Security Playbook for Microsoft 365
On this page
1. Introduction
In this section
1.1 Context
Microsoft 365 (M365) is a suite of productivity software, collaboration tools and cloud-based services provided by Microsoft. It includes online services and applications such as Word, Excel, PowerPoint and Outlook, as well as collaboration tools such as Microsoft Teams, OneDrive and SharePoint. This subscription-based Software-as-a-Service (SaaS) suite is used daily by users throughout the Government of Canada (GC) and is provided under the Microsoft Enterprise Agreement, established by Shared Services Canada (SSC) on behalf of the GC.
The M365 cloud service has successfully met numerous independent certifications, including achieving the Cloud Medium Profile attestation Footnote [1] from the Canadian Centre for Cyber Security (CCCS). This accreditation is part of the CCCS’s Cloud Service Provider (CSP) Information Technology Security (ITS) assessment program Footnote [2].
Under the cloud shared responsibility model, cloud service consumers, such as GC organizations, must ensure that their security configurations are properly configured. To aid in this task, the Security Playbook for M365 (the playbook) has been developed for Microsoft 365 cloud environments. It outlines the security configuration controls GC departments and agencies are expected to implement while setting up and managing their M365 tenants, ensuring compliance and alignment with Treasury Board policy instruments.
The playbook will also help accelerate the requisite cloud security risk management activities for M365 in accordance with the Government of Canada Cloud Security Risk Management Approach and Procedures Footnote [3] and in demonstrating controls for security assessment and authorization (SA&A) activities, to ensure the protection of GC data hosted in M365.
1.2 Purpose
The purpose of this document is to:
- outline standardized configuration requirements for securing M365 that align with the GC Cloud Guardrails Footnote [4] and Treasury Board policy instruments, including the Policy on Government Security Footnote [10] and the Policy on Service and Digital Footnote [6]
- specify implementation tasks, including rationale
- highlight available M365 security and compliance capabilities under the GC’s enterprise licence
- establish a consistent security baseline for M365 deployments across the GC
Note: This document replaces the GC Cloud Guardrails for O365 Footnote [7] and the supporting M365 Security Baseline Configuration (accessible only on the Government of Canada network)Footnote [8].
1.3 Scope
The scope of this playbook is to define the following configuration requirements for M365 cloud environments targeting up to and including Protected B, Medium Integrity, Medium Availability (PBMM).
This playbook does not include the “how” to implement the configurations. Detailed implementation instructions will be made available as part of SSC’s supporting Security Deployment Manual (SDM) (accessible only on the Government of Canada network) Footnote [9].
1.4 Audience
This document is intended for GC program leads, program managers, project managers, system administrators and IT security practitioners responsible for the secure configuration of M365 tenants.
1.5 Application
The Playbook applies to the organizations listed in section 6 of the Policy on Service and Digital Footnote [6].
1.6 Disclaimer notice
The Treasury Board of Canada Secretariat (TBS) does not endorse or promote any specific commercial products, services or companies mentioned in this document. Any references to brands, products, processes or services are provided solely for illustrative purposes and do not imply endorsement by TBS.
This document does not establish any enforceable rights or benefits against the GC, its departments, agencies, officials, employees, agents or any other individuals. It is intended as a standard and should be used alongside sound judgment and in compliance with all applicable laws and regulations.
2. Baseline security controls
In this section
This playbook establishes a preliminary set of baseline security controls for M365 tenants that fall under the PBMM security category. The playbook provides an overview of essential configurations to secure M365 deployments across the GC, aligning them with the following Treasury Board policy instruments:
- Policy on Government Security Footnote [10]
- Policy on Service and Digital Footnote [6]
- Directive on Security Management Footnote [11]
- Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice (SPIN 2017-01) Footnote [12]
- Appendix G: Standard on Enterprise Information Technology Service Common Configurations Footnote [13] of the Directive on Service and Digital Footnote [14], including the GC Cloud Guardrails Footnote [4]
- GC Cloud Security Risk Management Approach and Procedures Footnote [3]
- Security Control Profile for Cloud-Based GC Services Footnote [15]
Additional guidance is also available from the CCCS:
- Managing the risks to Government of Canada data when using cloud services (ITSM.50.109) Footnote [16]
- Guidance on the security categorization of cloud-based services (ITSP.50.103) Footnote [17], specifically the Annex B CCCS’s MEDIUM Cloud Profile Recommendations Footnote [18]
- Guidance on defence in depth for cloud-based services (ITSP.50.104) Footnote [19]
- Guidance on cloud security assessment and authorization (ITSP.50.105) Footnote [20]
Best practices in alignment with hardening standards are referenced as appropriate:
- Centre for Internet Security Benchmarks Footnote [21]
- CCCS IT Security Risk Management: A lifecycle approach (ITSG-33) security controls Footnote [22]
2.1 Identity and access management
Ensuring the security of user identities and accounts is critical in protecting a departmental M365 environment, because the environment provides access to systems, applications and sensitive information. Implementing phishing-resistant multi-factor authentication (MFA) wherever possible, enforcing robust conditional access policies (CAP) and granting just-in-time access are essential measures. These strategies offer enhanced security for key roles, including global administrators, by adding multiple layers of protection.
2.1.1 Identity and authentication management
Manage identities by establishing and documenting access control policies and procedures for all user, service, solution and device accounts.
Why it matters: Enforcing identity and access management (IAM) is the first line of defence for cloud-based services. It is vital to ensure that standard policies and procedures are followed and that only authorized users can access the GC M365 tenants and services and manage them centrally.
Related services: Microsoft Entra ID (formerly Azure Active Directory)
Licensing requirements:
- M365 E5 Security: Microsoft Entra ID P2, Microsoft Defender for Identity and Microsoft Defender for Cloud Apps
Tasks to complete:
- Prevent use of legacy authentication methods. The following messaging protocols support legacy authentication:
- Authenticated SMTP – used to send authenticated email messages
- Autodiscover – used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online
- Exchange ActiveSync (EAS) – used to connect to mailboxes in Exchange Online
- Exchange Online PowerShell – used to connect to Exchange Online with remote PowerShell. If basic authentication is blocked for Exchange Online PowerShell, the Exchange Online PowerShell Module must be used. For instructions, see Connect to Exchange Online PowerShell using multifactor authentication
- Exchange Web Services (EWS) – a programming interface used by Outlook, Outlook for Mac and third-party apps
- IMAP4 – used by IMAP email clients
- MAPI over HTTP (MAPI/HTTP) – the primary mailbox access protocol used by Outlook 2010 SP2 and later
- Offline Address Book (OAB) – a copy of address list collections that are downloaded and used by Outlook
- Outlook Anywhere (RPC over HTTP) – a legacy mailbox access protocol supported by all current Outlook versions
- POP3 – used by POP email clients
- Reporting Web Services – used to retrieve report data in Exchange Online
- Universal Outlook – used by the Mail and Calendar app for Windows 10
- Other clients – other protocols identified as using legacy authentication
- If using on-premises Active Directory Federation Services (ADFS), consider the following:
- Set Microsoft Entra MFA as the primary authentication method.
- Block Legacy Authentication for Extranet access.
- Enable Extranet Lockout on the ADFS Web Application Proxy.
- On the ADFS server:
- Install a trusted certificate on the ADFS server
- Apply additional security settings to mitigate man-in-the-middle attacks: Enable TLS 1.3. Allow TLS 1.2 where required for compatibility, internal audit compliance or threat monitoring
- Implement HTTP Strict Transport Security (HSTS)
- Use signed SAML tokens
- Enable Extended Protection for Authentication
- Restrict access to ADFS endpoints
- Monitor and log ADFS activity
- Set a token lifetime based on departmental risk tolerance
- Prevent token replay attacks
- Signing certificates must be securely stored, access must be restricted and their management must follow cryptographic key life cycle best practices
Applicable Treasury Board policy instruments:
- Directive on Security Management – section B.2.3.1 Footnote [11]
- Account Management Configuration Requirements Footnote [32]
- GC Cloud Guardrail #1 – Protect user accounts and identities Footnote [4]
- GC Guideline on Password Security Footnote [24]
- GC Considerations for the Use of Cryptography in Commercial Cloud Services Footnote [25]
- Guideline on Cloud Authentication Footnote [26]
- Guideline on Multi-Factor Authentication Footnote [27]
Additional references:
- Cryptographic algorithms for Unclassified, Protected A, and Protected B Information (ITSP.40.111) Footnote [28]
- Guidance on securely configuring network protocols (ITSP.40.062) Footnote [29]
- Centre for Internet Security (CIS) Microsoft 365 Foundations Benchmark, v3.0.0, sections 5.1.2.1, 5.2.2.2, 5.2.2.5, 5.2.3.1 Footnote [30]
- CIS Microsoft Azure Foundations Benchmark, sections 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.21 Footnote [31]
Related security controls from ITSG-33:
- AC-03, AC-04, AC-07, AC-12, AU-12, IA-02, IA-02(1), IA-02(8), IA-07, SC-08(1), SC-12, SC-13, SC-17, SC-23, SI-04
2.1.2 Multi-factor authentication
Multi-factor authentication (MFA) is a method of authentication that requires the use of more than one verification method such as:
- something you know (typically a password)
- something you have (a trusted device such as a mobile phone)
- something you are (biometrics)
MFA can be supported using a multi-factor authenticator or a combination of two appropriate single-factor authenticators. Where and when available, use phishing-resistant MFA.
