I’ve developed a new publication called – “Implementing ACSC Essential Eight Maturity Level 3 with Microsoft 365 Business Premium”. Here is the summary:

This guide is designed for small and medium business managed service providers (MSPs) aiming to achieve ACSC Essential Eight Maturity Level 3 (ML3) using Microsoft 365 Business Premium. ML3 is the highest standard of cyber resilience recommended by the Australian Cyber Security Centre (ACSC), focusing on proactive defense against sophisticated cyber threats and regulatory compliance.

• The Essential Eight are eight interlocking security controls: Application Control, Patch Applications, Configure Office Macro Settings, User Application Hardening, Restrict Administrative Privileges, Patch Operating Systems, Multi-Factor Authentication (MFA), and Regular Backups.
• ML3 requires proactive, defense-in-depth measures, rapid patching, advanced identity management, and centralized logging.

2. Microsoft 365 Business Premium as the Foundation

• Integrates productivity tools with enterprise-grade security (Intune, Entra ID, Defender for Business, Purview).
• The new Microsoft Defender Suite for Business Premium (formerly E5 Security add-on) provides advanced features like privileged identity management, threat hunting, and extended data retention.

3. Implementation Guidance for Each Control

• Application Control: Use Windows Defender Application Control (WDAC) to prevent unauthorized code/drivers. Requires hardware support (TPM 2.0, VBS).
• Patch Management: Enforce rapid patching for applications and OS, automate updates via Intune, and use Defender Vulnerability Management for monitoring.
• Restrict Admin Privileges: Separate admin accounts, enforce least privilege, use Entra Privileged Identity Management (PIM), and centralize logging.
• MFA: Only phishing-resistant, cryptographically bound factors (FIDO2, smartcards, Windows Hello for Business) are permitted at ML3.
• Macro & Application Hardening: Block macros from the Internet, enforce signed macros, remove legacy components (IE11, old .NET), and apply Attack Surface Reduction rules.
• Regular Backups: Use Microsoft Purview for retention, Azure Backup for non-M365 workloads, and test restores regularly.
• Governance: Continuous compliance monitoring with Purview Compliance Manager, Sentinel, and regular audits.

4. Business & Operational Benefits

• Enhanced security, regulatory compliance, operational efficiency, business continuity, and competitive advantage.

5. Licensing & Cost Considerations

• ML3 can be achieved with Business Premium plus the Defender Suite add-on.
• The guide provides a staged implementation plan (gap assessment, MFA rollout, patching, advanced controls, continuous improvement).

Conclusion

Achieving ML3 with Microsoft 365 Business Premium and the Defender Suite delivers measurable improvements in security, compliance, and resilience. The guide provides step-by-step instructions, best practices, and references to Microsoft documentation for each control area. Continuous improvement, regular training, and staying current with ACSC/Microsoft updates are emphasized for ongoing compliance and protection.

There is lots that I could keep adding to this publication but I’m going to throw it out there and see whether people find value before I invest more time in it. Currently the report is 31 pages in total.

I have also decided on a different distribution method this time as well. If you want a copy head over to my Ko-Fi at:

https://ko-fi.com/ciaops

and leave me a one time tip for whatever you feel it is worth I’ll email you a copy. Also ensure you include a message letting me know you want the publication.

If you then provide me feedback on the publication, such as how it can be improved or any errors you find, I’ll then send you the next version for free when it becomes available.

This seems to me to be the easiest way to determine whether it is worth my time investing more effort to improve the document.

Let’s see.