ACSC Essential Eight
The Australian Cyber Security Centre's Essential Eight is the baseline mitigation strategy set. Manage365 scores every one against live M365 configuration, per tenant, producing an ACSC Maturity Level (ML0 / ML1 / ML2 / ML3) for each strategy and an overall score.
Mapping
Each strategy maps to a small set of M365 / Entra controls:
| Strategy | What we check |
|---|---|
| Application control | Intune app protection policies + Windows Defender Application Control (WDAC) policies via Graph. |
| Patch applications | Intune Windows Update for Business settings, update rings, Office update channel. |
| MS Office macro settings | Intune configuration profiles enforcing macro signing / blocking. |
| User application hardening | Attack-surface-reduction rules, browser baselines, MS365 Apps for Enterprise policies. |
| Restrict admin privileges | Directory-role membership counts, PIM coverage, admin-specific Conditional Access, JIT grants. |
| Patch operating systems | Update compliance reports, OS version distribution, feature-update deferrals. |
| Multi-factor authentication | Conditional Access policies requiring MFA, per-user MFA state, authentication-method inventory. |
| Regular backups | Retention policies + SaaS backup integration status (Veeam / Datto SaaS Protection / AvePoint). |
Scoring
Each strategy returns a status of compliant, partial, non_compliant, not_assessed, or error. Overall score is the mean of assessed strategies, ignoring not_assessed to avoid penalising tenants where a GDAP role is missing (fix the role, rescan).
Findings have a remediation block with the specific Graph endpoint, Intune blade, or admin-centre path to fix it. We don't auto-remediate; that's the Standards engine's job, and you should pick which standards to apply deliberately.
Auto-scan
A weekly auto-scan runs every Sunday 03:00 UTC across all active tenants. Manual scans from the tenant's Compliance tab are also welcome at any time; a scan within the last 5 days is considered “fresh” and the auto-scan will skip it.
History is built from persisted scan rows — every scan is a point-in-time snapshot. The tenant's Compliance tab renders a 90-day sparkline + total percentage-point delta; the portfolio-wide /compliance page shows a trend table sorted by biggest movement.
Evidence
Every scan can be exported as a JSON evidence package or bundled with the other frameworks plus the 90-day audit log via the evidence-bundle ZIP, ready for an auditor.