Why it matters: Implementation of MFA is an essential step towards significantly reducing the risk of account takeover and improving the GC’s overall security posture. MFA provides an additional layer of protection to a strong password strategy by providing a way of double-checking that a user really is the person they are claiming to be when using online services. With MFA in place, M365 user accounts are still protected against unauthorized access even if a user’s password is compromised.
Related services: Microsoft Entra ID
Licensing requirements:
- M365 E5 Security, Microsoft Entra ID P2 and Microsoft Defender XDR
Tasks to complete:
- Enable phishing-resistant MFA for all users according to the Account Management Configuration Requirements Footnote [32].
- Ensure that appropriate authenticators are implemented for the credential level of assurance (LoA) 3 for end users according to the Guideline on Multi-factor Authentication Footnote [27].
- Ensure that appropriate authenticators are implemented for the credential level of assurance (LoA) 4 for highly privileged users according to the Guideline on Multi-factor Authentication Footnote [27].
- Enforce MFA for all users through CAP.
- Disable legacy MFA for all users, such as SMS-based, email-based and voice call-based MFA.
- If implementing phishing-resistant MFA is not feasible and Microsoft Authenticator is in use, configure it to guard against MFA fatigue as well as configuring it to show context information about the login attempt and only allowing access from managed GC devices or compliant devices through CAP.
Applicable Treasury Board policy instruments:
- Directive on Identity Management – section 4.1.3, 4.1.6 Footnote [33]
- Directive on Security Management – section B.2.3.1 Footnote [11]
- Account Management Configuration Requirements Footnote [32]
- GC Cloud Guardrail #1 – Protect user accounts and identities Footnote [4]
- Guideline on Identity Assurance Footnote [34]
- Guideline on Multi-factor Authentication Footnote [27]
- Guideline on Cloud Authentication Footnote [26]
Additional references:
- User authentication guidance for information technology systems (ITSP.30.031 v3) Footnote [35]
- Centre for Internet Security (CIS) Microsoft 365 Foundations Benchmark, sections 5.1.2.1, 5.2.2.2, 5.2.2.5, 5.2.3.1 Footnote [30]
- CIS Microsoft Azure Foundations Benchmark, sections 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.21 Footnote [31]
Related security controls from ITSG-33:
- IA-02(1), IA-02(2), IA-05, IA-07
2.1.3 Dedicated cloud-based accounts for privileged accounts
Malicious cyber threat actors abuse trust in federated authentication environments to access protected data by gaining privileged access in on-premises environments to subvert the mechanisms that the organization uses to grant access to cloud and on-premises resources and/or to compromise administrator credentials with the ability to manage cloud resources.
To further minimize the attack surface and limit the impact of credential attacks between on-premises and cloud environments, highly privileged cloud administrative accounts, groups and roles should not be included in synchronization from on-premises environments. These accounts should also avoid the use of federated SSO (such as on-premise accounts) and instead rely on cloud-native authentication such as dedicated cloud accounts in Entra ID. Refer to the Guideline on Cloud Authentication Footnote [26] for more information.
Why it matters: Using dedicated accounts for privileged tasks isolates sensitive operations, reducing the risk of security breaches if an account is compromised. Separating on-premises privileged accounts from M365 subscriptions prevents security incidents from spreading across environments and ensures that elevated permissions are granted only when necessary.
Related services: Microsoft Entra ID
Licensing requirements:
- M365 E5 Security: Microsoft Entra ID P2
Tasks to complete:
- Ensure that privileged accounts are separate, exclusively cloud-native and do not have associated Exchange mailboxes, OneDrive or Teams accounts.
- Define two break glass accounts for emergency access, monitor their sign-ins and enable alerting.
- Designate two to five global administrators (GA) for the department or agency.
- Set the option ’Notify all admins when other admins reset their password’ to ’Yes’ to ensure that all GA receive notifications whenever an administrator’s password is reset.
- Establish and annually update a process for managing privileged accounts.
- Do not sync on-premises privileged administrative or service accounts to Entra ID.
Applicable Treasury Board policy instruments:
- Directive on Security Management – section B.2.3.2.4 Footnote [11]
- GC Cloud Guardrail #1 – Protect user accounts and identities Footnote [4]
- SPIN 2017-01, section 6.2.3 Identity, credential and access management Footnote [12]
- Guideline on Cloud Authentication Footnote [26]
Additional references:
- User authentication guidance for information technology systems (ITSP.30.031 v3) Footnote [35]
- Guidance on defence in depth for cloud-based services (ITSP.50.104)
- CIS Microsoft 365 Foundations Benchmark, sections 1.1.1, 1.1.2, 1.1.3 Footnote [30]
- CIS Microsoft Azure Foundations Benchmark, section 1.9, 1.16, 1.25 Footnote [31]
Related security controls from ITSG-33:
- AC-01, AC-02, AC-02(4), AC-02(7), AC-06, AC-06(2), SI-04, SI-04(5)
2.1.4 Role-based access control and least privileged access
Implement role-based access controls (RBAC) configured with the least privileges necessary, using either built-in or custom roles tailored to the minimal privileges required for specific job functions. Establish robust access management processes to ensure that users are granted only the essential access required for their roles.
Why it matters: To enhance security posture, prevent data breaches and mitigate permission misuse, it is critical to implement and enforce least privilege access policies and ensure that only necessary RBAC permissions are provided to users for their specific roles.
Related services: Microsoft Entra ID
Licensing requirements:
- M365 E5 Security: Microsoft Entra ID P2
Tasks to complete:
- Implement and enforce RBAC based on least privileged access for all M365 services.
- Restrict guest user access and seek authorization from the business owner and departmental designated official for cyber security for creating a guest account.
- Limit external users’ access to M365 services based on business requirements.
- Control the enabling of external data sharing through specific security groups.
- Ensure that only public groups approved or managed by the organization exist.
- Configure ’Access Reviews’ for guest users at least once a month.
- Set up ’Access Reviews’ for privileged accounts at least once a month.
- Enable the Customer Lockbox feature to limit disclosure of sensitive GC information to Microsoft support personnel.
- Establish and document a process for managing access rights.
- Conduct annual audits of access management rights to confirm appropriate access levels and ensure compliance.
- Ensure that user access to environments is managed using security groups in Power Platform.
- Ensure that security roles in Power Platform are configured to grant access to the minimum amount of business data necessary for user functions.
- Require all privileged role assignments to have an expiration date of no more than one year, avoiding permanent or indefinite assignments.
Applicable Treasury Board policy instruments:
- Directive on Security Management – section B.2.3.2 Footnote [11]
- Account Management Configuration Requirements Footnote [32]
- GC Cloud Guardrail #2 – Manage access Footnote [4]
- SPIN 2017-01, section 6.2.3 Identity, credential, and access management Footnote [12]
- Guideline on Cloud Authentication Footnote [26]
Additional references:
- CIS Microsoft 365 Foundations Benchmark, sections 1.2.1, 1.3.6, 5.1.3.1, 5.3.2, 5.3.3, 7.2.8, 9.1.1, 9.1.2, 9.18 Footnote [30]
- CIS Microsoft Azure Foundations Benchmark, section 1.22 Footnote [31]
- CIS Microsoft Dynamics 365 Power Platform, sections 1.1, 2.2 Footnote [36]
Related security controls from ITSG-33:
- AC-01, AC-02, AC-02(2), AC-02(7), AC-03, AC-06, AC-06(7)
2.1.5 Dedicated administrative workstations
A dedicated administrative workstation (DAW), also known as privileged access workstation (PAW), is a client endpoint that is configured to:
- execute only authorized administrative activities and software
- disable internet access to prevent access to services such as email and web browsing
- establish a baseline for administrative hosts that align with the Endpoint Management Configuration Requirements
- restrict administrative access to approved and trusted locations, such as departmental IP address space
In addition to using a DAW, at a minimum for privileged M365 roles, authentication mechanisms like phishing-resistant MFA are enforced as an extra layer of protection to protect administrative credentials.
Why it matters: Restricting these workstations to essential functions and disabling non-critical services reduces the exposure of accounts with elevated privileges to cyber threats. This focused approach helps prevent administrator account compromises and blocks potential privilege escalation, critically safeguarding organizational security and information.
Related services: Microsoft Entra ID, Microsoft Defender Firewall
Licensing requirements:
- M365 E5 Security: Microsoft Entra ID P2
Tasks to complete:
- Use DAWs for all administrative tasks.
- Block all incoming network traffic by default, allowing exceptions only for Delivery Optimization (or equivalent services) to facilitate system updates and MFA services.
