
Field note

Cyber Essentials v3.3: Cloud Services Scope for Microsoft 365 Teams

Scope problems usually start as ownership problems. If nobody can clearly say which Microsoft 365 services matter, who runs them, and how they are governed, the security conversation drifts fast.

Published: 20 Apr 2026

Updated: 3 weeks ago

Read time: 3 min · 614 words

Author: Gyorgy Bolyki

Cyber Essentials v3.3 is useful because it shuts down a very common dodge.

IASME now says cloud services have a clear definition, and if your organisation's data or services are hosted on cloud services, those services must be in scope. For Microsoft 365 teams, that should end the old habit of treating the tenant like a side note while the "real" environment is supposedly just laptops and a firewall.

That is not how most businesses actually work anymore. Identity is in Entra ID. Mail is in Exchange Online. Files live in SharePoint and OneDrive. Collaboration is in Teams. Devices are managed through Intune. If those services are where staff work, they are not peripheral. They are core infrastructure.

What this changes in practice

The hard part is not understanding the rule. The hard part is being honest about what your tenant actually does.

For a fairly standard Microsoft 365 setup, this is the kind of scope map I would expect to see:

Service area             Why it belongs in the conversation
Entra ID                 Authentication, MFA, admin roles, Conditional Access
Exchange Online          Mail flow, forwarding, phishing controls, mailbox access
SharePoint and OneDrive  File storage, sharing, guest exposure, retention of sensitive content
Teams                    Collaboration, external access, file exposure through channels
Intune                   Device compliance, update posture, control over managed endpoints
Defender                 Endpoint, mail, and identity signals that support detection and evidence

You do not need a dramatic architecture diagram for this. A plain list of services, owners, and the controls that matter is usually more useful.

Three scope mistakes that still show up

The first is treating Microsoft 365 as "just SaaS", as if SaaS means low responsibility. Cyber Essentials does not let you outsource accountability. NCSC's v3.3 requirements are clear that some controls can be implemented by the provider, but the applicant organisation is still responsible for ensuring the controls are in place.

The second is scoping the happy path only. Teams might be managed well for staff, but what about guest access, shared mailboxes, broad SharePoint links, or stale admin roles? Assessments get awkward when the answer is "that bit lives somewhere else".

The third is keeping the scope statement too vague. If someone says "Microsoft 365 is in scope" but cannot explain which services, which identities, which devices, and which exceptions exist, the statement is not really doing any work.

A better way to prepare

Start with the services that create the most operational risk:

  1. Admin access into Entra, Exchange, SharePoint, Teams, and Intune.
  2. External sharing and guest access.
  3. Device access paths for unmanaged or non-compliant endpoints.
  4. Mail forwarding, transport rules, and mailbox delegation.
  5. Evidence for updates, malware protection, and user access control.

Then do one simple exercise. Pick a normal user, a privileged admin, and a guest account. For each one, answer:

  • What can this identity reach?
  • What controls should apply?
  • What evidence proves those controls are active?

That small exercise usually exposes weak scope much faster than a long workshop does.

Evidence worth keeping

You do not need a mountain of screenshots. You do need records that show the tenant is being actively run.

Useful examples:

  • Current admin role membership.
  • Conditional Access policies and exclusions.
  • Intune compliance coverage.
  • External sharing settings for SharePoint and OneDrive.
  • Guest account review notes or exports.
  • Exception records for any systems not yet at the target state.

The point is not to make the evidence pack pretty. The point is to make the environment explainable without a guided tour.
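As an added example, not part of the original note: a PowerShell script that exports the first three evidence items above (admin role membership, Conditional Access policies with exclusions, guest accounts) using the Microsoft.Graph PowerShell SDK, and doubles as a starting point for the "what can this identity reach" exercise. It assumes the SDK is installed, the signed-in account can be granted the read-only scopes listed, and the output folder name is a placeholder.

```powershell
# Added example, not from the original note: export evidence as CSV with the
# Microsoft.Graph PowerShell SDK (assumed installed). Read-only scopes only;
# the output folder is a placeholder you can change.
Connect-MgGraph -NoWelcome -Scopes @(
    "RoleManagement.Read.Directory", "Policy.Read.All",
    "User.Read.All", "AuditLog.Read.All"
)

$outDir = Join-Path $PWD ("ce-evidence-" + (Get-Date -Format "yyyyMMdd"))
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Current admin role membership (activated directory roles only).
$roleRows = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $props = $m.AdditionalProperties
        # Users carry a UPN; service principals and groups only a display name.
        $name = if ($props['userPrincipalName']) { $props['userPrincipalName'] }
                else { $props['displayName'] }
        [pscustomobject]@{
            Role       = $role.DisplayName
            Member     = $name
            MemberType = $props['@odata.type']   # #microsoft.graph.user, .servicePrincipal, ...
            MemberId   = $m.Id
        }
    }
}
$roleRows | Export-Csv (Join-Path $outDir "admin-role-membership.csv") -NoTypeInformation

# 2. Conditional Access policies, their state, and every exclusion.
Get-MgIdentityConditionalAccessPolicy -All | ForEach-Object {
    [pscustomobject]@{
        Policy         = $_.DisplayName
        State          = $_.State          # enabled / disabled / report-only
        ExcludedUsers  = ($_.Conditions.Users.ExcludeUsers  -join ';')
        ExcludedGroups = ($_.Conditions.Users.ExcludeGroups -join ';')
        ExcludedRoles  = ($_.Conditions.Users.ExcludeRoles  -join ';')
    }
} | Export-Csv (Join-Path $outDir "conditional-access.csv") -NoTypeInformation

# 3. Guest accounts with last sign-in, as the basis for a guest review.
#    SignInActivity needs AuditLog.Read.All and an Entra ID P1/P2 licence.
Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id,DisplayName,Mail,CreatedDateTime,AccountEnabled,SignInActivity |
    Select-Object DisplayName, Mail, CreatedDateTime, AccountEnabled,
        @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } } |
    Export-Csv (Join-Path $outDir "guest-accounts.csv") -NoTypeInformation

Write-Host "Evidence written to $outDir"
```

Re-run it on a schedule and keep the dated folders; a diff between two runs is often better evidence of active management than any single export.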
