x

Agile Insider Blog

Managing Microsoft Secure Score

Managing Microsoft Secure Score (Video)

Managing Microsoft Secure Score (Video)

Managing Microsoft Secure Score is a simple, transparent way to manage the security of your Office 365, Windows and EMS environments. When you think about modern security, there are a lot of challenges. Identity attacks alone are up 300% this year alone and many attacks are going through identity because it is the easiest path to get at your information. With so many avenues for attack, it is difficult to know what to secure, what is secure and how to improve your security score. By providing visibility into you enterprise attack surfaces, Microsoft Secure Score helps you monitor, maintain and make improvements to your cybersecurity.

 

 

What is Microsoft Secure Score?

Originally called Office 365 Secure Score when it launched in February 2017 it expanded it’s focus across the entire Microsoft 365 enterprise suite (Office 365, EMS and Windows 10) in April of 2018 and became Microsoft Secure Score. Secure Score was envisioned as “a credit score for security”; a simple at-a-glance way to be sure that the proper security controls were in place in Office 365. Secure Score determines the Office 365 services you use (One Drive, Share Point and Exchange), looks at your configuration and behaviors then compares it to a suggested baseline . If your configuration and behaviors are in line with best practices, you get points, which can be tracked over time. This gives you the ability to quickly determine what to do to reduce your risk.

How to Access Secure Score?

Secure score can be accessed in two ways:

Understanding The Secure Score Dashboard

The secure score dashboard is a single-pane view of your security posture. What you see on the secure score dashboard once you login are:

  • The date of your current secure score. Secure Score is calculated every 24 hours at around 1 am PST)
  • Your present secure score for Office 365 above your target score for comparison.
  • Your present Windows Secure Score if you have Windows Defender ATP.
  • A risk assessment widget that shows you what your attack risks are.
  • A comparison widget that shows your secure score as compared to:
    • All Office 365 tenants
    • Other tenants of the same seat size as yours
    • The secure score of other tenants in your industry.
  • The Target Score Slider

Using Microsoft Secure Score’s Target Score Slider

The target score slider allows you to set your target score. By moving the slider to the left you lower your level of desired security, and moving it right increases it. As you move the slider, you will see you target score above go up and down, as well as the number of actions needed to be taken to reach the desired score. Below the slider is your action queue, a list of actions needed to be taken to reach the desired state.

Reading the Secure Score Action Queue

If you click the expand arrow to the right of each action item, you will get an in-depth view of the action needed. This view includes:

  • A brief explanation of the action
  • What category of defense the action impacts
  • The user impact if implementing the change
  • The predicted costs of performing the action
  • Your score for the particular action
  • The total score possible for implementing the action
  • Threats that the action will reduce
  • The compliance controls the action can effect
  • Links to learn more about the control, ignore the recommendation, or to adapt the score for third party applications.

What Suggested Actions are Available With Microsoft 365 Secure Score?

The actions available to you will vary based on the products and licenses in your particular tenant. Below is a complete list of all actions available with Microsoft 365 stack. This list is subject to change as new threats and capabilities are discovered or released.