- Limit outbound traffic to essential protocols such as DNS, DHCP and HTTPS.
- Enforce phishing-resistant MFA when accessing a DAW.
Applicable Treasury Board policy instruments:
- Directive on Security Management – section B.2.3.2 Footnote [11]
- Endpoint Management Configuration Requirements Footnote [37]
- System Management Configuration Requirements Footnote [23]
Additional references:
- Top 10 IT security actions: No. 3 managing and controlling administrative privileges (ITSM.10.094) Footnote [38]
Related security controls from ITSG-33:
- IA-02(1), AC-06, AC-06(5), CM-07, SC-07, SC-07(5)
2.1.6 Conditional access policies
Conditional access is the tool used by Entra ID to bring signals together, make decisions and enforce organizational policies. A conditional access policy specifies the apps or services to protect, the conditions under which the apps or services can be accessed and the users the policy applies to. Policies are enforced after the first-factor authentication has been completed. For example, policies to prevent any unauthorized devices from accessing sensitive business or personal information should be considered.
Why it matters: CAP secures all user identities, actively preventing the exploitation of compromised accounts. These policies effectively deny unauthorized access and the use of unmanaged devices, protecting sensitive government assets from potential threats.
Related services: Microsoft Entra ID, Microsoft Intune, Microsoft Defender
Licensing requirements:
- M365 E5 Security: Microsoft Entra ID P2
Tasks to complete:
User Settings:
- Require Azure MFA registration from trusted locations or through alternative identity verification methods.
- Block access for risky user sign-in behaviours.
- Configure token protection for sign-ins.
- Restrict privileged access from on-premise accounts to Microsoft Admin Portals and the Windows Azure Service Management API Footnote [39].
Device Settings:
- Block unauthorized network traffic and permit network traffic exclusively from GC-approved Internet Protocol (IP) ranges or from a pre-approved list of countries as determined by the department’s chief security officer (CSO).
- Enforce authentication using GC-issued and managed devices that adhere to Endpoint Management Configuration Requirements Footnote [37] through CAP.
- Block unauthorized access to sensitive data and restrict access to sensitive information to only devices issued and managed by the GC.
- Prevent persistent browser sessions and configure browser settings to ensure that sessions do not persist after closing.
- Block device code authentication flows.
Applicable Treasury Board policy instruments:
- Directive on Security Management – section B.2.3.2 Footnote [11]
- GC Cloud Guardrail #2 – Manage access Footnote [4]
- SPIN 2017-01, section 6.2.3 Identity, credential, and access management Footnote [12]
Additional references:
- CIS Microsoft 365 Foundations Benchmark, v3.0.0, sections 5.2.2.3, 5.2.2.4, 5.2.2.6, 5.2.2.7, 5.2.2.8 Footnote [30]
- CIS Microsoft Azure Foundations Benchmark, v2.1.0, sections 1.2.1, 1.2.2, 1.2.3 Footnote [31]
- Block authentication flows with Conditional Access policy – Microsoft Entra ID
Related security controls from ITSG-33:
- AC-03, AC-06, AC-12, AC-20(3), IA-05, IA-07, IA-10, SC-07, SC-07(5), SC-23
2.1.7 Privileged identity management
Privileged identity management (PIM) enables just-in-time access for privileged tasks within a defined time limit, tailored to the user’s identity and role(s). In the GC, a privileged M365 role includes any default or custom role that meets one or more of the following criteria:
- built-in administrator roles labelled as PRIVILEGED in Microsoft Entra ID
- SharePoint Administrator and Exchange Administrator
- any custom role permissions adhering to the guidelines in Privileged Account Management within the Account Management Configuration Requirements Footnote [32]
Why it matters: Applying the principle of Zero Standing Access ensures that any privileged access must be approved by an authorized approver. Access is then time-bound for a limited duration.
Persistent or permanent administrative privileges allow administrators to perform tasks with unrestricted access to organizational data. If a privileged account with standing administrative privileges is compromised, it can cause significantly greater damage to affected systems.
Related services: Microsoft Entra ID
Licensing requirements:
- M365 E5 Security: Microsoft Entra ID P2
Tasks to complete:
- Manage privileged accounts using PIM to ensure that the least privilege principle is enforced with the default of no standing access and avoiding permanent role assignments.
- Configure and grant access based on a temporary, time-limited access to resources or privileges based on specific requirements and only, when necessary, through a documented privileged access workflow.
- Require documented business justification for privileged role access for a fixed activation period that requires reauthentication to re-enable role access.
- Notify reviewers designated by the business owner upon role assignment and activation.
- Review privileges when an employee transfers to a different business unit or internal section.
- Revoke privileges when an employee leaves the organization.
- Ensure that all actions are logged and audited with periodic review by an authorized approver.Footnote 1
Applicable Treasury Board policy instruments:
- Directive on Security Management – section B.2.3.2 Footnote [11]
- GC Cloud Guardrail #2 – Manage access Footnote [4]
Additional references:
- Top 10 IT security actions to protect Internet connected networks and information (ITSM.10.089) – Action #3 Footnote [40]
- CIS Microsoft 365 Foundations Benchmark, section 5.3.1 Footnote [30]
Related security controls from ITSG-33:
- AC-02, AC-02(2), AC-06, AC-06(5), AU-06, AU-12, IA-11, PS-04, PS-05
2.1.8 Password policies
Passwords remain the most prevalent authentication mechanism. By controlling access, they help ensure that networks are secure and information is protected. Weak and compromised passwords are a leading cause of breaches. Use Entra ID password policy settings to configure password complexity, password lockout and default password policies.
Why it matters: Aligning password policies with GC Guideline on Password Security Footnote [24] increases resilience against password attacks, such as brute force attacks and encourages users to maintain sound password hygiene.
Related services: Microsoft Entra ID
Licensing requirements:
- M365 E5 Security: Microsoft Entra ID P2
Tasks to complete:
- Configure password policies in accordance with GC Guideline on Password Security Footnote [24].
- Disable self-service password reset feature for all users (including privileged accounts).
Applicable Treasury Board policy instruments:
- Directive on Security Management – section B.2.3.1 Footnote [11]
- GC Cloud Guardrail #2 – Manage access Footnote [4]
- Guideline on Cloud Authentication Footnote [26]
- GC Guideline on Password Security Footnote [24]
Additional references:
Related security controls from ITSG-33:
- IA-05, IA-05(1)
2.2 Data protection
In accordance with Appendix B of the Directive on Departmental Security Management Footnote [11], departments must safeguard their information and assets, including those hosted in cloud environments, from unauthorized access, use, disclosure, modification, disposal, transmission or destruction throughout their life cycle. These safeguards must:
- protect GC data while in transit, in use and at rest
- be commensurate with the security category of the information and assets
- include an assurance of their appropriate implementation
When departments are considering using cloud services for storing personal information, they must seek guidance from privacy and access to information officials in their institution.
2.2.1 Data categorization
The Directive on Security Management – Appendix J: Standard on Security Categorization Footnote [42] provides details on the types of security categories that must be applied to different types of assets, information or services. This includes ensuring that documents are treated according to their markings.
Why it matters: Categorizing and security labelling documents, emails and other data according to the level of injury that could occur if compromised are essential for managing sensitive and protected information. By establishing best practices for data sharing and collaboration, departments and agencies can implement appropriate digital policies to enhance the protection and monitoring of the GC’s digital information.
Related services: Microsoft Purview
Licensing requirements:
- M365 E5 Security: Microsoft Defender for XDR.
- M365 Compliance: Purview Information Protection, Microsoft Defender for Cloud Apps
Tasks to complete:
- Seek guidance from the organization’s Access to Information and Privacy (ATIP) officials before storing personal information in cloud-based environments.
- Configure data classification policies to protect documents and emails.
- Enable the setting ’Allow users to apply sensitivity labels for content’.
- Require a justification to lower classification.
- Apply visual marking on documents or emails, using headers, footers or watermarks as appropriate.
Applicable Treasury Board policy instruments:
- Directive on Security Management – Appendix E: Mandatory Procedures for Information Management Security Control – section E.2.2.2.1 Footnote [43]
- Directive on Security Management – Appendix J: Standard on Security Categorization Footnote [42]
Additional references:
- Policy on the security of Cabinet Confidences Footnote [44]
- CIS Microsoft 365 Foundations Benchmark, section 9.1.6 Footnote [30]
Related security controls from ITSG-33:
- AC-03, AC-16, MP-03
2.2.2 Data location
The departmental chief information officer (CIO) is responsible for verifying the location of cloud services, in accordance with section 4.3.2.4 of the Directive on Service and Digital Footnote [14] for data at rest. Data in transit is not restricted by the residency requirement.
Why it matters: According to the Guideline on Service and Digital Footnote [45], data residency is important because it can impact Canadians’ confidence in government decisions. The public may perceive the storing of their sensitive data outside of Canada’s borders as risky. There is a growing need to ensure that data is protected and complies with data residency, privacy and security requirements.
