Office 365 Secure Score analyzes your Office 365 tenant’s security configuration, rates it against a series of weighted criteria, and produces an overall “score” that represents how many of the available security controls you have adopted.
The scoring system is a refreshing change from the usual critical/warning/information ratings, which sometimes distract customers from addressing real issues. Instead of trying to address every “critical” finding, you can take the results of Secure Score and improve your score over time by implementing the recommended controls.
I ran the Office 365 Secure Score tool over a few of my demo and customer tenants. Here’s a look at how Secure Score works. First, go to the Office 365 Secure Score website, and log in with a global admin account. Naturally this tool needs some access to read information about your tenant.
The Secure Score dashboard tells me that this tenant scores 75, and is currently at risk of account breach, elevation of privilege, and data exfiltration.
Secure Score has set a target score of 341 for my tenant. You can move the slider all the way to the right and set a target score of 514 if you like. In doing so, more actions are added to the list (mine increases to 49 actions at that level) which means more work for you to achieve that score. Should you go for the maximum score every time? Not necessarily. As Microsoft says…
The full set of controls includes several that are very aggressive and will potentially have an adverse impact on your users’ productivity. Your goal should be to optimize your action to take every possible risk mitigating action while preserving your users’ productivity.
And that’s where the Secure Score tool can start to be misapplied. If your approach to security is to aim for the maximum score, you’re going to need to implement controls that aren’t always a good idea. Let’s take the example of mobile device controls. In the score analyzer view I can filter the list of actions to see which device controls I’ve already implemented in this tenant. Secure Score has given me some points because I have:
- Required device encryption
- Required device passwords
- Disallowed jail broken devices
- Disallowed simple passwords
- Enabled Office 365 MDM
A default Office 365 tenant has none of those controls in place, so it would not score as well. You might agree that those are reasonable controls to implement. But to score even higher there are other security controls to consider, listed in the “Incomplete actions” view, such as requiring mobile devices to wipe after multiple failed sign-in attempts.
That’s one of my favorite examples of why not every security control should be turned on. If you implement that option in your mobile device policies while chasing the perfect Secure Score result, you’re very likely to end up in a conversation with a user who lost all their family photos because their child got hold of their phone and started mashing buttons on the lock screen. A device wipe takes everything that isn’t backed up somewhere else with it, so the control only makes sense where that loss is acceptable.
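As an added example that is not part of the original post: the same “wipe after failed sign-ins” behaviour exists in Exchange Online as the MaxPasswordFailedAttempts setting of an Exchange ActiveSync mobile device mailbox policy (the Office 365 MDM device policies the post refers to are managed separately in the Security & Compliance Center and are not covered by this script; treating the mailbox policy as the equivalent is an assumption made here). The script assumes the ExchangeOnlineManagement module and an Exchange admin sign-in. It reports the device controls listed above for each policy and flags any policy where a wipe threshold is configured, so the decision is made deliberately rather than discovered from a user.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module (Install-Module ExchangeOnlineManagement) and an Exchange Online admin account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Summarise the device controls discussed above as they appear on Exchange ActiveSync
# mobile device mailbox policies. MaxPasswordFailedAttempts is the "wipe on failed
# sign-ins" setting: 'Unlimited' means never wipe; a number (4-16) makes the device
# wipe itself after that many wrong passcodes.
function Get-MobilePolicyRiskReport {
    foreach ($policy in Get-MobileDeviceMailboxPolicy) {
        # Render the Unlimited<int> value as text so it compares cleanly against 'Unlimited'.
        $wipeThreshold  = "$($policy.MaxPasswordFailedAttempts)"
        $wipesOnFailure = ($wipeThreshold -ne '') -and ($wipeThreshold -ne 'Unlimited')
        [pscustomobject]@{
            Policy                  = $policy.Name
            IsDefault               = $policy.IsDefault
            PasswordRequired        = $policy.PasswordEnabled
            SimplePasswordAllowed   = $policy.AllowSimplePassword
            EncryptionRequired      = $policy.RequireDeviceEncryption
            NonProvisionableAllowed = $policy.AllowNonProvisionableDevices
            WipeAfterFailedAttempts = $wipeThreshold
            WipesOnFailedSignIn     = $wipesOnFailure
        }
    }
}

$report = Get-MobilePolicyRiskReport
$report | Format-Table -AutoSize

# A wipe-on-failure policy destroys any local data that is not backed up elsewhere;
# confirm every policy that has it is intentional.
$report | Where-Object WipesOnFailedSignIn | ForEach-Object {
    Write-Warning "Policy '$($_.Policy)' wipes devices after $($_.WipeAfterFailedAttempts) failed attempts"
}

# To take the wipe out of a policy while keeping the passcode and encryption requirements,
# for example on the built-in policy named 'Default':
# Set-MobileDeviceMailboxPolicy -Identity 'Default' -MaxPasswordFailedAttempts 'Unlimited'
```

Run the report before and after changing policies; the flagged rows are the ones worth a conversation with the business owners of those mailboxes, not a blanket “turn it off”.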
So we shouldn’t just blindly implement everything. But of course, Secure Score is going to make a good number of recommendations that you determine are worth implementing. Back to my example tenant, I certainly don’t want my account breached (which Secure Score is warning me about), so let’s see what I can do about it. In the list of Account-related actions are a series of technical changes, as well as review tasks. Technical changes are those for which you can flip a switch or configure a feature, and you’ll be scored accordingly. For example, enabling multi-factor authentication (MFA) for all tenant admins would score me an additional 50 points. Review tasks involve such things as periodically checking the role assignments in your tenant to ensure that they are still aligned with your users’ responsibilities. In all cases, Secure Score provides a detailed explanation about why a control exists, what the recommendation is, and connects you to the appropriate admin portal to implement the recommendation.
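As an added example, not part of the original post, here is a PowerShell script that turns two of those Account-related actions, periodically reviewing admin role assignments and enabling MFA for admins, into something you can run on a schedule. It assumes the legacy MSOnline module (the tooling of this post’s era; Microsoft has since deprecated it in favour of Microsoft Graph PowerShell) and a session signed in as a global admin. One caveat: it reads only the per-user MFA state. MFA required through Conditional Access or security defaults does not appear in StrongAuthenticationRequirements, so an empty result means “not configured per user”, not “no MFA at all”.

```powershell
# Added example, not from the original post. Assumes the legacy MSOnline module
# (Install-Module MSOnline) and that the sign-in below is a global admin.
Import-Module MSOnline
Connect-MsolService

# Review task: list every directory role that has members, and who those members are.
# Technical check: for each human member, report the per-user MFA state
# (NotConfigured = nothing set, Enabled = must enrol at next sign-in, Enforced = required).
function Get-AdminMfaReport {
    foreach ($role in Get-MsolRole) {
        foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
            # Groups and service principals have no per-user MFA state; list them for the
            # reviewer but do not query a user object for them.
            if ($member.RoleMemberType -ne 'User') {
                [pscustomobject]@{
                    Role       = $role.Name
                    Member     = $member.DisplayName
                    MemberType = $member.RoleMemberType
                    MfaState   = 'n/a'
                }
                continue
            }
            $user  = Get-MsolUser -ObjectId $member.ObjectId
            $state = ($user.StrongAuthenticationRequirements | Select-Object -First 1).State
            if (-not $state) { $state = 'NotConfigured' }
            [pscustomobject]@{
                Role       = $role.Name
                Member     = $user.UserPrincipalName
                MemberType = 'User'
                MfaState   = $state
            }
        }
    }
}

# Enable per-user MFA for one account. 'Enforced' skips the enrolment grace period,
# which is stricter but breaks legacy clients that cannot do modern authentication.
function Enable-UserMfa {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [ValidateSet('Enabled', 'Enforced')] [string] $State = 'Enabled'
    )
    $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $requirement.RelyingParty = '*'
    $requirement.State = $State
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($requirement)
}

$report = Get-AdminMfaReport
$report | Sort-Object Role, Member | Format-Table -AutoSize

# Admins with no per-user MFA configured are the ones Secure Score counts against you.
$report |
    Where-Object { $_.MemberType -eq 'User' -and $_.MfaState -eq 'NotConfigured' } |
    ForEach-Object {
        Write-Warning "$($_.Member) holds '$($_.Role)' without per-user MFA"
        # Uncomment to remediate straight from the review:
        # Enable-UserMfa -UserPrincipalName $_.Member -State 'Enabled'
    }
```

Keep the report output from each run; comparing two runs is the cheapest way to spot a role assignment that appeared between reviews.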
When you’ve spent a few minutes exploring Secure Score, the value that it provides should be clear. Security is one of the top concerns for businesses when they are considering cloud services. The question is often asked, “Is the cloud secure?” For Office 365, and other cloud services, there is not a simple yes or no answer. Cloud services have a “shared responsibility” approach to security. Microsoft can secure the Office 365 datacenters, and protect your data in transit and at rest. But a lot of the responsibility for security falls on you, the customer. Security is not a single button you can press. Instead, security for your Office 365 services is the combination of dozens of technical controls, processes, and reviews that you as the customer need to implement. Office 365 Secure Score provides you with a wealth of information about what you should be doing to secure your tenant. In some ways, it is the “Office 365 security guide” that many people have been looking for.
Give Office 365 Secure Score a try and see for yourself. Do you think it’s providing you with valuable information you can use to secure your tenant? Leave a comment below with your thoughts.
Hi, on the Excel spreadsheet, what do complete and incomplete imply?
Paul, great job as usual. I find the security score update can take several days at times. Many of the auditing tasks require an Azure AD Premium subscription. Most of these tasks are similar to what would normally be done on-premises. This gives a good overall view of where your tenant stands. The key thing is auditing the user logons and locations: impossible logons, or locations in Nigeria, mean your user has been compromised.
Thanks for sharing the details. I have completed most of the actions which were suggested by MS for our organization, however our score is not increasing. A few of the action items in the list are to enable auditing for all users in the organization and review the reports (e.g. malware detection reports, non-global admin activity, non-owner access, etc.). Can you please suggest whether there are any specific reports I need to download or go through? Do you have any document on how to perform all the actions in the list?
Some actions don’t move the score (yet) and I think there might also be some delay on some of the changes to the score while your tenant is re-analyzed. Everything that Secure Score recommends is documented in Secure Score or linked to from that item in Secure Score. If there’s anything that doesn’t have enough instructions yet, I’m sure that will improve over time.