SKILL.md— paste into Microsoft 365 Copilot or ClaudeDownload▸ View skill file▾ Hide skill file
---
name: E8 Evidence Packager
description: Compiles SharePoint permission reports, access logs, and governance records into a versioned, indexed evidence folder for an Essential Eight ML2 assessment.
---
# E8 Evidence Packager
> **TL;DR:** This skill compiles SharePoint permission reports, access logs, and governance records into a structured, versioned evidence folder for an ASD Essential Eight ML2 assessment, with an index cross-referencing every artefact to its control.
## How does the E8 Evidence Packager skill collect data-repository control evidence?
For the SharePoint sites in scope, this skill collects the artefacts needed to evidence Essential Eight ML2 controls relating to data repositories and organises them into a versioned evidence folder named for the assessment cycle. It captures site owner and admin lists, external sharing summaries, backup and retention snapshots, connected app inventories, and the Microsoft Entra Conditional Access policies applicable to each site, then indexes every artefact against its control for an IRAP review or internal audit.
## When should you run this skill?
- "Package E8 evidence for this site"
- "Prepare ML2 evidence folder"
- "Collect IRAP audit artefacts for SharePoint"
## Evidence collected (per site)
| Control | Artefact |
|---|---|
| Restrict Administrative Privileges | Site owner / admin list with last-reviewed dates |
| Restrict Administrative Privileges | External sharing summary (link types, recipients) |
| Regular Backups | Last backup / retention policy snapshot |
| Patch Applications | Connected app inventory and last-updated dates |
| Multi-Factor Authentication | Conditional Access policies applicable to the site |
## How this skill works, step by step
1. Confirm the assessment cycle name (e.g. "2026-Q2 IRAP prep")
2. Create the folder `Evidence/<cycle>/<site-name>/` in the destination library
3. For each control above, generate the artefact as a Markdown or CSV file with a timestamp header
4. Generate a top-level `INDEX.md` listing every artefact with file path, generation timestamp, and the control it evidences
5. Produce a summary table for the consultant or assessor
## Output format
- Folder tree on disk (printed at end of run)
- `INDEX.md` cross-references every artefact to an E8 control
## Scope and safety
This skill does NOT:
- Make compliance decisions (assessor / consultant judgment required)
- Modify production permissions or sharing settings
- Generate evidence for non-SharePoint workloads
## Licensing and permissions
### Licences and add-ons
| Capability used | Minimum licence |
| --- | --- |
| SharePoint Online site administration, sharing and permission reporting | Microsoft 365 Business Basic or SharePoint Online Plan 1 |
| Microsoft Entra Conditional Access policy review | Microsoft Entra ID P1 |
### Least-privilege roles
- SharePoint Administrator (read) or Global Reader for site owner, admin and external sharing reports
- Security Reader for reviewing Conditional Access policies applicable to each site
### Microsoft Graph permissions (read-only)
- `Sites.Read.All` — reads SharePoint site owners, members and sharing configuration
- `Policy.Read.All` — reads the Conditional Access policies applicable to each site
- `Application.Read.All` — reads the connected app inventory for the patch-applications evidence
- `AuditLog.Read.All` — reads access and sharing activity for the evidence artefacts
If you prefer not to use Microsoft Graph, the same evidence can be gathered through the SharePoint admin centre, the Microsoft Entra admin centre and SharePoint Online PowerShell with read-only roles.
## Sources and compliance
- Designed for the 2026 IRAP QA Framework artefact structure
- Evidences Essential Eight ML2 controls: Restrict Administrative Privileges, Regular Backups, Patch Applications, Multi-Factor Authentication
- Run before an IRAP-PICTA assessor walk-through or an internal E8 ML2 self-assessment
- Reference: [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Output in Australian English
How to use this skill
- Get the file. Download or copy the
SKILL.mdfrom the panel above. - Load it into your host:
- Microsoft 365 Copilot / Copilot Studio — add it as the instructions of a declarative agent or Copilot Studio agent.
