Essential Eight Compliance
🔐 Optional Feature — This feature is available for organizations with governance and compliance requirements. Essential Eight is not enabled by default; your organization must grant the necessary Azure permissions to activate it.
Overview
Cloud Ctrl's Essential Eight Compliance feature automatically audits your Azure environment against the Australian Essential Eight Mitigations — the security controls mandated for Australian Government agencies and increasingly required for government suppliers.
The Essential Eight are 8 security controls defined by the Australian Cyber Security Centre (ACSC):
- Application Control — Restrict which applications can execute
- Application Patching — Keep applications up to date
- Macro Hardening — Harden Microsoft Office macro security
- User Application Hardening — Harden browsers and application settings
- Restrict Administrative Privileges — Limit admin access to what's necessary
- Patch Operating Systems — Keep operating systems up to date
- Multi-Factor Authentication — Enforce MFA for all users
- Daily Backups — Maintain regular, protected backups
How Cloud Ctrl Scores Your Compliance
Cloud Ctrl collects signals directly from your Azure environment and scores each control against the ACSC Maturity Model:
| Level | Meaning |
|---|---|
| ML0 | Not Implemented |
| ML1 | Partially Implemented |
| ML2 | Largely Implemented |
| ML3 | Fully Implemented |
Each control also shows a Confidence Score (0–100%) indicating how much of the assessment is based on automatically observable signals vs. manual attestation.
Automatically Audited Controls
Cloud Ctrl automatically collects and scores the following controls from your Azure environment:
| Control | What Cloud Ctrl Checks |
|---|---|
| Restrict Admin Privileges | Standing Global Admins, PIM-eligible assignments |
| Patch Operating Systems | OS patch compliance rate, end-of-life system detection |
| Multi-Factor Authentication | Conditional Access policy coverage, MFA registration rate, legacy auth blocking |
| Daily Backups | Recovery Services vault coverage, backup immutability |
Controls Requiring Attestation
The remaining controls (Application Control, Application Patching, Macro Hardening, User Application Hardening) cannot be fully observed from the cloud API and require a manual attestation from your team. See Attestations below.
Getting Started
Prerequisites
You must be an Azure Tenant Administrator with permission to grant API permissions.
Step 1: Grant Azure Permissions
Cloud Ctrl needs read-only access to compliance signals in your Azure environment. Follow Step 7 of the Azure App Registration guide for step-by-step instructions.
Permissions required:
- Microsoft Graph:
Policy.Read.All,UserAuthenticationMethod.Read.All,AuditLog.Read.All,RoleManagement.Read.Directory,Directory.Read.All - Azure Subscriptions: Reader role on each subscription you want to assess
Step 2: Trigger Your First Assessment
- In Cloud Ctrl, go to Compliance → Standards
- Select Essential Eight
- Click Recalculate to run an immediate assessment
- Results appear within 1–2 minutes
Viewing Your Results
The Essential Eight dashboard shows:
- Maturity Level (ML0–ML3) for each control — colour-coded for quick status
- Confidence Score — how much of the assessment is based on observable signals
- Signals — individual compliance checks with remediation guidance
- Audit Trail — full history of assessments with timestamps
Example
Control: Multi-Factor Authentication
├─ Maturity Level: ML2 (Largely Implemented)
├─ Confidence Score: 92%
└─ Signals:
✅ MFA enforced for all users (CA policy covers 100%)
✅ 87% of users registered for MFA
✅ Legacy authentication blocked
⚠️ Phish-resistant MFA not detected — manual attestation needed
Recommendation: Enable Windows Hello or FIDO2 devices
Generating Compliance Statements for RFPs
Cloud Ctrl produces auditable compliance statements for government tenders and RFPs:
- Go to Compliance → Essential Eight
- Click Export Statement
- The statement includes:
- Compliance maturity per control
- Evidence snapshot (signals at the time of assessment)
- Audit trail (assessor, timestamp, prior versions)
- Disclaimer noting manual attestations and assessment date
Use this when responding to government RFPs, tenders, compliance audits, or regulatory submissions.
Attestations
For controls that cannot be automatically assessed, you can record a manual attestation:
- Go to Compliance → Essential Eight → select the control
- Click Attest
- Enter:
- Statement — e.g. "Our organisation enforces macro security via GPO and Microsoft 365 threat policies"
- Authorised by — your name and role
- Effective date — when this attestation came into effect
- Click Save
Attestations are:
- Immutable — preserved in the audit trail once saved
- Time-bound — can be set to expire so your team reviews them periodically
- Named — authorised by a specific individual for audit accountability
Scheduled Assessments
Cloud Ctrl automatically re-runs Essential Eight assessments on a regular schedule, keeping your compliance posture current without manual effort. Click Recalculate at any time to trigger an immediate assessment.
Troubleshooting
Dashboard shows "Unknown" for all signals
Cause: Cloud Ctrl doesn't have permission to read your Azure environment.
Fix:
- Verify Azure permissions were granted — see Azure Setup Guide
- Wait 5–10 minutes for permissions to propagate in Azure
- Click Recalculate
401 Unauthorized errors
See the Azure Setup Troubleshooting section.
Maturity level shows ML0 for all controls
If signals are being collected but scores are still ML0, check whether the relevant Azure resources are actually configured in your environment (e.g. Conditional Access policies for MFA, Recovery Services vaults for backups). Cloud Ctrl scores based on what is observable — if a control has not been implemented, ML0 is the correct result.
What Cloud Ctrl Cannot Access
All access is read-only. Cloud Ctrl has no access to:
- User data or workload contents
- Application code or databases
- Passwords, secrets, or credentials
- Any write or delete operations
All read access is logged in your Azure Activity Log and auditable at any time.
Resources
- Azure App Registration Guide — Step-by-step permission configuration
- ACSC Essential Eight Maturity Model — Official ACSC documentation
Support
If you encounter issues:
- Check the Troubleshooting section above
- Review the Azure Setup Guide
- Contact support with your Tenant ID, Subscription IDs, and a screenshot of the compliance dashboard