
9 Ways Microsoft 365 Helps You Achieve Cyber Essentials Compliance
Introduction
Cyber Essentials is a must-have certification for UK businesses looking to strengthen security, reduce cyber risks, and meet client or regulatory requirements. However, configuring the required security controls manually can be complex.
With Microsoft 365 Business Premium, you get built-in tools that help you meet the 5 Cyber Essentials technical controls:
Firewalls - Protecting your network from cyber threats
Secure Configuration - Ensuring devices are set up securely
User Access Control - Limiting user access based on need
Malware Protection - Preventing and detecting cyber threats
Security Update Management - Keeping software and systems up to date
Here’s how Microsoft 365 helps you meet each requirement efficiently.
1. Entra ID – Securely Add & Manage Devices
Cyber Essentials Control: User Access Control
A key requirement in Cyber Essentials is ensuring only authorised devices and users can access company data. Microsoft Entra ID (formerly Azure AD) helps businesses enforce:
Conditional Access - Restrict logins from unknown or non-compliant devices
Device Compliance Policies - Ensure only secure, company-managed devices can connect
Role-Based Access Control (RBAC) - Grant users only the permissions they need
This prevents unauthorised access and ensures only approved devices connect to business systems.
2. Windows Hello for Business – Passwordless Authentication
Cyber Essentials Control: User Access Control
Passwords are one of the biggest attack vectors. Cyber Essentials requires secure login mechanisms, and Windows Hello for Business eliminates traditional passwords by using:
Facial recognition, fingerprint scans, or PINs instead of passwords
Phish-resistant authentication
Multi-factor authentication (MFA) enforcement
This significantly reduces the risk of stolen credentials and meets Cyber Essentials’ strong authentication requirements.
3. Local Administrator Password Solution (LAPS) – Protect Admin Credentials
Cyber Essentials Control: User Access Control
Cyber Essentials requires secure management of admin accounts. LAPS automatically secures local administrator passwords by:
Randomly generating unique passwords for each machine
Ensuring passwords are never reused
Automatically rotating passwords to prevent privilege escalation
This prevents attackers from moving laterally if they compromise a single machine.
4. Autopilot – Standardised & Secure Device Setup
Cyber Essentials Control: Secure Configuration
Cyber Essentials requires all company devices to be securely configured before use. Autopilot ensures every device is set up securely from day one by:
Deploying a standardised, security-hardened image
Removing bloatware & disabling unnecessary features
Enforcing company-wide security settings automatically
This prevents security risks from poorly configured endpoints.
5. Patch Management – Automated Updates via Update Rings
Cyber Essentials Control: Security Update Management
Keeping software updated and patched is a core Cyber Essentials requirement. Microsoft Update Rings in Intune allow businesses to:
Automate Windows security updates
Control update rollouts to avoid downtime
Ensure compliance by keeping all devices up to date
This ensures critical security patches are installed without relying on users to do it manually.
6. Vulnerability Management – Identify & Fix Security Gaps
Cyber Essentials Control: Secure Configuration & Security Update Management
Microsoft Defender for Endpoint includes a built-in vulnerability management tool that helps businesses:
Detect outdated or misconfigured software
Identify security gaps before attackers exploit them
Prioritise critical updates and fixes
This allows businesses to proactively close security gaps and strengthen defence against cyber threats.
7. Anti-Malware & Firewall Policies – Prevent Cyber Attacks
Cyber Essentials Controls: Malware Protection & Firewalls
Cyber Essentials mandates firewall and malware protection for all devices. Microsoft Defender provides:
Real-time antivirus scanning to detect and block malware
Firewall policies to control inbound & outbound network traffic
Tamper protection to prevent malware from disabling security settings
This ensures devices remain protected from cyber threats.
8. Secure Device Settings via Intune – Lock Down Endpoints
Cyber Essentials Control: Secure Configuration
Cyber Essentials requires all devices to be securely configured to reduce risk. Microsoft Intune allows businesses to enforce security settings such as:
Disabling Autorun (to prevent USB-based malware attacks)
Enforcing screen lock policies (to protect unattended devices)
Restricting software installations to prevent unauthorised apps
This reduces the attack surface and ensures devices remain secure at all times.
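As an added example (not part of the original article and not Microsoft's own tooling), the read-only PowerShell check below audits a Windows endpoint for the settings named in sections 7 and 8: firewall profiles, Defender real-time and tamper protection, and Autorun. The function name Test-EndpointBaseline is hypothetical, and using the NoDriveTypeAutoRun policy value as the Autorun indicator is an assumption.

```powershell
# Added example: read-only audit of settings named in sections 7 and 8.
# Run on the Windows endpoint being checked; nothing is modified.
function Test-EndpointBaseline {   # hypothetical helper name
    $results = [System.Collections.Generic.List[object]]::new()

    # Firewalls: every profile (Domain, Private, Public) should be enabled.
    foreach ($fwProfile in Get-NetFirewallProfile) {
        $results.Add([pscustomobject]@{
            Control = 'Firewalls'
            Check   = "Firewall profile '$($fwProfile.Name)' enabled"
            Pass    = ($fwProfile.Enabled -eq 'True')
        })
    }

    # Malware Protection: Defender real-time scanning and tamper protection.
    # $mp is $null if the Defender cmdlet fails, so both checks report False.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $results.Add([pscustomobject]@{
        Control = 'Malware Protection'
        Check   = 'Defender real-time protection enabled'
        Pass    = [bool]$mp.RealTimeProtectionEnabled
    })
    $results.Add([pscustomobject]@{
        Control = 'Malware Protection'
        Check   = 'Defender tamper protection enabled'
        Pass    = [bool]$mp.IsTamperProtected
    })

    # Secure Configuration: Autorun disabled for all drive types.
    # Assumption: the setting lands in the standard Explorer policy key,
    # where 0xFF (255) means Autorun is off for every drive type.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autorun = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun `
        -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $results.Add([pscustomobject]@{
        Control = 'Secure Configuration'
        Check   = 'Autorun disabled for all drives'
        Pass    = ($autorun -eq 255)
    })

    return $results
}

Test-EndpointBaseline | Format-Table -AutoSize
```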
9. Phish-Resistant MFA – Secure User Access
Cyber Essentials Control: User Access Control
Multi-Factor Authentication (MFA) is mandatory for Cyber Essentials - but not all MFA is equal. Microsoft 365 provides strong, phish-resistant MFA, including:
FIDO2 security keys
Passkeys & passwordless authentication
Windows Hello for Business MFA
This eliminates phishing risks and ensures only verified users can access business data.
Final Thoughts
Achieving Cyber Essentials compliance is easier with Microsoft 365 - but you need the right setup. At a minimum, businesses should use Microsoft 365 Business Premium, which includes:
Microsoft Intune for device security
Defender for Endpoint for malware protection
Conditional Access & MFA for user security
Patch & vulnerability management