Related services: M365 Admin Center allows administrators to set the data location of their tenant.
Licensing requirements:
- M365 Compliance: Audit
Tasks to complete:
- Ensure the physical location of data storage is verified for both existing and new M365 services before any activations, in accordance with section 4.3.2.4 of the Directive on Service and Digital Footnote [14].
- Conduct a risk assessment for any data processed by non-Canadian M365 services, including an evaluation of data sensitivity, legal, privacy and security risks and seek approval from the appropriate departmental authorities before proceeding with the service. Leverage the CCCS Cloud Service Provider (CSP) IT Security Assessment Report for M365 to inform the security posture and residual risks of the cloud service.
Applicable Treasury Board policy instruments:
- Directive on Service and Digital – section 4.3.2.4 Footnote [14]
- GC Cloud Guardrail #5 – Data location Footnote [4]
- Guideline on Service and Digital, section 4.4 Footnote [45]
Additional references:
Related security controls from ITSG-33:
- CA-06, RA-03
2.2.3 Encrypt data at rest and data in transit
Follow the CCCS’s recommendations for cryptographic algorithms and the configuration of cryptographic protocols to protect the confidentiality and integrity of data in transit and at rest. Leverage centralized key management systems to ensure integrity and availability of cryptographic keys.
Why it matters: Encryption is a critical control to maintain the confidentiality and integrity of protected data. Protected data that is transmitted or stored without approved encryption mechanisms may be vulnerable to tampering or disclosure to unauthorized parties.
Related services: Microsoft Purview, Microsoft Intune
Licensing requirements:
- M365 E5 Compliance: Purview Information Protection, Purview Message Encryption, Purview Customer Key and Microsoft Defender for Cloud Apps
Tasks to complete:
- Encrypt emails labelled Protected B using Entrust PKI (myKEY) or if unavailable another GC-approved solution.
- Encrypt data on devices storing sensitive information.
- Ensure that all data in transit is encrypted by default using a minimum of TLS 1.3. Allow TLS 1.2 where required for compatibility, internal audit compliance or threat monitoring.
- Follow CCCS recommendations for cryptographic algorithms (ITSP.40.111) and the configuration of cryptographic protocols (ITSP.40.062).
- If Microsoft Purview is configured for eDiscovery, accounts with the RMS Decrypt role may be able to view encrypted files only if the files are encrypted using Microsoft Purview Information Protection. Before enabling this capability, departments should complete a security assessment. Any residual risk must be documented and approved by the appropriate authority.Footnote 2
Applicable Treasury Board policy instruments:
- Directive on Security Management – section B.2.3.6.3 Footnote [11]
- GC Cloud Guardrail #6 – Protection of data-at-rest Footnote [4]
- GC Cloud Guardrail #7 – Protection of data-in-transit Footnote [4]
Additional references:
- Cryptographic algorithms for Unclassified, Protected A, and Protected B Information (ITSP.40.111) Footnote [28]
- Guidance on securely configuring network protocols (ITSP.40.062) Footnote [29]
- Guidance on defence in depth for cloud-based services (ITSP.50.104), subsection 4.5 Footnote [19]
- Guidance on cloud service cryptography (ITSP.50.106) Footnote [46]
Related security controls from ITSG-33:
- CA-06, IA-07, SC-08, SC-08(1), SC-13, SC-28, SC-28(1), RA-03
2.2.4 Data loss prevention
Implement data loss prevention (DLP) policies to ensure that emails and files are categorized, scanned and monitored. Block suspicious activity and information flow through unauthorized channels.
Why it matters: Effective DLP solutions provide an additional line of defence against intentional and unintentional data breaches. DLP services can help detect, block and respond to data breaches and leaks.
Related services: Microsoft Purview
Licensing requirements:
- M365 E5 Security: Microsoft Defender for XDR
- M365 E5 Compliance: Microsoft Data Loss Prevention and Microsoft Defender for Cloud Apps
Tasks to complete:
- Enable DLP policies for M365 services such as Teams, Exchange, SharePoint and OneDrive.
- Use DLP to monitor and block unapproved information flows.
- Enable DLP policies at the service level to scan Exchange Online and SharePoint Online content for specific sensitive information types (SIT), such as social insurance numbers (SIN), credit card numbers or passwords.
- Control document sharing by domain using an allow list.
- Prohibit external users from sharing files they do not own.
- Set expiration times for external sharing links.
- Maximize the use of automated DLP with M365 security capabilities available under the GC E5 standard licence.
- Ensure that DLP policies are activated and configured to restrict the use of connectors in the Power Platform.
Applicable Treasury Board policy instruments:
- Directive on Security Management – section B.2.3.7.1 Footnote [11]
- Directive on Security Management – Appendix E: Mandatory Procedures for Information Management Security Control Footnote [43]
- GC Cloud Guardrail #9 – Network security services Footnote [4]
Additional references:
- CIS Microsoft 365 Foundations Benchmark, section 3.2.1, 3.2.2 Footnote [30]
- CIS Microsoft Dynamics 365 Power Platform, v1.0.0, section 2.4, 3.4 Footnote [36]
Related security controls from ITSG-33:
- AC-03, AC-04
2.2.5 Data retention
Implement data retention policies to ensure that information is stored for as long as required by law, policy or operational needs. Automatically delete or archive data once it is no longer needed to reduce risk and support compliance with GC security and privacy requirements.
Why it matters: Effective data retention reduces the risk of unauthorized access to outdated or unnecessary information. It supports legal and policy compliance, limits exposure in the event of a breach and ensures that sensitive data is kept only for as long as needed.
Related services: Microsoft Purview, Microsoft Teams, Microsoft SharePoint and OneDrive
Licensing requirements:
- M365 E5 Compliance
Tasks to complete:
- Apply data retention policies to prevent the deletion of logs, in accordance with section 1.5.2 of the Event Logging Guidance Footnote [47] and the departmental risk profile and operational needs.
- Configure Microsoft Purview retention policies to retain or delete emails, files and chat messages based on departmental information management and security requirements.
- Review retention policies regularly to confirm they remain aligned with operational needs, compliance obligations and security risks.
- Ensure disposition actions are recorded and auditable and restrict execution to authorized roles.
- Ensure that data retention periods are formally established, documented and approved based on legal, policy and operational requirements.
Applicable Treasury Board policy instruments:
- Directive on Service and Digital, Appendix J: Standard on Systems that Manage Information and Data – section J.2.2.2 Footnote [63]
Additional references:
- Event Logging Guidance – section 1.5.2 Log Retention and Preservation Footnote [47]
- Guidance for Employees of the Government of Canada: Information Management Basics Footnote [48]
Related security controls from ITSG-33:
- AC-03, AU-09, AU-11, AU-12, SI-12
2.3 Communication and collaboration
2.3.1 Microsoft Exchange Online
Use Exchange Online Protection (EOP) to protect organizational endpoints and users from phishing and other email-related malware attacks.
Why it matters: A considerable number of data breaches and cyber events begin with phishing attacks, which are a primary method for infecting GC devices with malware. Hardening Exchange Online configurations to detect and prevent phishing can reduce the incidence of malware-related attacks.
Related services: Exchange Online Protection (EOP), Microsoft 365 Defender
Licensing requirements:
- M365 E5 Security: Microsoft Defender for Office 365 Plan 2
Tasks to complete:
- Authorize sending IP addresses in the Sender Policy Framework (SPF), enable Domain Keys Identified Mail (DKIM) for all outbound mail and ensure all outbound messages are signed.
- Set up a minimum Domain-based Message Authentication, Reporting & Conformance (DMARC) policy of “p=none” and publish DMARC records for all domains, adding the CCCS as a recipient for aggregate reports at dmarc@cyber.gc.ca, according to the Email Management Services Configuration Requirements Footnote [49].
- Restrict ’External Sharing’ of calendars to prevent access by individuals outside the GC, allowing exceptions only for domains on the GC-approved departmental list (accessible only on the Government of Canada network) and for documented, department-approved use cases.
- Configure connection filtering to manage email traffic. Do not add allowed IP addresses in the connection filter policy.
- Set EOP policies to detect spam, flag suspicious sending activities and configure alerts for administrators.
- Enable the Common Attachment Types Filter for malware defence.
- Create and enforce an anti-phishing policy.
- Create zero-hour auto purge policies for spam and phishing messages.
- Ensure that no sender domains are allowed for anti-spam policies.
- Set action to take on bulk spam detection.
- Set action to take on spam detection.
- Create Safe Links policies for email messages.
- Turn on Safe Attachments in block mode.
- Set the phishing email level threshold at 2 or higher.
- Enable impersonated user protection.
- Ensure that Mailbox Intelligence is enabled, including intelligence-based impersonation protection.
- Move messages that are detected as impersonated users by mailbox intelligence to quarantine.
- Quarantine messages that are detected from impersonated domains.
- Do not set Spam Confidence Level (SCL) to -1 in any transport rules.
- Ensure that mail transport rules block automatic email forwarding to external domains.Footnote 3
- Enable notifications for internal users who send malware.