- Claude (Cowork / Claude Code) — drop the file into your skills folder; it loads as an Agent Skill automatically.
- Any chat host — paste the file contents as your prompt.
- Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed in Licensing and permissions below.
- Provide your tenant scope and run it (a site, a collection, or the whole tenant).
- Review the report and action the risk-ranked recommendations.
This skill is read-only by default — it inspects and reports, and never changes your tenant.
E8 Evidence Packager
TL;DR: This skill compiles SharePoint permission reports, access logs, and governance records into a structured, versioned evidence folder for an ASD Essential Eight ML2 assessment, with an index cross-referencing every artefact to its control.
How does the E8 Evidence Packager skill collect data-repository control evidence?
For the SharePoint sites in scope, this skill collects the artefacts needed to evidence Essential Eight ML2 controls relating to data repositories and organises them into a versioned evidence folder named for the assessment cycle. It captures site owner and admin lists, external sharing summaries, backup and retention snapshots, connected app inventories, and the Microsoft Entra Conditional Access policies applicable to each site, then indexes every artefact against its control for an IRAP review or internal audit.
When should you run this skill?
- “Package E8 evidence for this site”
- “Prepare ML2 evidence folder”
- “Collect IRAP audit artefacts for SharePoint”
Evidence collected (per site)
| Control | Artefact |
|---|---|
| Restrict Administrative Privileges | Site owner / admin list with last-reviewed dates |
| Restrict Administrative Privileges | External sharing summary (link types, recipients) |
| Regular Backups | Last backup / retention policy snapshot |
| Patch Applications | Connected app inventory and last-updated dates |
| Multi-Factor Authentication | Conditional Access policies applicable to the site |
How this skill works, step by step
- Confirm the assessment cycle name (e.g. “2026-Q2 IRAP prep”)
- Create the folder
Evidence/<cycle>/<site-name>/in the destination library - For each control above, generate the artefact as a Markdown or CSV file with a timestamp header
- Generate a top-level
INDEX.mdlisting every artefact with file path, generation timestamp, and the control it evidences - Produce a summary table for the consultant or assessor
Output format
- Folder tree on disk (printed at end of run)
INDEX.mdcross-references every artefact to an E8 control
Scope and safety
This skill does NOT:
- Make compliance decisions (assessor / consultant judgment required)
- Modify production permissions or sharing settings
- Generate evidence for non-SharePoint workloads
Licensing and permissions
Licences and add-ons
| Capability used | Minimum licence |
|---|---|
| SharePoint Online site administration, sharing and permission reporting | Microsoft 365 Business Basic or SharePoint Online Plan 1 |
| Microsoft Entra Conditional Access policy review | Microsoft Entra ID P1 |
Least-privilege roles
- SharePoint Administrator (read) or Global Reader for site owner, admin and external sharing reports
- Security Reader for reviewing Conditional Access policies applicable to each site
Microsoft Graph permissions (read-only)
Sites.Read.All— reads SharePoint site owners, members and sharing configurationPolicy.Read.All— reads the Conditional Access policies applicable to each siteApplication.Read.All— reads the connected app inventory for the patch-applications evidenceAuditLog.Read.All— reads access and sharing activity for the evidence artefacts
If you prefer not to use Microsoft Graph, the same evidence can be gathered through the SharePoint admin centre, the Microsoft Entra admin centre and SharePoint Online PowerShell with read-only roles.
Sources and compliance
- Designed for the 2026 IRAP QA Framework artefact structure
- Evidences Essential Eight ML2 controls: Restrict Administrative Privileges, Regular Backups, Patch Applications, Multi-Factor Authentication
- Run before an IRAP-PICTA assessor walk-through or an internal E8 ML2 self-assessment
- Reference: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
- Output in Australian English
Licensed under CC BY 4.0 by Educ4te . Adapted from the open HybridSP skills catalogue.
Last updated on