You Probably Already Own Everything Cyber Essentials Requires
TL;DR
- Organizations on Microsoft 365 Business Premium typically own everything required to pass Cyber Essentials v3.3 without purchasing new tools.
- Cyber Essentials v3.3 tests five technical controls: firewalls, secure configuration, security update management, user access control, and malware protection.
- Intune covers three of the five controls through firewall policies, configuration profiles, and update rings or Windows Autopatch.
- Entra ID satisfies user access control with Conditional Access, MFA, phishing-resistant authentication strengths, and role-based admin access.
- Defender for Business, bundled with Business Premium, delivers the antivirus, EDR, attack surface reduction, and ransomware controls the malware requirement expects.
The most expensive part of Cyber Essentials, for most small businesses, is the panic. A partner or contract demands certification, the Googling starts, and within an hour there is a stack of vendor quotes, a list of tools nobody has heard of, technical controls that feel impossible to map, and a creeping fear of failing the audit.
Here is what that panic buys: usually nothing you did not already own. If the organization runs Microsoft 365 Business Premium, the licensing for every Cyber Essentials v3.3 technical control is most likely already in place. The work is configuration, not procurement.
This guide maps all five controls to three tools in the Business Premium stack: Microsoft Entra, Microsoft Intune, and Defender for Business, with configuration documentation for each step so you can implement the policies in your own tenant.
What Cyber Essentials v3.3 actually tests
Cyber Essentials focuses on five core technical areas:
- Firewalls
- Secure configuration
- Security update management
- User access control
- Malware protection
Everything below maps directly to these requirements.
The two-week certification: a real example
A small financial services company in the UK got the ultimatum from a partner: stay Cyber Essentials certified or stop doing business together. The immediate questions were the predictable ones. Do we need a new firewall? Should we buy MDR? Will we fail the audit? They braced for a major security spend.
A review of their environment found something simpler: they were already paying for Microsoft 365 Business Premium. They owned everything they needed; none of it was configured correctly. Two weeks of turning on and tuning the tools they had been paying for all along produced three outcomes:
- They passed Cyber Essentials
- They bought no unnecessary tools
- They ended up with an environment far more secure than before
That pattern repeats across most SMB environments we see. Now, the control-by-control mapping.
Control 1: Firewalls, enforced from Intune

Cyber Essentials requires that all devices accessing business data are protected by an approved, centrally managed firewall. With Business Premium, this runs through Intune's Endpoint Security > Firewall policies. Once devices are enrolled in Intune, via Entra join or Hybrid join, you can enforce standardized Windows Defender Firewall rules across the entire fleet regardless of where the user works. Combined with Conditional Access, you can also block unmanaged or personal devices from reaching corporate resources, which keeps incoming and outgoing traffic both protected and auditable.
Control 2: Secure configuration, baked into provisioning

The secure configuration requirement is about hardening devices against misuse and exploitation. Intune centrally enforces the settings auditors look for: disabling AutoRun and AutoPlay, screen lock timers, restricted local admin privileges, BitLocker, and secure baseline settings. Add Autopilot and every new device provisions with the hardened baseline from day one, with users created as standard users rather than local admins. Configuration profiles keep every endpoint on a consistent, secure standard aligned with what Cyber Essentials expects.
Control 3: Security update management, on a cadence

Timely patching of operating systems and applications is a hard requirement, because unpatched known vulnerabilities are the cheapest way in. In a Microsoft 365 environment, Intune update rings or Windows Autopatch put Windows updates on a reliable cadence. On top of OS patching, Defender for Business adds built-in vulnerability management: visibility into outdated applications, exposed devices, and critical CVEs. Together they cover both OS updates and third-party application risk.
Control 4: User access control, anchored in Entra ID

User access control means the right people, the right access, the right time. Entra ID enforces strong authentication through Conditional Access policies, including MFA, passwordless authentication, and phishing-resistant authentication strengths such as FIDO2 or passkeys. It also carries the identity hygiene requirements the assessment checks: individual user accounts (never shared accounts), onboarding and offboarding procedures, custom banned password lists, account lockout thresholds, and role-based access control for administrators.
Control 5: Malware protection, via Defender for Business

Cyber Essentials requires strong protection against viruses, ransomware, and malware. Defender for Business, bundled with Business Premium, brings enterprise-grade antivirus, endpoint detection and response, attack surface reduction rules, and Controlled Folder Access to blunt ransomware activity. Policies deploy through Intune for consistent protection across all endpoints, and Defender's vulnerability management dashboard flags the outdated or risky applications that tend to become malware entry points.
The checklist version
If you have Microsoft 365 Business Premium, you have:
- Entra for access control
- Intune for secure configuration, firewalls, and patching
- Defender for Business for malware protection
Configured correctly, those cover every requirement in Cyber Essentials v3.3. The full technical guide (PDF) (opens in new tab) collects the configuration documentation for every step; use it as your implementation checklist.
The harder problem for MSPs is doing this at scale: scanning each tenant against the standard, collecting pass and fail evidence, and keeping clients certified as settings drift between audits. That is the part worth automating.

Frequently asked questions
Do you need to buy new security tools to pass Cyber Essentials?
Usually not, if the organization runs Microsoft 365 Business Premium. The five technical controls in Cyber Essentials v3.3 map onto Entra ID, Intune, and Defender for Business, which are all included in that license. The gap is almost always configuration, not tooling.
Does Cyber Essentials require a hardware firewall?
It requires that all devices accessing business data sit behind an approved, centrally managed firewall. Intune's Endpoint Security firewall policies enforcing Windows Defender Firewall across enrolled devices satisfy this for the endpoint fleet, wherever users work.
How long does it take to get an existing tenant ready?
In the client engagement described in this guide, a small UK financial services firm went from unconfigured Business Premium to passing Cyber Essentials in two weeks of enabling and tuning tools they already paid for.
Scan a tenant against Cyber Essentials before the auditor does
Everything in this guide works manually, across one tenant. CloudCapsule scans tenants against Cyber Essentials v3.3 automatically, with pass and fail evidence, remediation steps for every control, and client-facing reports across your whole client base.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