- Apply a disclaimer to alert users of emails from external senders.Footnote 4
- Enable MailTips to inform end users about potential email issues.
- Enable the user impersonation safety tip.
- Enable the domain impersonation safety tip.
- Disable any unused services for individual mailboxes.
- Restrict installation of Outlook add-ins and limit access to additional storage providers in Outlook on the web.
- Establish a process to manage archived or inactive mailboxes.
- Set maximum number of internal recipients that a user can send to within an hour.
- Block users who have reached the message limit.
- Set maximum number of external recipients that a user can email per hour.
- Retain spam in quarantine for 30 days.
- Ensure Exchange Online Spam Policies are set to notify administrators responsible for email monitoring and threat response.
- Restrict use of direct send.
Applicable Treasury Board policy instruments:
- Directive on Security Management – section B.2.3.3.3 Footnote [11]
- Email Management Services Configuration Requirements Footnote [49]
Additional references:
- GC EARB approved list of GC Departmental Domains (accessible only on the Government of Canada network)Footnote [50]
- CIS Microsoft 365 Foundations Benchmark, sections 2.1.1 to 2.10, 6.5.1 Footnote [30]
Related security controls from ITSG-33:
- AC-03, AC-04, CA-03a, CA-03b, CM-07, SC-13, SI-03, SI-04, SI-08
2.3.2 Microsoft Teams
Microsoft Teams must be configured to enable secure collaboration and to prevent unauthorized access to sensitive GC data and information.
Why it matters: Collaboration tools can easily be used to transfer files and protected information to third parties. These tools must be configured to ensure that unapproved data flows are blocked and that sharing takes place only with approved individuals.
Related services: Microsoft Teams
Licensing requirements:
- M365 E5 Compliance: Purview Information Protection, Purview Communication Compliance
Tasks to complete:
- Ensure that users understand the categorization of the Teams site (for example one Team site may be approved only for unclassified information, while another may be approved for Protected B information).
- Ensure that users understand their responsibilities for managing information including saving decisions made in the departmental IM repository.
- Owners of Teams sites are responsible for the management of their M365 groups, including security access controls that provide access to them.
- Review the Microsoft Apps, third party apps and tenant apps that your organization will allow for use in Teams.
- Disable external access unless collaboration with external users is necessary. If required, configure access only to domains approved by the GC Enterprise Architecture Review Board (EARB) such as the GC-approved departmental list (accessible only on the Government of Canada network) or based on approved departmental business requirements.
- Allow Teams messages only to domains approved by the GC EARB or those that meet departmental business requirements.
- Disable guest access unless it is required by your organization. Limit the number of guest users to the environment ensuring conformance to the guest user access policy and procedures as defined in GC Cloud Guardrail #2 Footnote [4].
- Restrict guest user permissions by limiting file sharing and preventing guests from inviting others.
- Disable file sharing services if they have not been approved for use in the organization.
- Activate Defender for Office 365 and Safe Documents for Teams.
- Ensure anonymous users are not allowed direct access to meetings; they must wait in the lobby.
- Customize and display the privacy statement in the meeting join experience.
- Prevent anonymous users and dial-in callers from starting meetings.
- Ensure dial-in users must pass through the virtual lobby.
- Restrict meeting chats to exclude anonymous participants.
- Enable end-to-end encryption as an available feature in Teams, allowing users to activate it as needed.
- Provide mechanisms for users to report security concerns in Teams.
- Set ’DisallowInfectedFileDownload’ to true to prevent the download of infected files.
- Disable the option for people in my organization to communicate with Teams users whose accounts are not managed by an organization.
- Enable Safe Links protection for Uniform Resource Locators (URLs) shared in Microsoft Teams.
- Provide user training on best practices for video conferencing, such as:
- ensuring only unclassified conversations occur when a user has dialed in to a Teams call or meeting
- ensuring compliance with information sensitivity and privacy regulations during audio and video calls
- using secure methods for recording meetings and storing recordings in a secure, access-controlled location
- using unique meeting IDs for each session to prevent unauthorized access
- Conduct reviews of the explicitly allowed domain list for external sharing at least quarterly.
Applicable Treasury Board policy instruments:
- Directive on Security Management – section B.2.3.3.3 Footnote [11]
Additional references:
- Considerations for Enabling Collaboration in Microsoft Teams (accessible only on the Government of Canada network)Footnote [51]
- GC EARB approved list of GC Departmental Domains (accessible only on the Government of Canada network)Footnote [50]
- SSC Cross Tenant Collaboration – Considerations for GoC Partners Adopting M365 (accessible only on the Government of Canada network)Footnote [52]
- CIS Microsoft 365 Foundations Benchmark, sections 7.2.1, 7.2.3, 7.2.5, 7.2.7, 7.2.9, 7.3.3, 8.5.1, 8.5.3, 8.5.5, 8.6.1 Footnote [30]
Related security controls from ITSG-33:
- AC-02, AC-03, AC-04, AC-06, AT-02, CA-03a, CM-07, SC-13, SI-03, SI-04
2.3.3 Microsoft Teams Rooms
Microsoft Teams Rooms (MTR) is a set of video conferencing solutions that are provided by various vendors and certified by Microsoft. MTR enables meeting spaces to be transformed into a rich, collaborative Teams experience where meetings can be started with one-touch join and instantly projected to the display in the room and shared to remote participants. MTR devices have a different security profile from a typical client endpoint and are therefore treated as appliances, with hardening and security measures applied accordingly.
Why it matters: Modern conferencing tools that are securely integrated with digital workspaces and tools help to facilitate and enable collaboration for users within a department and with other departmental users across the GC. Securing MTR will prevent unauthorized access and eavesdropping, maintaining the integrity and privacy of government communications.
Related services: Microsoft Teams
Licensing requirements:
- Teams Rooms Pro license
Tasks to complete:
- Limit end-user data storage on MTR to only data stored in log files for troubleshooting and support.
- Ensure that no end-user data is transferred to or accessible by the MTR device.
- Change default passwords for the MTR devices to a unique password aligned with GC Guideline on Password Security Footnote [24] or configure Local Administrator Password Solution (LAPS) where available.
- Ensure that MTR devices are placed in a secure network zone to reduce attack vector opportunities.
- Restrict access to the MTR to only approved IPs and URLs (for example, Windows Update, Microsoft Intune) to support the management of the appliance, while blocking all other network traffic.
- Use Teams Rooms Pro licenses and enroll the Teams Rooms into Defender for Endpoint.
- Assess physical security risks, including theft or tampering with MTR devices in unsecured locations before deployment.
- Update the firmware of MTR devices using the vendor’s specified update format to keep devices up to date.
- Put in place operational procedures with clear roles and responsibilities for the operations and maintenance of MTR, including security patching and monitoring.
- Perform a security assessment, including assessing physical security risks such as theft or tampering with MTR devices in unsecured locations and obtaining an authority to operate before deployment.
Applicable Treasury Board policy instruments:
- Directive on Security Management – section B.2.3.3, B.2.3.7.3, B.2.3.7.1, B.2.6, B.2.7.4, C.2.3.3.2 Footnote [11]
- GC Guideline on Password Security Footnote [24]
Additional references:
- Baseline security requirements for network security zones (ITSP.80.022) Footnote [53]
- Network security zoning – Design considerations for placement of services within zones (ITSG-38) Footnote [54]
Related security controls from ITSG-33:
- AC-03, AC-04, CA-02, CA-06, RA-03, SC-07, SC-07(5), SI-02, SI-04, SI-12, IA-05, IA-05(1)
2.3.4 OneDrive and SharePoint
Microsoft OneDrive and SharePoint are to be configured to prevent unauthorized access to protected GC data, data loss and unauthorized file sharing with third parties.
Why it matters: Data repositories and collaboration tools can easily be used to transfer files and protected information to unauthorized parties. These tools must be configured to ensure that unapproved data flows are blocked and that sharing takes place only with approved parties.
Related services: SharePoint and OneDrive
Licensing requirements:
- M365 E5 Security: Microsoft Defender for Office 365 Plan 2, Safe Documents and Application Guard for Office 365
- M365 E5 Compliance: Purview Information Protection
Tasks to complete:
- Activate Defender for Office 365 for SharePoint.
- Enable Safe Attachments for SharePoint and OneDrive.
- Configure anti-malware protection in the tenant.
- Prevent downloads of infected files from M365 SharePoint.
- Block OneDrive synchronization from unmanaged devices.
- Limit external sharing in OneDrive to internal organizational users only. Control external sharing in SharePoint by restricting it to existing guests or pre-approved external collaborators.
- Prevent guest users in SharePoint from resharing content they do not own.
- Manage external sharing in SharePoint through domain allow lists.
- Set guest access to sites or OneDrive to expire automatically.
- Ensure that Defender for Office 365 SafeLinks for Office applications are enabled.
- Disable macros where they are not used.
- Configure macro execution scanning.
- Disable macros unless they are in trusted files (signature or location).
- Block macros from the Internet.
