 somewhere, you're out of ML1 on this strategy by definition.
7. Multi-factor authentication
The goal at ML2 is MFA on every user sign-in with phishing-resistant methods on privileged accounts. At ML3, phishing-resistant MFA everywhere, all the time, for everyone.
The Microsoft tools: Entra ID Conditional Access to require MFA, Authentication Strengths to restrict which MFA methods count, Microsoft Authenticator with number-matching for phone-based MFA, and Windows Hello for Business or FIDO2 keys for phishing-resistant authentication. Token protection / device-bound session tokens in Conditional Access close the AiTM gap that standard MFA leaves open.
One subtle gotcha: SMS-based MFA still counts for ML1 on non-privileged accounts, but doesn't count at ML2 on admin roles. If your policy is 'MFA is on', check which factor is actually enforced on your admins today.
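That check can be automated against a Conditional Access export. The script below is an added example (not from the article, and not Microsoft code) that works out the strongest MFA requirement actually enforced on an admin role. The policy documents are constructed to follow the Graph conditionalAccessPolicy JSON shape, with the built-in authentication strength IDs Entra ships; the evaluation rules are a simplification (report-only policies do not count, only all-application policies count, and exclusions are not evaluated), and the role template ID should be verified in your tenant.

```python
"""Work out which MFA strength Conditional Access actually enforces on admin roles.

Added example, not code from the article or from Microsoft. The policy documents are
constructed to follow the Microsoft Graph conditionalAccessPolicy JSON shape; the rules
for what counts as 'covered' are this example's own simplification (exclusions ignored).
"""
from typing import Dict, List

# Entra built-in role template ID for Global Administrator; verify it in your tenant.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"

# Built-in authentication strength IDs. Only the phishing-resistant one satisfies the
# ML2 requirement on privileged accounts; the other two cap out at 'any MFA'.
STRENGTH_MFA = "00000000-0000-0000-0000-000000000002"
STRENGTH_PASSWORDLESS = "00000000-0000-0000-0000-000000000003"
STRENGTH_PHISHING_RESISTANT = "00000000-0000-0000-0000-000000000004"

RANK = {"none": 0, "mfa_any": 1, "phishing_resistant": 2}


def policy_strength(policy: dict) -> str:
    """Map a policy's grant controls to none / mfa_any / phishing_resistant."""
    grant = policy.get("grantControls") or {}
    strength = (grant.get("authenticationStrength") or {}).get("id")
    if strength == STRENGTH_PHISHING_RESISTANT:
        return "phishing_resistant"
    # The plain 'mfa' control accepts whichever methods are enabled, SMS included.
    if strength in (STRENGTH_MFA, STRENGTH_PASSWORDLESS) or "mfa" in grant.get("builtInControls", []):
        return "mfa_any"
    return "none"


def policy_covers_role(policy: dict, role_id: str) -> bool:
    """True when an enforced, all-apps policy applies to the role (directly or via All users)."""
    if policy.get("state") != "enabled":          # report-only enforces nothing
        return False
    cond = policy.get("conditions", {})
    apps = cond.get("applications", {}).get("includeApplications", [])
    if "All" not in apps:                          # assumption: per-app policies don't count here
        return False
    users = cond.get("users", {})
    return role_id in users.get("includeRoles", []) or "All" in users.get("includeUsers", [])


def admin_mfa_posture(policies: List[dict], role_ids: List[str]) -> Dict[str, str]:
    """Strongest MFA requirement enforced on each role across all policies."""
    posture = {}
    for role in role_ids:
        best = "none"
        for p in policies:
            if policy_covers_role(p, role):
                s = policy_strength(p)
                if RANK[s] > RANK[best]:
                    best = s
        posture[role] = best
    return posture


def ml2_admin_gap(policies: List[dict], role_ids: List[str]) -> List[str]:
    """Roles that do not get the phishing-resistant MFA ML2 requires on privileged accounts."""
    return [r for r, s in admin_mfa_posture(policies, role_ids).items() if s != "phishing_resistant"]


# Constructed sample: the common 'MFA is on' tenant, with the admin policy left in report-only.
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"], "includeRoles": []},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Phishing-resistant MFA for admins",
        "state": "enabledForReportingButNotEnforced",   # looks done in the portal, enforces nothing
        "conditions": {"users": {"includeUsers": [], "includeRoles": [GLOBAL_ADMIN]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": [],
                          "authenticationStrength": {"id": STRENGTH_PHISHING_RESISTANT,
                                                     "displayName": "Phishing-resistant MFA"}},
    },
]

if __name__ == "__main__":
    print(admin_mfa_posture(SAMPLE_POLICIES, [GLOBAL_ADMIN]))
    print("ML2 gap on roles:", ml2_admin_gap(SAMPLE_POLICIES, [GLOBAL_ADMIN]))
```

On the sample tenant the Global Administrator role comes back as "mfa_any": the all-users policy covers admins, but the plain mfa control is satisfied by whatever factor the user registered, which is exactly the SMS gotcha above. Flipping the second policy's state to "enabled" moves the role to "phishing_resistant".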
8. Regular backups
Most orgs think they've got this, and most orgs fail a restore drill. ML1 is weekly backups with an annual restore test. ML2 introduces encryption, access restriction, and quarterly restore tests. ML3 requires immutable offline or offsite copies and privileged backup access gated via PIM.
The Microsoft tools: Purview retention policies for Exchange, SharePoint and OneDrive, plus a third-party M365 backup product (Veeam, AvePoint or Keepit are the ones we see most) for immutable backups outside the tenant trust boundary. Azure Backup for infrastructure workloads. And discipline — because the technology is the easy bit; the restore drill is the hard bit.
What actually moves a Maturity Level
Essential Eight doesn't score you on what you've bought — it scores you on what you've operated. Every strategy above has a tool that ships with Microsoft 365 Business Premium or E5. The gap between a tenant at ML0 and one at ML2 is rarely licence cost. It's configuration, change management and the discipline to run the controls week after week.
Try it
Check what's already in your licence
Run the M365 Usage Tool to see which Essential-Eight-relevant features your licence already includes — and which you've paid for but never switched on.