ESSENTIAL EIGHT —
MAPPED TO MICROSOFT 365.

Score each of the 8 strategies

Where are you on the Essential Eight — honestly?

Eight strategies. Four levels each. Pick the statement closest to your reality today. We'll map it to the Microsoft 365 tooling that closes the gap.

• 01

  Application control

  Only approved applications can execute on workstations and servers.

  ML0Users can install and run whatever they want. No allow-list.ML1Blocking executables in user directories on workstations. Basic enforcement.ML2Microsoft recommended block rules applied across workstations and internet-facing servers.ML3Microsoft recommended driver block rules, centrally validated, logged and reviewed.
• 02

  Patch applications

  Internet-facing apps, browsers, Office, PDF readers patched promptly.

  ML0Patching happens when someone remembers. No inventory. No schedule.ML1Critical patches on internet-facing apps within two weeks. Monthly cadence elsewhere.ML2Critical within two weeks (or 48 hours if exploit exists). Automated vuln scanning fortnightly.ML348-hour patching for exploited vulns everywhere. Automated scans weekly. Unsupported apps removed.
• 03

  Microsoft Office macros

  Macros disabled unless from trusted locations and signed by a trusted publisher.

  ML0Macros enabled by default. No restriction. No visibility.ML1Macros from the internet blocked. Users can still enable on local files.ML2Macros only in trusted locations or digitally signed. Security settings locked down.ML3Macros allowlisted by trusted publisher. Blocked from internet. All execution logged and reviewed.
• 04

  User application hardening

  Web browsers and productivity apps hardened against the most common attacks.

  ML0Default browser and Office settings. Flash, Java, ads all live.ML1Browsers block Flash, ads and Java on the internet.ML2Browsers hardened per ASD/vendor guidance. IE11 disabled. PowerShell command line logging on.ML3Unneeded features (OLE, PowerShell) disabled or constrained. Hardening centrally enforced and audited.
• 05

  Restrict administrative privileges

  Admin accounts limited, separated and reviewed — the crown jewels of the tenant.

  ML0Shared admin accounts. Standing global admin rights. No review.ML1Admin accounts separate from normal user accounts. Privileged accounts do not browse the web or read email.ML2Privileged access validated annually. Privileged accounts on secured admin workstations. MFA on all admin auth.ML3Just-in-time elevation via PIM. Privileged events logged centrally and reviewed. No standing global admins.
• 06

  Patch operating systems

  Operating system patches applied on a schedule that matches the risk.

  ML0OS patching ad hoc. Devices and servers go months without updates.ML1OS patched within one month. Internet-facing servers within two weeks.ML2Critical patches within two weeks. Automated vuln scans fortnightly. Unsupported OS removed.ML348-hour patching for exploited vulns. Weekly automated scans. Only supported OS versions in the fleet.
• 07

  Multi-factor authentication

  MFA everywhere that matters — privileged accounts, remote access, important data.

  ML0No MFA, or MFA only for a subset of users. SMS-based where it exists.ML1MFA on privileged accounts, remote access, and access to important data repositories.ML2MFA phishing-resistant (e.g. Windows Hello, FIDO2) on privileged accounts. All users have MFA.ML3Phishing-resistant MFA for every user on every sign-in to the tenant, including customers where applicable.
• 08

  Regular backups

  Backups of important data, configuration and software — and restores you have actually tested.

  ML0Backups happen somewhere. Nobody has tested a restore in living memory.ML1Important data backed up weekly. Restores tested at least annually.ML2Backups encrypted, access restricted, retention aligned to business needs. Quarterly restore tests.ML3Immutable offline/offsite copies. Restore tests quarterly, documented, signed off. Privileged backup access gated.