Cyber Essentials v3.3 Cloud Scope Changes: Why Your Microsoft 365 Tenant Cannot Be Ignored

If your business uses Microsoft 365 and is working towards Cyber Essentials certification, your Microsoft 365 tenant is now firmly within the scope of your assessment. This has been a significant source of confusion for UK businesses, many of whom assumed that because Microsoft runs the underlying infrastructure, their cloud tenant fell outside their Cyber Essentials scope.

Cyber Essentials v3.3 applies to assessment accounts created from 27 April 2026. The updated requirements confirm that cloud services must be in scope where your organisation’s data or services are hosted on them, and cloud services cannot simply be excluded because they are managed by a third-party provider. IASME defines a cloud service as an on-demand, scalable service hosted on shared infrastructure, accessible via the internet, accessed via an account, and used to store or process organisational data.

Microsoft 365 sits squarely within that definition. If your tenant is not configured in line with the Cyber Essentials controls at the time of assessment, your certification is at risk.

For businesses that rely on Microsoft 365 as their primary productivity platform, this is not a peripheral concern. Getting your tenant configuration right before your assessment is one of the most important and most commonly overlooked steps in the entire Cyber Essentials preparation process.

If you work with a managed business IT support services provider, they should already be across these scope changes and able to assess your M365 tenant configuration as part of your Cyber Essentials preparation. If this has not formed part of their process, it is worth raising directly before your next assessment window.

What Has Changed About Cloud Services and Cyber Essentials Scope

Cyber Essentials has always required businesses to apply its five technical controls to systems within their defined scope. For many years, that scope was relatively straightforward to define. It covered the devices your staff used, the internet-facing services your business operated, and the on-premises systems your organisation managed.

The widespread adoption of cloud services complicated this picture. Businesses now use platforms like Microsoft 365, Google Workspace, CRM systems, finance platforms and other SaaS tools to store data, communicate, collaborate and run critical processes. The question of whether these platforms counted as in-scope became increasingly important, and v3.3 makes the position much clearer.

Cyber Essentials v3.3 confirms that cloud services are in scope where your organisation’s data or services are hosted on them. The fact that Microsoft manages the underlying infrastructure does not transfer responsibility for your tenant configuration to Microsoft. Under the shared responsibility model, Microsoft secures the cloud platform, but your organisation remains responsible for how users, access, sharing, authentication and security controls are configured in your own tenant.

In practice, this means your Microsoft 365 tenant, including Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, Microsoft Entra ID and any Microsoft Defender services you use, must be configured in line with the relevant Cyber Essentials controls at the point your certificate is issued.

Our post on why your business should become Cyber Essentials accredited gives a comprehensive overview of the scheme and why UK businesses increasingly find that certification is expected by clients, insurers and public sector supply chains. Our post on why IT compliance matters covers the broader regulatory and commercial context that makes certification a business priority rather than just an IT exercise.

The Five Controls Applied to Your Microsoft 365 Tenant

The five Cyber Essentials controls are firewalls, secure configuration, user access control, malware protection and security update management. Each applies to your Microsoft 365 environment, though the practical implementation looks different from a traditional on-premises setup.

Firewalls

In a Microsoft 365 context, the firewall control should be understood alongside the access and network controls that determine who can connect to your cloud services and from where. Microsoft manages the physical network perimeter for the cloud service, but your organisation still controls important access policies at tenant level.

Conditional Access policies in Microsoft Entra ID can help restrict access based on users, devices, locations, risk levels and sign-in conditions. For example, you may require compliant managed devices, block high-risk sign-ins, or restrict access from countries where your organisation does not operate.

Exchange Online Protection also provides email filtering, helping control inbound and outbound email threats. These controls do not replace traditional firewalls on your office network, but they form an important part of how access to your cloud environment is controlled.

Secure Configuration

Secure configuration requires systems to be set up to reduce their attack surface and avoid insecure defaults. For Microsoft 365, this includes disabling or blocking legacy authentication protocols, which are older connection methods that do not properly support modern MFA and are frequently targeted in credential attacks.

It also covers external sharing settings in SharePoint and OneDrive, guest access in Teams, mailbox forwarding rules, tenant-wide security defaults, audit logging, anti-spam settings, anti-phishing policies and anti-malware configuration in Exchange Online.
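The legacy authentication block described above and the Conditional Access policies mentioned under Firewalls can be checked together with the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the original post or from Northern Star. It assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the Policy.Read.All scope, and that the function name Get-CeSignInBaseline is ours rather than anything Microsoft ships.

```powershell
# Added example (not from the original post or from Northern Star): report whether the
# tenant blocks legacy authentication and requires MFA for all users, either through
# Conditional Access or, for tenants without Entra ID P1, through Security Defaults.
# Assumes the Microsoft.Graph SDK (Install-Module Microsoft.Graph) and Policy.Read.All.
function Get-CeSignInBaseline {
    Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

    # Security Defaults block legacy protocols and require every user to register for
    # MFA; they are mutually exclusive with Conditional Access.
    $securityDefaults = [bool](Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled

    $policies = Get-MgIdentityConditionalAccessPolicy -All

    # Graph represents legacy protocols as the client app types 'exchangeActiveSync' and
    # 'other'. A usable block policy is enforced (not report-only), targets all users and
    # carries the 'block' grant control.
    $legacyBlock = @($policies | Where-Object {
        $_.State -eq 'enabled' -and
        $_.Conditions.Users.IncludeUsers -contains 'All' -and
        $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
        $_.Conditions.ClientAppTypes -contains 'other' -and
        $_.GrantControls.BuiltInControls -contains 'block'
    })

    # MFA can be required with the built-in 'mfa' control or with an authentication
    # strength; both count. The policy must cover all users and all cloud apps.
    $mfaForAll = @($policies | Where-Object {
        $_.State -eq 'enabled' -and
        $_.Conditions.Users.IncludeUsers -contains 'All' -and
        $_.Conditions.Applications.IncludeApplications -contains 'All' -and
        ($_.GrantControls.BuiltInControls -contains 'mfa' -or
         -not [string]::IsNullOrEmpty($_.GrantControls.AuthenticationStrength.Id))
    })

    [pscustomobject]@{
        SecurityDefaultsEnabled = $securityDefaults
        LegacyAuthBlocked       = $securityDefaults -or ($legacyBlock.Count -gt 0)
        LegacyBlockPolicies     = @($legacyBlock.DisplayName)
        MfaRequiredForAllUsers  = $securityDefaults -or ($mfaForAll.Count -gt 0)
        MfaPolicies             = @($mfaForAll.DisplayName)
        # Exclusions are legitimate (break-glass accounts) but each one needs a documented
        # reason, so list them for the scope write-up.
        ExcludedUsers           = @(($legacyBlock + $mfaForAll).Conditions.Users.ExcludeUsers | Sort-Object -Unique)
        # Report-only policies enforce nothing and so do not satisfy the control.
        ReportOnlyPolicies      = @(($policies | Where-Object State -eq 'enabledForReportingButNotEnforced').DisplayName)
    }
}

Get-CeSignInBaseline | Format-List
```

The output is deliberately a single object so the same check can be run before the assessment and again during the year; a false in LegacyAuthBlocked or MfaRequiredForAllUsers, or an unexplained entry in ExcludedUsers, is the finding to fix.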

Our post on what is an Office 365 assessment explains what a structured review of your M365 configuration covers and why a pre-assessment review is a sensible investment before any Cyber Essentials submission.

User Access Control

User access control requires accounts to be assigned only the permissions they need, administrator accounts to be used carefully, and multi-factor authentication to be enabled where required.

Cyber Essentials v3.3 tightened the marking criteria around MFA. Where MFA is available for a cloud service, whether free, included, connected through another service or available as a paid option, failure to implement it results in an automatic failure of the assessment.

In Microsoft 365, this means MFA should be enabled for all user accounts that access the tenant. Accounts with elevated roles, such as Global Administrator, Exchange Administrator, SharePoint Administrator or Security Administrator, should be tightly controlled, protected with MFA, and not used for everyday activity such as email or web browsing.

Where possible, dedicated admin accounts should be used for administrative tasks, with standard accounts used for normal day-to-day work. Privileged roles should also be reviewed regularly and removed when no longer needed.

Our post on password best practices covers authentication security in broader terms, and our post on why businesses should consider Microsoft Intune explains how Intune device compliance policies integrate with Entra ID Conditional Access to enforce access control requirements across your device fleet.

Malware Protection

Microsoft 365 includes built-in malware protection through Exchange Online Protection, and additional protection can be added through Microsoft Defender for Microsoft 365, depending on your licensing.

For Cyber Essentials purposes, the question is not simply whether your subscription includes security tools. The question is whether appropriate protections are enabled, configured and applied to users.

Anti-malware policies should be active. Anti-phishing and anti-spam settings should be reviewed. Safe Links and Safe Attachments should be configured where your licence includes them. Quarantine handling, alerting and user reporting should also be set up deliberately rather than left to default settings without review.

Our posts on EDR vs antivirus vs XDR and why EDR matters more than ever explain how cloud-based protection tools in M365 work alongside endpoint protection on your devices as part of a layered defence.

Security Update Management

In Microsoft 365, Microsoft patches the underlying cloud infrastructure and updates the service. Your organisation’s responsibility sits mainly with the devices, operating systems, browsers, Office applications and third-party apps that connect to your tenant.

Any device accessing Microsoft 365 from an unsupported operating system, unsupported browser or unpatched application can create a Cyber Essentials scope issue, regardless of how well the tenant itself is configured.

Cyber Essentials v3.3 also introduced stricter marking around security updates. High-risk or critical updates and vulnerability fixes for operating systems, router and firewall firmware, and applications must be installed within 14 days of release, and failure to meet the standard can result in automatic failure.

Common Microsoft 365 Gaps That Cause Cyber Essentials Assessment Failures

| Configuration Area | Typical Gap Found | Cyber Essentials Control Affected |
|---|---|---|
| Legacy authentication | Still enabled for some users, devices or applications | Secure configuration, user access control |
| MFA enforcement | Not applied to all cloud service users | User access control |
| Admin account usage | Global admin accounts used for routine email or browsing | User access control |
| Admin account sharing | Shared admin credentials or unclear ownership | User access control |
| External sharing in SharePoint and OneDrive | "Anyone with the link" enabled without expiry or review | Secure configuration |
| Guest access in Teams | Unrestricted guest access with no approval or review process | Secure configuration |
| Safe Attachments and Safe Links | Not enabled where the licence supports them, or not applied broadly | Malware protection |
| Anti-phishing policies | Default settings only, not reviewed or tuned | Malware protection, secure configuration |
| Conditional Access policies | Absent, inconsistent or not enforcing strong sign-in requirements | Firewalls, user access control |
| Device operating systems | End-of-life Windows, macOS, mobile OS or unsupported browsers in use | Security update management |
| Mail forwarding rules | Unreviewed auto-forwarding to external addresses | Secure configuration |
| Inactive users | Old accounts left enabled after staff leave | User access control |
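Two rows of the table above, mail forwarding rules and inactive users, are easy to miss because the admin centre shows neither in one place. The script below is an added example, not code from the original post or from Northern Star. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, an Entra ID P1 or P2 licence (the signInActivity property depends on it), the scopes requested in the code, and that the function names beginning Get-Ce are ours.

```powershell
# Added example (not from the original post or from Northern Star): find mailboxes that
# forward outside the tenant, and enabled member accounts with no recent sign-in.

function Get-CeExternalForwarding {
    Connect-ExchangeOnline -ShowBanner:$false

    # Forwarding to one of the tenant's own domains is internal and not reported.
    $ownDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLowerInvariant() }

    # Targets come back as 'smtp:user@example.com' (mailbox property) or
    # '"Name" [SMTP:user@example.com]' (inbox rule), so pull the address out by regex.
    function Test-External([string]$target) {
        if ($target -notmatch '([\w.+-]+@[\w.-]+\.[\w-]+)') { return $false }
        return $ownDomains -notcontains $Matches[1].Split('@')[1].ToLowerInvariant()
    }

    # Tenant-wide switches decide whether user-level forwarding can leave at all.
    $tenant = [pscustomobject]@{
        RemoteDomainAutoForward = (Get-RemoteDomain Default).AutoForwardEnabled
        OutboundSpamAutoForward = Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
    }

    $mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox
    $hits = foreach ($m in $mailboxes) {
        # Mailbox-level forwarding: an SMTP address set directly, or a directory recipient
        # (which may be a mail contact pointing outside the tenant).
        $targets = @($m.ForwardingSmtpAddress)
        if ($m.ForwardingAddress) {
            $targets += (Get-Recipient $m.ForwardingAddress -ErrorAction SilentlyContinue).PrimarySmtpAddress
        }
        foreach ($t in $targets | Where-Object { Test-External ([string]$_) }) {
            [pscustomobject]@{ Mailbox = $m.UserPrincipalName; Source = 'Mailbox setting'; Target = [string]$t }
        }
        # Inbox rules that forward or redirect: one call per mailbox, so this is the slow part.
        foreach ($rule in Get-InboxRule -Mailbox $m.UserPrincipalName | Where-Object Enabled) {
            $ruleTargets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            foreach ($t in $ruleTargets | Where-Object { Test-External ([string]$_) }) {
                [pscustomobject]@{ Mailbox = $m.UserPrincipalName; Source = "Inbox rule '$($rule.Name)'"; Target = [string]$t }
            }
        }
    }
    [pscustomobject]@{ TenantSettings = $tenant; ExternalForwarding = @($hits) }
}

function Get-CeInactiveAccounts([int]$Days = 90) {
    Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All' -NoWelcome
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days)
    Get-MgUser -All -Filter 'accountEnabled eq true' `
        -Property Id, UserPrincipalName, UserType, CreatedDateTime, SignInActivity |
      Where-Object UserType -eq 'Member' |
      ForEach-Object {
        # Interactive and non-interactive sign-ins are tracked separately; use the newer.
        $last = @($_.SignInActivity.LastSignInDateTime, $_.SignInActivity.LastNonInteractiveSignInDateTime) |
                Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
        if (-not $last -and $_.CreatedDateTime -gt $cutoff) { return }   # new account, no history yet
        if (-not $last -or $last -lt $cutoff) {
            [pscustomobject]@{ Account = $_.UserPrincipalName; LastSignIn = $last; Created = $_.CreatedDateTime }
        }
      }
}

(Get-CeExternalForwarding).ExternalForwarding | Format-Table -AutoSize
Get-CeInactiveAccounts -Days 90 | Format-Table -AutoSize
```

The 90-day window is a common review threshold rather than a Cyber Essentials figure; pick the period your leaver process supports. Accounts listed by Get-CeInactiveAccounts are candidates for disabling, and every row from Get-CeExternalForwarding needs a named owner who can justify it.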

Each of these gaps is addressable with the right knowledge of the Microsoft 365 admin centre, Microsoft Entra ID and Microsoft Defender. The challenge for most businesses is that they lack a structured process for reviewing their tenant configuration and may not know which settings to look for or how to interpret the Cyber Essentials requirements in a cloud context.

What to Review Before Your Cyber Essentials Assessment

Working through the gaps above before your assessment is the most practical preparation step. Several broader points are also worth addressing as part of your readiness review.

Define Your Scope Clearly And Document It

Before your assessment, produce a written record of which cloud services fall within your Cyber Essentials scope. If your business uses Microsoft 365 as its primary platform, the relevant tenant is in scope. If you also use Google Workspace, Dropbox, Salesforce, Xero or other cloud platforms for business functions, those may also need to be included.

Cyber Essentials v3.3 also requires clearer scope descriptions. Organisations must explain any areas excluded from scope and justify how excluded networks or systems are separated from in-scope infrastructure.

Our post on Google Workspace backup provides relevant context for businesses running both platforms and needing to account for both in their scope documentation.

Audit Every Account With Elevated Privileges

Work through every account holding a Global Administrator, Exchange Administrator, SharePoint Administrator, Security Administrator or other elevated role assignment in Microsoft Entra ID.

Confirm that each admin role is still needed. Remove old assignments. Check that privileged accounts are protected with MFA. Avoid shared admin accounts wherever possible. Make sure admin accounts are not being used casually for daily email, web browsing or routine user activity.

This is one of the areas where small configuration habits can create major risk. A single compromised global admin account can expose the entire Microsoft 365 tenant.
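The privileged account audit described above, together with the User Access Control points about MFA on admin roles and separate accounts for daily work, can be produced as one report with the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the original post or from Northern Star. It assumes the Microsoft.Graph module, an Entra ID P1 or P2 licence for the registration report, the scopes requested in the code, and that the function name Get-CePrivilegedAccountReport and the role list are ours; the role names themselves are the built-in Entra ID role display names.

```powershell
# Added example (not from the original post or from Northern Star): list every active
# member of the privileged Entra ID roles and report, per member, whether MFA is
# registered and whether the account holds a licence. A licensed admin account is usually
# also someone's everyday mailbox, which is the habit the post warns against.
function Get-CePrivilegedAccountReport {
    Connect-MgGraph -NoWelcome -Scopes 'RoleManagement.Read.Directory', 'User.Read.All',
        'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

    $watchedRoles = @(
        'Global Administrator', 'Privileged Role Administrator', 'Exchange Administrator',
        'SharePoint Administrator', 'Security Administrator', 'User Administrator',
        'Authentication Administrator', 'Conditional Access Administrator'
    )

    # Registration report keyed by object id, fetched once instead of per member.
    $registration = @{}
    Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
        ForEach-Object { $registration[$_.Id] = $_ }

    # Get-MgDirectoryRole returns only roles activated in the tenant, and
    # Get-MgDirectoryRoleMember returns only active (not PIM-eligible) members;
    # eligible assignments need a separate review in PIM.
    foreach ($role in Get-MgDirectoryRole -All | Where-Object { $watchedRoles -contains $_.DisplayName }) {
        foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
            $odataType = $member.AdditionalProperties['@odata.type']
            if ($odataType -ne '#microsoft.graph.user') {
                # Groups and service principals in admin roles are recorded but not expanded.
                [pscustomobject]@{
                    Role = $role.DisplayName; Account = $member.Id; Kind = $odataType
                    MfaRegistered = $null; HasLicence = $null; Finding = 'Non-user principal holds role'
                }
                continue
            }

            $reg      = $registration[$member.Id]
            $licensed = @(Get-MgUserLicenseDetail -UserId $member.Id).Count -gt 0
            $findings = @()
            if (-not $reg -or -not $reg.IsMfaRegistered) { $findings += 'No MFA registered' }
            if ($licensed) { $findings += 'Licensed: confirm it is not a daily-use account' }

            [pscustomobject]@{
                Role          = $role.DisplayName
                Account       = $member.AdditionalProperties['userPrincipalName']
                Kind          = 'user'
                MfaRegistered = [bool]($reg -and $reg.IsMfaRegistered)
                HasLicence    = $licensed
                Finding       = ($findings -join '; ')
            }
        }
    }
}

# Rows with a non-empty Finding need action before the assessment date.
Get-CePrivilegedAccountReport | Sort-Object Role, Account | Format-Table -AutoSize
```

Registration is not the same as enforcement: this report tells you which admins could complete MFA, while whether they must is decided by Conditional Access or Security Defaults. Run both checks, and keep the output as evidence for the assessor.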

Review Your Anti-Phishing And Malware Policy Configuration

In the Microsoft 365 Defender portal, check that your anti-phishing, anti-spam, anti-malware, Safe Attachments and Safe Links policies are active, appropriate and applied to the right users.

Default policies are better than no policies, but they are not always enough. You should review impersonation protection, domain spoofing controls, quarantine behaviour, user submission settings and alerting.
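The policy review described above can be made repeatable by pulling the relevant Exchange Online Protection and Defender for Office 365 settings into one object instead of touring the portal. The script below is an added example, not code from the original post or from Northern Star. It assumes the ExchangeOnlineManagement module and an account with a security reader or admin role; the Safe Links and Safe Attachments cmdlets only exist in tenants licensed for Defender for Office 365, so their absence is reported rather than treated as an error. The function name Get-CeMailProtectionSummary and the three findings at the end are ours.

```powershell
# Added example (not from the original post or from Northern Star): one-object summary of
# the anti-phishing, anti-spam, anti-malware, Safe Attachments, Safe Links and user
# reporting configuration, plus a few findings on the default anti-phishing policy.
function Get-CeMailProtectionSummary {
    Connect-ExchangeOnline -ShowBanner:$false

    # Which recipients a policy applies to lives on its *rule*, not on the policy, so both
    # are returned. The default policy has no rule and catches everyone not matched.
    $summary = [ordered]@{
        PresetPolicies    = Get-EOPProtectionPolicyRule | Select-Object Name, State, SentTo, SentToMemberOf, RecipientDomainIs
        AntiPhishPolicies = Get-AntiPhishPolicy | Select-Object Name, IsDefault, Enabled,
            EnableSpoofIntelligence, EnableUnauthenticatedSender, EnableMailboxIntelligence,
            EnableMailboxIntelligenceProtection, EnableTargetedUserProtection,
            EnableTargetedDomainsProtection, EnableOrganizationDomainsProtection, PhishThresholdLevel
        AntiPhishRules    = Get-AntiPhishRule | Select-Object Name, State, AntiPhishPolicy, SentTo, SentToMemberOf, RecipientDomainIs
        AntiSpamPolicies  = Get-HostedContentFilterPolicy | Select-Object Name, IsDefault, SpamAction,
            HighConfidenceSpamAction, PhishSpamAction, HighConfidencePhishAction, BulkThreshold
        MalwarePolicies   = Get-MalwareFilterPolicy | Select-Object Name, IsDefault, EnableFileFilter, ZapEnabled, FileTypes
        UserReporting     = Get-ReportSubmissionPolicy | Select-Object EnableReportToMicrosoft, ReportJunkToCustomizedAddress, ReportJunkAddresses
    }

    try {
        $summary.SafeAttachmentPolicies = Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action, Redirect, QuarantineTag
        $summary.SafeAttachmentRules    = Get-SafeAttachmentRule | Select-Object Name, State, SafeAttachmentPolicy, SentTo, SentToMemberOf, RecipientDomainIs
        $summary.SafeLinksPolicies      = Get-SafeLinksPolicy | Select-Object Name, EnableSafeLinksForEmail, EnableSafeLinksForTeams,
            EnableSafeLinksForOffice, ScanUrls, DeliverMessageAfterScan, TrackClicks, AllowClickThrough
        $summary.SafeLinksRules         = Get-SafeLinksRule | Select-Object Name, State, SafeLinksPolicy, SentTo, SentToMemberOf, RecipientDomainIs
    } catch {
        # The cmdlets are not loaded when the tenant has no Defender for Office 365 plan.
        $summary.DefenderForOffice = 'Safe Links / Safe Attachments cmdlets unavailable: no Defender for Office 365 licence, or role lacks access'
    }

    # Minimal findings on the default anti-phishing policy, which covers every user not
    # matched by a custom rule. Impersonation protection is licence-dependent.
    $default  = $summary.AntiPhishPolicies | Where-Object IsDefault
    $findings = @()
    if (-not $default.EnableSpoofIntelligence)            { $findings += 'Default anti-phish: spoof intelligence off' }
    if (-not $default.EnableMailboxIntelligenceProtection) { $findings += 'Default anti-phish: mailbox intelligence protection off' }
    if (-not $default.EnableOrganizationDomainsProtection -and -not $default.EnableTargetedDomainsProtection) {
        $findings += 'Default anti-phish: no domain impersonation protection'
    }
    $summary.Findings = $findings
    [pscustomobject]$summary
}

$report = Get-CeMailProtectionSummary
$report.Findings
$report.AntiPhishPolicies | Format-Table -AutoSize
```

Keeping the whole object (for example with Export-Clixml) at assessment time gives you a dated snapshot to diff against later in the certification period, which is how configuration drift in these policies gets noticed.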

Our post on anti-phishing controls covers what effective policy configuration looks like, and our post on how to create an anti-phishing policy addresses the procedural elements that complement your technical settings. Working with an anti-phishing testing London provider can validate that your configured controls are actually functioning as intended before your assessment date.

Confirm Your Backup Posture Is In Place

Cyber Essentials does not list backup as one of the five technical controls, but v3.3 places stronger guidance emphasis on backups because of their role in recovering from incidents. IASME’s April 2026 update confirms that backup guidance was repositioned earlier in the requirements document to emphasise its importance.

A reliable cloud backup company providing Microsoft 365 backup should be a standard part of your environment regardless of Cyber Essentials requirements. Microsoft 365 availability is not the same thing as a full independent backup strategy.

Our posts on Microsoft 365 backup and on cloud-to-cloud backup explained describe what a complete backup strategy for cloud environments covers and what gaps most businesses have.

Account For Every Device Accessing Your Tenant

Every device used to access Microsoft 365 needs to be assessed against Cyber Essentials device requirements. Devices running unsupported operating systems, devices using browsers that no longer receive security updates, or devices with no malware protection configured can all affect your assessment outcome.

Windows 10 reached end of support on 14 October 2025 for most editions, unless a device is covered by an eligible extended security update arrangement. That means unsupported Windows 10 devices accessing your Microsoft 365 tenant can create a serious Cyber Essentials issue in 2026.

Our post on endpoint hardening steps that reduce real-world attacks covers device-level controls in detail, and our post on endpoint security for remote teams addresses the particular challenge of maintaining compliance across a dispersed or hybrid workforce.

Maintaining Compliance After Certification

Cyber Essentials certification is valid for 12 months, but your Microsoft 365 configuration is not static. New user accounts are created. External sharing permissions change. Admin roles are assigned for projects and not always removed. New features are enabled. Staff leave. Devices age out of support.

Cyber Essentials is assessed at a point in time, now clarified as the date the certificate is issued. However, v3.3 also strengthens the declaration that organisations are responsible for maintaining compliance throughout the certification period.

Building a regular cadence of configuration reviews into your IT management process is essential for maintaining the security posture your Cyber Essentials certification represents. Our post on IT service management explained covers how structured IT management processes support ongoing compliance, and our post on the hidden costs of reactive IT makes the case for why proactive configuration management is consistently more cost-effective than addressing drift reactively.

Adding a dark web monitoring service from a London provider alongside your Cyber Essentials controls gives early warning if credentials from your Microsoft 365 environment surface on underground forums between annual assessments. Our post, dark web monitoring explained, describes how this monitoring layer complements your technical controls and what action to take when alerts are received.

Penetration testing is not required for basic Cyber Essentials. Cyber Essentials Plus adds a technical audit that verifies controls rather than relying only on self-assessment. The April 2026 updates also changed parts of the CE Plus process, including how update management retesting is handled where initial sampled devices fail.

Our post on the importance of penetration testing in cybersecurity explains how testing validates your controls beyond self-assessment, and our comparison of penetration testing vs vulnerability scanning helps you understand which type of assessment fits your situation. Our network penetration testing service can assess your Microsoft 365-connected environment as part of a broader test of your network security posture, and our post on common network vulnerabilities and how to fix them covers the network-level issues that can affect devices and systems accessing your tenant.

Multiple Tenants And International Operations

Some businesses operate more than one Microsoft 365 tenant as a result of acquisitions, historical IT decisions, regional offices or different business units being managed independently over time. Each tenant that falls within your Cyber Essentials scope must meet the requirements. There is no automatic exemption for secondary or inherited tenants.

A provider offering global IT support services can assess and remediate multiple tenants as a coordinated exercise, ensuring your Cyber Essentials scope documentation accurately reflects the full picture of your cloud environment and that no tenant is assessed in isolation when they share users, domains, devices or data flows.

For businesses with European offices, a provider experienced in European support services can ensure your Microsoft 365 configuration aligns with local data protection requirements, which in some cases set expectations beyond the Cyber Essentials controls themselves.

If your business is currently migrating from one platform to another or consolidating tenants, a platform migration company should factor Cyber Essentials compliance into the project plan from the beginning. Building the new environment to Cyber Essentials standard during the migration is considerably less disruptive than addressing compliance gaps after the migration is complete.

Our post on top Microsoft 365 productivity tips is worth reading alongside your security review, since some Cyber Essentials-required configuration changes, such as blocking legacy authentication, can affect how staff access certain features and may need to be communicated ahead of the change being applied.

Why Working With A Managed IT Provider Simplifies Cyber Essentials Preparation

Cyber Essentials self-assessment requires a thorough, honest review of your entire environment. For businesses without deep Microsoft 365 expertise, knowing which settings to check, where to find them in the admin centre, and how to interpret the requirements in a cloud context is genuinely difficult.

Working with a provider that has direct experience of preparing businesses for Cyber Essentials assessments and manages your Microsoft 365 tenant on an ongoing basis removes much of the uncertainty. They know which configuration gaps are most commonly found, how to address them efficiently, and how to document remediation in a way that supports your assessment submission.

Our posts on the benefits of outsourcing your IT to an MSP and why businesses should consider an MSP for their IT needs explain what a managed service relationship delivers beyond day-to-day support, including the ongoing configuration management that keeps your Microsoft 365 tenant aligned throughout the year rather than only at assessment time.

Our security services page gives an overview of what Cyber Essentials preparation support and ongoing security management looks like in practice, and our IT consulting team can carry out a pre-assessment review of your M365 configuration and produce a clear, prioritised remediation plan.

Our post on not repeating the mistakes of high-profile breaches is a useful reminder of what cloud security failures cost businesses in practice, and our small business ransomware guide covers the ransomware risk that properly applied Cyber Essentials controls can help reduce.

Frequently Asked Questions

Does Cyber Essentials require us to include all Microsoft 365 services in our scope?

Yes, if your business uses Microsoft 365 to store or process organisational data, the relevant tenant and services fall within your Cyber Essentials scope. This can include Exchange Online, SharePoint, OneDrive, Teams and Microsoft Entra ID. You cannot exclude cloud-hosted services simply because they are managed by Microsoft. You may define a partial organisational scope in some cases, but if Microsoft 365 is used within that scope, it must be assessed and configured correctly.

Is Microsoft responsible for Cyber Essentials compliance in our Microsoft 365 tenant?

No. Microsoft is responsible for the security of the underlying cloud infrastructure. Your organisation is responsible for how your tenant is configured, including user access, MFA, sharing, admin roles, mail security, device access and data protection settings. Microsoft provides tools such as Microsoft Secure Score, Microsoft Defender and Entra ID controls, but responsibility for configuring and maintaining them sits with your business.

What is the main practical difference between Cyber Essentials and Cyber Essentials Plus for Microsoft 365?

Cyber Essentials is a verified self-assessment where you confirm your controls are in place and a certification body reviews your answers. Cyber Essentials Plus includes technical testing that verifies controls. In a Microsoft 365-connected environment, this may include testing user devices, patching, malware protection and whether the technical controls described in the self-assessment are actually operating as expected.

Can we achieve Cyber Essentials if we are partway through a Microsoft 365 migration?

This depends on the state of your environment at the point your certificate is issued. Your Cyber Essentials scope must reflect your actual systems at that time, including any legacy systems still in operation during the transition. If devices are still connecting to on-premises Exchange alongside Microsoft 365, both environments may need to meet the relevant controls. Planning your assessment date around your migration timeline, with support from a platform migration company, is the most practical approach.

Does achieving Cyber Essentials mean our Microsoft 365 environment is fully GDPR compliant?

No. Cyber Essentials and GDPR are separate frameworks. Cyber Essentials demonstrates that key technical controls are in place, which can support your GDPR obligations around appropriate security of personal data. However, GDPR compliance also involves lawful basis, transparency, contracts, retention, data subject rights, breach processes, records of processing and wider organisational measures. Cyber Essentials is helpful evidence of security posture, but it is not full GDPR compliance by itself.

Does Cyber Essentials require Microsoft 365 backup?

Backup is not one of the five Cyber Essentials technical controls, so it is not assessed in the same way as MFA, patching or malware protection. However, v3.3 places stronger emphasis on the importance of backup guidance, and a Microsoft 365 backup strategy is still highly recommended for resilience, ransomware recovery, accidental deletion, insider risk and retention gaps.

Get Your Microsoft 365 Tenant Cyber Essentials-Ready Today

If your business is approaching a Cyber Essentials assessment and your Microsoft 365 tenant has not been reviewed against the v3.3 scope requirements, there is a genuine risk of failing on configuration gaps that could have been resolved in advance.

Northern Star provides managed business IT support services that include pre-assessment Microsoft 365 configuration reviews, Cyber Essentials remediation support, and ongoing tenant management that keeps your environment aligned with certification requirements throughout the year, not just at renewal time.

Get in touch with our team today or call us on 0800 319 6032 to arrange a Microsoft 365 configuration review ahead of your next Cyber Essentials assessment. Visit our Why Us page to learn more about how we work with London businesses to achieve and maintain Cyber Essentials certification with confidence.