The Australian Signals Directorate's Essential Eight Maturity Level 2 is the practical baseline for most Australian organisations in 2026. Frontrow's earlier note set out the 90-day plan to move from Maturity Level 1 to Maturity Level 2. This guide is the companion piece — each of the eight mitigation strategies mapped, control by control, to the specific Microsoft 365 service, configuration and licence tier that delivers it.
For most Australian mid-market tenants the licensing to land ML2 is already in place. Microsoft 365 E3 covers most of it, E5 closes the remainder, and Microsoft 365 Business Premium gets a tenant of 300 seats or under a material part of the way there. Where a control needs an add-on, the map below names it.
1. Patch applications
Microsoft Intune with Intune Autopatch for Windows and Microsoft Update for Business for firmware. The 48-hour patch window for internet-facing applications and the 14-day window for other applications are enforced through Intune update rings and confirmed through Intune Reporting. Microsoft Defender for Endpoint surfaces the vulnerable-application picture, and Threat and Vulnerability Management closes the loop on what was found and what was missed. Evidence: Intune patch latency report, exported monthly.
2. Patch operating systems
Same control plane as application patching. Intune Autopatch carries Windows updates with the 48-hour window for internet-facing systems. Server patching where Azure Arc is in scope sits inside Microsoft Defender for Cloud's update management. Evidence: the Intune Autopatch deployment report and the Defender for Cloud update compliance dashboard.
3. Multi-factor authentication
Microsoft Entra ID with phishing-resistant MFA for privileged accounts (Microsoft Authenticator passwordless or FIDO2 keys), and MFA for all users on internet-facing services through Conditional Access. Number matching on, SMS OTP off across the tenant. Conditional Access baseline policies are live, with no permanent exclusions for staff. Evidence: the Microsoft Entra ID sign-in logs filtered for password-only authentication across a 30-day window — the target is zero.
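One way to produce the 30-day password-only evidence described above, as an added example that is not from the article or Frontrow's own tooling: it uses the Microsoft Graph PowerShell SDK (Get-MgAuditLogSignIn), assumes the caller holds a role that can read sign-in logs, and the CSV file name is a constructed example.

```powershell
# Added example (not from the original article): evidence check for the MFA control.
# Pulls the last 30 days of interactive sign-ins from Entra ID, keeps the successful ones,
# and counts those accepted on a single factor plus any where SMS satisfied a factor.
# Assumes the Microsoft.Graph SDK is installed and the caller can read sign-in logs.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

$since   = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.Status.ErrorCode -eq 0 }   # failed attempts are not evidence either way

# singleFactorAuthentication = the sign-in was accepted without an MFA claim.
$passwordOnly = $signIns |
    Where-Object { $_.AuthenticationRequirement -eq 'singleFactorAuthentication' }

# SMS as a factor contradicts the "SMS OTP off" baseline even where MFA was satisfied.
$smsUsed = $signIns | Where-Object {
    $_.AuthenticationDetails |
        Where-Object { $_.AuthenticationMethod -eq 'Text message' -and $_.Succeeded }
}

"Successful interactive sign-ins, last 30 days : $($signIns.Count)"
"Password-only sign-ins (target 0)             : $($passwordOnly.Count)"
"Sign-ins where SMS was a factor (target 0)    : $($smsUsed.Count)"

# Break the password-only count down by application so each one can be traced to the
# Conditional Access gap that let it through, rather than treated as a single number.
$passwordOnly |
    Group-Object AppDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Export the raw rows as the evidence artefact (file name is a constructed example).
$stamp = Get-Date -Format 'yyyyMMdd'
$passwordOnly |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress,
                  AuthenticationRequirement |
    Export-Csv -Path ".\signins-password-only-$stamp.csv" -NoTypeInformation
```

Run it on the same day each month and keep the CSVs; twelve of them are the rolling record the evidence pack asks for.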
4. Restrict administrative privileges
Microsoft Entra Privileged Identity Management with eligibility rather than active assignment for all privileged roles, just-in-time activation with MFA, time-bounded sessions and approval workflow on the highest-impact roles. Local administrator accounts on workstations brokered through Microsoft Intune Endpoint Privilege Management (an E5 Security add-on). Service accounts inventoried and reviewed quarterly. Evidence: PIM activation audit and the EPM policy report. ML2 expects standing privilege to be measured and trending towards zero.
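An added example (not the article's or Frontrow's) of measuring standing privilege with the Microsoft Graph PowerShell SDK: active role assignments that were assigned directly, rather than activated through PIM, are reported against the eligible ones. The list of top-tier roles is an assumption; adjust it to the tenant's own tiering.

```powershell
# Added example (not from the original article): standing-privilege measurement for PIM.
# Assumes the Microsoft.Graph SDK is installed and the caller can read role schedules.
Connect-MgGraph -Scopes 'RoleAssignmentSchedule.Read.Directory',
                        'RoleEligibilitySchedule.Read.Directory',
                        'Directory.Read.All' -NoWelcome

# Roles treated as top tier for this check (constructed list, not an official tiering).
$topTier = @('Global Administrator', 'Privileged Role Administrator',
             'Security Administrator', 'Conditional Access Administrator',
             'Exchange Administrator', 'SharePoint Administrator',
             'Intune Administrator', 'Application Administrator')

# Map role definition ids to display names once, rather than per assignment.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Active schedules are what the directory honours right now. AssignmentType 'Assigned'
# means the access did not come from a PIM activation, so it is standing privilege.
$standing = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All |
    Where-Object { $_.AssignmentType -eq 'Assigned' } |
    ForEach-Object {
        $exp = $_.ScheduleInfo.Expiration
        [pscustomobject]@{
            Role        = $roleNames[$_.RoleDefinitionId]
            PrincipalId = $_.PrincipalId
            MemberType  = $_.MemberType     # 'Group' means expand the group membership too
            Expires     = if ($exp.Type -eq 'noExpiration') { 'never' } else { $exp.EndDateTime }
        }
    }

$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All

"Eligible (just-in-time) assignments : $($eligible.Count)"
"Standing active assignments         : $($standing.Count)"

# Documented emergency-access accounts are the usual, register-recorded exception here;
# anything else at the top tier is the number ML2 expects to trend to zero.
$topTierStanding = $standing | Where-Object { $topTier -contains $_.Role }
"Standing at top tier (target 0)     : $($topTierStanding.Count)"
$topTierStanding | Sort-Object Role | Format-Table Role, PrincipalId, MemberType, Expires -AutoSize
```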
5. Application control
This is the single control most ML1 tenants have only partially implemented. ML2 requires enforcement on workstations, not monitoring. Microsoft Defender Application Control or AppLocker, with a tested allow list scoped per persona — knowledge worker, developer, finance, executive — rather than a single tenant-wide policy. Microsoft Intune deploys and monitors the policies. Evidence: the Defender Application Control policy report with documented exception review.
6. Restrict Microsoft Office macros
Microsoft Intune configuration profiles disable Office macros from the internet, allow only digitally signed macros where macros are required, and prevent users from changing the macro setting. Macros sourced from internet locations blocked at the Office level, with Mark-of-the-Web enforced. Microsoft Defender for Endpoint Attack Surface Reduction rules layered on for blocking Office child processes, executable content creation and code injection. Evidence: the ASR rules report with no permanent exclusions below the agreed baseline.
7. User application hardening
Block Java, Flash, ads and untrusted content in browsers via Microsoft Edge for Business policy, deployed through Intune. Disable PowerShell version 2.0 and constrain the remaining PowerShell to Constrained Language Mode for non-admin users via Intune device configuration. Microsoft Defender for Endpoint ASR rules cover the residual hardening — credential theft, executable from email, persistence through WMI. Microsoft Defender SmartScreen on at the network and app level. Evidence: the Edge for Business policy compliance report and the ASR rules report.
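A per-device spot check for sections 6 and 7 together, as an added example that is not from the article or Frontrow: it reads the Office macro policy values, the state of the ASR rules both sections name, and the PowerShell 2.0 engine, so a sampled workstation can be compared with what the Intune and ASR reports claim. The expected VBAWarnings value is an assumption (3, signed macros only, for the "macros required" persona; 4 blocks all macros for everyone else).

```powershell
# Added example (not from the original article): endpoint spot check for the macro,
# ASR and PowerShell hardening controls. Run in an elevated session on a managed device.
$expectedVbaWarnings = 3   # assumption: 3 = only digitally signed macros run; 4 = none run
$officeApps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Outlook', 'Publisher', 'Visio'
foreach ($app in $officeApps) {
    # Values under the Policies hive are enforced; the user cannot change them in Trust Center.
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $sec = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $internetBlocked = ($sec.blockcontentexecutionfrominternet -eq 1)   # Mark-of-the-Web block
    $vbaOk = ($sec.VBAWarnings -eq $expectedVbaWarnings)
    '{0,-11} internet macros blocked: {1,-5} VBAWarnings as expected: {2}' -f $app, $internetBlocked, $vbaOk
}

# ASR rules the article calls out, keyed by the GUID Defender reports them under.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office apps from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office apps from injecting code into other processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'Block persistence through WMI event subscription'
}
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$mp = Get-MpPreference
$configured = @{}   # rule id -> action, from the two parallel arrays Defender exposes
for ($i = 0; $i -lt $mp.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $configured[$mp.AttackSurfaceReductionRules_Ids[$i]] = [int]$mp.AttackSurfaceReductionRules_Actions[$i]
}
foreach ($id in $asrRules.Keys) {
    # ML2 wants Block; Audit, Warn or absent is a finding for the exception register.
    $state = if ($configured.ContainsKey($id)) { $actionName[$configured[$id]] } else { 'Not configured' }
    '{0,-16} {1}' -f $state, $asrRules[$id]
}
"ASR-only exclusions on this device (reconcile with the exclusion register): $($mp.AttackSurfaceReductionOnlyExclusions.Count)"

# The PowerShell 2.0 engine predates script block logging and Constrained Language Mode,
# so it should be removed rather than left installed.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
"PowerShell 2.0 engine (target Disabled): $($v2.State)"
"Current session language mode: $($ExecutionContext.SessionState.LanguageMode)"
```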
8. Regular backups
ML2 separates daily backup from tested restore. Microsoft 365 Backup (Microsoft's native backup add-on) for Exchange, SharePoint and OneDrive backups with point-in-time restore. Azure Backup for Azure-hosted workloads. The differentiator at ML2 is the documented restore exercise. Run a real restore on a defined cadence, time it, and record the measured recovery time and recovery point against the RTO and RPO targets. Evidence: the restore test report on a defined quarterly cadence.
Where E3 stops and E5 starts
Microsoft 365 E3 covers most of ML2 with Intune, Defender for Endpoint Plan 1, Entra ID P1 and the Office macro and update controls. The pieces that need E5 (or the targeted add-ons) are Defender for Endpoint Plan 2 (the deeper EDR and ASR capability that ML2's monitoring expectations lean on), Entra ID P2 (PIM, Identity Protection, Access Reviews), and Microsoft Purview at the higher tier where the audit retention and Insider Risk Management evidence sits. Microsoft Intune Endpoint Privilege Management is its own add-on and delivers the local admin reduction quickly. For tenants on Microsoft 365 Business Premium, the gap to ML2 is the EDR depth and the PIM functionality — both addressable through targeted add-ons.
Evidence pack — what an auditor wants to see
- Intune patch latency report, monthly export, last 12 months.
- Microsoft Entra ID sign-in logs filtered for password-only authentication, 30-day rolling, with the count at zero or trending to zero.
- PIM activation audit, 30-day rolling, with no standing privileged assignments at the top tier.
- Defender Application Control policy report with documented exception register.
- ASR rules report by ASR ID, exclusion register, and the exception approval workflow.
- Microsoft 365 Backup configuration export and the latest tested restore report with measured RTO and RPO.
- Microsoft Purview Audit configuration showing the higher retention tier and the configured retention policy for security workloads.
The eight strategies in one line each
- 01 Application control: Only approved applications can execute on workstations and servers.
- 02 Patch applications: Internet-facing apps, browsers, Office, PDF readers patched promptly.
- 03 Microsoft Office macros: Macros disabled unless from trusted locations and signed by a trusted publisher.
- 04 User application hardening: Web browsers and productivity apps hardened against the most common attacks.
- 05 Restrict administrative privileges: Admin accounts limited, separated and reviewed — the crown jewels of the tenant.
- 06 Patch operating systems: Operating system patches applied on a schedule that matches the risk.
- 07 Multi-factor authentication: MFA everywhere that matters — privileged accounts, remote access, important data.
- 08 Regular backups: Backups of important data, configuration and software — and restores you have actually tested.
Frontrow runs the ML2 mapping inside an Australian tenant as a four-week engagement that ends with the evidence pack above and a quarterly assurance cadence to keep the controls live. Phone 1300 012 466 or book a chat through the contact page.