
Map the Essential Eight to Microsoft 365 licences.

A control-by-control mapping of the ASD Essential Eight mitigations to Microsoft 365 capabilities and licence tiers. Accurate, honest, and designed to be cited.

Last reviewed May 2026

ASD Essential Eight

Eight mitigations. Four maturity levels.

The ASD Essential Eight Maturity Model (November 2023) is a baseline cyber security framework published by the Australian Signals Directorate. It defines eight prioritised mitigation strategies that, when implemented together, make it significantly harder for adversaries to compromise systems.

The model defines four maturity levels: ML0 (not implemented or incomplete), ML1 (partly aligned with intent), ML2 (aligned with intent, controls hardened), and ML3 (fully hardened, advanced detection and response). Commonwealth entities have been required to reach ML2 since 1 July 2022. Phishing-resistant MFA is mandatory from ML2.

Microsoft 365 provides tooling relevant to every one of the eight mitigations. But the licence tier determines which tools are available, and configuration determines whether those tools are actually doing anything. The table below maps each control to the Microsoft capability and the minimum licence tier, with honest notes on what the tool does not cover.

Reference: Microsoft Learn: Essential Eight overview for ANZ and the ASD Protected Utility Blueprint.

Maturity levels

  • ML0: Not implemented. Controls missing or ineffective
  • ML1: Partly aligned. Basic intent met; easy bypasses remain
  • ML2: Aligned. Controls hardened; phishing-resistant MFA required. Commonwealth minimum since 1 Jul 2022.
  • ML3: Fully hardened. Advanced detection, logging, and response

Source: ASD Essential Eight Maturity Model, November 2023

Control mapping

Essential Eight to Microsoft 365 capability and licence.

Each mitigation mapped to its Microsoft capability and the minimum licence tier required. Gap notes are honest: where Microsoft only partially addresses a control, this table says so.

  1. Application control

     Microsoft capability: App Control for Business (WDAC) / AppLocker via Intune; centralised monitoring via Defender for Endpoint (MDE)
     Licence tier: Intune Plan 1 (Business Premium / E3 / E5); MDE P2 monitoring requires E5
     Honest gap note: WDAC policy design and ongoing maintenance are engineering work, not a licence purchase. Policy errors can break systems.

  2. Patch applications

     Microsoft capability: Intune + Windows Autopatch; Defender Vulnerability Management (DVM) for patch gap visibility
     Licence tier: Business Premium / E3 / E5; full DVM with MDE P2 (E5)
     Honest gap note: Autopatch covers Microsoft first-party software only. Third-party application patching requires additional tooling. The 48-hour critical patch SLA is a process commitment, not a product feature.

  3. Configure Microsoft Office macro settings

     Microsoft capability: Intune policy + Attack Surface Reduction (ASR) rules + Defender for Office 365 Safe Attachments
     Licence tier: Business Premium / E3 / E5; user-locked enforcement benefits from Microsoft 365 Apps for Enterprise (E3 / E5, not Business Premium)
     Honest gap note: Business Premium uses Microsoft 365 Apps for Business, which has a reduced policy surface compared to Apps for Enterprise. Validate enforcement scope before claiming ML2+.

  4. User application hardening

     Microsoft capability: Intune Edge hardening policies + ASR rules + Defender for Office 365 Safe Links + Microsoft Defender SmartScreen
     Licence tier: Business Premium / E3 / E5; advanced hunting and custom detections require MDE P2 (E5)
     Honest gap note: Non-Microsoft application hardening (Chrome, Firefox, third-party PDF readers) requires additional configuration. The control is not satisfied by Microsoft tooling alone.

  5. Restrict administrative privileges

     Microsoft capability: Entra ID RBAC + Privileged Identity Management (PIM) just-in-time access + Entra Access Reviews
     Licence tier: PIM and Access Reviews require Entra ID P2 (included in E5; add-on for E3 and Business Premium). E3 and Business Premium do not include Entra ID P2.
     Honest gap note: PIM must be configured, activated on every privileged role, and tested. Licensing PIM without configuring it provides no protection. Dedicated cloud-based privileged admin accounts and a separate admin workstation strategy are also required.

  6. Patch operating systems

     Microsoft capability: Intune update rings + Windows Autopatch + Defender Vulnerability Management for OS CVE tracking
     Licence tier: Business Premium / E3 / E5; OS CVE tracking with MDE P2 (E5)
     Honest gap note: Autopatch targets Windows 10/11 only. Non-Windows endpoints and network devices require separate patch management tooling. The 48-hour critical SLA is a process and operational discipline.

  7. Multi-factor authentication

     Microsoft capability: Entra MFA + Conditional Access + Authentication Strengths (phishing-resistant: Windows Hello for Business, FIDO2 passkeys, certificate-based auth)
     Licence tier: Security Defaults (free) for basic MFA; Conditional Access + Authentication Strengths require Entra ID P1 (Business Premium / E3 / E5); risk-based adaptive MFA requires Entra ID P2 (E5)
     Honest gap note: ML2 phishing-resistant MFA is achievable on Entra ID P1. Risk-based Conditional Access (sign-in risk, user risk) needs P2. Enrolling every user and covering every access path is the real delivery challenge, not the licence.

  8. Regular backups

     Microsoft capability: Microsoft 365 Backup for Exchange Online, SharePoint Online, and OneDrive with immutable storage. Purview retention policies (note: retention is NOT backup).
     Licence tier: Any plan + Microsoft 365 Backup consumption pricing (pay-as-you-go per GB restored)
     Honest gap note: Significant gaps. Microsoft 365 Backup does not cover Teams configuration, Entra ID tenant configuration, Intune policies, on-premises systems, or non-Microsoft SaaS. A separate backup-administrator role (not your global admin) must be maintained. Most organisations require a third-party backup solution alongside Microsoft 365 Backup.

Sources: ASD Essential Eight Maturity Model, November 2023 · Microsoft Learn: Essential Eight ANZ · Microsoft Learn: Essential Eight MFA ML2

Under-used security

The capability you are already paying for.

Most organisations with E3 or E5 licences are running at a fraction of their security capability. The licence is active. The tools are deployed. The controls are off.

Common examples we see in assessments:

Conditional Access in report-only mode

Policies are created and tested but never switched to enforcement. Users are not blocked. Phishing-resistant MFA is not required. The tenant is vulnerable despite the policy existing.
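An added check for the report-only trap above (example code written for this page, not Modern 42's or Microsoft's): given the JSON that Microsoft Graph returns for the Conditional Access policies collection, it flags policies still in report-only state and reports whether any enforced all-users policy requires a phishing-resistant authentication strength. The three sample policies are constructed; the method-combination names are assumed to match those in the Graph authenticationStrength object.

```python
import json

# Method combinations that count as phishing-resistant (the page's WHfB, FIDO2 passkeys and
# certificate-based auth); names as used in the Graph authenticationStrength object (assumption).
PHISHING_RESISTANT = {"windowsHelloForBusiness", "fido2",
                      "x509CertificateMultiFactor", "x509CertificateSingleFactor"}
REPORT_ONLY = "enabledForReportingButNotEnforced"

# Constructed sample in the shape of GET /identity/conditionalAccess/policies (the "value" array).
SAMPLE = json.loads("""{"value": [
 {"displayName": "Require phishing-resistant MFA - all users",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-id>"]}},
  "grantControls": {"authenticationStrength": {"displayName": "Phishing-resistant MFA",
    "allowedCombinations": ["windowsHelloForBusiness", "fido2", "x509CertificateMultiFactor"]}}},
 {"displayName": "Require MFA - all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
  "grantControls": {"builtInControls": ["mfa"], "authenticationStrength": null}},
 {"displayName": "Block legacy authentication", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                 "clientAppTypes": ["exchangeActiveSync", "other"]},
  "grantControls": {"builtInControls": ["block"]}}
]}""")

def is_phishing_resistant(policy):
    """True if the policy grants access only via phishing-resistant method combinations."""
    strength = (policy.get("grantControls") or {}).get("authenticationStrength") or {}
    combos = set(strength.get("allowedCombinations", []))
    return bool(combos) and combos <= PHISHING_RESISTANT

def audit_conditional_access(policies):
    """Return (findings, ml2_mfa_enforced) for a list of conditionalAccessPolicy objects."""
    findings, enforced = [], False
    for p in policies:
        name = p["displayName"]
        grant = p.get("grantControls") or {}
        all_users = "All" in p.get("conditions", {}).get("users", {}).get("includeUsers", [])
        if p["state"] == REPORT_ONLY:
            # Policy exists but blocks nobody: the report-only trap described above.
            findings.append(f"{name}: report-only, nothing is enforced")
        elif p["state"] == "enabled" and all_users:
            if is_phishing_resistant(p):
                enforced = True
            elif "mfa" in grant.get("builtInControls", []):
                findings.append(f"{name}: generic MFA only, not phishing-resistant (ML1 at best)")
    if not enforced:
        findings.append("No enforced all-users policy requires phishing-resistant MFA")
    return findings, enforced
```

Against the sample tenant the audit returns three findings and reports that phishing-resistant MFA is not enforced; flipping the first policy's state to "enabled" clears two of them.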

PIM licensed but not activated

Entra ID P2 is included in E5. Privileged Identity Management is never configured. Every administrator has permanent standing access. The Essential Eight Restrict Administrative Privileges control is not met at any maturity level.

Defender for Endpoint deployed with default settings

MDE P2 is active. Attack Surface Reduction rules are in audit mode. Application control is not configured. Vulnerability management dashboards are available but no remediation SLA is defined.

ASR rules never moved past audit

Attack Surface Reduction rules are critical for macro control, user application hardening, and ransomware protection. Running in audit indefinitely is a planning failure, not a security posture.

Autopatch enabled but not monitored

Windows Autopatch is active. Patch compliance reporting is ignored. Devices that have been offline for weeks are not followed up. The 48-hour critical patch SLA is missed silently.

Licence vs configuration

A licence buys access. Configuration buys protection.

This is the most important thing to understand about Microsoft 365 and the Essential Eight.

What the licence gives you

  • Access to Intune for endpoint management and policy deployment
  • Entra ID Conditional Access and Authentication Strengths
  • Privileged Identity Management (Entra ID P2 / E5)
  • Defender for Endpoint P1 or P2 for endpoint detection
  • Defender for Office 365 Safe Attachments and Safe Links
  • Microsoft 365 Backup for Exchange, SharePoint, and OneDrive
  • Windows Autopatch for managed update rings
  • Attack Surface Reduction rules (available, defaulting to audit)

What still needs engineering

  • WDAC policy design, testing, and phased deployment without breaking LOB applications
  • Conditional Access framework design: who, what, where, and every exception documented
  • PIM activation on every privileged role with approval workflows and access reviews
  • Phishing-resistant MFA rollout: enrolment, exception handling, and legacy protocol blocking
  • ASR rules moved from audit to enforcement with proper regression testing
  • Autopatch ring design and compliance monitoring with clear remediation ownership
  • Backup coverage gap analysis and supplementary backup strategy for uncovered workloads
  • Ongoing policy maintenance as the environment, users, and applications change

Honest summary

An untouched E5 tenant is not Essential Eight compliant at any maturity level. Business Premium can reach ML1 and, with dedicated engineering effort, substantial coverage of ML2. The E3-to-E5 forcing functions for Essential Eight are Entra ID P2 (PIM for the Restrict Administrative Privileges control), MDE P2 and Defender Vulnerability Management (for advanced patching visibility and detection), and Defender for Office 365 P2 for ML3-level detection. Reaching and maintaining ML2 requires configuration, testing, process, and ongoing operational discipline, regardless of the licence tier.

Modern 42 is a Microsoft Solutions Partner for Security with an Identity and Access Management specialisation. We help organisations understand which licence they actually need, configure the controls properly, and assess the gap between their current posture and their target maturity level. See our Secure Entra ID and Privileged Access Management engineering services.

Licence decision guide

Which plan for your target maturity level?

A simplified decision guide. Actual requirements depend on your environment, existing tools, and organisational constraints.

Business Premium

Target: ML1, most of ML2

Includes

  • Intune Plan 1
  • Entra ID P1 (Conditional Access, phishing-resistant MFA)
  • Defender for Business (MDE P1 equivalent)
  • Defender for Office 365 P1
  • Microsoft 365 Apps for Business

Gaps / watch points

  • No Entra ID P2 (PIM requires add-on for ML2 Restrict Admin)
  • Apps for Business, not Apps for Enterprise (macro policy surface)
  • No MDE P2 (advanced vulnerability management)

Microsoft 365 E3

Target: ML1, ML2 with P2 add-ons

Includes

  • Intune Plan 1
  • Entra ID P1 (Conditional Access)
  • Defender for Endpoint P1
  • Microsoft 365 Apps for Enterprise (full macro policy surface)
  • Windows Autopatch

Gaps / watch points

  • No Entra ID P2 (PIM for Restrict Admin requires add-on)
  • No MDE P2 (vulnerability management limited without add-on)
  • No Defender for Office 365 P2

Microsoft 365 E5

Target: ML2 and ML3 (with configuration)

Includes

  • Entra ID P2 (PIM, Access Reviews, risk-based CA)
  • MDE P2 (advanced vulnerability management, advanced hunting)
  • Defender for Office 365 P2
  • Defender for Identity
  • Microsoft Sentinel (add-on, consumption pricing)

Gaps / watch points

  • PIM must still be configured and activated
  • ASR rules still need to move from audit to enforcement
  • Backup gaps remain (Teams config, Entra config, non-Microsoft 365)

Compare plans at your seat count, including the 1 July 2026 price changes, in our Microsoft 365 pricing calculator. Modern 42 is a Microsoft 365 CSP.

FAQ

Essential Eight and Microsoft 365

Common questions from technical buyers and security leads evaluating Microsoft 365 licence options for Essential Eight.

There is no single licence that covers all eight controls. Business Premium can address most controls at ML1 and, with engineering effort, much of ML2. The key forcing functions for ML2 and ML3 are: Entra ID P2 (for Privileged Identity Management, required for the Restrict Administrative Privileges control), MDE P2 (for advanced vulnerability management and detection), and Defender for Office 365 P2 (for ML3-level detection). E5 bundles all three. E3 with Entra ID P2 and MDE P2 add-ons is an alternative.

No. An untouched E5 tenant is not Essential Eight compliant at any maturity level. E5 licences unlock the capabilities needed; a team of engineers still needs to configure application control policies, harden endpoints, implement PIM on every privileged role, enforce phishing-resistant MFA across all users, and establish backup and recovery processes. The licence is necessary but not sufficient. Expect significant engineering time to reach ML2, and ongoing operational commitment to maintain it.

Business Premium can reach ML1 and, with careful engineering, substantial coverage of ML2. The main gap is the Restrict Administrative Privileges control: Privileged Identity Management (PIM) requires Entra ID P2, which is not included in Business Premium. You can add Entra ID P2 as a standalone add-on. A second gap is the Office macro settings control: Business Premium includes Microsoft 365 Apps for Business rather than Apps for Enterprise, which has a smaller policy surface. Validate enforcement capability in your specific configuration before claiming ML2 compliance.

Conditional Access with Authentication Strengths is the correct mechanism for enforcing phishing-resistant MFA under the ASD Essential Eight. Conditional Access and Authentication Strengths require Entra ID P1 (included in Business Premium, E3, and E5). ML2 phishing-resistant MFA (Windows Hello for Business, FIDO2, certificate-based authentication) is achievable on P1. Risk-based Conditional Access, which adjusts requirements based on real-time sign-in and user risk signals, requires Entra ID P2 and is relevant for ML3. The technical controls are necessary but not sufficient: every user must be enrolled, every access path must be covered, and exceptions must be documented and reviewed regularly.

Partially. Microsoft 365 Backup covers Exchange Online, SharePoint Online, and OneDrive with immutable storage and rapid restore. However, it does not cover Teams configuration, Entra ID tenant configuration, Intune policy configuration, on-premises systems, or non-Microsoft SaaS applications. Purview retention policies are not a backup substitute; retention prevents deletion but does not provide point-in-time restore. Most organisations meeting the Essential Eight backups control at any maturity level will require a third-party backup solution to supplement Microsoft 365 Backup, plus a separate backup-administrator account that is not the same account used for other administration.

Let’s talk about your Microsoft 365 licensing

No pressure, no lock-in. A straight conversation about your licences, the 1 July 2026 price changes, and whether you are paying for security you are not using.

  • Review your current Microsoft 365 plans and renewal dates
  • Check the 1 July 2026 price changes against your mix
  • Get a clear CSP quote, with no obligation

Free licence review

No commitment required

Tell us your plan mix and seat count. We confirm exact CSP pricing on quote, and show you where you could get more from what you already pay for.
