
CISA Emergency Directive 20-03: Microsoft 365 hardening

CISA's Emergency Directive 20-03 is technically just for federal agencies, but the Microsoft 365 security checklist applies to everyone: enable unified audit logging, enforce MFA, block legacy authentication, and implement DMARC/DKIM/SPF. These are not nice-to-haves—they are the basics that prevent credential theft and business email compromise.



High-level summary

CISA issued Emergency Directive 20-03 requiring federal civilian executive branch agencies to implement specific security configurations for Microsoft Office 365 (now Microsoft 365) environments. The directive responded to observations of agency tenants lacking basic security controls, leaving them exposed to credential theft, business email compromise, and data exfiltration. It binds only federal agencies, but the required configurations are security good practice for any organization running Microsoft 365.

Directive Background

Emergency Directive 20-03 follows CISA's observations of widespread Microsoft 365 misconfiguration across federal agencies:

  • Incident observations: CISA noted multiple instances where agencies failed to implement basic security controls, enabling successful compromises.
  • Configuration gaps: Rushed cloud migrations often left critical security features disabled or misconfigured.
  • Compliance urgency: The directive's emergency nature reflects the severity of identified risks requiring immediate action.
  • Federal applicability: Applies to all executive branch agencies under FISMA, with specified compliance deadlines.

Required Security Controls

The directive mandates five core security configurations:

  • Unified Audit Logging: Enable the unified audit log and keep at least 90 days of history. Without it there is no tenant-wide record of mailbox, administrative, and sign-in activity to investigate an incident; retention beyond the licensing default requires an audit retention policy or export to a SIEM.
  • Multi-Factor Authentication: Enforce MFA for all users, starting with administrators and other privileged roles. A password obtained by spraying or phishing is then not sufficient on its own, although SMS, voice, and simple push approvals can still be relayed by adversary-in-the-middle phishing kits, which is why privileged accounts should use phishing-resistant methods.
  • Password Sync Configuration: Review how Azure AD Connect (now Microsoft Entra Connect) synchronizes on-premises accounts and password hashes, and keep privileged cloud roles such as Global Administrator on cloud-only accounts, so that a compromised on-premises account cannot be used to take over the tenant.
  • Legacy Authentication Blocking: Block basic (legacy) authentication for protocols such as IMAP, POP3, SMTP AUTH, Exchange ActiveSync, EWS, and MAPI/RPC. These clients present only a username and password, so Conditional Access cannot challenge them for MFA, and they are the usual target of password-spraying campaigns.
  • Email Authentication: Publish SPF, DKIM, and DMARC records for every sending domain so that receiving servers can reject forged mail that impersonates your domains in business email compromise.

Implementation Technical Details

Organizations implementing the directive's requirements should address specific technical components:

Audit Logging Configuration:

  • Enable the unified audit log in the Microsoft Purview compliance portal (formerly the Security & Compliance Center) or from Exchange Online PowerShell, and confirm that ingestion is actually on rather than assuming the default.
  • Check retention against the 90-day minimum; the default retention depends on the tenant's licensing, and anything beyond it requires an audit retention policy.
  • For longer retention and correlation with other sources, stream the log to Microsoft Sentinel (formerly Azure Sentinel) or a third-party SIEM.
  • Verify mailbox audit logging is enabled for owner, delegate, and admin actions, that no mailbox carries an audit bypass association, and that the per-mailbox audit log age limit is not below 90 days.
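The checks above as an added example in Exchange Online PowerShell; this is not code from the directive or from this page. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds a role allowed to change audit settings (for example Organization Management).

```powershell
# Added example, not from the directive or this page: verify and enable unified
# audit logging and mailbox auditing in Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module and an account that can change
# audit settings (e.g. Organization Management).
Connect-ExchangeOnline -ShowBanner:$false

# 1. Tenant-wide unified audit log ingestion.
$ual = Get-AdminAuditLogConfig
if (-not $ual.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is off; enabling it."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailbox auditing is on by default, but can be switched off for the whole org.
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled org-wide; re-enabling it."
    Set-OrganizationConfig -AuditDisabled $false
}

# 3. Per-mailbox review: mailboxes keeping fewer than 90 days of audit history.
#    AuditLogAgeLimit is returned in "dd.hh:mm:ss" form, so it is cast to a TimeSpan.
$minDays   = 90
$mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox `
                            -Properties AuditEnabled,AuditLogAgeLimit
$short = $mailboxes | Where-Object {
    -not $_.AuditEnabled -or ([TimeSpan]"$($_.AuditLogAgeLimit)").TotalDays -lt $minDays
}
foreach ($mbx in $short) {
    Write-Warning "$($mbx.UserPrincipalName): AuditEnabled=$($mbx.AuditEnabled) AgeLimit=$($mbx.AuditLogAgeLimit)"
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true -AuditLogAgeLimit "$minDays.00:00:00"
}

# 4. Bypass associations silently exclude an account's actions from every mailbox
#    audit log, which is exactly what an attacker holding admin rights would want.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    ForEach-Object { Write-Warning "Audit bypass enabled for $($_.Name)" }

# 5. Prove that events are actually being ingested: last day of Exchange admin actions.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
                       -RecordType ExchangeAdmin -ResultSize 10 |
    Select-Object CreationDate, UserIds, Operations

Disconnect-ExchangeOnline -Confirm:$false
```

Step 5 is the check most people skip: an enabled toggle that produces no records (for example because ingestion was only just turned on) is indistinguishable from a disabled one when an incident arrives.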

MFA Deployment:

  • Choose between security defaults (free, tenant-wide: MFA registration for all users, MFA for administrators and on risky sign-ins, legacy authentication blocked, but no exclusions or tuning) and Conditional Access policies (granular targeting, report-only mode, authentication strengths) based on licensing and organizational needs.
  • Cover Global Administrator and other privileged roles first, and exclude one or two cloud-only, closely monitored break-glass accounts so that a policy mistake cannot lock every administrator out.
  • Plan user communication and training to minimize deployment friction.
  • Require phishing-resistant methods (FIDO2 security keys, certificate-based authentication, Windows Hello for Business) for high-privilege accounts, and roll every new policy out in report-only mode before enforcing it.
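A Conditional Access policy that puts the admin-first, phishing-resistant, report-only-first advice above into practice, as an added example rather than code from the directive or this page. It assumes the Microsoft Graph PowerShell SDK, an account permitted to manage Conditional Access, and that the placeholder GUID in $breakGlassIds is replaced with the object IDs of your own cloud-only emergency-access accounts.

```powershell
# Added example, not from the directive or this page: require phishing-resistant MFA
# for privileged Entra ID roles via Conditional Access, created in report-only mode.
# Assumes the Microsoft Graph PowerShell SDK; $breakGlassIds is a placeholder.
Connect-MgGraph -NoWelcome -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","RoleManagement.Read.Directory"

$breakGlassIds = @("00000000-0000-0000-0000-000000000000")   # placeholder: your emergency-access account IDs

# Resolve role template IDs by display name rather than hard-coding GUIDs.
$privilegedRoles = @(
    "Global Administrator", "Privileged Role Administrator", "Security Administrator",
    "Conditional Access Administrator", "Exchange Administrator", "User Administrator"
)
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $privilegedRoles } |
    Select-Object -ExpandProperty Id
if (@($roleIds).Count -ne $privilegedRoles.Count) { throw "Could not resolve every role template by name" }

# Built-in authentication strength that accepts only FIDO2, certificate-based
# authentication or Windows Hello for Business; SMS, voice and plain push do not satisfy it.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }

$policy = @{
    displayName = "Require phishing-resistant MFA for privileged roles"
    # Report-only records what would have happened without blocking anyone.
    # Switch to "enabled" once the sign-in logs show no unexpected failures.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeRoles = @($roleIds); excludeUsers = $breakGlassIds }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

While the policy is in report-only mode, each sign-in in the Entra sign-in logs records the policy under its Conditional Access results with a report-only outcome; review those for the break-glass accounts and for any admin who has not yet registered a FIDO2 key before switching the state to enabled. A second, separate policy requiring ordinary MFA for all users follows the same pattern with includeUsers set to All and builtInControls set to mfa.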

Legacy Authentication:

  • Identify legacy authentication usage through Azure AD sign-in logs before blocking: filter the Client app column for IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, and Other clients to find the users, service accounts, and devices (scanners, line-of-business applications) that still depend on it.
  • Create Conditional Access policies blocking the legacy client app types (Exchange ActiveSync and Other clients), first in report-only mode and then enforced, and back them with an Exchange Online authentication policy that refuses basic authentication at the protocol layer.
  • Plan migration for applications requiring legacy authentication, normally to OAuth 2.0 modern authentication or, for SMTP-only devices, to a relay or an OAuth-capable client.
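The three steps above carried through as one added example, not code from the directive or this page: inventory legacy sign-ins from the Entra sign-in logs, create the Conditional Access block in report-only mode, and close the Exchange side with an authentication policy. It assumes the Microsoft Graph PowerShell SDK and ExchangeOnlineManagement modules, 30 days of sign-in log retention (Entra ID P1), and that the placeholder GUID in $breakGlassIds is replaced with your emergency-access account IDs; the policy name "Block Basic Auth" is also the example's own.

```powershell
# Added example, not from the directive or this page: find who still signs in with
# legacy (basic) authentication, then block it. Assumes the Graph PowerShell SDK and
# ExchangeOnlineManagement modules; $breakGlassIds is a placeholder.
Connect-MgGraph -NoWelcome -Scopes "AuditLog.Read.All","Policy.ReadWrite.ConditionalAccess"
$breakGlassIds = @("00000000-0000-0000-0000-000000000000")   # placeholder: your emergency-access account IDs

# Entra reports the protocol in clientAppUsed. Only these two values are modern auth;
# everything else (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, Other clients, ...)
# is a password-only protocol that cannot be challenged for MFA.
$modern = @("Browser", "Mobile Apps and Desktop clients")
$since  = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")

$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -and $_.ClientAppUsed -notin $modern }

# One row per protocol/account pair. Successes are what you must migrate; a long tail
# of failures across many accounts from few IPs is the signature of password spraying.
$inventory = $legacy | Group-Object ClientAppUsed, UserPrincipalName | ForEach-Object {
    [pscustomobject]@{
        ClientApp = $_.Group[0].ClientAppUsed
        User      = $_.Group[0].UserPrincipalName
        Attempts  = $_.Count
        Successes = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
        LastSeen  = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
        SourceIPs = ($_.Group.IPAddress | Sort-Object -Unique) -join ","
    }
}
$inventory | Sort-Object Successes -Descending | Format-Table -AutoSize

# Conditional Access: block the legacy client app types for everyone except break-glass,
# in report-only mode first so its would-have-blocked results can be compared with the
# inventory above before enforcement.
$block = @{
    displayName   = "Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $block | Select-Object Id, DisplayName, State

# Exchange Online side: a policy created with New-AuthenticationPolicy has every
# AllowBasicAuth* switch off, so making it the tenant default refuses basic auth at the
# protocol layer regardless of Conditional Access licensing. SMTP AUTH is the protocol
# most often left on basic auth for printers and scanners: disable it tenant-wide and
# re-enable it per mailbox (Set-CASMailbox) only for devices that truly need it.
Connect-ExchangeOnline -ShowBanner:$false
$ap = Get-AuthenticationPolicy -Identity "Block Basic Auth" -ErrorAction SilentlyContinue
if (-not $ap) { $ap = New-AuthenticationPolicy -Name "Block Basic Auth" }
Set-OrganizationConfig -DefaultAuthenticationPolicy $ap.Identity
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Disconnect-ExchangeOnline -Confirm:$false
```

Pulling a month of sign-ins with -All is slow on a large tenant; narrow $since or add a userPrincipalName clause to the filter when iterating on a single account. Any account that shows legacy successes from IP ranges you do not recognize should be treated as a credential-compromise lead, not just a migration item.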

Email Authentication Implementation

Email authentication requires DNS configuration:

  • SPF (Sender Policy Framework): Publish a single TXT record at each sending domain listing the authorized senders (for Exchange Online, include:spf.protection.outlook.com plus any third-party services that send as the domain), ending with -all. Stay under SPF's limit of 10 DNS lookups, or receivers return a permanent error and the record is ignored.
  • DKIM (DomainKeys Identified Mail): Enable DKIM signing in Exchange Online for each custom domain and publish the two selector CNAME records (selector1._domainkey and selector2._domainkey) that Microsoft provides; Exchange Online rotates between the two selectors, so both must resolve.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance): Publish a TXT record at _dmarc.<domain> that tells receiving servers how to handle mail failing SPF or DKIM alignment and where to send aggregate reports (rua=).

Start DMARC with a monitoring policy (p=none) and a reporting address, use the aggregate reports to find every legitimate sender and bring it under SPF or DKIM, then move to quarantine (p=quarantine) and finally reject (p=reject), ramping with the pct= tag if needed. Set the subdomain policy (sp=) explicitly, since attackers otherwise spoof unused subdomains, and publish v=spf1 -all with p=reject for parked domains that never send mail.
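The record checks described above as an added example, not code from the directive or this page: it validates a domain's SPF record, compares the DKIM selector CNAMEs with what Exchange Online expects and enables signing once they match, and parses the DMARC record's policy tags. "example.com" is a placeholder for your own domain; Resolve-DnsName comes from the Windows DnsClient module and the DKIM section needs the ExchangeOnlineManagement module. The lookup count is a rough approximation that does not follow nested includes.

```powershell
# Added example, not from the directive or this page: check SPF, DKIM and DMARC for a
# domain hosted in Exchange Online. "example.com" is a placeholder.
$domain = "example.com"

function Get-TxtRecord([string]$Name) {
    # Long TXT records are split into 255-byte strings; join them back together.
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq "TXT" } |
        ForEach-Object { -join $_.Strings }
}

# --- SPF: exactly one v=spf1 record, Exchange Online authorized, hard fail at the end.
$spf = @(Get-TxtRecord $domain | Where-Object { $_ -like "v=spf1*" })
if ($spf.Count -ne 1) {
    Write-Warning "$domain publishes $($spf.Count) SPF records; receivers require exactly one"
} else {
    if ($spf[0] -notmatch "include:spf\.protection\.outlook\.com") {
        Write-Warning "SPF does not include spf.protection.outlook.com; Exchange Online mail will fail SPF"
    }
    if ($spf[0] -notmatch "\s-all$") {
        Write-Warning "SPF ends with '$($spf[0].Split(' ')[-1])' rather than -all; forged mail only soft-fails"
    }
    # Rough count of mechanisms that cost a DNS lookup (nested includes add more);
    # above 10, receivers return permerror and ignore the record entirely.
    $lookups = [regex]::Matches($spf[0], "\b(include:|a[:\s]|mx[:\s]|ptr|exists:|redirect=)").Count
    if ($lookups -gt 10) { Write-Warning "SPF needs about $lookups DNS lookups; the limit is 10" }
}

# --- DKIM: Exchange Online signs with two rotating selectors; each needs a CNAME in
#     your DNS pointing at the host name Get-DkimSigningConfig reports for your tenant.
Connect-ExchangeOnline -ShowBanner:$false
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $dkim) { $dkim = New-DkimSigningConfig -DomainName $domain -Enabled $false }
$cnamesOk = $true
foreach ($n in 1, 2) {
    $expected = $dkim."Selector${n}CNAME"
    $actual   = (Resolve-DnsName -Name "selector$n._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue).NameHost
    if ($actual -ne $expected) {
        $cnamesOk = $false
        Write-Warning "selector$n._domainkey.$domain resolves to '$actual'; expected '$expected'"
    }
}
if ($cnamesOk -and -not $dkim.Enabled) {
    Set-DkimSigningConfig -Identity $domain -Enabled $true   # only once both CNAMEs resolve
}
Disconnect-ExchangeOnline -Confirm:$false

# --- DMARC: domain policy (p), subdomain policy (sp), coverage (pct) and reporting (rua).
$dmarc = Get-TxtRecord "_dmarc.$domain" | Where-Object { $_ -like "v=DMARC1*" } | Select-Object -First 1
if (-not $dmarc) {
    Write-Warning "No DMARC record; start with 'v=DMARC1; p=none; rua=mailto:dmarc@$domain'"
} else {
    $tags = @{}
    foreach ($pair in $dmarc.Split(";")) {
        $k, $v = $pair.Trim() -split "=", 2
        if ($k) { $tags[$k.Trim()] = "$v".Trim() }
    }
    $rank = @{ none = 0; quarantine = 1; reject = 2 }
    if (-not $tags["rua"]) { Write-Warning "No rua= address: no aggregate reports to find legitimate senders" }
    if ($tags["p"] -eq "none") { Write-Warning "DMARC is monitor-only; move to quarantine, then reject, once reports are clean" }
    if ($tags["sp"] -and $rank[$tags["sp"]] -lt $rank[$tags["p"]]) { Write-Warning "Subdomain policy sp=$($tags['sp']) is weaker than p=$($tags['p'])" }
    if ($tags["pct"] -and [int]$tags["pct"] -lt 100) { Write-Warning "Only pct=$($tags['pct'])% of failing mail receives the policy" }
}
```

Run the script from outside the tenant's own resolvers so that stale or split-horizon DNS does not mask a missing record; the DKIM step deliberately refuses to enable signing until both CNAMEs resolve, because Exchange Online rotates selectors and a missing second CNAME breaks signatures later rather than immediately.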

Assessment and Monitoring

Whether or not the directive applies to you, use available tools to assess compliance:

  • Microsoft Secure Score: Scores the tenant against Microsoft's security recommendations and lists the specific open actions, including MFA coverage, legacy authentication, and audit logging.
  • Azure AD Reports: Sign-in logs show legacy authentication usage, MFA results, and authentication failures; each sign-in's Conditional Access details show which policies applied, including report-only outcomes.
  • Compliance Manager: Tracks compliance status against regulatory frameworks.
  • CISA SCuBA: CISA's Secure Cloud Business Applications project publishes secure configuration baselines for Microsoft 365 and ScubaGear, a PowerShell tool that checks a tenant against them.

Broader Applicability

While ED 20-03 applies to federal agencies, the security configurations represent minimum baseline controls for any organization using Microsoft 365. Cloud misconfigurations remain a leading cause of breaches, and the directive's requirements address the most critical risks. Non-federal organizations should review their tenant configurations against these requirements as part of cloud security posture management.

Closing analysis

Emergency Directive 20-03 codifies essential Microsoft 365 security configurations that every organization should implement. The directive provides a clear checklist for baseline cloud email and identity security, with requirements that effectively address common attack vectors including password spraying, business email compromise, and credential theft.



