
    Cyber Essentials on a Shoestring: Filling the Microsoft 365 Security Gaps with Free and Low-Cost Tools

    By Gradum Team•Jun 11, 2026•14 min read

    “WE’VE TURNED ON MFA — WHY DID WE STILL FAIL CE+?”

    The IT manager was staring at a failed Cyber Essentials Plus report.
    MFA was live in Microsoft 365, AV was up to date, firewalls looked fine.
    Yet the assessor had still found cloud accounts without MFA, unpatched firmware, and a BYOD laptop that nobody realised was in scope.

    The reality in mid‑2026 is simple: Microsoft 365 is a powerful platform, but out‑of‑the‑box it does not equal Cyber Essentials compliance. The good news is you don’t need an enterprise budget to close the gaps. With intelligent use of native features plus a handful of free and low‑cost tools, you can harden Microsoft 365, align with Cyber Essentials v3.3, and be genuinely audit‑ready.


    What you’ll learn

    • How Cyber Essentials 2026 changes the risk profile of a “vanilla” Microsoft 365 tenant
    • Which free or bundled Microsoft 365 features you should enable first to pass MFA and access-control checks
    • How to use Microsoft Security Baselines and open-source tools to achieve secure configuration without months of GPO tuning
    • Practical, low-cost ways to meet the 14‑day patching auto‑fail rule across Windows, firmware, and SaaS
    • How to inventory and secure shadow SaaS and BYOD around Microsoft 365 so they don’t quietly sink your assessment
    • The counter‑intuitive reason most organisations fail Cyber Essentials — and why more tooling rarely fixes it

    Cyber Essentials 2026: Why Microsoft 365 Alone Isn’t Enough

    Cyber Essentials still revolves around the same five technical controls, but v3.3 (the latest question set, live from April 2026) has changed the marking rules. Two domains — MFA on cloud services and 14‑day patching — are now hard auto‑fail criteria. A default Microsoft 365 deployment will not, by itself, satisfy these.

    Microsoft 365 is explicitly in scope as a cloud service under the updated definition: any SaaS accessed with business credentials that stores or processes organisational data must be included. You can no longer argue that “Microsoft secures that for us” — Cyber Essentials applies the shared responsibility model: Microsoft secures the platform, you are accountable for configuration, identity, and data.

    Key implications for Microsoft 365 environments:

    • Every user (not just admins) accessing M365 must have MFA enforced, not optional. If MFA is technically available, leaving it off is an automatic fail.
    • Password policy must follow NCSC guidance: length over complexity, protection against brute force (lockout or throttling), screening out of common passwords, and no forced periodic resets.
    • High‑risk or critical security updates — OS, browsers, applications, router and firewall firmware — must be applied within 14 days of release, or the assessed environment fails.
    • All cloud services used alongside M365 (CRM, finance systems, file sharing, marketing platforms) must be listed and controlled; shadow SaaS and unmanaged BYOD endpoints are one of the most common failure points.

    Key Takeaway
    Treat Microsoft 365 as one major SaaS inside a much wider in‑scope estate. Cyber Essentials 2026 is testing your whole cloud and device perimeter, not just whether Exchange Online has spam filtering turned on.


    Identity First: MFA, Passkeys and Access Control on a Budget

    Identity is now the decisive control for passing or failing. The scheme makes MFA on all cloud services non‑negotiable, and the biggest single Microsoft 365 win is to enforce strong, centralised identity.

    Step 1 – Turn on Entra ID Security Defaults (where viable)
    For many SMEs without complex Conditional Access needs, Microsoft Entra ID (formerly Azure AD) Security Defaults give you:

    • Mandatory MFA registration for every user, with MFA enforced for administrators and challenged for other users whenever Microsoft's risk signals require it
    • Blocking legacy authentication protocols (IMAP, POP, SMTP basic auth, older Office clients) that cannot perform MFA
    • Requiring MFA for privileged activities such as access to the Azure portal and Azure Resource Manager

    Security Defaults are included in Entra ID at no extra cost. For small tenants this is often the fastest, cheapest route to closing the MFA gap. Two caveats: Security Defaults and Conditional Access are mutually exclusive, so turn them off only once equivalent Conditional Access policies are enforced; and they offer no exclusions, so break-glass accounts must also be able to complete MFA (a FIDO2 key kept in a safe works well).

    Step 2 – Use Conditional Access intelligently (larger / more complex tenants)
    Where Security Defaults are too blunt, Conditional Access (Entra ID P1, bundled with Microsoft 365 Business Premium, E3 and E5) lets you:

    • Require MFA for all cloud apps, not just Microsoft 365
    • Enforce stronger controls for admin roles and risky sign‑ins
    • Block logons from unsupported platforms or geographies

    When budget is tight, prioritise CA policies that directly support Cyber Essentials:

    • “All users, all cloud apps: require MFA”
    • “All admin roles: block access without compliant device + MFA”

    Step 3 – Embrace passwordless where you can
    Cyber Essentials v3.3 and the NCSC both now strongly promote passkeys and FIDO2 security keys. You don’t need to roll them out everywhere on day one, but consider:

    • Using Windows Hello for Business on corporate Windows endpoints
    • Providing low-cost FIDO2 keys for IT admins and finance teams
    • Allowing platform passkeys on mobile devices for browser-based SaaS

    Step 4 – Fix basic access-control hygiene

    • Separate admin and user accounts (e.g. jsmith vs admin-jsmith)
    • Remove local admin from standard users on Windows endpoints
    • Eliminate shared accounts; implement proper joiners/movers/leavers workflows
    • Enforce account lockout / throttling on sign‑in to mitigate brute-force attacks

    Mini‑Checklist – Low/No‑Cost Identity Wins

    • Enable Entra ID Security Defaults or baseline Conditional Access
    • Enforce MFA for every user account. Exclude break-glass accounts from Conditional Access only if they use a phishing-resistant method such as a FIDO2 key held in a safe and their sign-ins are alerted on; interactive service accounts, which cannot complete MFA, should be replaced with managed identities or app registrations
    • Implement NCSC “three random words” or passphrase-style passwords
    • Rely on Entra smart lockout (on by default) for brute-force protection and, where Entra ID P2 is licensed, add sign‑in risk policies
    • Pilot passkeys / FIDO2 keys for admins and high‑risk users
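    The four identity steps above, carried out with the Microsoft Graph PowerShell SDK. This is an added example, not code from the Gradum article or from Microsoft: it reads the Security Defaults state, lists every user who cannot yet satisfy an MFA challenge, and creates the two Conditional Access policies the section recommends in report-only mode so the sign-in logs can be reviewed before enforcement. Assumptions: the tenant holds Entra ID P1 (needed for Conditional Access), the account running it has the scopes shown, and a group named CE-BreakGlass already contains the emergency-access accounts (the group name is a placeholder).

```powershell
# Added example (not from the article). Requires the Microsoft.Graph PowerShell SDK
# and Entra ID P1 for the Conditional Access part. 'CE-BreakGlass' is an assumed
# group name for the emergency-access accounts.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports, Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'AuditLog.Read.All', 'Group.Read.All'

# 1. Security Defaults state. Security Defaults and Conditional Access are mutually
#    exclusive: keep Security Defaults on for a small tenant, or turn them off only
#    after the CA policies below have moved from report-only to enforced.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($sd.IsEnabled)"

# 2. Users who cannot pass an MFA challenge today. This is the data behind the Entra
#    'Authentication methods' registration report and it covers every user, not just admins.
$reg   = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$noMfa = @($reg | Where-Object { -not $_.IsMfaCapable })
"{0} of {1} users are not MFA-capable" -f $noMfa.Count, $reg.Count
$noMfa |
    Select-Object UserPrincipalName, IsAdmin, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Sort-Object IsAdmin -Descending |
    Format-Table -AutoSize

# 3. Conditional Access. Both policies start in report-only mode; switch State to
#    'enabled' once a week of sign-in logs shows no legitimate traffic would be blocked.
#    Only the break-glass group is excluded, and those accounts must hold FIDO2 keys.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CE-BreakGlass'"   # assumed group name
if (-not $breakGlass) { throw 'Create the break-glass group before deploying Conditional Access policies' }

$requireMfa = @{
    DisplayName   = 'CE - All users, all cloud apps: require MFA'
    State         = 'enabledForReportingButNotEnforced'
    Conditions    = @{
        Applications   = @{ IncludeApplications = @('All') }
        Users          = @{ IncludeUsers = @('All'); ExcludeGroups = @($breakGlass.Id) }
        ClientAppTypes = @('all')
    }
    GrantControls = @{ Operator = 'OR'; BuiltInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Legacy clients (IMAP/POP/SMTP basic auth, Exchange ActiveSync) cannot perform MFA,
# so block them outright. This is what Security Defaults does implicitly.
$blockLegacy = @{
    DisplayName   = 'CE - Block legacy authentication'
    State         = 'enabledForReportingButNotEnforced'
    Conditions    = @{
        Applications   = @{ IncludeApplications = @('All') }
        Users          = @{ IncludeUsers = @('All'); ExcludeGroups = @($breakGlass.Id) }
        ClientAppTypes = @('exchangeActiveSync', 'other')
    }
    GrantControls = @{ Operator = 'OR'; BuiltInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy
```

Keep the output of step 2 as evidence: a CE+ assessor will test MFA on live accounts, and the list of users who are not MFA-capable is exactly the set that would fail that test. Re-run it after the policies are enforced to confirm the count has reached zero.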

    Secure Configuration and Baselines for Microsoft 365 and Windows

    Windows and Microsoft 365 both ship with thousands of security‑relevant settings. Manually tuning them to Cyber Essentials expectations is expensive — unless you leverage Microsoft Security Baselines and native tools.

    Use Microsoft Security Baselines as your starting point
    Microsoft publishes curated baselines for Windows, Microsoft 365 Apps, Edge, and more. They:

    • Filter thousands of Group Policy / MDM settings down to a security-relevant subset
    • Provide pre‑tested GPO backups and Intune templates
    • Are designed by Microsoft security engineering teams with industry input

    By importing these baselines via Security Compliance Toolkit or Intune, you instantly address large chunks of Secure Configuration requirements:

    • Disable auto‑run/auto‑play
    • Harden SMB, RDP, and legacy protocols
    • Enforce host firewall policies and Defender AV settings
    • Standardise logging and audit settings

    Lock down Microsoft 365 configuration

    Without extra licences you can still:

    • Enable Security Defaults or basic Conditional Access as above
    • Harden SharePoint / OneDrive external sharing defaults
    • Block legacy protocols: Exchange Online already rejects basic authentication for everything except SMTP AUTH, so disable SMTP AUTH tenant‑wide and turn off IMAP and POP on the mailbox plan and on existing mailboxes unless a documented exception needs them
    • Turn on standard anti‑malware and anti‑phishing policies in Exchange Online

    Where you have access to tools like Secure Score, use them as a prioritised backlog; many high‑impact actions (e.g. disabling legacy auth, admin MFA) are licence‑included.
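    The Microsoft 365 lock-down items above, as an added example in PowerShell (not code from the article or from Microsoft): it removes the mail protocols that bypass MFA, turns on the licence-included Standard preset security policy in Exchange Online, and tightens SharePoint and OneDrive sharing defaults. It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules, an admin with Exchange and SharePoint rights, and a tenant named contoso with the accepted domain contoso.com (both placeholders).

```powershell
# Added example (not from the article). 'contoso' and 'contoso.com' are placeholders.
# The SharePoint Online module is most reliable under Windows PowerShell 5.1.
Connect-ExchangeOnline
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# --- Exchange Online: remove the protocols that bypass MFA ------------------------
# Basic auth is already off for all EXO protocols except SMTP AUTH, so SMTP AUTH is the
# remaining tenant-wide gap. Re-enable it per mailbox only for a device that truly needs it.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Default for every mailbox created from now on
Get-CASMailboxPlan | Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

# Existing mailboxes: report, then disable
$legacy = @(Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.ImapEnabled -or $_.PopEnabled })
"{0} mailboxes still have IMAP or POP enabled" -f $legacy.Count
$legacy | Set-CASMailbox -ImapEnabled $false -PopEnabled $false

# Evidence for the assessor: every AllowBasicAuth* flag should read False
Get-AuthenticationPolicy | Format-List Name, AllowBasicAuth*

# --- Exchange Online: preset anti-malware and anti-phishing -----------------------
# The Standard preset is included with every Exchange Online plan. Scope it to the
# accepted domain so it applies to all recipients, then enable the rule.
Set-EOPProtectionPolicyRule -Identity 'Standard Preset Security Policy' -RecipientDomainIs 'contoso.com'
Enable-EOPProtectionPolicyRule -Identity 'Standard Preset Security Policy'
Get-EOPProtectionPolicyRule | Format-Table Name, State, Priority

# --- SharePoint / OneDrive external sharing defaults ------------------------------
$sharing = @{
    SharingCapability                          = 'ExternalUserSharingOnly'  # guests must sign in; no anonymous 'Anyone' links
    DefaultSharingLinkType                     = 'Internal'                 # new links default to people inside the organisation
    DefaultLinkPermission                      = 'View'                     # read-only unless the sharer chooses otherwise
    PreventExternalUsersFromResharing          = $true
    RequireAcceptingAccountMatchInvitedAccount = $true                      # invitations cannot be redeemed by a different account
}
Set-SPOTenant @sharing
Get-SPOTenant | Format-List SharingCapability, DefaultSharingLinkType, DefaultLinkPermission
```

Run the two report lines (the IMAP/POP count and the AllowBasicAuth* listing) again before the assessment and keep the output; they are the quickest proof that no MFA-bypassing protocol is reachable.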

    Don’t forget endpoint firewalls
    Cyber Essentials is explicit that home and remote workers need host firewalls enabled (e.g. Windows Defender Firewall). Baselines ensure:

    • Firewalls are on for all profiles
    • Standard users can’t disable them
    • Inbound rules are minimal and documented

    Pro Tip
    If you don’t have Intune, you can still push Microsoft baselines via on‑prem Group Policy or even local policy templates for very small sites. The cost is time, not licensing.


    Low-Cost Patch and Vulnerability Management to Meet the 14‑Day Rule

    From April 2026, the security update management questions become auto‑fail: if high‑risk or critical patches aren’t applied within 14 days across OS, applications, and network device firmware, you fail — regardless of how good everything else looks.

    In Microsoft 365‑centric estates, the traps are usually:

    • Edge/Chrome, Office desktop apps, and plugins left to user‑driven updates
    • VPNs, firewalls, and Wi‑Fi access points with old firmware
    • Occasional‑use or remote machines that miss monthly patch cycles

    Leverage what Windows already gives you

    • Use Windows Update for Business or local Group Policy to enforce automatic updates with short deferral periods.
    • On a shoestring, WSUS is still viable for centralised approval and reporting without extra licence cost, but Microsoft has deprecated it (no new features; existing functionality and update publishing continue for now), so treat it as a bridge to Windows Update for Business rather than a destination.
    • Standardise browsers (Edge or Chrome) and enforce automatic updates; avoid niche, unmanaged browsers.

    Cover firmware and network devices

    Cyber Essentials explicitly pulls router, firewall, VPN, and switch firmware into the 14‑day rule. You don’t need an expensive NMS to improve here:

    • Build a simple, maintained inventory of all network appliances with model, OS/firmware, and support status.
    • Subscribe to vendor security mailing lists for those devices.
    • For small sites, schedule a monthly “network patch window” and document results.

    If a critical patch breaks a business‑critical system and you cannot patch, the only acceptable mitigation under the scheme is full isolation from the internet on a segregated network.
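    A register-driven check of the 14-day rule across Windows, network firmware and SaaS, as an added example in PowerShell (not code from the article or from the scheme). The CSV rows are a constructed sample; in practice the register comes from your asset inventory. The logic is the rule described in this section: a High or Critical update must be installed within 14 days of the vendor release date, and an unpatched asset past its deadline is as much a breach as one patched late.

```powershell
# Added example (not from the article). The register below is constructed sample data;
# replace it with an export from your asset register or CMDB.
$register = @'
Asset,Type,Vendor,Update,Severity,Released,Applied
FW-EDGE-01,Firewall,VendorA,firmware 7.2.3,Critical,2026-05-04,2026-05-10
WAP-FLOOR2,Access point,VendorB,firmware 3.9.1,High,2026-04-20,
LT-JSMITH,Laptop,Microsoft,2026-05 cumulative update,Critical,2026-05-12,2026-05-13
LT-SPARE-03,Laptop,Microsoft,2026-05 cumulative update,Critical,2026-05-12,2026-06-02
VPN-GW-01,VPN gateway,VendorC,firmware 11.4,Critical,2026-05-20,
CRM,SaaS,VendorD,n/a (vendor-patched),Critical,2026-05-20,2026-05-20
'@ | ConvertFrom-Csv

function Test-PatchSla {
    param(
        [Parameter(Mandatory)] $Register,
        [datetime] $AsOf = (Get-Date),
        [int] $SlaDays = 14
    )
    foreach ($row in $Register) {
        # Only High/Critical updates fall under the 14-day rule.
        if ($row.Severity -notin 'High', 'Critical') { continue }
        $released = [datetime]::ParseExact($row.Released, 'yyyy-MM-dd', $null)
        $deadline = $released.AddDays($SlaDays)
        if ([string]::IsNullOrWhiteSpace($row.Applied)) {
            # Not yet applied: a breach once the deadline has passed, otherwise due.
            $days   = ($AsOf - $released).Days
            $status = if ($AsOf -gt $deadline) { 'BREACH - unpatched past deadline' }
                      else { "DUE by $($deadline.ToString('yyyy-MM-dd'))" }
        } else {
            # Applied: compare the install date with the deadline, not with today.
            $applied = [datetime]::ParseExact($row.Applied, 'yyyy-MM-dd', $null)
            $days    = ($applied - $released).Days
            $status  = if ($applied -gt $deadline) { 'BREACH - patched late' } else { 'OK' }
        }
        [pscustomobject]@{
            Asset = $row.Asset; Type = $row.Type; Update = $row.Update
            Severity = $row.Severity; DaysToPatch = $days; Status = $status
        }
    }
}

$asOf    = [datetime]'2026-06-11'   # assessment date for the constructed sample
$results = Test-PatchSla -Register $register -AsOf $asOf
$results | Sort-Object Status -Descending | Format-Table -AutoSize

# A single BREACH row is an auto-fail under the rule above, so fail loudly when this
# runs as a scheduled task.
$breaches = @($results | Where-Object Status -like 'BREACH*')
if ($breaches.Count -gt 0) {
    Write-Warning "$($breaches.Count) asset(s) outside the 14-day window: $($breaches.Asset -join ', ')"
}
```

With the sample data and the 2026-06-11 assessment date, the firewall, the first laptop and the SaaS row pass, the access point and VPN gateway are unpatched past their deadlines, and the spare laptop was patched 21 days after release. The spare laptop is the case that catches people out: it is fully patched on assessment day and still a breach.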

    Use free / community vulnerability scanners wisely

    There are mature, free or community tools (for example, OpenVAS/Greenbone Community or limited free editions from commercial scanners) that can:

    • Identify missing patches and unsafe configurations on Windows servers/workstations
    • Highlight outdated TLS configurations on internet-facing services

    Use them as internal pre‑flight checks before a CE+ audit, not as a one‑off annual fire drill.

    Key Takeaway
    The cheapest way to pass the 14‑day rule is ruthless standardisation and automation: one OS baseline, one browser, one patching process, and a visible register of all devices — including network kit.


    The Counter-Intuitive Lesson Most People Miss

    Most organisations trying to “fix Cyber Essentials for Microsoft 365” start by shopping for more tools. Yet the 2026 failure patterns tell a different story: incomplete inventories, weak processes, and mis‑scoped environments are what kill assessments, not a lack of technology.

    Common CE/CE+ failures around Microsoft 365 include:

    • Shadow SaaS that nobody added to scope (marketing email tools, HR portals, finance systems) where MFA is off
    • Contractors accessing M365 via personal devices that are never patched or managed
    • Admins using their privileged accounts for everyday work, despite having MFA
    • BYOD mobiles accessing email where there is no MDM or work profile separation

    All of these can exist in a tenant running expensive E5 licences with every advanced feature turned on — and will still fail under v3.3 because the scope and governance are wrong.

    The counter‑intuitive reality is that the biggest uplift comes from boring disciplines:

    • A single, trusted asset and SaaS register
    • A documented process that ensures any new cloud service is assessed, configured with MFA, and added to that register
    • A clear BYOD standard that either brings devices into scope via MDM/work profiles or prohibits their use for corporate data
    • Quarterly user access reviews for Microsoft 365 and key SaaS, removing stale and shared accounts

    None of this requires new security products. It does require time, ownership, and board‑level backing — which Cyber Essentials now reinforces via a stronger director declaration about continuous year‑round compliance.

    Pro Tip
    Before you buy anything, ask: “Can we, today, produce an accurate list of all users, devices, and cloud services that touch corporate data — and show that MFA and patching meet the 14‑day rule for all of them?” If the answer is no, that’s your first project.


    Operationalising Cyber Essentials Plus Readiness Without Enterprise Spend

    Cyber Essentials Plus adds hands‑on technical testing: vulnerability scans, device sampling, live MFA checks, safe malware downloads, and more. Under the tightened 2026 rules, failing CE+ can even lead to your basic Cyber Essentials certificate being revoked.

    You can get CE+‑ready around Microsoft 365 without a large consulting budget by structuring your effort.

    1. Use the free NCSC / IASME preparation assets

    • Download the latest Requirements for IT Infrastructure v3.3 and the current Question Set.
    • Run through the free Readiness Tool to create a gap‑analysis plan.
    • For SMEs, book a 30‑minute consultation with an NCSC‑assured Cyber Advisor; this is often highly targeted.

    2. Run an internal “mock CE+”

    With your infrastructure team:

    • Select a random sample of Windows devices from different locations and user types (not just the best‑managed ones).
    • Check: OS and browser patch level, Defender status, firewall, local admin rights, disk encryption.
    • Attempt to log into Microsoft 365 and other major SaaS as a standard user and as an admin — confirm MFA actually challenges every scenario.
    • Use a free or community vulnerability scanner to simulate the external and internal scans an assessor will perform.

    Document findings and remediation actions. CE+ assessors in 2026 are explicitly instructed to avoid “selective patching”, and may retest different random samples; you must fix systemic issues, not individual machines.
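    The per-device checks listed in the mock CE+ steps above (patch level, Defender, firewall, local admin rights, disk encryption), plus the host firewall checks from the secure configuration section, gathered into one object per sampled machine. This is an added example, not code from the article or from the scheme; run it elevated on each sampled Windows device and merge the CSVs afterwards. The 14-day patch window and the registry value for autorun are the ones the article and the Microsoft baselines describe; everything else is standard Windows tooling.

```powershell
# Added example (not from the article). Run elevated on each sampled device in
# Windows PowerShell 5.1 or PowerShell 7 on Windows.
function Get-CePlusDeviceEvidence {
    [CmdletBinding()]
    param([int] $PatchSlaDays = 14)

    $os = Get-CimInstance Win32_OperatingSystem

    # Get-HotFix only lists servicing-stack and cumulative updates, so use the most
    # recent install date as a proxy; confirm the OS build against the current release too.
    $lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $daysSincePatch = if ($lastFix) { ((Get-Date) - $lastFix.InstalledOn).Days } else { $null }

    $mp     = Get-MpComputerStatus
    $fw     = Get-NetFirewallProfile
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    $bde    = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

    # NoDriveTypeAutoRun = 255 (0xFF) disables autorun for every drive type; it is the baseline value.
    $autorun = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
                    -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        OS                  = "$($os.Caption) build $($os.BuildNumber)"
        LastUpdate          = $lastFix.HotFixID
        DaysSinceLastUpdate = $daysSincePatch
        PatchWindowOk       = ($null -ne $daysSincePatch -and $daysSincePatch -le $PatchSlaDays)
        DefenderRealtime    = $mp.RealTimeProtectionEnabled
        SignatureAgeDays    = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).Days
        FirewallAllProfiles = (@($fw | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0)   # Domain, Private and Public all on
        LocalAdmins         = ($admins -join '; ')                                            # should be the built-in Administrator plus IT admins only
        BitLockerProtected  = ($bde.ProtectionStatus -eq 'On')
        AutorunDisabled     = ($autorun -eq 255)
    }
}

$evidence = Get-CePlusDeviceEvidence
$evidence | Format-List

# One CSV per device; merge the sample later to spot systemic problems rather than one-offs.
$evidence | Export-Csv -Path "$env:TEMP\ce-evidence-$($env:COMPUTERNAME).csv" -NoTypeInformation
```

Any row where PatchWindowOk, DefenderRealtime, FirewallAllProfiles or BitLockerProtected is False, or where LocalAdmins contains an ordinary user, is a finding to fix across the fleet, not on that machine alone; the assessor may sample different devices on retest.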

    3. Address human risk with free training content

    The 2025/2026 Breaches Survey still shows phishing as the dominant entry vector, amplified by convincing AI‑generated content. Tooling helps, but Cyber Essentials expects you to:

    • Run regular awareness sessions on phishing, password safety, and MFA
    • Reinforce NCSC-aligned password guidance (“three random words” or long passphrases)
    • Promote the use of corporate password managers where available

    Free content from the NCSC, industry bodies, and some vendors is usually sufficient for SMEs; the cost is coordination and repetition, not licences.

    Mini‑Checklist – CE+ Preparation Around Microsoft 365

    • Run internal vulnerability scans and remediate high/critical issues within 14 days
    • Perform a device sampling exercise mirroring CE+ tests
    • Prove MFA enforcement for all cloud services in scope, not just Microsoft 365
    • Review and tighten admin practices (separate accounts, no shared creds)
    • Evidence user awareness activities over the last 12 months

    Key Terms: Mini‑Glossary

    • Cyber Essentials (CE) – A UK government‑backed baseline certification validating five core technical controls against common cyber threats.
    • Cyber Essentials Plus (CE+) – The higher tier of Cyber Essentials that adds independent technical testing, vulnerability scanning, and device sampling.
    • Microsoft 365 – Microsoft’s SaaS productivity suite (including Exchange Online, SharePoint, OneDrive, Teams) assessed as an in‑scope cloud service under CE.
    • Entra ID (Azure AD) – Microsoft’s cloud identity platform used to authenticate users into Microsoft 365 and other SaaS applications.
    • Multi‑Factor Authentication (MFA) – Authentication requiring at least two different factors (knowledge, possession, inherence) to verify a user.
    • Passkey / FIDO2 authenticator – A phishing‑resistant public‑key credential used for passwordless sign‑in; device‑bound on a FIDO2 security key, synced across a user's devices when stored as a platform passkey. Endorsed by the NCSC.
    • Microsoft Security Baselines – Pre‑defined collections of Microsoft‑recommended security settings for Windows and Microsoft 365 components.
    • Security Defaults – A free Entra ID configuration that enforces basic security protections, including tenant‑wide MFA and blocking legacy auth.
    • Shared Responsibility Model – Cloud security concept defining which controls are managed by the provider and which remain the customer’s duty.
    • Shadow IT / Shadow SaaS – Unauthorised or unmanaged cloud services adopted by users or departments outside central IT governance.

    FAQ

    Q1. Can a small organisation pass Cyber Essentials using only the free features in Microsoft 365?
    Generally yes, for identity and basic configuration — especially using Entra ID Security Defaults — but you still need processes for patching, asset management, SaaS discovery, and BYOD. Most failures are process and scope issues, not lack of paid features.

    Q2. Is SMS‑based MFA still acceptable under Cyber Essentials 2026?
    Yes, SMS one‑time codes are technically allowed, but they are recognised as the weakest method due to SIM‑swap and SS7 risks. Where possible, Cyber Essentials and the NCSC recommend app‑based TOTP, push approvals, or FIDO2/passkeys instead.

    Q3. How strict is the 14‑day patching rule in practice?
    Very strict. High‑risk or critical updates for operating systems, applications, and network device firmware must be applied within 14 days of release. Assessors are instructed to treat non‑compliance as an automatic failure, regardless of mitigating arguments.

    Q4. Do contractor and BYOD devices that only use browser access to Microsoft 365 still count as in scope?
    Yes. The 2026 guidance is explicit: any device accessing corporate data — even via VDI or browser‑only access — is in scope, unless that data is contained within a managed work profile or fully isolated environment.

    Q5. Does enabling MFA just on Microsoft 365 satisfy the new MFA requirement?
    No. Cyber Essentials now requires MFA on all cloud services where it is available — CRM, accounting, HR, marketing platforms, remote access portals, and so on. Leaving MFA off any supported service is an auto‑fail.

    Q6. How far do I need to go with passwordless to keep auditors happy?
    Passwordless is strongly encouraged but not mandatory. What is mandatory is strong password policy (length, no forced rotations, brute-force protection) and enforced MFA. Introducing passkeys for admins and high‑risk groups, however, is a high‑impact, future‑proof step.


    Conclusion: Turn Microsoft 365 into an Asset, Not a Liability

    Back to that failed CE+ report. The organisation didn’t lack tools — it lacked clarity, consistency, and coverage. After building a real asset register, enforcing MFA across all SaaS, standardising Windows baselines, and tightening patching around a 14‑day cadence, the second assessment passed with no drama. The only new spend was a handful of FIDO2 keys and a few days of focused engineering time.

    Microsoft 365 gives you a strong starting point, but Cyber Essentials 2026 demands more than a secure email tenant. It demands joined‑up identity, configuration, patching, and governance across your whole cloud and device estate.

    On a shoestring, the winning strategy is:

    • Maximise what you already pay for in Microsoft 365 and Windows
    • Add carefully chosen free or low‑cost tools where there are real gaps
    • Invest disproportionately in inventory, processes, and training

    Do that, and Cyber Essentials becomes less a compliance hurdle and more a pragmatic blueprint for resilient, affordable security in the Microsoft 365 era.
