Microsoft Security · Essential Eight

Essential Eight Microsoft Mapping

ASD Essential Eight strategies mapped to Microsoft Defender, Sentinel, Entra, Intune and Purview. Maturity Level 1, 2 and 3 configurations with evidence documented for audit. RapidLogic™ delivery.

Microsoft Solutions Partner · ISM aligned · Government supplier

Why it matters

The gap is rarely the technology, it is the mapping and the evidence

Essential Eight maturity is the most-asked-about security baseline in Government procurement and increasingly in critical-infrastructure enterprise contexts. The Microsoft stack carries the configurations that satisfy each strategy at each maturity level — when they are configured deliberately and the evidence is captured. The gap most engagements walk into is not Microsoft licensing or technology coverage. It is the mapping per strategy and the documentation that proves it for accreditation review.

A Microsoft Defender deployment is not Essential Eight maturity. Essential Eight maturity is Microsoft Defender configured, mapped per strategy, and evidenced for ASD review. The work is the mapping and the evidence.

Strategies × Microsoft

The eight strategies, mapped to Microsoft

Each strategy carries a short ASD definition, the primary Microsoft product surface, the configuration delta at each maturity level and the evidence artefact that satisfies an audit. Where ASD updates the model, the mapping refreshes with it.

1. Application control

Only approved applications are allowed to execute on workstations and servers.

Microsoft: Microsoft Defender for Endpoint (WDAC), Microsoft Intune App Control, Microsoft Defender Application Control policies.

  • ML1: enforced on workstations, allowlist by publisher or path
  • ML2: enforced on workstations and servers, allowlist by publisher with managed exceptions
  • ML3: enforced everywhere, ASD-published driver block list applied, allowlist by signed publisher

Evidence: Intune policy export, WDAC policy XML, exclusion register.

2. Patch applications

Vulnerabilities in applications are remediated within ASD-defined timeframes.

Microsoft: Microsoft Intune, Microsoft Defender Vulnerability Management, Microsoft Configuration Manager, Windows Autopatch.

  • ML1: extreme-risk vulnerabilities patched within one month
  • ML2: extreme-risk patched within two weeks; vulnerability scan cadence tightened
  • ML3: extreme-risk patched within 48 hours; continuous scanning surface required

Evidence: Defender Vulnerability Management report, patch compliance dashboard export, SLA register.

3. Microsoft Office macro settings

Macros from the internet are blocked; only signed macros from trusted publishers execute.

Microsoft: Microsoft Intune (ADMX templates), Microsoft 365 Apps admin centre, Microsoft Defender for Office 365.

  • ML1: macros disabled for users without a demonstrated business need
  • ML2: only signed macros from trusted publishers; macros blocked from internet sources
  • ML3: macros restricted to trusted locations; sandboxed execution for permitted macros

Evidence: Intune policy export, macro exception register, signed publisher list.

4. User application hardening

Web browsers, PDF readers and other user applications are hardened against exploitation.

Microsoft: Microsoft Edge security baseline, Microsoft Defender for Endpoint Attack Surface Reduction (ASR) rules, Intune browser policies.

  • ML1: Flash, ads and Java in web browsers blocked; PDF reader hardening applied
  • ML2: ASR rules enforced in block mode across endpoints; PowerShell logging enabled
  • ML3: PowerShell execution policy restricted; Office hardening combined with ASR in audit-and-block coverage

Evidence: Edge security baseline policy, Defender ASR rule report, PowerShell logging configuration export.

5. Restrict administrative privileges

Privileged access is request-validated, time-bound, and isolated from standard user activity.

Microsoft: Microsoft Entra Privileged Identity Management (PIM), Microsoft Defender for Identity, just-in-time access, privileged access workstations.

  • ML1: separate privileged and standard accounts; access validated on request
  • ML2: time-bound PIM activation with approval workflow; privileged accounts blocked from internet and email
  • ML3: hardware-bound credentials, privileged access workstations, continuous activity audit

Evidence: PIM activation logs, access review reports, privileged account inventory.

6. Patch operating systems

Operating system vulnerabilities are remediated within ASD-defined timeframes.

Microsoft: Microsoft Intune, Windows Autopatch, Update Compliance, Microsoft Defender Vulnerability Management.

  • ML1: extreme-risk vulnerabilities patched within one month
  • ML2: extreme-risk within two weeks; unsupported OS versions retired
  • ML3: extreme-risk within 48 hours; continuous OS-level vulnerability surface monitored

Evidence: Autopatch compliance report, Update Compliance export, retirement register for unsupported OS.

7. Multi-factor authentication

MFA enforced for privileged users, then all users, with phishing-resistant methods at higher maturity.

Microsoft: Microsoft Entra MFA, Conditional Access, FIDO2 security keys, Windows Hello for Business.

  • ML1: MFA enforced for privileged users and for users accessing important data repositories
  • ML2: MFA enforced for all users; legacy authentication blocked through Conditional Access
  • ML3: phishing-resistant MFA (FIDO2, Windows Hello, certificate-based) for all users

Evidence: Conditional Access policy export, MFA registration report, legacy auth deprecation log.

8. Regular backups

Backups are taken regularly, retained per policy, and restoration is tested.

Microsoft: Microsoft 365 Backup, Azure Backup, retention and immutability policies, Microsoft Purview information protection for sensitive data tiers.

  • ML1: backups taken to a defined schedule; restoration tested annually
  • ML2: monthly restoration testing; backups isolated from production identity scope (ransomware-resilient)
  • ML3: quarterly restoration testing; offline copies retained; immutability enforced on critical workloads

Evidence: Backup policy export, restoration test report, immutability configuration audit.
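As an added example (not from this page or UHS Logic) tied to the evidence artefacts named under application control and user application hardening above: a PowerShell check that reads the local WDAC enforcement state and the action mode of each configured Defender ASR rule, flags anything short of the ML2 "block mode / enforced" target, and writes a per-host CSV for the evidence pack. It assumes a Windows 10/11 endpoint with Microsoft Defender Antivirus; the output directory is an assumed placeholder.

```powershell
# Added example, not from the UHS Logic page: collect local evidence that
# Defender ASR rules run in block mode and that WDAC is enforced, then write a
# per-host CSV for the evidence pack. Assumes Windows 10/11 with Microsoft
# Defender Antivirus; the output path is an assumed placeholder.
$OutDir = 'C:\E8Evidence'   # placeholder, adjust for your environment
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$hostName = $env:COMPUTERNAME
$stamp    = Get-Date -Format 'yyyyMMdd-HHmm'

# ASR rule state: Get-MpPreference exposes parallel arrays of rule GUIDs and
# action codes (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$pref    = Get-MpPreference
$ruleIds = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$modes   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$asr = @()
for ($i = 0; $i -lt $ruleIds.Count; $i++) {
    $action = [int]$actions[$i]
    $asr += [pscustomobject]@{
        Host     = $hostName
        Control  = 'ASR'
        Item     = $ruleIds[$i]
        Mode     = $modes[$action]
        MeetsML2 = ($action -eq 1)   # page: ML2 = ASR rules in block mode
    }
}

# WDAC / user-mode code integrity enforcement from the DeviceGuard WMI class
# (0 = Off, 1 = Audit, 2 = Enforced).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard
$ciStatus = [int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus
$ciModes  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
$wdac = [pscustomobject]@{
    Host     = $hostName
    Control  = 'WDAC'
    Item     = 'UsermodeCodeIntegrityPolicyEnforcementStatus'
    Mode     = $ciModes[$ciStatus]
    MeetsML2 = ($ciStatus -eq 2)     # page: enforced on workstations and servers
}

$report = $asr + $wdac
$report | Export-Csv -Path (Join-Path $OutDir "$hostName-$stamp.csv") -NoTypeInformation

# Surface anything that falls short so it lands in the exception register.
$report | Where-Object { -not $_.MeetsML2 } | Format-Table -AutoSize
```

Run it per endpoint (or push it through Intune as a script) and collect the CSVs alongside the Intune policy export and WDAC policy XML the page lists as evidence.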

Maturity levels

ML1, ML2, ML3 — what each level targets

Maturity Level 1 targets basic mitigation against opportunistic threat actors. Suitable for small organisations and lower-criticality systems where the threat model is commodity malware and unsophisticated targeting.

Maturity Level 2 targets mitigation against moderately capable threat actors prepared to invest time and effort in a specific target. ML2 is the planning baseline most Government agencies aim for, and the default for regulated enterprise.

Maturity Level 3 targets mitigation against highly capable, well-resourced threat actors executing sophisticated targeted attacks. ML3 is typical for critical infrastructure, Defence-aligned entities and systems carrying the highest classification.

Methodology

RapidLogic™ Essential Eight delivery

Three phases. Assess gates uplift. Uplift gates verify. Each phase produces evidence the next phase relies on.

01 · Assess

Current-state maturity assessment per strategy against your target ML. Microsoft tenant posture walked against the strategy mapping. Gaps identified per strategy, per ML target. Outputs a prioritised uplift roadmap.

02 · Uplift

Microsoft control implementation per gap: Intune, Defender, Entra, Sentinel, Purview configurations applied and verified. Each implementation produces the evidence artefact required for audit.

03 · Verify

Evidence pack assembled per strategy. Posture statements provided for accreditation review. Documentation refreshed each cycle so accreditation evidence stays current rather than going stale between assessments.

RapidLogic™ is the implementation methodology of UHS Logic. It is applied across all Essential Eight engagements.

Why UHS Logic

Proof, not posture

Microsoft Solutions Partner — Security

Microsoft Solutions Partner designation for Security. Defender, Sentinel, Entra, Intune and Purview delivered as one integrated practice, not as separate point products bolted together.

Microsoft-specialist practice

We do not deliver third-party EDR or non-Microsoft identity. Every consultant carries Microsoft as the core competency. Essential Eight uplift is grounded in current Microsoft delivery, not retrofitted onto a generalist consulting motion.

Government-fluent delivery

Documentation, framing and engagement language structured for procurement, audit and risk officers. We speak ISM, Essential Eight, PSPF and IRAP because the buyer does. Evidence packs are written for ASD review, not just internal delivery.

RapidLogic™ aligned to ASD guidance

RapidLogic™ delivery aligned to current ASD Essential Eight Maturity Model guidance. Where ASD updates the model, we incorporate the change into the next assessment cycle rather than waiting on the next major engagement.

FAQs

Frequently asked questions: Essential Eight on Microsoft

What is the Essential Eight, and which maturity level should we target?

The Essential Eight is the eight prioritised mitigation strategies published by ASD to protect against cyber threats. Three maturity levels apply: ML1 for basic protection against opportunistic threats, ML2 for protection against targeted attacks from moderately capable actors, and ML3 for protection against highly sophisticated targeted attacks. Most Government agencies target ML2 as the planning baseline. Critical infrastructure and Defence-aligned entities typically target ML3 for the systems carrying the highest classification or sensitivity.

Which Microsoft products satisfy the Essential Eight strategies?

Application control: Defender for Endpoint WDAC and Intune App Control. Patch applications and operating systems: Intune, Windows Autopatch, Microsoft Configuration Manager, Defender Vulnerability Management. Office macro settings and user application hardening: Intune policy and Defender ASR rules. Restrict administrative privileges: Entra PIM, Defender for Identity. Multi-factor authentication: Entra MFA, Conditional Access, FIDO2, Windows Hello. Regular backups: Microsoft 365 Backup and Azure Backup. The strategies-by-Microsoft section on this page walks each in detail.

Do we need to be on Microsoft 365 E5 to reach Essential Eight ML2?

Not always, but several controls are materially easier with E5 or with E3 plus specific add-ons. Defender for Endpoint Plan 2 is required for ASR enforcement and managed threat hunting. Entra ID Plan 2 carries PIM, Conditional Access reports and risk-based policies. Where lower licence tiers are in place, we map the achievable maturity per strategy and document the licence-driven gaps at the assessment stage rather than discovering them mid-uplift.

How long does a typical Essential Eight uplift to ML2 take?

Assessment runs four to six weeks. Uplift typically runs three to six months depending on tenant size, current posture and the number of strategies needing material work. Restrict administrative privileges and application control usually drive the timeline because they touch operational workflows. We sequence the uplift so the highest-risk gaps close first, not so the easiest ones produce the earliest visible wins.

How do we evidence Essential Eight maturity for accreditation review?

Each strategy produces a defined evidence artefact: policy exports, configuration reports, exception registers, restoration test reports and posture statements. The evidence pack is assembled per strategy and refreshed each cycle. Where IRAP-assessed status is required, the evidence pack is structured for the IRAP assessor's review rather than translated at assessment time.

Does Essential Eight uplift cover Microsoft Sentinel?

Sentinel is not a direct Essential Eight control, but it is the surface where the Essential Eight signal is operationalised. Application-control alerts, MFA failures, privileged-access activations, ASR rule firings, patch-compliance drift — Sentinel aggregates these signals into the SOC workflow. Where Sentinel is in scope, we incorporate the strategy-specific analytic content into the implementation.

Can UHS Logic deliver Essential Eight uplift alongside a Copilot rollout?

Yes, and we sequence them deliberately. Several Essential Eight strategies (MFA, restrict administrative privileges, application control) are gates on a Copilot rollout. Others (regular backups, OS patching) uplift in parallel. The combined engagement is structured so the Copilot accreditation evidence carries the Essential Eight uplift evidence as a dependency, not as a separate stream.

How does this engagement differ from a third-party penetration test or ISO 27001 audit?

Essential Eight is a prescriptive control set published by ASD. Penetration testing assesses real-world exploitability against the defended posture. ISO 27001 certifies the information security management system that governs controls. The three answer different questions. UHS Logic delivers Essential Eight implementation; we coordinate with your existing penetration test vendor and ISMS auditor rather than replacing either.

Request an Essential Eight assessment

Tell us where you are with Microsoft 365 and the maturity level you are planning against. We respond within one business day with a recommended assessment scope, the strategies likely to drive the timeline, and the evidence approach for your accreditation review.

UHS Logic · Microsoft Solutions Partner