Cybersecurity and Infrastructure Security Agency (CISA) issued a set of best practices designed to help organizations to mitigate risks and vulnerabilities associated with migrating their email services to Microsoft Office 365. CISA’s AR19-133A analysis report was published after it was discovered that a number of misconfigurations lowered the overall security of organizations which adopted Microsoft’s Office 365 as their default email provider. The majority of these organizations did not have a dedicated IT security team to focus on their security in the cloud.
Source: https://www.bleepingcomputer.com/news/security/us-govt-issues-microsoft-office-365-security-best-practices/