- Ensure third party integrated applications are not allowed.
- Set default for link sharing to view only.
- Enable Safe Links protection for URLs shared in OneDrive and SharePoint.
- Sign out inactive users in SharePoint Online.
- Train users on secure use of OneDrive and SharePoint, covering file sharing, permission management, access settings, link-sharing risks and restoring or reverting files.
Applicable Treasury Board policy instruments:
- Directive on Security Management – section B.2.3.3.3 Footnote [11]
Additional references:
- CIS Microsoft 365 Foundations Benchmark, sections 7.2.1, 7.2.3, 7.2.5, 7.2.7, 7.2.9, 7.3.3, 8.5.1, 8.5.3, 8.5.5, 8.6.1 Footnote [30]
Related security controls from ITSG-33:
- AC-02, AC-03, AC-04, AC-06, AC-12, AC-20(3), AT-02, CM-07, SI-03, SI-04
2.3.5 Information Barriers
Information Barriers (IB) are to be evaluated and implemented, as needed, to prevent communication and collaboration between specific individuals or groups in accordance with business and legal requirements.
Why it matters:
Certain departments or roles must not communicate or share information due to legal, privacy or compliance obligations. For example, IB policies can be used to prevent communication between groups of staff during the procurement process. Without restrictions, sensitive or protected information may be exposed inappropriately, increasing the possibility of legal risks or non-compliance.
Related services: Microsoft Teams, SharePoint, Exchange Online
Licensing requirements:
- M365 E5 Compliance: Microsoft Purview Information Barriers
Task to complete:
- Evaluate the implementation of IB policies, as needed, to restrict communication between specific individuals or groups to meet business requirements.
Applicable Treasury Board policy instruments:
- Directive on Security Management – section B.2.3.2.2 Footnote [11]
Additional references:
- None
Related security controls from ITSG-33:
- AC-03, AC-04, CA-03c
2.4 Endpoints
The Endpoint Management Configuration Requirements Footnote [37] and GC Cloud Guardrails Footnote [4] require that endpoints accessing GC systems or sensitive information adhere to approved endpoint configurations. This includes protecting endpoints against both known and unknown malicious activity with appropriate host-based protections. Enabling advanced threat protection and compliance features can ensure alignment of endpoints to meet Treasury Board policy security and compliance requirements.
2.4.1 Device management and hardening
Endpoints connecting to M365 are to be hardened according to the GC’s Endpoint Management Configuration Requirements Footnote [37] and managed centrally.
Why it matters: Endpoints are one of the most common targets for threat actors and compromised endpoints can have a significant impact on the confidentiality and integrity of GC data. Hardening endpoints prevents attacks and enables security teams to detect and respond to incidents more effectively.
Related services: Microsoft Defender for Endpoint, Microsoft Intune
Licensing requirements:
- M365 E5 Security: Microsoft Defender for Endpoint Plan 2, Microsoft Defender for Cloud Apps and Microsoft Defender for XDR
- M365 E5 Compliance: Microsoft Defender for Cloud Apps, Microsoft Endpoint DLP
Tasks to complete:
- Prevent any unauthorized device from accessing sensitive business or personal information.
- Use GC-issued and managed endpoints and verify device compliance with Endpoint Management Configuration Requirements Footnote [37].
- Enable and ensure BitLocker encryption is active on all disk drives (HDDs, SSDs and USB drives).
- Turn on Microsoft Defender Firewall.
- Secure Microsoft Defender Firewall domain, private and public profiles.
- Ensure Microsoft Defender for Cloud Apps is enabled and properly configured.
- Turn on Microsoft Defender Antivirus and ensure that it is up to date.
- Turn on Microsoft Defender Antivirus real-time protection for Linux.
- Enable Microsoft Defender Antivirus cloud-delivered protection for Linux.
- Turn on Microsoft Defender for Endpoint sensor and ensure that it is properly collecting data.
- Fix Microsoft Defender for Endpoint impaired communications.
- Turn on Tamper Protection.
- Update Microsoft Defender Antivirus definitions.
- Update Microsoft Defender Antivirus definitions for Linux.
- Update Microsoft Defender for Endpoint core components.
- Fix Windows Defender Antivirus cloud service connectivity.
- Enable cloud-delivered protection.
- Turn on all system-level Exploit protection settings.
- Ensure user behaviour monitoring capabilities are configured to flag any suspicious activities.
- Enable real-time monitoring.
- Enable behaviour monitoring.
- Enable email scanning.
- Enable full scan of removable drives.
- Scan all downloaded files and attachments.
- Allow script scanning.
- Enable file hash computation.
- Enable network protection in block mode.
- Ensure Potentially Unwanted Applications (PUA) Protection is enabled.
- Enable advanced protection against ransomware.
- Set controlled folder access to enabled or audit mode, allowing exceptions only for approved business requirements.
- Block executable content from email clients and webmail, permitting exceptions solely for business-approved cases.
- Block Office applications from:
- creating child processes
- creating executable content
- injecting code into other processes
- Block JavaScript or VBScript from launching downloaded executable content.
- Block execution of potentially obfuscated scripts.
- Block executable files from running unless they meet a prevalence, age or trusted list criterion.
- Monitor process creations originating from PowerShell PSExec and Windows Management Instrumentation commands.
- Block Adobe Reader from creating child processes.
- Block persistence through WMI event subscription.
- Block abuse of exploited vulnerable signed drivers.
- Block Office communication applications from creating child processes.
- Set ’Account lockout duration’ to 15 minutes or more.
- Set ’Reset account lockout counter after’ to 15 minutes or more.
- Set ’Account lockout threshold’ to 1-10 invalid login attempts.
- Disallow offline access to shares.
- Fix unquoted service paths for Windows services.
- Change service executable paths to common protected locations.
- Change service accounts to avoid cached passwords in Windows registry.
- Remove unrestricted access accounts for Linux.
Applicable Treasury Board policy instruments:
- Directive on Security Management – section B.2.3.3.3 Footnote [11]
- GC Cloud Guardrail #3 – Secure endpoints Footnote [4]
- Endpoint Management Configuration Requirements Footnote [37]
- Patch Management Guidance Footnote [55]
Additional references:
- Top 10 IT security actions to protect Internet connected networks and information (ITSM.10.089) Footnote [40]
- CIS Microsoft Intune for Windows 11 Benchmark, section 3.11.42.2, 21.1 to 21.10 Footnote [56]
- CIS Microsoft 365 Foundations Benchmark, section 2.4.3 Footnote [30]
Related security controls from ITSG-33:
- AC-02, AC-03, AC-06, AC-07, AC-20(3), IA-05, CM-05, CM-06, CM-07, SC-07, SC-28, SC-28(1), SI-02, SI-03, SI-04, SI-16
2.4.2 Mobile device management and hardening
Mobile devices, like other client endpoints, require comprehensive inventory management, security and oversight. Mobile device management solutions enable organizations to centrally monitor and configure these devices with appropriate safeguards as outlined in the Endpoint Management Configuration Requirements.
Why it matters: Since mobile devices provide access to M365 services, they represent an additional attack vector that must be secured. Threat actors increasingly target mobile endpoints and without proper hardening, these devices can be exploited to gain unauthorized access to organizational data. Strengthening mobile security ensures that M365 access remains protected against evolving threats.
Related services: Microsoft Defender for Endpoint, Microsoft Intune, SSC Enterprise Mobile Device Management (EMDM) service
Licensing Requirements: N/A
Tasks to complete:
- Ensure mobile device password policies are configured according to GC Guideline on Password Security Footnote [24].
- Prohibit password reuse.
- Set passwords to never expire.
- Block access from jailbroken or rooted devices.
- Configure devices to automatically lock after a period of inactivity.
- Set devices to wipe data after multiple unsuccessful sign-in attempts to prevent brute force attacks.
- Enable encryption on all mobile devices to secure data at rest.
- Implement mobile threat defence solutions to proactively detect and mitigate threats on mobile devices.
- Implement capabilities for remotely managing mobile devices, including options to remotely lock or wipe lost or stolen devices.
- Mandate advanced security configurations to protect against basic internet attacks.
- Block guest users from mobile access to the M365 tenant.
- Require that only GC-issued and managed devices be used to access organizational resources.
- Ensure M365 work applications can only be accessed by approved GC user accounts.
Applicable Treasury Board policy instruments:
- Directive on Security Management – section B.2.3.3.3 Footnote [11]
- GC Cloud Guardrail #3 – Secure Endpoints Footnote [4]
- Endpoint Management Configuration Requirements Footnote [37]
- GC Guideline on Password Security Footnote [24]
- Patch Management Guidance Footnote [55]
Additional references:
- Top 10 IT security actions to protect Internet connected networks and information (ITSM.10.089) Footnote [40]
Related security controls from ITSG-33:
- AC-02, AC-03, AC-07, AC-11, AC-17(2), AC-19, AC-20(3), IA-05, IA-05(1), SC-28, SC-28(1), SI-04
2.5 Applications
2.5.1 Power Platform
Microsoft Power Platform (formerly PowerApps and Microsoft Flow) is a platform that integrates applications, connectors and a data platform to automate processes, analyze data and build solutions that work with M365 and other services.
