Frontrow Technology
← Wiki

Cyber & compliance frameworks

Essential Eight Maturity Level 1 — what the controls are and how Microsoft 365 covers them

Essential Eight Maturity Level 1 represents the foundational cybersecurity posture expected of Australian non-government organisations to mitigate common threats.

Last reviewed 3 July 2026

What Essential Eight ML1 Does

Maturity Level 1 of the ACSC’s Essential Eight defines a set of eight baseline controls designed to significantly reduce an organisation’s attack surface. These controls address common attack vectors and provide a practical starting point for improving cybersecurity posture. They include application control on workstations, timely patching of applications and operating systems (critical patches within two weeks, others within one month), macro configuration, hardening user applications, restricting administrative privileges, multi-factor authentication (MFA) for internet-facing and privileged accounts, and regular data backups.

Essential Eight ML1 in Australian Tenants Today

For AU mid-market organisations, achieving Essential Eight ML1 isn’t just a best practice; it’s increasingly becoming a de facto requirement, particularly given OAIC guidance and the potential for data breach reporting obligations under the Notifiable Data Breach scheme. Microsoft 365 tenants can meet most ML1 controls with components they already licence: Intune for application patching and device management, Entra ID for MFA, and Microsoft Defender for Endpoint to automate and enforce many of these controls. While achieving full ML1 requires ongoing effort and validation, the M365 stack provides a solid foundation for AU mid-market tenants.

Want Frontrow to walk this through with your team?

30 minutes. No deck. A senior Frontrow consultant walks through your tenant, your priorities, and the next sensible move.