The eight strategies
The Essential Eight are: 1) Application control: only an organisation-approved set of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets can run, enforced by an explicit allow-list; 2) Patch applications: patch online services, web browsers, office productivity suites, email clients, PDF software and security products within set timeframes (48 hours when the vendor rates the flaw critical or a working exploit exists, otherwise within the timeframe set for the maturity level); 3) Configure Microsoft Office macro settings: block macros in files from the internet, allow macro execution only for users with a demonstrated business need, enable macro antivirus scanning and stop users changing the settings; 4) User application hardening: browsers do not process Java or web advertisements from the internet, and legacy components such as Internet Explorer 11 and Flash are disabled or removed; 5) Restrict administrative privileges: a least-privilege admin model in which privileged access is validated when first requested and re-validated on a regular basis, with separate privileged accounts that cannot browse the web or read email; 6) Patch operating systems: 48 hours for internet-facing servers and network devices when critical or exploited, with longer but fixed timeframes for workstations and internal servers; 7) Multi-factor authentication: MFA for users of online services and for privileged users, phishing-resistant from Maturity Level 2; 8) Regular backups: backups of important data, software and settings, tested for restoration, retained securely, and protected from modification or deletion by unprivileged accounts.
The four maturity levels
Maturity Level 0 means the strategy is not implemented, or is implemented in a way that falls short of ML1. ML1 defends against adversaries who are content to use commodity tradecraft that is widely available. ML2 defends against adversaries operating with a modest step-up in capability and is the most common pragmatic target for Australian midmarket and enterprise organisations. ML3 targets adversaries who are more adaptive and far less reliant on public tools and techniques; it is typically reserved for federal government, critical infrastructure (SOCI) entities and other high-value targets. Levels are assessed per strategy, and the ACSC guidance is to bring all eight strategies to the same level before stepping any of them up.
How the Microsoft 365 stack covers each strategy
Microsoft 365 with the right SKU mix (Intune for device policy, Entra ID P2 for PIM, Defender for Endpoint for attack surface reduction and vulnerability management) covers seven of the eight strategies natively; backups need an additional product. Application control: App Control for Business (formerly Windows Defender Application Control, WDAC) policies deployed through Intune, run in audit mode first and then switched to enforce. Patch applications: Microsoft 365 Apps update channels for Office, Intune for deploying third-party application updates, and Microsoft Defender Vulnerability Management to find what is still unpatched against the 48-hour and two-week clocks. Office macros: Cloud Policy service for Microsoft 365 (or the Intune settings catalog) to block macros from the internet and restrict VBA to approved users, plus Defender for Office 365 for attachment detonation. User application hardening: Defender for Endpoint attack surface reduction rules and the Intune security baselines for Windows and Microsoft Edge. Restrict admin privileges: Entra ID Privileged Identity Management (PIM) for just-in-time activation, Conditional Access for privileged roles, and access reviews. OS patching: Windows Update for Business via Intune update rings, or Windows Autopatch. MFA: Entra MFA with phishing-resistant methods (FIDO2 security keys, Windows Hello for Business, passkeys in Microsoft Authenticator) enforced through Conditional Access authentication strengths. Backups: Microsoft 365 Backup or a third-party product (Veeam, AvePoint, Barracuda); whichever is chosen, restoration must be tested and unprivileged accounts must not be able to modify or delete the backups.
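The macro controls above only count when the policy has actually landed on the device. The following PowerShell is added here as a worked example (it is not from the article and not a Microsoft script): it reads the Office policy registry values that Cloud Policy, Intune or Group Policy write and reports, per application, whether internet macros are blocked, whether VBA is restricted, and whether AMSI macro scanning covers all documents. The application list and the value meanings follow the Office policy templates and are assumptions to check against your own ADMX version.

```powershell
# Added example, not from the original article. Audits the per-user Office policy
# values that implement the Essential Eight macro controls on one device.
# Assumptions: Office 2016+/M365 Apps (the 16.0 policy hive); policy is delivered via
# Cloud Policy, Intune or GPO, all of which write under HKCU\Software\Policies;
# the application list and value meanings match the current Office ADMX templates.
$apps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio'
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent so the caller can report "not set"
    # instead of treating a missing policy as a pass.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-OfficeMacroPolicyReport {
    foreach ($app in $apps) {
        $sec = Join-Path $base "$app\Security"
        # blockcontentexecutionfrominternet = 1: macros in files carrying Mark-of-the-Web are blocked.
        # VBAWarnings = 4: disable all macros without notification (users cannot re-enable).
        #             = 3: disable all except digitally signed (for users with a business need).
        #             = 2 or 1, or not set: the control is not met for this application.
        $motw = Get-PolicyValue $sec 'blockcontentexecutionfrominternet'
        $vba  = Get-PolicyValue $sec 'VBAWarnings'
        [pscustomobject]@{
            App               = $app
            BlockFromInternet = ($motw -eq 1)
            VBAWarnings       = $vba
            MacrosRestricted  = ($vba -in 3, 4)
        }
    }
}

function Get-MacroScanScope {
    # MacroRuntimeScanScope is the "macro antivirus scanning" control (AMSI integration):
    # 2 = all documents, 1 = low-trust documents only, 0 = disabled, $null = not set.
    Get-PolicyValue (Join-Path $base 'Common\Security') 'MacroRuntimeScanScope'
}

Get-OfficeMacroPolicyReport | Format-Table -AutoSize
$scope = Get-MacroScanScope
"MacroRuntimeScanScope = $scope (2 = all documents, 1 = low-trust only, 0 = disabled, blank = not set)"
```

Run it in the user's own session (the values are per-user), and treat a blank result as a failure to evidence rather than a pass: Office's built-in default of blocking Mark-of-the-Web macros is not the same as a policy the user cannot change.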
Common gaps Australian businesses miss
The two strategies most often misread are application control and restrict administrative privileges. Application control is not antivirus and not attack surface reduction rules: those block known-bad or suspicious behaviour, whereas the strategy requires an explicit allow-list that blocks anything not approved. Many AU midmarket tenants assume they have it because they have Defender; they do not, until an App Control for Business (WDAC) policy is deployed and running in enforce mode rather than audit mode. Restrict administrative privileges fails when a Global Administrator account is shared by four people as a standing assignment rather than held as a PIM-eligible role that each person activates with a justification and a time limit; a shared account also defeats MFA attribution and the regular re-validation the strategy requires.
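Two checks for the two gaps, added here as an example (not the article's own code and not a Microsoft script): the first reads the Code Integrity state on an endpoint to show whether App Control is enforced or merely auditing, the second uses the Microsoft Graph PowerShell SDK to list who holds Global Administrator as a standing assignment versus as a PIM-eligible role. It assumes Entra ID P2 (required for PIM anyway), the Microsoft.Graph module, and a signed-in account with RoleManagement.Read.Directory and Directory.Read.All; the function names are ours, the cmdlets, properties and the Global Administrator template ID are Microsoft's.

```powershell
# Added example, not from the original article. Two checks for the two gaps discussed:
#   1. Is App Control for Business / WDAC actually enforced on this endpoint?
#   2. Who holds Global Administrator permanently rather than as PIM-eligible?
# Assumptions: Entra ID P2, Microsoft.Graph PowerShell SDK installed, and a reader with
# RoleManagement.Read.Directory and Directory.Read.All. Function names are ours.

function Test-AppControlEnforced {
    # Win32_DeviceGuard exposes the Code Integrity policy state.
    # UsermodeCodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced.
    # Only 2 is a working allow-list; audit mode logs what would be blocked but lets it run.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        UserModeStatus   = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
        KernelModeStatus = $dg.CodeIntegrityPolicyEnforcementStatus
        Enforced         = ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2)
    }
}

function Get-GlobalAdminAssignments {
    # 62e90394-69f5-4237-9190-012177145e10 is the well-known template ID of Global Administrator.
    $gaRoleId = '62e90394-69f5-4237-9190-012177145e10'
    Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

    # Active instances: everything the role currently grants, permanent or a live PIM activation.
    $active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
        -Filter "roleDefinitionId eq '$gaRoleId'" -All
    # Eligible instances: what PIM lets a principal activate with justification and a time limit.
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
        -Filter "roleDefinitionId eq '$gaRoleId'" -All
    Write-Host "PIM-eligible Global Administrator assignments: $(@($eligible).Count)"

    foreach ($a in $active) {
        # AssignmentType 'Assigned' with no EndDateTime is a standing (permanent) assignment.
        # 'Activated' is a time-boxed PIM activation, which is what the strategy expects to see.
        $principal = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
        [pscustomobject]@{
            Principal      = $principal.AdditionalProperties['displayName']
            AssignmentType = $a.AssignmentType
            EndDateTime    = $a.EndDateTime
            Permanent      = ($a.AssignmentType -eq 'Assigned' -and -not $a.EndDateTime)
        }
    }
}

Test-AppControlEnforced | Format-List
Get-GlobalAdminAssignments | Format-Table -AutoSize
```

Every row with Permanent set to True is a standing Global Administrator that should become eligible-only; if the first check returns UserModeStatus 0 or 1 on a workstation that is meant to be covered, the tenant has Defender but not application control.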