
Cyber Essentials Microsoft 365 & Azure Configuration Guide UK 2026

Cyber Essentials M365 / Azure config guide: the 10 settings assessors look for, Conditional Access baseline, Intune compliance and Defender setup. UK 2026.


Last updated: April 2026  |  Reviewed by: Connection Technologies team


For most UK SMEs, Microsoft 365 and Azure are the largest single in-scope estate for Cyber Essentials. Get the M365 configuration right and you’ll close roughly 60% of the questionnaire in one shot. Get it wrong and the assessor will come back with queries on MFA enforcement, legacy authentication, Conditional Access, admin separation and Defender deployment.

This guide is the practical M365 + Azure configuration recipe IASME assessors are looking for in 2026 — what to enable, what to switch off, where to look for the evidence and how to avoid the common assessor pushback. For the wider scheme see our requirements guide and the questionnaire walkthrough.

What’s in scope in your M365 / Azure tenant?

By default, everything that holds organisational data is in scope:

  • Every M365 user account (Business Basic, Business Standard, Business Premium, E3, E5)
  • Every admin role assignment (global admin, security admin, exchange admin, etc.)
  • Exchange Online, SharePoint, OneDrive, Teams
  • Every Azure subscription that holds organisational workloads
  • Every Azure VM (treated as a server — full OS-level controls apply)
  • Every Conditional Access policy (or the lack of them)

The 10 M365 settings IASME assessors look for

#  | Setting | Where | Required value
1  | Security Defaults or Conditional Access enforcing MFA | Entra ID > Properties | Enabled (one or the other)
2  | Block legacy authentication | Conditional Access policy | Enabled, no exclusions
3  | MFA enforcement on all admins | CA policy targeting admin roles | Required, all roles
4  | Disable POP / IMAP / SMTP basic auth | Exchange Online > Authentication policies | All blocked
5  | Global admin segregation | Entra > Roles | Min 2 / max 4 GAs, separate from daily accounts
6  | Defender for Office 365 (or equivalent) | Defender portal > Email & collaboration policies | Anti-malware, Safe Links, Safe Attachments configured
7  | Defender for Endpoint / Defender for Business | Defender portal > Devices | Onboarded, signatures updating, on every in-scope device
8  | Intune device compliance policy | Intune admin centre | Enforces patch SLA, AV, encryption, screen lock
9  | Conditional Access requiring compliant device | CA policy | Required for org data access
10 | Sign-in & audit logs retention | Entra ID > Diagnostic settings | Min 90 days, ideally 1 year


Conditional Access policies that satisfy Cyber Essentials

The recommended baseline is four Conditional Access policies. Configure these and you’ll satisfy the user access control requirements cleanly:

  1. Require MFA for all users — assignment: all users (with break-glass admin excluded), all cloud apps, controls: require MFA
  2. Require MFA for all admins — assignment: directory roles (global admin, security admin, exchange admin, etc.), all cloud apps, controls: require MFA + sign-in frequency 4 hours
  3. Block legacy authentication — assignment: all users, all cloud apps, conditions: client apps = Exchange ActiveSync + Other clients, controls: block
  4. Require compliant device for org data — assignment: all users, target apps: Office 365, controls: require device marked as compliant

Add a fifth, optional policy for risky sign-ins if you have Entra ID P2 (E5 or P2 add-on): block high-risk sign-ins using Identity Protection.
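The four-policy baseline above as a Microsoft Graph PowerShell script. This is an added example, not code from the original guide; it assumes the Microsoft.Graph module, an account holding the Conditional Access Administrator role, and that you substitute your own emergency-access account's object ID for the placeholder. Every policy is created in report-only mode so you can check the sign-in logs for impact before switching it to enabled.

```powershell
# Added example (not from the original guide): create the CE Conditional Access baseline.
# Assumes Microsoft.Graph is installed and the signed-in account can manage CA policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','RoleManagement.Read.Directory'

$breakGlass = '<BREAK-GLASS-ACCOUNT-OBJECT-ID>'   # placeholder: your emergency-access account
$adminRoles = @('Global Administrator','Security Administrator','Exchange Administrator')
# includeRoles expects directory role template IDs, so resolve them by display name.
$roleIds = (Get-MgDirectoryRoleTemplate | Where-Object DisplayName -in $adminRoles).Id

# Report-only first: sign-in logs then show what each policy WOULD do before it enforces.
$state = 'enabledForReportingButNotEnforced'

$policies = @(
  @{ displayName = 'CE01 - Require MFA for all users'; state = $state
     conditions = @{ users = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
                     applications = @{ includeApplications = @('All') } }
     grantControls = @{ operator = 'OR'; builtInControls = @('mfa') } },
  @{ displayName = 'CE02 - Require MFA for admins, 4h sign-in frequency'; state = $state
     conditions = @{ users = @{ includeRoles = $roleIds; excludeUsers = @($breakGlass) }
                     applications = @{ includeApplications = @('All') } }
     grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
     sessionControls = @{ signInFrequency = @{ value = 4; type = 'hours'; isEnabled = $true } } },
  @{ displayName = 'CE03 - Block legacy authentication'; state = $state
     # No exclusions here: legacy clients cannot satisfy MFA, so nobody needs them.
     conditions = @{ users = @{ includeUsers = @('All') }
                     applications = @{ includeApplications = @('All') }
                     clientAppTypes = @('exchangeActiveSync','other') }
     grantControls = @{ operator = 'OR'; builtInControls = @('block') } },
  @{ displayName = 'CE04 - Require compliant device for Office 365'; state = $state
     conditions = @{ users = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
                     applications = @{ includeApplications = @('Office365') } }
     grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') } }
)

foreach ($p in $policies) {
  # Idempotent: re-running the script must not create duplicate policies.
  $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($p.displayName)'"
  if ($existing) { Write-Host "Skipping, already exists: $($p.displayName)"; continue }
  $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
  Write-Host "Created $($created.DisplayName) [$($created.State)]"
}
```

Once the report-only results look right, flip each policy's state to `enabled` in the portal or with Update-MgIdentityConditionalAccessPolicy; the assessor wants the enabled policy, not the report-only one.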

Security Defaults vs Conditional Access — which to use?

Security Defaults is a one-click “MFA on for everyone, legacy auth blocked, admin protection on” toggle. It satisfies Cyber Essentials cleanly and is free with every M365 tenant. Use it if you don’t need fine-grained policies.

Conditional Access (Entra ID P1 — included with Business Premium and E3) gives you per-app, per-user, per-location, per-device control. Use it if you need to:

  • Allow trusted office IPs to skip MFA prompts
  • Require compliant devices for org data access
  • Apply session controls (time-bound MFA, sign-in frequency)
  • Block sign-ins from outside specific countries

You can’t run both at once — enabling Conditional Access policies disables Security Defaults. Either approach satisfies the questionnaire.

Microsoft Defender configuration for Cyber Essentials

Defender’s three components map cleanly to CE controls:

  • Defender for Office 365 (Plan 1 included with Business Premium) — anti-phishing, anti-malware, Safe Links, Safe Attachments. Configure these in the Defender portal.
  • Defender for Endpoint / Defender for Business — endpoint detection and response. Onboard every in-scope device. The Business edition (included with Business Premium) is sufficient for Cyber Essentials.
  • Defender for Cloud Apps (E5 / add-on) — useful but not required for CE.

Evidence the assessor wants: a screenshot of the Defender portal showing all in-scope devices onboarded, with the security score, AV state and any active alerts.

Intune compliance policies that pass Cyber Essentials

Intune lets you express the CE controls as compliance policies; Conditional Access then blocks non-compliant devices from accessing org data. Recommended baseline:

Windows 10/11 compliance policy:

  • Require BitLocker
  • Require Secure Boot
  • Require code integrity
  • Require Defender (real-time on, signatures up to date)
  • Minimum OS version (current N-1 servicing)
  • Maximum OS version not configured (don’t block updates)
  • Password: required, min 8 chars, lock after 15 min

iOS compliance policy:

  • Maximum OS version not configured
  • Minimum OS version: latest N-1
  • Jailbreak detection: block
  • Passcode: required, min length 6, lock after 5 min, max 10 failed attempts
  • Encryption: enforced (default on iOS)

Android compliance policy:

  • Minimum OS version: latest N-1
  • Block rooted devices
  • Require Play Protect
  • Passcode: required, min length 6
  • Encryption: enforced
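The Windows 10/11 compliance policy above, created through Microsoft Graph PowerShell so it is reproducible across tenants. This is an added example, not code from the original guide; it assumes the Microsoft.Graph.DeviceManagement module, an Intune Administrator account, and that the minimum build number is a placeholder you replace with your current N-1 servicing build. Non-compliant devices are marked immediately (zero grace period) so the compliant-device Conditional Access policy actually bites.

```powershell
# Added example (not from the original guide): create the CE Windows compliance policy in Intune.
# Assumes Microsoft.Graph.DeviceManagement and an account that can manage Intune configuration.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$minWindows = '10.0.19045'   # placeholder: set to your current N-1 servicing build

$policy = @{
  '@odata.type'        = '#microsoft.graph.windows10CompliancePolicy'
  displayName          = 'CE - Windows 10/11 compliance'
  description          = 'Cyber Essentials baseline: encryption, Secure Boot, code integrity, Defender, patch level, screen lock'
  bitLockerEnabled     = $true
  secureBootEnabled    = $true
  codeIntegrityEnabled = $true
  defenderEnabled      = $true
  rtpEnabled           = $true      # real-time protection must be on
  signatureOutOfDate   = $true      # require Defender signatures to be current
  antivirusRequired    = $true
  osMinimumVersion     = $minWindows
  # osMaximumVersion deliberately omitted: never mark a device non-compliant for being too patched
  passwordRequired     = $true
  passwordMinimumLength = 8
  passwordMinutesOfInactivityBeforeLock = 15
  # Action on non-compliance: block immediately (grace period 0 hours).
  scheduledActionsForRule = @(
    @{ ruleName = 'PasswordRequired'
       scheduledActionConfigurations = @(
         @{ actionType = 'block'; gracePeriodHours = 0
            notificationTemplateId = ''; notificationMessageCCList = @() } ) } )
}

$created = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $policy
Write-Host "Created compliance policy $($created.DisplayName) ($($created.Id))"

# Assign to all devices; without an assignment no device ever gets a compliance state for CA to check.
$assignment = @{ assignments = @( @{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } } ) }
Invoke-MgGraphRequest -Method POST -Body $assignment `
  -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.Id)/assign"
```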

Azure-specific Cyber Essentials configuration

If you have Azure subscriptions in scope:

  • Enable Microsoft Defender for Cloud on every subscription. Free tier is sufficient for CE.
  • Enable Just-In-Time VM access (or close inbound RDP/SSH at the NSG and use Bastion / VPN)
  • Apply security baselines — Azure Policy “Microsoft cloud security benchmark” is the IASME-aligned baseline
  • Enable diagnostic logging on key resources (Key Vault, Storage, NSGs)
  • Use Privileged Identity Management for any production-impacting role (E5 / P2 add-on)
  • Treat Azure VMs as servers — full patching, AV, host firewall, no default credentials

Common assessor queries on M365 and how to pre-empt them

  1. “Provide screenshot evidence MFA is enforced for all users.” Take a screenshot of the Sign-in logs page filtered to last 7 days, showing successful MFA for every user, plus the Conditional Access policy itself.
  2. “Confirm legacy authentication is blocked.” Screenshot of the Conditional Access policy + the Sign-in logs filtered to “Client app: legacy” showing zero successes in the last 30 days.
  3. “Provide screenshot evidence of admin role separation.” Screenshot of Entra ID > Roles > Global Administrator showing the admin-only accounts (with no licence assigned, no email, suffix like “.admin”).
  4. “Confirm Defender is deployed on all in-scope devices.” Screenshot of the Defender portal device list, with onboarding status and AV state for every device.
  5. “Confirm patch compliance.” Screenshot of Intune patch compliance dashboard.

If you build these screenshots upfront and attach them to the questionnaire, you’ll typically certify in one round with no follow-up queries.
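For queries 1 and 2 the evidence comes from the sign-in logs, and pulling them from Microsoft Graph is more reliable than hand-filtering the portal. This added example (not code from the original guide) assumes the Microsoft.Graph.Reports module, a Reports Reader or Security Reader account, and Entra ID P1 for Graph access to sign-in logs. It reports successful legacy-auth sign-ins in the last 30 days and any user with a single-factor interactive sign-in in the last 7 days, then exports the raw rows for the questionnaire.

```powershell
# Added example (not from the original guide): sign-in log evidence for assessor queries 1 and 2.
# Assumes Microsoft.Graph.Reports and Entra ID P1; run from an account with AuditLog.Read.All.
Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All'

# Only these client app types use modern authentication; anything else is legacy auth.
$modern  = @('Browser', 'Mobile Apps and Desktop clients')
$since30 = (Get-Date).AddDays(-30).ToUniversalTime().ToString('o')

# Successful sign-ins only (status/errorCode 0); the rest of the filtering is done client-side.
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since30 and status/errorCode eq 0"

# Query 2: legacy authentication must show zero successful sign-ins in the last 30 days.
$legacy = $signIns | Where-Object { $_.ClientAppUsed -notin $modern }
if ($legacy) {
  $legacy | Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name | Format-Table -AutoSize
  Write-Warning "$(@($legacy).Count) successful legacy-auth sign-ins: the block policy is not fully effective"
} else {
  Write-Host 'Legacy authentication: 0 successful sign-ins in the last 30 days'
}

# Query 1: every user who signed in during the last 7 days should show MFA.
# Caveat: a trusted-location MFA bypass also shows as singleFactorAuthentication, so
# any name listed here is either a gap or a bypass you must justify to the assessor.
$since7 = (Get-Date).AddDays(-7)
$recent = $signIns | Where-Object { $_.CreatedDateTime -ge $since7 }
$singleFactorUsers = $recent |
  Where-Object { $_.AuthenticationRequirement -ne 'multiFactorAuthentication' } |
  Select-Object -ExpandProperty UserPrincipalName -Unique
if ($singleFactorUsers) {
  Write-Warning "Single-factor interactive sign-ins in the last 7 days: $($singleFactorUsers -join ', ')"
} else {
  $userCount = @($recent.UserPrincipalName | Sort-Object -Unique).Count
  Write-Host "MFA observed on every interactive sign-in for all $userCount users in the last 7 days"
}

# Raw evidence to attach alongside the screenshots.
$signIns |
  Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed, AuthenticationRequirement, ConditionalAccessStatus |
  Export-Csv -Path 'ce-signin-evidence.csv' -NoTypeInformation
```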

Cyber Essentials Plus and M365

For the Plus audit, the assessor will:

  • Try to sign in with disabled / legacy auth from outside the trusted network — must fail
  • Try to sign in to an admin account without MFA — must fail
  • Run a vulnerability scan against any internet-facing M365 / Azure assets you’ve declared
  • Sample 10% of devices for live malware testing and patch verification

Get the 10 baseline settings above right and you’ll pass the M365 portion of the Plus audit cleanly. The Plus audit guide walks through the testing methodology.

Get Cyber Essentials & Cyber Essentials Plus — fully managed

Connection Technologies runs Cyber Essentials and Cyber Essentials Plus for UK businesses end-to-end. Our compliance agent automates the five technical controls across every Windows, macOS, iOS and Android device — we submit, audit and renew so you stay certified without the paperwork. RRP from £103/month with free £25,000 cyber-liability insurance for eligible UK businesses.


Frequently asked questions

Yes — every M365 tenant holding organisational data (which is essentially every business M365 tenant) is in scope. Exchange Online, SharePoint, OneDrive, Teams, all admin accounts and all user accounts must be configured to meet the five technical controls.

Not strictly — Security Defaults satisfies the requirements if you don’t need granular control. But Conditional Access (included with Business Premium and E3) gives you cleaner evidence and per-app/per-user control, and is the practical baseline most managed providers deploy for CE.

Business Standard works (Security Defaults + manual controls). Business Premium is the easier choice — it includes Conditional Access, Intune, Defender for Business and Defender for Office 365 Plan 1, all of which line up directly with CE controls.

Three screenshots: the Conditional Access policy itself, the Sign-in logs page filtered to last 7 days showing MFA for all users, and the policy assignment showing all users in scope with no exclusions (other than break-glass admin).

Yes — Azure VMs are treated as servers. Full OS-level controls apply: patching within 14 days, AV, host firewall, no default credentials, secure configuration. Defender for Cloud (free tier) gives you the evidence for the assessor.

Not strictly — but you do need anti-malware on every device. If you’re on Business Premium you already have Defender for Office 365 Plan 1 + Defender for Business; configuring both is the cleanest path. If you use a third-party email security gateway and EDR (e.g. CrowdStrike), that’s also acceptable.