Why it matters: Hardening the configuration of Microsoft Power Platform is crucial because it significantly strengthens the security framework, protects sensitive data from unauthorized access and breaches, ensures compliance with regulatory standards and minimizes vulnerabilities within business applications and workflows. This not only helps in safeguarding an organization’s data integrity, but also builds trust by ensuring the reliability and resilience of its technological operations.
Related services: Microsoft Power Platform
Licensing Requirements:
- M365 E5
Tasks to complete:
- Ensure that the configuration for ’Set blocked file extensions’ in Power Platform is consistent with the enterprise’s approved block list.
- Ensure that access to the environment is geographically restricted based on location.
- Ensure that cross-tenant isolation is activated for Power Platform apps and flows to prevent unauthorized external access.
- Ensure that the data storage location for all operations is set to Canada.
Applicable Treasury Board policy instruments:
- Directive on Security Management – section B.2.3.3.3 Footnote [11]
Additional references:
- CIS Microsoft Dynamics 365 Power Platform, sections 2.3, 2.4, 2.5, 3.3 Footnote [36]
Related security controls from ITSG-33:
- AC-03, AC-04, CM-06
2.5.2 Third-party applications
Only enable AI agents, applications and services that meet departmental security requirements and have explicit approval. Evaluate or disable all third-party applications, especially those attempting to connect to organizational M365 services.
Why it matters: Enforcing these controls ensures that only vetted applications access sensitive data, significantly reducing the risk of breaches and unauthorized data exposure.
Related services: Microsoft Entra ID, Microsoft Teams
Licensing requirements:
- M365 E5 Security: Microsoft Defender XDR, Microsoft Defender for Cloud Apps and Microsoft Defender for Endpoint
- M365 E5 Compliance: Microsoft Defender for Cloud Apps and Information Protection and Governance and Purview Insider Risk Management
Tasks to complete:
- Ensure that only approved M365 services, applications and AI agents are enabled.
- Disable third-party applications by default. Evaluate and get a Supply Chain Integrity assessment done prior to using any third-party applications or services.
- Require administrative consent workflow.
- Configure app permission policies in Microsoft Teams.
Applicable Treasury Board policy instruments:
- Directive on Security Management – section B.2.6.3 Footnote [11]
- GC Cloud Guardrail #12 – Configuration of cloud marketplaces Footnote [4]
- SPIN 2017-01 – section 6.2.5 Asset and configuration management Footnote [12]
Additional references:
- CIS Microsoft 365 Foundations Benchmark, sections 5.1.2.2, 5.1.5.3, 8.4.1 Footnote [30]
Related security controls from ITSG-33:
- AC-03, AC-06, CM-07, SR-06
2.6 Auditing, logging and monitoring
Continuously monitor system events and performance and include a security audit log function in all information systems to enable the detection of incidents. It is essential that an adequate level of logging and reporting, including a security audit log function in all information systems hosted in the cloud environment and for cloud-based workloads, be implemented. The use of a central logging solution should be considered whenever and wherever possible. Capabilities that automate event and behaviour analysis and offer real-time alerting can help to identify possible security threats and incidents.
2.6.1 Logging and monitoring at the tenant level
Collect and enable logging for all enterprise assets according to the enterprise’s audit log management process. Review these logs at least once a week to detect anomalies or unusual events that may indicate potential threats.
Why it matters: Enabling logging across all enterprise assets ensures comprehensive monitoring and timely detection of anomalies, which facilitates early intervention to prevent security breaches and minimize potential damage.
Related services: Microsoft 365 Defender, Microsoft Purview
Licensing requirements:
- M365 E5 Security: Microsoft Defender XDR, Microsoft Defender for Cloud Apps and Microsoft Defender for Endpoint
- M365 E5 Compliance: Microsoft Defender for Cloud Apps and Information Protection and Governance and Purview Insider Risk Management
Tasks to complete:
- Enable logging and monitoring of M365 services in accordance with the GC Event Logging Guidance.
- Ensure that mailbox auditing for all users is enabled.
- Ensure that M365 audit log search is enabled.
- Leverage M365 Management Activity API to retrieve information about user, admin, system and policy actions and events from M365 and Microsoft Entra activity logs.
- Configure the service to send audit log records to a centralized logging facility if one is available.
- Enable mailbox auditing for users with the following specific logs:
- Mail Items Accessed: Logs when mail data is accessed
- Search Query Initiated: Logs when searches are performed in a mailbox
- Send: Logs when emails are sent, replied to or forwarded
- Ensure that ’AuditBypassEnabled’ is disabled on all mailboxes.
- Enable and configure Priority Account Protection for high-risk accounts, such as social media managers, chief financial officers and Deputy Heads.
- Ensure that Environment Activity logging is enabled for the Power Platform.
- Create an OAuth app policy that can identify new OAuth applications.
- Create an app discovery policy to identify new and trending cloud apps in the organization.
- Deploy a log collector to discover shadow IT activity.
- Create a custom activity policy to get alerts about suspicious usage patterns.
- Assign personnel to monitor and audit the logs.
- Continuously monitor system events and performance.
- Ensure that reports are reviewed at least once a week, including the following:
- access reports for all administrative accounts
- Microsoft Entra ’Risky sign-ins’ report
- user role group changes
- account Provisioning Activity report
- non-global administrator role group assignments
- self-service password reset activity report
- DLP policy matches report
- DLP incidents report
- DLP false positives and overrides report
- spoofed domains report
- restricted entities report
- Threat Protection Status report
- Application Usage report
- security role changes for Power Platform
- Configure alerts and notifications to be sent to security or operations staff via valid email addresses or directly to a security operations centre.
- Develop a plan to respond to and understand the impact of security incidents, in accordance with the GC Cyber Security Event Management Plan (GC CSEMP).
- Ensure that mail forwarding rules are reviewed at least once a month.
- Monitor when a new Power App is created in the Power Platform environment.
- Monitor high priority sensitivity label activities as collected by the Microsoft Purview Audit Log and Activity Explorer.
Applicable Treasury Board policy instruments:
- Directive on Security Management – section B.2.3.7.1 Footnote [11]
- GC Cloud Guardrail #11 – Logging and monitoring Footnote [4]
- SPIN 2017-01 – section 6.3.1 Information system monitoring Footnote [12]
- Event Logging Guidance Footnote [47]
Additional references:
- Guidance on defence in depth for cloud-based services (ITSP.50.104) , section 4.8 Footnote [19]
- Top 10 IT security actions to protect Internet connected networks and information (ITSM.10.089), #1 Footnote [40]
- CIS Microsoft 365 Foundations Benchmark, sections 2.1.11, 2.1.12, 2.1.13, 2.3.1, 2.3.2, 2.4.1, 3.1.2, 5.1.5.1, 5.2.6.1, 6.1.3, 6.1.4, 6.4.1 Footnote [30]
- CIS Microsoft Azure Foundations Benchmark, section 1.4 Footnote [31]
- CIS Microsoft Dynamics 365 Power Platform, sections 4.1, 4.2, 4.3 Footnote [36]
Related security controls from ITSG-33:
- AU-04, AU-06, AU-09, AU-12, IR-04, IR-08, SI-04
2.6.2 Centralized logging and monitoring
It is critical to capture security logs, alerts and detections from various M365 services using a central security logging service to enhance organizational and GC-wide detection and response capabilities.
Why it matters: Ingesting security logs and other data sources into a centralized logging facility system provides enterprise and departmental security operations centres (SOC) with real-time, prioritized information necessary to detect and respond to security events effectively.
Related services: N/A
Licensing requirements:
- M365 E5 Security: Microsoft Defender XDR, Microsoft Defender for Cloud Apps and Microsoft Defender for Endpoint
- M365 E5 Compliance: Microsoft Defender for Cloud Apps and Information Protection and Governance and Purview Insider Risk Management
Tasks to complete:
- Implement and integrate with a central logging solution whenever and wherever possible. Capabilities that automate event and behaviour analysis and offer real-time alerting can help a department and the GC at large identify security threats and incidents more efficiently.
- Deploy CCCS cyber defence sensors (for example, cloud based sensors, host based sensors, network based sensors) following the establishment of memoranda of understanding (MOU) via CDOServiceDeployments@cyber.gc.ca.
Applicable Treasury Board policy instruments:
- Directive on Security Management – section B.2.3.7.1 Footnote [11]
- GC Cloud Guardrail #4 – Enterprise monitoring accounts Footnote [4]
- GC Cloud Guardrail #9 – Network security services Footnote [4]
- GC Cloud Guardrail #10 – Cyber defence services Footnote [4]
- Event Logging Guidance Footnote [47]
Additional references:
- None
Related security controls from ITSG-33:
- AU-06, SI-04
2.6.3 Managing insider risks
Implement an insider risk management program to detect, investigate and act on unauthorized activities in the organization. Correlating various signals in M365 can help to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations.
