Skip to main content

Every Essential Eight Control, Mapped to a Microsoft 365 Setting

Nick Ross3 min read

TL;DR

  • The Essential Eight is a prioritized set of mitigation strategies from the Australian Cyber Security Centre, structured in three maturity levels from basic hygiene to high resilience.
  • Microsoft publishes an official mapping between every Essential Eight strategy and the Microsoft 365 tools and licensing that implement it.
  • Microsoft's ACSC Windows Hardening Guidelines repository on GitHub ships preconfigured Intune policies as JSON files you can import directly into a tenant.
  • Each maturity level trades end-user friction, upfront cost, and ongoing maintenance against the risk reduction it buys.
  • As of June 2025, roughly 70 percent of the Essential Eight's technical configuration checks in Microsoft 365 can be automated in a single scan.

Ask three MSPs how their clients line up against the Essential Eight and you will get three spreadsheets, each half-finished. The framework itself is not the problem. The problem is translating eight mitigation strategies into the specific Microsoft 365 policies, license tiers, and Intune profiles that satisfy them, then proving it.

That translation already exists. Microsoft maintains an official mapping from each Essential Eight strategy to the Microsoft 365 controls that implement it. This post walks the whole thing: what each strategy demands, where it lives in Microsoft 365, what it costs in licensing and user friction, and how much of the checking you can hand to automation.

What the Essential Eight asks of you

The Essential Eight is a prioritized set of mitigation strategies developed by the Australian Cyber Security Centre. Adopt the controls at increasing maturity levels and you systematically harden the environment:

  • Maturity Level 1: basic cybersecurity hygiene
  • Maturity Level 2: intermediate resilience with configurable policies
  • Maturity Level 3: high resilience, hard to compromise
Overview of the Essential Eight mitigation strategies and maturity levels

At each level you are balancing three costs, friction for end users, upfront implementation, and ongoing maintenance, against the risk reduction achieved. That trade-off is worth making explicit with clients before you pick a target level, because Level 3 commitments made casually become Level 1 realities within a quarter.

Where Microsoft documents the mapping

Microsoft publishes its own documentation outlining the mapping between the Essential Eight and Microsoft 365, which is the source we follow here: ACSC Essential Eight on Microsoft Learn (opens in new tab).

Inside that documentation you will also find a GitHub repository hosting the Intune ACSC Windows Hardening Guidelines (opens in new tab). It contains preconfigured policies as JSON files you can upload straight into a tenant, which turns a week of policy authoring into an afternoon of review and assignment.

There is also a self-assessment workbook covering all of the mappings between the Essential Eight and Microsoft 365 policies, useful for performing the checks manually inside a tenant.

Essential Eight self-assessment workbook covering Microsoft 365 policy mappings

The eight strategies, one by one

Each strategy below links to Microsoft's detailed implementation page, which covers the tools, the licensing tier required, and the configuration guidance per maturity level.

Strategy 1: Patch applications

Microsoft 365 mapping for the patch applications strategy

Implementation guidance: Essential Eight patch applications on Microsoft Learn (opens in new tab)

Strategy 2: Patch operating systems

Microsoft 365 mapping for the patch operating systems strategy

Implementation guidance: Essential Eight patch operating systems on Microsoft Learn (opens in new tab)

Strategy 3: Multi-factor authentication

Microsoft 365 mapping for the multifactor authentication strategy
MFA implementation details across Essential Eight maturity levels

Implementation guidance: Essential Eight multifactor authentication on Microsoft Learn (opens in new tab)

Strategy 4: Restrict administrative privileges

Microsoft 365 mapping for restricting administrative privileges

Implementation guidance: Essential Eight restrict administrative privileges on Microsoft Learn (opens in new tab)

Strategy 5: Application control

Microsoft 365 mapping for the application control strategy

Implementation guidance: Essential Eight application control on Microsoft Learn (opens in new tab)

Strategy 6: Configure Office macro settings

Microsoft 365 mapping for Office macro settings

Implementation guidance: Essential Eight Microsoft Office macro settings on Microsoft Learn (opens in new tab)

Strategy 7: User application hardening

Microsoft 365 mapping for user application hardening

Implementation guidance: Essential Eight user application hardening on Microsoft Learn (opens in new tab)

Strategy 8: Regular backups

Microsoft 365 mapping for the regular backups strategy

Implementation guidance: Essential Eight backup guidelines on Microsoft Learn (opens in new tab)

How much of this can run on autopilot?

The mapping above tells you what to configure. The harder ongoing question is whether it stays configured, and whether you can prove it without re-running the workbook by hand every quarter.

As of June 2025, around 70 percent of the Essential Eight's technical controls, the ones that resolve to Microsoft 365 configurations and policies, can be assessed automatically.

Automated Essential Eight assessment showing policy checks in CloudCapsule

Each policy carries automated evidence collection behind its pass or fail value, so the result is defensible rather than a checkbox.

Automated evidence collection behind each Essential Eight policy check

Two numbers worth knowing: scans take around 60 seconds on average, and executive, white-labeled PDF reporting is available immediately to share with customers. The remaining 30 percent of controls are process and operational items, backup restoration testing, privilege approval workflows, and the like, which still need a human. That split is healthy. Spend your manual effort where judgment matters and let the configuration checks run themselves.

Frequently asked questions

Does the Essential Eight only matter for Australian organizations?

It originated with the Australian Cyber Security Centre and is mandatory in parts of the Australian public sector, but the eight strategies are a practical hardening baseline anywhere. Cyber insurers and security frameworks worldwide ask for substantially the same controls.

What licensing do you need to implement the Essential Eight in Microsoft 365?

It varies by strategy and maturity level. Microsoft's per-strategy documentation lists the tools and license tiers required for each control, which is why the mapping pages linked in this post are worth reading before you commit a client to a maturity target.

Can the Essential Eight assessment be automated?

Most of it. About 70 percent of the technical checks against Microsoft 365 configurations and policies can be validated automatically with evidence collection, as of June 2025. The remainder involves process and operational controls that need a human.

Stop auditing the Essential Eight by hand

CloudCapsule automates around 70 percent of the Essential Eight's technical checks against Microsoft 365, with pass-fail evidence per policy, 60-second scans, and white-labeled PDF reports your clients can actually read.

Run a free assessment
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading