The 2026 Cyber Essentials Hybrid Audit Checklist: Gathering Unassailable Proof Across M365, AWS, and Azure

“THE CERTIFICATE IS AT RISK,” THE ASSESSOR SAYS CALMLY
You’re halfway through a Cyber Essentials Plus retest. The first device sample has already failed patch checks once.
Now, under the new Danzell v3.3 rules, the assessor is pulling a fresh random sample across your Microsoft 365 estate, Azure VMs, and AWS consoles.
Miss the 14‑day update window again and your verified self‑assessment is revoked on the spot.
This is where most organisations discover the difference between “we think we’re compliant” and unassailable proof.
This article shows how to build that proof—systematically—across M365, AWS, and Azure for 2026 Cyber Essentials and Cyber Essentials Plus.
What you’ll learn
- The 2026 Landscape: How the Danzell v3.3 updates change Cyber Essentials and Cyber Essentials Plus expectations for cloud-heavy environments.
- Pragmatic Scoping: A scoping model that stands up to CE+ assessors across Microsoft 365, Azure, and AWS.
- Entra ID Evidence: Exactly what MFA, passwordless, and legacy-auth evidence auditors expect to see from Microsoft Entra ID.
- AWS Compliance: How to use IAM Credential Reports, AWS Config, SCPs, and AWS Artifact to prove AWS-side compliance.
- Hybrid Audit Checklist: A practical, reusable hybrid audit checklist to prepare evidence packs before your assessor even logs in.
- The Mindset Shift: The counter-intuitive mindset shift that separates “paper compliance” from durable security in a CE+ world.
Understanding the 2026 Cyber Essentials / CE+ Landscape
Cyber Essentials Danzell v3.3, live from 27 April 2026, turns MFA and patching into zero‑tolerance controls and formally drags all cloud services into scope.
For hybrid estates, that means Microsoft 365, Azure, AWS, and any SaaS that holds organisational data must be provably secured—not just verbally described.
CE+ then layers an independent technical test on top. Under the updated Test Specification, auditors validate your self‑assessment, sample devices and cloud resources, and require lifetime‑retained evidence of what they saw. There is no room for last‑minute, sample‑only fixes anymore.
Key Elements to Internalise
- Cloud services cannot be excluded: v3.3 defines cloud services as on‑demand, scalable, internet‑accessible services on shared infrastructure that store or process organisational data. That includes Microsoft 365, Azure PaaS, AWS control planes, CRM, ERP, HR SaaS, and RMM / EDR tools managed by MSPs.
- MFA on cloud is an auto‑fail control: If a cloud service supports MFA (even as a paid add‑on) and you haven’t implemented it, your Cyber Essentials assessment fails automatically.
- Critical updates within 14 days: Questions A6.4 and A6.5 require all high‑risk/critical vulnerability fixes—including OS, router/firewall firmware, and applications (including browser extensions)—to be applied within 14 days. Failure is an auto‑fail, regardless of performance elsewhere.
- Randomised re‑sampling in CE+: If your first device sample fails patching, assessors must re‑test both the original sample and a new random sample. A second failure revokes your verified self‑assessment certificate. Selective patching is dead.
🔑 Key Takeaway
Treat Cyber Essentials v3.3 as a continuous control system for all cloud services—backed by hard timelines and technical proof—rather than an annual, negotiable questionnaire.
Designing a Hybrid Scope That Won’t Break Under CE+ Scrutiny
A defensible audit starts with a defensible scope. Under Danzell v3.3, assessors expect clear articulation of what’s in, what’s out, and how boundaries are enforced—especially across multiple clouds.
At a minimum, your scope should be able to withstand four critical questions:
1. Which legal entities are in scope?
You must list all legal entities (names, addresses, company numbers) covered by the certificate. These appear on the public digital certificate and must align with your group structure.
2. Which networks and devices are in scope, and why?
Any internet-connected device that can initiate or accept connections, or control the data flow, is in scope unless you can prove technical segregation. VLANs, boundary firewalls, or SD‑WAN policies must prevent traffic between in‑scope and out‑of‑scope segments.
3. Which cloud services are in scope?
Build a canonical inventory of:
- Microsoft 365 tenants (including Entra ID, Exchange Online, SharePoint, Teams)
- Azure subscriptions and landing zones
- AWS accounts and organisations
- Other SaaS (CRM, HR, ticketing, remote access, RMM, EDR, backup, document management)
For each, record: owner, data types, user populations, MFA status, and whether third‑party admins exist.
4. How do third parties fit in?
- Devices owned by MSPs, contractors, and students are typically out of scope as endpoints, but connections from them must still enforce CE controls (especially MFA).
- Your organisation remains responsible for Cyber Essentials controls, so requirements should be embedded in contracts and SLAs, or you should require the MSP to hold its own CE/CE+ certificate.
📋 Mini-Checklist: Scope Artefacts CE+ Assessors Expect
- Written scope statement referencing all in‑scope legal entities
- Network diagrams showing segmentation and guest / student / contractor isolation
- Cloud service register (M365, Azure, AWS, other SaaS) with data classification and MFA status
- Documented exclusions with technical segregation rationale
- Contracts / SLAs embedding Cyber Essentials controls for MSPs and remote admins
Unassailable MFA and Passwordless Evidence in Microsoft 365 / Entra ID
For 2026 audits, MFA in Microsoft Entra ID is no longer “good practice”—it is a hard gate.
You must show that MFA (or approved passwordless methods) protects all administrative roles and all cloud‑accessible user accounts.
1. Prove Coverage of High‑Risk Roles
CISA’s SCuBA baseline highlights eight highly privileged Entra roles (Global Administrator, Privileged Role Administrator, User Administrator, Exchange / SharePoint / Application Admins, etc.).
For Cyber Essentials:
- Enforce MFA (or phishing‑resistant passwordless) on all of these.
- Use dedicated admin accounts without user licences—no personal mailbox on admin identities.
- Block legacy protocols that bypass MFA using Conditional Access client-app conditions (Exchange ActiveSync clients and Other clients -> Block access).
2. Show MFA Configuration and Active Use
Registration is not enough; CE+ assessors look for active usage:
A. Configuration Evidence
- Entra Portal: Navigating to Authentication methods > User registration details gives a reliable, UI‑based view of methods per user, including Microsoft Authenticator (in Outlook) for Authenticator Lite.
- Microsoft Graph PowerShell: For large tenants, script against Graph. Use Get-MgBetaReportAuthenticationMethodUserRegistrationDetail -All to export DefaultMfaMethod, MethodsRegistered, IsMfaCapable, IsSsprCapable, etc.
Note: Ensure all Graph modules match the Microsoft.Graph.Authentication module version to avoid cmdlet errors.
B. Usage Evidence
- Sign-in Logs: Entra interactive sign‑in logs retain MFA usage for 30 days. Filter for successful sign‑ins where Conditional Access enforced MFA or passwordless.
- Data Processing: Export the CSV, remove the duplicated "incoming token type" column, then ingest via PowerShell Import-Csv for aggregation.
3. Highlight Phishing-Resistant Methods
Cyber Essentials v3.3 strongly encourages passwordless. Show coverage of:
- FIDO2 security keys (USB/NFC hardware, asymmetric crypto, phishing-resistant)
- Windows Hello for Business (device-bound biometrics/PIN)
- Certificate-Based Authentication (CBA) with smartcards/PIV/CAC for regulated environments
- Passkeys on supported platforms
💡 Pro Tip: Evidence Pack for Entra MFA
- Screenshots of Conditional Access policies enforcing MFA/passwordless for:
- All users on cloud services
- High‑privilege roles with stricter conditions
- CSV export from Authentication Methods > User registration details with summary stats
- PowerShell report showing MFA-capable users vs total, by department / role
- 30‑day sign‑in analysis showing actual MFA prompts and passwordless sign‑ins
- Evidence of legacy auth blocks and “Report-only” test phase screenshots for new CA policies
Proving MFA and Credential Hygiene in AWS
AWS sits squarely in Cyber Essentials’ definition of a cloud service.
You must show that access to the AWS Management Console and APIs is governed by strong identity controls, especially MFA and key management.
1. Start with the IAM Credential Report
The IAM Credential Report is your primary snapshot of user credentials. It lists all IAM users (including the root account) and details:
- Password status and last use
- Access key presence, last used, and last rotated dates
For Cyber Essentials mapping, ensure:
- Root Account:
- MFA must be enabled
- No active access keys—any keys here are critical findings
- Console-Capable Users (password_enabled=true):
- Must have MFA configured
- Passwords unused for >90 days should be disabled or the account removed
- Access Keys:
- Keys older than ~90 days represent high risk and should be rotated
- Keys unused for ~90 days (or never used) likely breach least‑privilege and should be removed
⚠️ Crucial Note on Caching
Remember the 4‑hour cache on credential reports—they’re not real-time; don’t promise an auditor “instant” proof of a change based solely on a fresh export.
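As an added example (not code from the original article), here is a Python analyser that applies the checks above to an IAM Credential Report: root MFA and root access keys, MFA on console-capable users, stale passwords, and access-key age and idleness. The CSV is constructed and trimmed to the columns the checks use; the live-fetch helper assumes boto3 is installed and is not needed to run the sample.

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90   # rotate keys older than this
MAX_IDLE_DAYS = 90      # disable passwords / remove keys unused for longer than this
NO_DATE = {"N/A", "no_information", "not_supported", ""}  # placeholder values in the report

def _days_since(value, now):
    """Report timestamps are ISO-8601 UTC; placeholder values mean 'no date known'."""
    if value in NO_DATE:
        return None
    return (now - datetime.fromisoformat(value.replace("Z", "+00:00"))).days

def assess_credential_report(report_csv, now):
    """Map each credential-report row to (user, severity, finding) tuples."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append((user, "CRITICAL", "root account has no MFA"))
            for k in ("1", "2"):
                if row[f"access_key_{k}_active"] == "true":
                    findings.append((user, "CRITICAL", f"root account has active access key {k}"))
            continue
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                findings.append((user, "HIGH", "console user without MFA"))
            idle = _days_since(row["password_last_used"], now)
            if idle is not None and idle > MAX_IDLE_DAYS:
                findings.append((user, "MEDIUM", f"password unused for {idle} days"))
        for k in ("1", "2"):
            if row[f"access_key_{k}_active"] != "true":
                continue
            age = _days_since(row[f"access_key_{k}_last_rotated"], now)
            if age is not None and age > MAX_KEY_AGE_DAYS:
                findings.append((user, "HIGH", f"access key {k} is {age} days old; rotate"))
            last_used = _days_since(row[f"access_key_{k}_last_used_date"], now)
            if last_used is None or last_used > MAX_IDLE_DAYS:
                findings.append((user, "MEDIUM", f"access key {k} never used or idle >{MAX_IDLE_DAYS} days; remove"))
    return findings

def fetch_credential_report():
    """Live fetch via boto3 (assumed installed). GenerateCredentialReport is
    asynchronous; if a report under four hours old exists it returns COMPLETE
    immediately, which is the caching caveat noted above."""
    import time
    import boto3
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")

# Constructed sample, trimmed to the columns used above (a real report has more).
SAMPLE_REPORT = """user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,2026-03-01T08:00:00+00:00,false,true,2021-06-01T00:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2026-03-20T10:00:00+00:00,true,true,2026-02-10T00:00:00+00:00,2026-03-21T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2025-10-01T00:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,N/A,false,true,2025-11-01T00:00:00+00:00,2026-03-22T00:00:00+00:00,true,2024-01-01T00:00:00+00:00,N/A
"""
NOW = datetime(2026, 3, 23, 12, 0, tzinfo=timezone.utc)  # fixed "now" so results are reproducible

def run_sample():
    return assess_credential_report(SAMPLE_REPORT, NOW)

if __name__ == "__main__":
    for user, severity, text in run_sample():
        print(f"{severity:8} {user:16} {text}")
```

The same function can be dropped into the monthly Lambda described later in the article, with the findings list feeding an SNS or Slack notification.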
2. Move from Ad-Hoc Checks to Continuous Monitoring
To avoid scrambling before CE+:
- Use AWS Config managed rule iam-user-mfa-enabled to continuously evaluate whether IAM users have MFA.
- Configure:
- A Configuration Recorder to track changes
- A Delivery Channel to push snapshots and notifications into S3 / SNS
- When Config marks a user non‑compliant, trigger a Lambda function to notify security (e.g., via SNS or Slack) or even auto‑remediate.
For large accounts, avoid Lambda timeouts by:
- Using an “orchestrator” Lambda to dump user lists to S3
- Splitting into smaller chunks and processing via multiple consumer Lambdas in parallel.
3. Proactive Enforcement with SCPs
Within AWS Organizations:
- Apply Service Control Policies (SCPs) that deny sensitive actions unless aws:MultiFactorAuthPresent is true.
- Note limitation: SCPs do not apply to the organisation management (root) account, so you still need strong direct controls there.
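As an added example (not from the article or from AWS), the SCP shape the bullet above describes, plus a small evaluator modelling how the two condition operators treat a request in which aws:MultiFactorAuthPresent is absent, which is the case for requests signed with long-term access keys. The action list is illustrative.

```python
import json

# Illustrative list of actions to gate behind MFA; tailor to your own estate.
SENSITIVE_ACTIONS = ["iam:*", "organizations:*", "ec2:TerminateInstances", "s3:DeleteBucket"]

def mfa_deny_scp(operator="BoolIfExists"):
    """SCP that denies SENSITIVE_ACTIONS unless the MFA context key is true.
    BoolIfExists is the operator AWS documents for this key in Deny statements:
    the key is absent (not false) on requests signed with long-term access keys,
    and a plain Bool test never matches an absent key."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySensitiveActionsWithoutMFA",
            "Effect": "Deny",
            "Action": SENSITIVE_ACTIONS,
            "Resource": "*",
            "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }

def condition_matches(operator, expected, context, key):
    """Minimal model of the two IAM condition operators used here."""
    if operator == "Bool":
        return key in context and str(context[key]).lower() == expected
    if operator == "BoolIfExists":
        return key not in context or str(context[key]).lower() == expected
    raise ValueError(f"operator {operator} not modelled")

def deny_applies(scp, context):
    """True when the policy's Deny statement matches a request with this context."""
    stmt = scp["Statement"][0]
    (operator, cond), = stmt["Condition"].items()
    (key, expected), = cond.items()
    return stmt["Effect"] == "Deny" and condition_matches(operator, expected, context, key)

# Constructed request contexts: the first two come from console/STS sessions,
# the third from a long-term access key, where the MFA key is simply absent.
REQUEST_CONTEXTS = {
    "console_with_mfa": {"aws:MultiFactorAuthPresent": "true"},
    "console_without_mfa": {"aws:MultiFactorAuthPresent": "false"},
    "long_term_access_key": {},
}

def compare_operators():
    """Which requests each operator's Deny blocks; the access-key row is the trap."""
    return {name: {op: deny_applies(mfa_deny_scp(op), ctx) for op in ("Bool", "BoolIfExists")}
            for name, ctx in REQUEST_CONTEXTS.items()}

if __name__ == "__main__":
    print(json.dumps(mfa_deny_scp(), indent=2))
    for name, result in compare_operators().items():
        print(f"{name:22} denied with Bool={result['Bool']!s:5} BoolIfExists={result['BoolIfExists']}")
```

With BoolIfExists the Deny also covers callers using long-term access keys for the listed actions, which is the intended effect when those actions should only run from MFA-backed sessions.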
4. Third-Party Assurance via AWS Artifact
If your auditor asks, “How do you know AWS themselves are secure?”:
- Use AWS Artifact in the console to download AWS’s Cyber Essentials Plus certificate and other ISO/CSA attestations.
- This supports your shared-responsibility story: AWS secures the infrastructure; you secure identity, configuration, and data.
🔑 Key Takeaway: AWS Proof Stack
For AWS, your unassailable proof stack is:
IAM Credential Report + AWS Config iam-user-mfa-enabled + SCP policies + AWS Artifact documentation.
Azure & Infrastructure: Conditional Access, Legacy Auth, and Patch Discipline
Microsoft 365 and Azure share Entra ID, so many controls overlap—but Cyber Essentials expects those controls to be applied consistently across all Azure workloads and endpoints.
1. Conditional Access Done Safely
Key expectations:
- Modern conditions over Trusted IPs: Legacy Trusted IPs are limited and IPv4‑centric. Use Conditional Access location conditions instead; they support IPv6 and behave correctly behind NPS extensions.
- Block legacy authentication: Implement a tenant‑wide CA policy targeting legacy client apps (Exchange ActiveSync clients and Other clients) with Block access.
- Roll out safely: Start CA policies in Report-only mode. Use the “What If” tool and CA insights reports to validate impact before switching to “On”.
2. Patch Management Aligned to 14-Day SLA
CE v3.3’s 14‑day requirement applies equally to:
- Azure VMs (Windows and Linux)
- On‑prem Windows clients and servers
- Network devices (firewalls, routers, VPNs)
- Applications and browser extensions
Practically:
- Use Microsoft’s update tools (Intune, Azure Update Management, Configuration Manager) to enforce deadlines within 14 days for critical / high‑risk fixes.
- Produce:
- Compliance reports per update ring
- Evidence that unsupported OS versions are either decommissioned or isolated
- For BYOD devices that access work data, enforce:
- Supported OS
- Security updates within 14 days
- Local firewall enabled
- Screen lock with ≥6‑digit PIN or biometric
- No jailbreak/root
🛡️ Mini-Checklist: Azure & Endpoint Hardening
- CA policy blocking legacy authentication globally
- Location-based CA using named locations, not legacy Trusted IPs
- Patch compliance dashboard showing critical updates within 14 days across Azure and on‑prem
- BYOD policy + MDM profiles enforcing CE controls on devices accessing work data
- Documentation of any legacy/unsupported systems and their technical isolation
Building a Reusable Hybrid Audit Checklist and Evidence Pack
With v3.3, last‑minute “screenshot everything” marathons are risky and inefficient.
Instead, treat your Cyber Essentials evidence as a living artefact.
1. Build a Control-to-Evidence Matrix
Create a matrix with columns:
- Control / Question ID (e.g., A6.4, A6.5, user access controls)
- Platform (M365/Entra, Azure, AWS, other SaaS)
- Owner
- Control implementation summary
- Evidence source (report path, script, screenshot, log location)
- Update cadence
Populate it as follows:
- MFA on cloud services:
- M365/Entra: CA policies, registration reports, sign‑in logs
- AWS: Credential Report, Config rule, SCPs
- Other SaaS: vendor config screenshots showing MFA requirement for all users
- Patch management:
- Endpoint and server compliance reports
- Change records for firmware updates on firewalls/routers
- Network boundary:
- Firewall rulesets
- Network diagrams with guest / student / contractor segmentation
Visual Reference: Control-to-Evidence Matrix
| Control / Question ID | Platform | Owner | Control Implementation Summary | Evidence Source | Update Cadence |
|---|---|---|---|---|---|
| MFA on Cloud Services | M365/Entra | Identity Team | Enforce MFA for all cloud-accessible accounts | CA policies, registration reports, sign‑in logs | Monthly |
| MFA on Cloud Services | AWS | Cloud Security | Enforce console & API MFA, secure root | Credential Report, Config rule, SCPs | Monthly |
| MFA on Cloud Services | Other SaaS | App Owners | Enforce MFA for all SaaS users | Vendor config screenshots | Quarterly |
| Patch Management | Azure / Endpoints | IT Ops | Apply critical updates within 14 days | Endpoint & server compliance reports | Continuous (14-day SLA) |
| Patch Management | Network Devices | Network Team | Apply firmware updates within 14 days | Change records for firewalls/routers | Continuous (14-day SLA) |
| Network Boundary | Network | Network Team | Segregate guest, student, contractor traffic | Firewall rulesets, network diagrams | Annual / On Change |
2. Standardise Report Generation
For each platform, define scripts or UI paths:
- Microsoft 365 / Entra
- PowerShell scripts for authentication methods and privileged roles
- Screenshots from Entra portal (CA policies, MFA registration dashboard)
- AWS
- CLI commands to generate and retrieve IAM Credential Reports
- AWS Config compliance summaries, particularly for iam-user-mfa-enabled and other relevant managed rules
- AWS Artifact downloads of CE+ and ISO certificates
- Azure / endpoints
- Update compliance and Intune reports
- Policy definitions for BitLocker, firewalls, and endpoint protection
Store all outputs in a versioned evidence repository (e.g., SharePoint library or S3 bucket with lifecycle policies), tagged by date and control.
3. Automate Where It Genuinely Pays Off
Automation is valuable when:
- The underlying service offers stable APIs (Microsoft Graph, AWS SDKs, Azure Resource Graph)
- You need trend data (e.g., monthly drift analysis of IAM key age or MFA coverage)
- Manual generation is error‑prone or time‑consuming
Examples:
- Lambda scheduled monthly to:
- Generate IAM Credential Report
- Parse it for key age, root MFA, console MFA
- Notify deviations via SNS / Slack
- PowerShell runbooks to:
- Export Entra authentication method registration
- Compare against previous month to detect regression
- Azure Automation to:
- Generate patch compliance reports and push them to a central evidence share.
🔑 Key Takeaway: Evidence Strategy
Build a single, cross‑cloud evidence pack that maps directly to CE/CE+ controls and is refreshed on a defined cadence. Your CE+ audit should feel like replaying a rehearsed runbook, not improvising under pressure.
The Counter-Intuitive Lesson Most People Miss
The most dangerous misconception in 2026 is treating Cyber Essentials as a risk management framework rather than a hard-edged technical baseline.
Cyber Essentials:
- Does not replace ISO 27001, NIST CSF, or broader governance frameworks.
- Focuses on five families of controls—firewalls, secure configuration, user access control, malware protection, and patch management—at a technical level.
- Has evolved into a regime of automatic failures (MFA absence, 14‑day patch breaches) rather than broad, interpretive questions.
Two major consequences flow from this:
Consequence 1: Supply chain and MSPs remain your problem
Because CE is a technical scheme, it does not magically extend itself into your contracts. If your MSP manages your M365 or firewall, you are still accountable for MFA, patching, and configuration. Unless your contracts make Cyber Essentials compliance mandatory, you carry the risk.
Consequence 2: Directors now sign for continuous compliance
The v3.3 declaration explicitly states that board‑level signatories accept responsibility to maintain controls throughout the certification period—not just on the audit day. From a governance standpoint, CE is now a board‑level promise of continuous operation, not an IT department trophy.
Organisations that internalise this shift stop viewing CE as a “badge” and start using it as a forcing function to close stubborn gaps:
- That one legacy VPN without MFA
- That forgotten SaaS billing portal
- Those rarely‑used admin accounts still exempt from strong auth
Key Terms Mini-Glossary
- Cyber Essentials: A UK government-backed technical control scheme defining baseline safeguards against common internet-borne threats across five control areas.
- Cyber Essentials Plus (CE+): The higher tier of Cyber Essentials that adds independent hands-on technical testing and sampling to verify that controls are actually implemented.
- Danzell v3.3: The 2026 “Requirements for IT Infrastructure” release that tightens scope, mandates MFA on all cloud services, and enforces 14‑day patching of critical vulnerabilities.
- Microsoft Entra ID: Microsoft’s cloud identity platform (formerly Azure AD) used to authenticate users to Microsoft 365, Azure, and SaaS applications.
- Conditional Access: Entra ID’s policy engine that enforces controls like MFA, device compliance, and location restrictions before granting access to apps.
- Multi-Factor Authentication (MFA): Authentication requiring at least two factors from the categories “something you know,” “something you have,” or “something you are.”
- Passwordless Authentication: Identity verification that does not use shared secrets like passwords, instead leveraging biometrics, FIDO2 keys, or device‑bound cryptographic credentials.
- AWS Artifact: A self-service portal in the AWS Management Console providing on-demand access to AWS compliance reports and certifications, including Cyber Essentials Plus.
- AWS Config: A native AWS service that records and evaluates configuration states of AWS resources against managed or custom compliance rules.
- IAM Credential Report: A CSV snapshot from AWS IAM listing all users, their password status, MFA, and access key states for audit and remediation.
- Service Control Policy (SCP): An AWS Organizations policy type that defines maximum permissions, often used to enforce conditions such as “deny actions if MFA is not present.”
FAQ
Q1: Does Cyber Essentials really require MFA on every cloud service?
Answer:
Yes. Under Danzell v3.3, if a cloud service offers MFA—whether free or as a paid upgrade—and you have not enabled it for relevant users, the assessment is marked as an automatic failure. This explicitly includes Microsoft 365, Azure, AWS, and line-of-business SaaS platforms.
Q2: How much Cyber Essentials evidence needs to come from screenshots vs reports?
Answer:
Assessors generally prefer system-generated reports for scalable proofs (e.g., MFA coverage, patch compliance) and screenshots for configuration items that are difficult to export (e.g., specific Conditional Access settings). A strong evidence pack usually combines both: structured exports for breadth, and targeted screenshots for depth.
Q3: Is blocking legacy authentication in Microsoft 365 mandatory for Cyber Essentials?
Answer:
While the scheme does not name individual protocols, the intent is clear: accounts accessible from the internet must be strongly authenticated and protected from brute-force attacks. CISA and Microsoft both recommend blocking legacy authentication via Conditional Access because these protocols cannot enforce MFA and are a major attack vector.
Q4: Do contractor or MSP devices need to be in scope for CE+?
Answer:
Typically no, as physical endpoints owned by third parties are considered out of scope. However, connections from those devices must comply with Cyber Essentials controls (for example, admin logins must still use MFA). You remain responsible for ensuring this via contracts, SLAs, or by requiring the provider to hold their own Cyber Essentials certification.
Q5: How do CE+ device re-sampling rules affect cloud-heavy organisations?
Answer:
The new CE+ approach—retesting both the original failed sample and a new random sample—applies conceptually to cloud as well as endpoints. If your first sample of, say, Entra admin accounts shows gaps in MFA or patching on admin workstations, you should expect deeper probing. Organisations must demonstrate that fixes are estate-wide, not just on a handful of audited devices.
Q6: Is passwordless authentication enough on its own to satisfy MFA requirements?
Answer:
Yes, if it is implemented using recognised multi‑factor, phishing‑resistant mechanisms such as FIDO2 keys, Windows Hello for Business, or device‑bound passkeys. Cyber Essentials and NCSC explicitly acknowledge that these methods provide multi-factor protection without a password, and they are actively encouraged in v3.3.
Q7: How often should we regenerate our AWS IAM Credential Report for CE readiness?
Answer:
Credential reports are cached for four hours, so they’re not real-time. In practice, running them monthly for drift analysis, plus on demand before major audits or change windows, strikes a good balance. For continuous posture management, pair periodic reports with AWS Config rules and SCPs.
Conclusion
Back in the assessment room, the second device sample completes.
This time, the patch levels are clean, MFA is enforced across Entra ID and AWS, legacy auth is blocked, and your evidence pack aligns perfectly with each Cyber Essentials control.
The assessor’s questions turn from probing to procedural. The certificate is safe—not because you were lucky with the sample, but because your controls are real and your proof is ready.
That is the heart of Cyber Essentials and Cyber Essentials Plus in 2026:
- Scope honestly across Microsoft 365, Azure, AWS, and every SaaS that matters.
- Enforce MFA and passwordless everywhere the scheme demands it—and be able to prove both configuration and usage.
- Meet the 14‑day vulnerability fix window with automated patching and credible reports.
- Industrialise your evidence, turning ad‑hoc screenshots into a reusable, cross‑cloud audit pack.
Do that, and your next hybrid audit becomes less about surviving the day and more about demonstrating that your organisation’s security posture is exactly what your board and your customers believe it to be.


