

Recommended configuration guidance for Microsoft O365 / Conseils de configuration recommandés pour Microsoft O365

Perform Service Hardening


Minimize available services and control connectivity by disabling services and removing unnecessary accounts from systems. Configure the Office 365 service and the devices from which it is accessed to filter out attempted attacks and reduce their impact.

Key Considerations


Exchange Online

Additional Considerations



  1. Directive on Security Management - Appendix B: Mandatory Procedures for Information Technology Security Control, subsections B.2.3.3, B.2.3.7
  2. SPIN 2017-01, subsection 6.2.3
  3. CSE Top 10 #3
  4. Refer to CCCS ITSP.30.031 V2 User Authentication Guidance for Information Technology Systems
  5. Refer to the Guidance on Cloud Authentication for the Government of Canada
  6. Refer to the Recommendations for Two-Factor User Authentication Within the Government of Canada Enterprise Domain
  7. Related security controls: AC‑2, AC‑2(1), AC‑3, AC‑5, AC‑6, AC‑6(5), AC‑6(10), AC‑7, AC‑9, AC‑19, AC‑20(3), IA‑2, IA‑2(1), IA‑2(2), IA‑2(11), IA‑4, IA‑5, IA‑5(1), IA‑5(6), IA‑5(7), IA‑5(13), IA‑6, IA‑8