Five Common Essentials Drifts in Microsoft 365 Tenants
Typical configuration changes that can drop Essentials maturity between assessments — new Global Admins, MFA regressions, device compliance gaps, backup policy drift, and standing privilege.
You passed the Essentials assessment in March. By June, your insurer asks for updated ML2 evidence and the numbers do not match — not because you were breached, but because someone changed a setting during normal IT work.
Configuration drift is silent. Conditional Access does not email you when a policy is disabled. Intune does not page anyone when devices stop patching. A new Global Administrator can be created in under a minute and remain invisible until the next manual review.
These five scenarios are common in Microsoft 365 tenants assessed against ASD Essentials — patterns that change-detection tooling and manual reviews regularly surface. Each shows what happened, which strategy drops, why auditors and insurers care, and how to catch it early.
How drift interacts with the weakest-link rule
Overall Essentials maturity is the lowest level across all eight strategies. One control slipping from ML2 to ML1 drops your entire claimed level to ML1 — even if everything else still looks fine.
Drift is the most common reason organisations "had ML2 last quarter" but cannot prove it today.
1. New Global Administrator without MFA (or with a CA exclusion)
What happened: A vendor onboarding, emergency break-glass, or new hire required admin access. Someone assigned the Global Administrator role to a user account that does not have phishing-resistant MFA enforced — or added that account to a Conditional Access exclusion group "temporarily."
Strategies affected: Restrict administrative privileges · Multi-factor authentication
Why it matters: Global Admins can change every control in the tenant, including CA policies and MFA settings. A single unprotected admin account is the highest-value target in M365. Under the November 2023 maturity model, privileged accounts without proper MFA and separation fail ML2 on both strategies.
Detect early: Alert on any new Global Administrator role assignment. Re-scan MFA enforcement for all privileged roles daily — not just at audit time.
2. Conditional Access policy disabled or scoped narrower
What happened: A CA policy blocked a executive's legacy app during a board meeting. IT disabled the policy "for now" — or narrowed the user scope to exclude the IT team — and never restored full enforcement.
Strategy affected: Multi-factor authentication
Why it matters: Insurers and assessors ask whether MFA is enforced, not whether users have registered for MFA. Registration without enforcement is a common ML1/ML2 gap. A disabled policy can drop hundreds of users out of MFA coverage overnight while the admin portal still shows "MFA enabled" at the tenant level.
Detect early: Compare CA policy state and assignment scope on each scan. Flag any policy that moved from enabled to disabled, or any reduction in included users/groups.
3. Intune device falls out of compliance or misses patch window
What happened: A laptop skipped updates during travel. A compliance policy was tightened but 25% of enrolled devices now show non-compliant. A pilot group was removed from the patch ring and never added back.
Strategies affected: Patch operating systems · Application control (where compliance gates app deployment)
Why it matters: ML2 expects consistent patch cadence on managed endpoints — not just that a policy document exists. One non-compliant CEO laptop with local admin rights can be the entry point assessors focus on. Device-level drift is invisible in tenant-wide policy reviews.
Detect early: Track device compliance rate and OS version distribution scan-over-scan. Alert when compliance percentage drops or when high-privilege users appear on non-compliant devices.
4. Backup retention shortened or M365 backup coverage reduced
What happened: Finance reviewed Microsoft licensing costs and downgraded backup retention from 365 days to 30. A SharePoint site collection was excluded from backup scope during a migration. A third-party backup trial ended and nothing replaced it.
Strategy affected: Regular backups
Why it matters: Regular backups is often the weakest strategy in cloud-first SMEs — not because backups never existed, but because retention and scope erode quietly. Ransomware recovery and IRAP-style business continuity questions assume you can prove restorable copies exist at the required retention window.
Detect early: Re-check backup policy configuration and licensed backup SKUs on each scan. Compare retention settings against your documented RPO/RTO commitments.
5. Standing admin restored after a PIM trial ends
What happened: The organisation piloted Privileged Identity Management (PIM) for Global Administrator — eligible roles, activation approvals, time-bound access. The pilot ended, licensing was not renewed, or someone converted eligible assignments back to active (standing) privilege "because PIM was too slow."
Strategy affected: Restrict administrative privileges
Why it matters: ML2 expects privileged access to be limited, monitored, and not permanently assigned without justification. Standing Global Admins who have held active roles for months fail the intent of restrict administrative privileges even if the count of admins looks acceptable.
Detect early: Distinguish active vs eligible admin role assignments on each scan. Alert when a role moves from eligible (PIM) to active, or when PIM activation logging disappears.
Google Workspace: same drift classes, different visibility
The drift patterns above apply equally to Google Workspace tenants — new Super Admin assignments, 2SV enforcement gaps, Chrome policy slippage, Vault retention changes. API visibility differs: some desktop and hybrid signals return no visibility rather than a guessed score.
See Google Workspace permissions for an honest breakdown of what Aegis Eight can observe via Admin SDK versus what still requires manual evidence.
Why point-in-time PDFs expire
Each scenario above is a normal IT change, not a security incident. Spreadsheet assessments and annual consultant PDFs capture posture on one day. Drift happens on every other day.
Continuous monitoring — daily re-scans with email alerts only when something material changes — closes the gap between "we were ML2 in March" and "we can prove ML2 today."
For IRAP prep and insurer renewals, assessors and questionnaires increasingly ask for recent evidence — which is incompatible with annual review cadences unless something re-scores the tenant automatically.
Related reading
- Essential Eight Maturity Levels Explained — ML0–ML3 and the weakest-link rule
- November 2023 ASD Maturity Model: What Still Catches SMEs — why the scoring bar moved
- IRAP-Style Evidence for Microsoft 365 Essentials — timestamped proof assessors expect
- ASD Opens Consultation on the Essentials Series — framework evolution through 2027
Next steps
- Start a free Essentials scan — see current ML0–ML3 levels and drift risk areas in minutes
- Download a sample report — redacted PDF example
- Compare plans — daily drift scans and change-triggered alerts from A$59/month or A$590/year
Questions? Email [email protected].