Why it matters: Investigating and addressing both malicious and unintentional activities in the organization is important for protecting departmental information. When combined with DLP tools, insider risk management provides essential context. This integration enhances the application of policies, enabling better enforcement of rules and more effective identification of risks.
Related services: Microsoft Purview
Licensing requirements:
- M365 E5 Security: Microsoft Defender XDR and Microsoft Defender for Endpoint
- M365 E5 Compliance: Purview Insider Risk Management
Tasks to complete:
- Configure Insider Risk Management policies to address specific risks, such as data theft by departing employees, leaks of sensitive information and security breaches.
- Develop and maintain an incident response plan specifically tailored to manage insider threats effectively and efficiently.
- Conduct audits and assessments at a minimum quarterly to identify accidental changes, potential insider threats and vulnerabilities within the organization.
- Establish clear and confidential reporting mechanisms for employees to report suspicious activities without fear of retaliation.
- Continuously improve insider risk policies by incorporating analytics and feedback from incidents.
- Ensure that all insider risk management activities comply with legal standards and privacy principles, including pseudonymizing users by default and using role-based access controls and audit logs to help ensure user-level privacy.
Applicable Treasury Board policy instruments:
- Directive on Security Management – section B.2.3.8 Footnote [11]
- Directive on Security Screening – section 4.5.4.3 Footnote [57].
- GC Cloud Guardrail #11 – Logging and monitoring Footnote [4]
Additional references:
Related security controls from ITSG-33:
- AC-02(7), AC-03, AU-06, CA-07, IR-04, IR-06, IR-08, SI-04
2.7 Continuity and resilience
According to the Policy on Government Security Footnote [10], departments and agencies must ensure the continuity of essential services during disruptions. The ability to respond to and recover from security incidents is critical and departments and agencies must align their efforts with the GC CSEMP Footnote [59] and coordinate the resolution of incidents with the CCCS. Departmental plans also need to support the integrated management of the departmental business continuity life cycle and the departmental cyber security management plans, processes and procedures to ensure the continued delivery of services.
2.7.1 Departmental cyber security event management
Departments and agencies are expected to develop plans to respond to and understand the impact of security events and incidents affecting M365 services in their organization, in accordance with the GC CSEMP. Departmental plans also need to support the integrated management of the departmental business continuity life cycle and the departmental cyber security management plans, processes and procedures to ensure the continued delivery of services.
Departments will support the GC’s overarching operational framework for managing cyber events (for example, GC CSEMP) by establishing an integrated approach that aligns the Departmental CSEMP with the departmental business continuity plan to ensure clear roles and responsibilities and supporting processes are established to enable rapid response to cyber events.
Why it matters: The ability for the GC to respond to cyber security events in a consistent, coordinated and timely manner is essential to ensure the security and resilience of GC programs and service delivery.
Related services: Microsoft Sentinel, Microsoft Defender for Endpoint
Licensing requirements: N/A
Tasks to complete:
- Ensure that M365 services and related operational scenarios are identified and included in the Departmental CSEMP.
- Report cloud-based security events following the GC-Microsoft Protocol for Managing Microsoft Cloud-based Security Events (accessible only on the Government of Canada network)Footnote [60].
- Perform tabletop exercises to test the Departmental CSEMP to ensure its effectiveness.
Applicable Treasury Board policy instruments:
- Directive on Security Management – Appendix F: Mandatory Procedures for Security Event Management Control
- GC Cloud Guardrail #13 – Plan for continuity Footnote [4]
- SPIN 2017-01 – section 6.3 Security operations Footnote [12]
- GC CSEMP Footnote [59]
Additional references:
- GC Cloud Event Management Standard Operating Procedure
- Department CSEMP Template (accessible only on the Government of Canada network)
Related security controls from ITSG-33:
- IR-03, IR-06, IR-08
2.7.2 Disaster recovery
Ensuring the identification of mission-critical assets and implementing a robust disaster recovery (DR) plan is essential for maintaining service continuity and minimizing the impact of disruptions on essential government operations.
Why it matters: Proper identification of mission-critical assets and the development of an effective DR plan are essential for minimizing downtime and data loss in the event of a disruption. Ensuring swift recovery of IT services, such as M365 safeguards the continuity of departmental operations, supports the delivery of essential services and maintains public trust in the resilience of GC programs.
Related services: N/A
Licensing requirements: N/A
Tasks to complete:
- Perform a detailed data identification exercise tailored to the department’s business needs. Focus on identifying mission-critical assets, prioritizing them based on their importance and availability to organizational operations. Ensure alignment with business continuity and risk management objectives.
- Use the findings from the data identification exercise to create a robust DR plan. At a minimum, the plan should include provisions for a warm site with real-time data replication. Ensure that it meets the department’s Recovery Point Objective, Recovery Time Objective and Maximum Tolerable Downtime, as defined by business requirements.
- Define actionable procedures for restoring services during a disruption, including clear roles, responsibilities and communication protocols to guide the response effectively and minimize downtime.
- Conduct annual testing and review of the DR plan to validate its effectiveness. Update the plan as needed to reflect changes in the operating environment, technological landscape, assets or organizational requirements. Incorporate lessons learned from testing or actual incidents.
- Choose a disaster recovery tool that aligns with the DR plan and supports the department’s specific infrastructure and requirements. Ensure that the tool is compatible, scalable and capable of meeting the recovery objectives defined in the DR plan.
Applicable Treasury Board policy instruments:
- Directive on Security Management – Appendix D: Mandatory Procedures for Business Continuity Management Control Footnote [61]
- GC Cloud Guardrail #13 – Plan for continuity Footnote [4]
- Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice (SPIN) – section 6.3 Security operations Footnote [12]
- Security Playbook for Information System Solutions, section 3.8 Footnote [62]
Additional references:
- None
Related security controls from ITSG-33:
- CP-02, CP-04, CP-06, CP-07, CP-10, IR-09
2.8 Maintenance
2.8.1 Change management
Departments and agencies are expected to implement the M365 baseline configurations as the minimum configurations within the departmental tenant in consideration of departmental business and threat context. Deviations from the baseline configuration must be managed through a structured change control process that ensures changes are evaluated to assess any security impacts. This includes updating departmental baselines regularly to incorporate GC updates to the playbook and associated configurations.
A security review must be performed to verify potential impact on changes. Where changes are expected to increase residual risk, departments and agencies are expected to consult with the departmental designated official for cyber security (DOCS) for further guidance.
Why it matters: Implementing a change management process for configuration changes improves the overall security posture by ensuring that every modification undergoes thorough assessment, authorization and documentation prior to deployment. This approach not only prevents unauthorized changes that could make the environment vulnerable to attacks, but also enables quick reversal and clear accountability if a change unintentionally causes security breaches or compliance problems.
Related services: N/A
Licensing requirements: N/A
Tasks to complete:
- Establish baseline configurations and change management procedures.
- Update departmental baselines quarterly or on an ad hoc basis to incorporate new M365 updates and address evolving security threats.
- Establish a formal process for all configuration changes in the M365 tenant, including proposal, review and authorization steps.
- Thoroughly assess the security implications of each change, considering its impact on the existing threat model and overall security posture.
- Conduct regular reviews and audits of M365 configurations to ensure alignment with baselines, detect unauthorized changes and adjust for updates in Microsoft’s features and settings.
Applicable Treasury Board policy instruments:
- Directive on Security Management – section B.2.3.3.1 Footnote [11]
- GC Cloud Guardrail #12 – Configuration of cloud marketplaces Footnote [4]
- SPIN 2017-01 – section 6.2.5 Asset and configuration management Footnote [12]
Additional references:
- None
Related security controls from ITSG-33:
- CM-02, CM-03, CM-04
3. Compliance framework
According to the GC Cloud Operationalization Framework, to support authority to operate, implementing and validating the solution-specific information technology (IT) security configurations is required.
Validating M365 compliance to the playbook configurations will be supported by SSC.
SSC will develop the SDM (accessible only on the Government of Canada network) to provide detailed implementation instructions for the configurations outlined in this playbook. Compliance validation will follow SSC guidelines, with periodic audits of departmental tenant environments conducted after the first 30 business days to ensure adherence to the playbook.
To enable compliance monitoring and configuration validation, departments must ensure proper RBAC and provide tenant access to SSC. This playbook specifies the required security configurations and controls, while the SSC’s SDM offers step-by-step guidance on how to implement them.
Departments will be responsible for establishing a plan of action and milestones to address any residual risks identified from security assessment activities before obtaining a departmental authority to operate.
To self-assess compliance, Departments can leverage tools such as:
- Microsoft Purview Compliance Portal
- Compliance Manager
- Microsoft Compliance Score
Departments are expected to maintain the security of their M365 environments, working in collaboration with SSC. As M365 is a SaaS solution, departments and agencies should monitor notifications from Microsoft or SSC for newly introduced features and ensure that these features are reviewed and configured appropriately (or disabled if not required).