Essential 8 and Business Premium
Microsoft 365 Business Premium can help organizations meet most of the ACSC Essential Eight cybersecurity controls—but Office macro restrictions require an Enterprise Office license.
The Australian Cyber Security Centre’s (ACSC) Essential Eight is a prioritized set of mitigation strategies designed to strengthen an organization’s cybersecurity posture. For small and medium-sized businesses (SMBs), Microsoft 365 Business Premium offers a powerful suite of tools that align with many of these controls, making it a compelling choice for organizations aiming to improve resilience without the complexity of enterprise-grade solutions.
🛡️ What Is the Essential Eight?
The Essential Eight includes the following mitigation strategies:
Application Control
Patch Applications
Configure Microsoft Office Macro Settings
User Application Hardening
Restrict Administrative Privileges
Patch Operating Systems
Multi-Factor Authentication (MFA)
Regular Backups
These controls are grouped into three maturity levels, with Level 2 being the baseline for many government and regulated entities. This also helps organisations achieve DISP (Defence Industry Security Program) compliance.
✅ How Microsoft 365 Business Premium Supports Essential Eight
Here’s how Business Premium maps to each control:
Application Control: Achievable via Microsoft Defender for Business and App Control for Business policies
Patch 3rd Party Applications: Supported through application deployment
Patch Operating Systems: Managed via Intune and Windows Update policies, as well as the newly available Autopatch
Restrict Admin Privileges: Entra ID P1 enables Conditional Access and role-based access control. This enables you to set up PIM (Privileged Identity Management)
Multi-Factor Authentication (MFA): Built-in with Entra ID; enforceable via Conditional Access
User Application Hardening: Achievable with Defender for Business ASR rules and Intune security baselines
Regular Backups: Microsoft OneDrive and SharePoint offer versioning and backup capabilities
Configure Office Macro Settings: ❌ Not achievable with Business Premium; requires a Microsoft 365 Apps for Enterprise license
⚠️ The Macro Restriction Gap
One critical caveat: Business Premium does not include Microsoft 365 Apps for Enterprise, which is required to configure and enforce Office macro settings via Group Policy or Intune. This means organizations relying solely on Business Premium cannot fully meet the macro control requirement, a key component of the Essential Eight.
To close this gap, consider upgrading to Microsoft 365 E3 or purchasing Microsoft 365 Apps for Enterprise as a standalone license.
🧩 Final Thoughts
Microsoft 365 Business Premium provides a robust foundation for SMBs to align with the Essential Eight. With built-in security tools like Defender for Business, Intune, and Azure AD Premium P1, most controls can be implemented and automated. However, Office macro restrictions remain a licensing limitation that must be addressed separately.
If you're aiming for full Essential Eight compliance, especially at Maturity Level 2 or higher, review your licensing mix carefully and consider where Enterprise-grade tools may be necessary.