November 2023 ASD Maturity Model: What Still Catches SMEs
The eight controls did not change — but ML2 got harder. What the November 2023 update tightened for Microsoft 365 and Google Workspace, and why old self-assessments go stale.
Your cyber insurer asks for Essentials ML2 evidence that reflects your current configuration. You dig out the self-assessment spreadsheet your IT lead completed in 2022 — or the consultant PDF from before the pandemic-era remote-work rush — and discover the numbers no longer match what Conditional Access and Intune actually show today.
That gap is common, and it is not always because your security got worse. In November 2023, ASD tightened the Essential Eight Maturity Model without changing the eight mitigation strategies themselves. Organisations that have not re-scored against the current criteria often overstate their maturity.
This guide explains what shifted, how it shows up in Microsoft 365 and Google Workspace tenants, and why a one-off checklist from the pre-2023 era is a risky answer to a 2026 insurer or tender question.
What did not change
The eight strategies are the same names Australian boards and procurement panels already recognise:
- Application control
- Patch applications
- Configure Office macros
- User application hardening
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication
- Regular backups
If you implemented MFA for all users, limited Global Admin count, and enrolled devices in Intune, that work still counts. ASD has been clear through the ongoing Essentials series consultation that existing Essential Eight investment should not be made redundant.
What changed is how strictly each maturity level is interpreted — especially ML2, which is increasingly treated as the practical baseline for insurers, government suppliers, and organisations aligning with Australia's 2023–2030 Cyber Security Strategy as it enters Horizon 2 (2026–2028).
What tightened in November 2023
Four areas moved the goalposts for organisations targeting ML2:
1. Privileged accounts and internet access
Administrative accounts should not browse the web or read email from the same identity used to manage the tenant. In Microsoft 365, that means separate admin accounts, no CA exclusions that let Global Admins skip MFA "for convenience," and sign-in patterns that show admin identities used only for admin tasks.
Many SMEs still run day-to-day IT from a Global Administrator account. That was always poor practice; under the November 2023 model it is an explicit ML2 gap.
2. Phishing-resistant MFA pushed into ML2
SMS and voice OTP alone are increasingly insufficient at ML2. Conditional Access policies that require Microsoft Authenticator app approval, FIDO2 keys, or certificate-based auth score higher than "MFA enabled but only via SMS."
Google Workspace tenants face the same intent via enforced 2-Step Verification and security key policies — though API visibility into enforcement versus registration varies by control.
3. Hardening of administrative infrastructure
It is not enough to "have fewer admins." ML2 expects evidence that privileged access is structured: PIM or equivalent just-in-time elevation, separate admin workstations or jump paths where feasible, and audit trails for role assignments.
A standing Global Administrator who has held the role for three years without review is a common finding — even in otherwise well-run tenants.
4. Incident response planning
The November 2023 model strengthened incident-response planning expectations alongside technical controls — not just configuration checks. Spreadsheet self-assessments often skip this entirely because it feels "non-technical," then insurers or assessors ask for it anyway.
Cloud-specific examples that trip up SMEs
| Scenario | Why pre-2023 checklists miss it |
|---|---|
| Conditional Access policy exists but excludes the IT admin group | MFA strategy looks green on paper; enforcement has a hole |
| Intune compliance policy exists but 30% of devices are non-compliant | Patch OS / application control scored at policy level, not device level |
| One new Global Admin added during a vendor onboarding | Restrict admin privileges drifts without anyone updating the spreadsheet |
| M365 backup licensed but retention shortened after a cost review | Regular backups strategy drops when configuration changes |
Each of these is a configuration change, not a failed project. That is why point-in-time assessments expire — and why configuration drift between audits is the silent killer of ML2 claims.
The weakest-link rule still applies
Overall Essentials maturity is the lowest level across all eight strategies. ML2 on seven controls and ML1 on one is overall ML1.
The November 2023 tightening did not add a ninth control — it made it easier for a single weak area (usually MFA enforcement or privileged access) to pull the entire organisation down a level. Assessors and automated scoring both apply the same cumulative rule documented in the ASD assessment process guide.
Why your old self-assessment is probably stale
Three reasons organisations discover a gap only when the insurer calls:
-
The maturity model revision was not re-run. Honest assessments should state which ASD maturity model version they were measured against. A 2021 self-assessment cannot honestly claim ML2 under November 2023 criteria without re-scoring.
-
Cloud configuration drifted since the last review. New admins, relaxed CA policies, and device compliance slippage happen in normal IT operations — not during attacks.
-
ML2 became the commercial baseline. What was "good enough" for a board update in 2020 is now the minimum insurers and government panels expect — with current evidence, not historical intent.
If you are unsure which revision your last assessment used, assume it is stale until you re-scan against the current model.
What to do next
- Re-score against the November 2023 maturity model using read-only API evidence from your tenant — not a copy-paste from an old spreadsheet.
- Identify the weakest control and prioritise remediation there first (weakest-link rule).
- Plan for continuous re-assessment if insurers or customers require recent evidence — one PDF per year is not enough.
Aegis Eight scores all eight strategies against ML0–ML3 via read-only Microsoft Graph or Google Admin SDK access. The free assessment produces one PDF per tenant with no credit card. Subscription adds daily re-scans and change-triggered alerts when something material shifts.
Related reading
- Essential Eight Maturity Levels Explained — what ML0–ML3 mean for cloud tenants
- ASD Opens Consultation on the Essentials Series — what is coming after Essential Eight
- Five Common Essentials Drifts in Microsoft 365 Tenants — configuration changes that drop maturity overnight
- IRAP-Style Evidence for Microsoft 365 Essentials — what assessors expect from timestamped proof
Next steps
- Start a free Essentials scan — see your ML0–ML3 levels against the current model in minutes
- Download a sample report — redacted PDF example
- Compare plans — continuous monitoring from A$59/month or A$590/year
Questions? Email [email protected].