CISA Orders Federal Agencies to Secure Microsoft 365 Environments

CISA has ordered more than 100 U.S. agencies to comply with Microsoft 365 security policies by June 2025.

Overview

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has directed the Federal Civilian Executive Branch to implement more than 50 policies to secure Microsoft 365 environments.

The new policies, issued as Binding Operational Directive (BOD) 25-01: Implementing Secure Practices for Cloud Services, apply to Azure Active Directory/Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online and OneDrive, and Microsoft Teams.

CISA has the authority to secure the more than 100 agencies that make up the FCEB, which doesn’t include Defense, National Security, and Intelligence agencies. However, CISA said it “strongly recommends all stakeholders implement these policies … Doing so will reduce significant risk and enhance collective resilience across the cybersecurity community.”

CISA plans guidance for other cloud environments next year, including Google Workspace. The new cloud security directive comes amid a flurry of activity from CISA, including a draft National Cyber Incident Response Plan, as the agency’s leadership prepares to depart next month when the new Administration takes office.

Microsoft 365 Security Issues

The Microsoft guidance comes after a year in which Microsoft 365 security came under heavy scrutiny. A U.S. Cyber Safety Review Board (CSRB) report earlier this year detailed “a cascade of security failures at Microsoft” that allowed China-linked threat actors in July 2023 to access “the official email accounts of many of the most senior U.S. government officials managing our country’s relationship with the People’s Republic of China.” A Congressional hearing followed, along with pledges by Microsoft to make security a top priority.

Amazon recently paused a Microsoft 365 rollout after discovering security issues, according to a Bloomberg report, bringing fresh attention to the issue.


CISA’s Microsoft 365 Directive

CISA’s timeline gives federal civilian agencies until June 20, 2025, to “comply with a defined set of these Secure Cloud Baselines, deploy automated configuration assessment tools to check compliance, and to remediate deviations from these policies under BOD 25-01.”

The first policy in the directive requires Azure AD and Entra ID implementations to block legacy protocols that don’t allow multi-factor authentication (MFA).

Other Azure AD and Entra ID policies require blocking high-risk users and sign-ins, enforcing phishing-resistant MFA or an alternative, and setting the Authentication Methods Manage Migration feature to Migration Complete. Roughly two-thirds of the 21 policies in the Azure AD and Entra ID section involve securing privileged accounts.

Defender policies call for enabling standard and strict preset security policies, protecting sensitive accounts and information, and enabling logging and alerts.

Exchange policies include disabling SMTP AUTH and automatic forwarding to external domains, implementing SPF and DMARC policies, and enabling external sender warnings and mailbox auditing.
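The SPF and DMARC items above lend themselves to automated checking from published DNS TXT records. The following is an added example, not code from CISA, SCuBA, or Cyble; it runs over constructed records for hypothetical domains, and its pass criteria (SPF ending in `-all`, DMARC `p=reject` at 100%) are assumptions of this example rather than text quoted from the directive.

```python
# Added example: SPF/DMARC posture check over constructed DNS TXT records.
# Assumed pass criteria (not quoted from the directive): SPF ends in a
# hard-fail "-all"; DMARC publishes p=reject for 100% of mail.

def parse_tags(record):
    """Parse a 'k=v; k=v' DMARC record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(txt_records):
    """Evaluate the TXT records published at the domain apex."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return "fail: no SPF record" if not spf else "fail: multiple SPF records"
    terms = spf[0].lower().split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        redirected = any(t.startswith("redirect=") for t in terms)
        return "review: delegated via redirect=" if redirected else "fail: no 'all' mechanism"
    if all_terms[0] != "-all":
        return f"fail: '{all_terms[0]}' is not a hard fail"
    return "pass"

def check_dmarc(txt_records):
    """Evaluate the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if parse_tags(r).get("v") == "DMARC1"]
    if len(dmarc) != 1:
        return "fail: expected exactly one DMARC record"
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "missing").lower()
    if policy != "reject":
        return f"fail: p={policy}"
    if tags.get("pct", "100") != "100":
        return "fail: pct below 100 weakens enforcement"
    return "pass"

# Constructed sample data (hypothetical domains, not real DNS answers).
SAMPLE = {
    "good.example": {"spf": ["v=spf1 include:spf.protection.outlook.com -all"],
                     "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"]},
    "soft.example": {"spf": ["v=spf1 include:spf.protection.outlook.com ~all"],
                     "dmarc": ["v=DMARC1; p=none"]},
    "bare.example": {"spf": ["some-verification=abc123"], "dmarc": []},
}

def assess(zone):
    return {d: {"spf": check_spf(r["spf"]), "dmarc": check_dmarc(r["dmarc"])}
            for d, r in zone.items()}
```

In practice the record lists would come from TXT lookups of each accepted domain and its `_dmarc` subdomain; a `review` result means the SPF policy lives in another record that must be assessed in turn.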

Power Platform policies call for limiting trial, production, and sandbox creation to admins, creating a DLP policy to restrict connector access in the default Power Platform environment, and enabling tenant isolation.

SharePoint Online and OneDrive policies include limiting external sharing and file and folder sharing, and preventing custom scripts on self-service created sites.

Teams controls include limiting access for external, unmanaged, and anonymous users, blocking contact with Skype, and disabling email integration.

CISA also provides assessment tools and guidance through the Secure Cloud Business Applications (SCuBA) project.

Conclusion

CISA has provided federal agencies with strong best practices for securing Microsoft 365 environments. These policies, based on principles of least privilege and strict authentication and access control, could also apply to other cloud environments.

Cyble’s Cloud Security Posture Management (CSPM) and threat intelligence tools offer organizations automated, cost-effective cloud compliance and monitoring, with the ability to detect misconfigurations and leaks before they turn into major incidents.
