SANS ISC shares an in-depth list of Best Security Practices for Azure cloud based Microsoft Exchange 365 protection

The shared security model adopted by most cloud service shifts a portion of securing data to the customer. Microsoft is no different in this respect, and they have published their security support matrix here: In this model, Microsoft will protect the platform by securing access to the physical components, making sure the underlying operating systems and applications have the latest patches and providing the customer the ability to apply additional data and configuration controls

Securing Identity — Account takeover is one of the most common forms of breach in Office 365.
Identity source — The following four authentication methods are available: Cloud only Directory sync with password hash, Directory sync with pass through authentication, Directory sync with Active Directory Federation Services
Multifactor Authentication (MFA)
Conditional Access.
Azure AD Identity Protection
Azure AD Password Protection
Limit Global / Exchange Administrators
Securing Exchange Online
Disable third party app integration
Disable auto-forwarding email
Enable notifications
Mark external emails with a banner.
Disable Legacy Authentication
Disable app passwords.
Enable Mobile Device quarantine.
Enable Mailbox Level auditing
Enable Sender Policy Framework (SPF)
Enable Domain Keys (DKIM) and DMARC
Limit Calendar Sharing
Restrict email from outside senders to sensitive groups