Cyber Essentials · Microsoft 365

Compliance overview

Posture grade

Weighted across applicable checks

Compliance score

72%

12 checks assessed

Controls compliant

1/ 5

Cyber Essentials technical controls

Issues to address

4 items need manual review

Across all checks

Check distribution

Microsoft Secure Score: 75% (212/283)

pass6warn1review4fail1error1

What to fix first

Priority actions

Fail

Legacy authentication is blockedhighSecure configuration

Add a Conditional Access policy that blocks legacy authentication (clientAppTypes: other / exchangeActiveSync).

Warning

Managed devices report complianthighSecurity update management

Investigate non-compliant devices; ensure update rings/compliance policies enforce timely security updates (within 14 days).

The five technical controls

Controls

Firewalls

Review50%

Boundary and host firewalls protect every device and network edge.

ReviewHost firewall is centrally managed

Confirm an Intune policy enables and requires the host firewall on every in-scope device.

1 compliance policies77% devices compliant

FixConfigure an Intune endpoint-security firewall policy (or compliance rule) that enables the host firewall on all devices.

via /deviceManagement/deviceCompliancePolicies · /deviceManagement/managedDevices

ReviewBoundary firewall is configured

Boundary firewalls (office routers/firewalls and home-worker firewalls) sit outside Microsoft 365's visibility and must be confirmed manually.

FixDocument each boundary firewall: default-deny inbound, no unauthenticated remote admin, changed default passwords, and only approved inbound rules.

Secure configuration

Fail67%

Devices and services are hardened from their default state.

PassDevice compliance policies are defined1

Device compliance policies are configured in Intune.

1 compliance policiesDefault compliance policy for Android

via /deviceManagement/deviceCompliancePolicies

FailLegacy authentication is blockedhigh

No Conditional Access policy blocks legacy authentication.

0 policies block legacy clientssecurity defaults: off

FixAdd a Conditional Access policy that blocks legacy authentication (clientAppTypes: other / exchangeActiveSync).

via /identity/conditionalAccess/policies

PassDevices are enrolled in management97

Devices are enrolled in Intune management.

97 managed devicesWindows: 97

via /deviceManagement/managedDevices

Security update management

Warning55%

Supported software is patched promptly — within 14 days for critical updates.

WarningManaged devices report compliant77%high

A material share of managed devices are not compliant and may be missing updates.

75/97 devices compliant

FixInvestigate non-compliant devices; ensure update rings/compliance policies enforce timely security updates (within 14 days).

via /deviceManagement/managedDevices

ReviewDevices run supported operating systems

Confirm every operating system below is still in vendor support and receiving security updates.

Windows: 97

FixRetire or upgrade any devices on out-of-support OS versions; enforce a minimum OS in compliance policy.

via /deviceManagement/managedDevices

User access control

Pass100%

Accounts use MFA and least privilege; admin access is tightly held.

ErrorMulti-factor authentication is registered

Could not evaluate: The principal does not have required Microsoft Graph permission(s): AuditLog.Read.All to call this API. For more information about Microsoft Graph permissions, please visit https://learn.microsoft.com/graph/permissions-overview.

FixConfirm the app registration has the required Graph application permission with admin consent granted.

via /reports/authenticationMethods/userRegistrationDetails

PassConditional Access enforces MFA

At least one enabled Conditional Access policy requires multi-factor authentication.

6 CA policies total3 enforcing MFA1 report-only

via /identity/conditionalAccess/policies

PassGlobal Administrator accounts are limited4

The number of Global Administrators is within the recommended range.

4 active Global Administrators

via /directoryRoles?$expand=members

PassBaseline access protection is enabled

Conditional Access policies are enabled and protecting sign-ins.

security defaults: off5 enabled CA policies

via /policies/identitySecurityDefaultsEnforcementPolicy · /identity/conditionalAccess/policies

Malware protection

Review75%

Anti-malware is deployed and enforced across in-scope devices.

PassAnti-malware protection is licensed

A Microsoft Defender for Endpoint/Business licence is present.

Defender component: present

via /subscribedSkus

ReviewEndpoint protection is enforced on devices

Confirm directly that real-time and cloud-delivered protection are required by compliance policy and healthy on all devices.

Defender licensed: yes1 compliance policies77% devices compliant

FixEnsure compliance policies require Microsoft Defender real-time protection and that the antimalware service is healthy across devices.

via /deviceManagement/deviceCompliancePolicies · /deviceManagement/managedDevices

Microsoft 365 licensing

Licences and security components

The components below determine which Cyber Essentials checks can be assessed automatically. Conditional Access needs Entra ID P1; device checks need Intune; native malware protection comes from Defender.

Microsoft Entra ID P1

Included via Entra ID P1

Microsoft Intune

Included via Intune Plan 1, Intune (SMB)

Microsoft Defender for Endpoint / Business

Included via Defender for Business, Defender for Office 365 Plan 2

Subscribed licences (394 assigned)

Microsoft 365 Business PremiumSPB

103 / 108

McoevMCOEV

85 / 93

Microsoft Power Automate FreeFLOW_FREE

68 / 10000

Power BI (free)POWER_BI_STANDARD

37 / 1000000

Power BI PROPOWER_BI_PRO

22 / 24

Microsoft 365 CopilotMicrosoft_365_Copilot

22 / 25

Phonesystem VirtualuserPHONESYSTEM_VIRTUALUSER

16 / 17

Exchange Online (Plan 1)EXCHANGESTANDARD

10 / 10

Powerapps PER UserPOWERAPPS_PER_USER

10 / 13

Power Virtual Agents Viral TrialCCIBOTS_PRIVPREV_VIRAL

5 / 10000

Power Pages Vtrial FOR MakersPower_Pages_vTrial_for_Makers

4 / 10000

Powerapps DEVPOWERAPPS_DEV

4 / 10000

Powerapps ViralPOWERAPPS_VIRAL

3 / 10000

Project Madeira Preview IW SKUPROJECT_MADEIRA_PREVIEW_IW_SKU

2 / 10000

Flow PER UserFLOW_PER_USER

1 / 1

RightsmanagementRIGHTSMANAGEMENT

1 / 1

Exchange Online (Plan 2)EXCHANGEENTERPRISE

1 / 1

Windows StoreWINDOWS_STORE

0 / 1000000

Power Virtual AgentsPower_Virtual_Agents

0 / 1

CDS DB CapacityCDS_DB_CAPACITY

0 / 13

Powerapps PER APP NEWPOWERAPPS_PER_APP_NEW

0 / 77

Assessed Fri, 19 Jun 2026 17:49:23 GMT · completed in 1.0s · Acumon Sentry