Name Action Category Action score User Impact
Activate Information Rights Management (IRM) services [Not Scored] Data 10 Low
Activate mobile device management services Device 20 Moderate
Allow anonymous guest sharing links for sites and docs Data 1 Moderate
Apply Data Loss Prevention policies Data 20 Moderate
Apply IRM protections to documents Data 5 Moderate
Apply IRM protections to email [Not Scored] Data 5 Moderate
Automate log upload from firewalls Apps 5 Low
Block Client Forwarding Rules [Not Scored] Data 20 Moderate
Block jail broken or rooted mobile devices from connecting Device 1 Moderate
Compile alternate contact info for all users Identity 1 Low
Configure expiration time for external sharing links Data 2 Moderate
Consume audit data weekly Data 5 Low
Create a Microsoft Intune App Protection Policy for Android Device 10 Moderate
Create a Microsoft Intune App Protection Policy for iOS Device 10 Moderate
Create a Microsoft Intune Compliance Policy for Android Device 10 Moderate
Create a Microsoft Intune Compliance Policy for Android for Work Device 10 Moderate
Create a Microsoft Intune Compliance Policy for iOS Device 10 Moderate
Create a Microsoft Intune Compliance Policy for macOS Device 10 Moderate
Create a Microsoft Intune Compliance Policy for Windows Device 10 Moderate
Create a Microsoft Intune Configuration Profile for Android Device 10 Moderate
Create a Microsoft Intune Configuration Profile for Android for Work Device 10 Moderate
Create a Microsoft Intune Configuration Profile for iOS Device 10 Moderate
Create a Microsoft Intune Configuration Profile for macOS Device 10 Moderate
Create a Microsoft Intune Configuration Profile for Windows Device 10 Moderate
Create a Microsoft Intune Windows Information Protection Policy Device 10 Moderate
Delete/block accounts not used in last 30 days Identity 1 Moderate
Designate less than 5 global admins Identity 1 Low
Designate more than one global admin Identity 5 Low
Discover risky and non compliant shadow IT applications used in your organization Apps 20 Low
Do not allow anonymous calendar sharing [Not Scored] Data 10 Moderate
Do not allow calendar details sharing [Not Scored] Data 5 Moderate
Do not allow external domain skype communications [Not Scored] Data 5 Moderate
Do not allow mailbox delegation Data 1 Moderate
Do not allow simple passwords on mobile devices Device 2 Moderate
Do not allow users to grant consent to unmanaged applications Identity 10 Moderate
Do not expire passwords Identity 10 Moderate
Do not use mail forwarding rules to external domains [Not Scored] Data 1 Low
Do not use transport white lists [Not Scored] Data 5 Low
Enable Cloud App Security Console Apps 20 Low
Enable Enhanced Jailbreak Detection in Microsoft Intune Device 10 Moderate
Enable Microsoft Intune Mobile Device Management Device 20 Moderate
Enable Password Hash Sync if hybrid Identity 10 Low
Enable policy to block legacy authentication Identity 20 Moderate
Enable self-service password reset Identity 5 Moderate
Enable user risk policy Identity 30 Moderate
Enable Windows Defender ATP integration into Microsoft Intune Device 10 Low
Mark devices with no Microsoft Intune Compliance Policy assigned as Non Compliant Device 10 Moderate
No transport rule to external domains [Not Scored] Data 5 Low
Reduce mobile device password re-use Device 1 Moderate
Register all users for multi-factor authentication Identity 20 High
Remove TLS 1.0/1.1 and 3DES Dependencies Data 5 Low
Require all devices to be patched, have anti-virus, and firewalls enabled [Not Scored] Device 10 Moderate
Require all devices to have advanced security configurations [Not Scored] Device 5 Moderate
Require MFA for all users Identity 30 Moderate
Require MFA for Azure AD privileged roles Identity 50 Low
Require mobile devices to block access and report policy violations Device 5 Moderate
Require mobile devices to have minimum password length Device 1 Moderate
Require mobile devices to lock if inactive Device 1 Moderate
Require mobile devices to manage email profile Device 5 Moderate
Require mobile devices to never expire passwords Device 1 Moderate
Require mobile devices to use a password Device 5 Low
Require mobile devices to use alphanumeric password Device 1 Moderate
Require mobile devices to use encryption Device 1 Moderate
Require mobile devices to wipe on multiple sign-in failures Device 1 Moderate
Review blocked devices report weekly [Not Scored] Device 5 Low
Review mailbox access by non-owners report bi-weekly Data 5 Low
Review mailbox forwarding rules weekly Data 5 Low
Review malware detections report weekly Data 5 Low
Review permissions & block risky OAuth applications connected to your environment Apps 15 Moderate
Set automated notification for new OAuth applications connected to your corporate environment Apps 20 Moderate
Set automated notifications for new and trending cloud applications in your organization Apps 15 Moderate
Set custom activity policy for your organization to discover suspicious usage patterns in cloud apps Apps 10 Moderate
Set outbound spam notifications [Not Scored] Data 15 Low
Set up Office 365 ATP Safe Attachments Data 15 Moderate
Set up Office 365 ATP Safe Links to verify URLs Data 15 Moderate
Set up versioning on SharePoint online document libraries Data 2 Moderate
SPO Sites have classification policies [Not Scored] Data 10 Moderate
Store user documents in OneDrive for Business Data 10 Low
Tag documents in SharePoint [Not Scored] Data 2 Moderate
Turn on audit data recording [Not Scored] Data 15 Low
Turn on customer lockbox feature Data 5 Moderate
Turn on mailbox auditing for all users Data 10 Low
Turn on sign-in risk policy Identity 30 Moderate
Use Cloud App Security to detect insider threat, compromised account, and brute force attempts Apps 15 Low
Use non-global administrative roles Identity 1 Low

What Controls Are Available with Office 365 Secure Score?

Again, the controls available to you through secure score will vary based on your products and licenses. To get a current list of controls available in your office 365 tenant, visit securescore.microsoft.com.

Name Control Type Action Category User Impact Implementation Cost
Compile alternate contact info for all users Behavior Identity Low Low
Apply Data Loss Prevention policies Config Data Moderate Moderate
Do not allow users to grant consent to unmanaged applications Config Identity Moderate Low
Designate less than 5 global admins Behavior Identity Low Low
Use non-global administrative roles Behavior Identity Low Low
Require mobile devices to use alphanumeric password Config Device Moderate Low
Require mobile devices to use encryption Config Device Moderate Low
Require mobile devices to manage email profile Config Device Moderate Low
Require mobile devices to have minimum password length Config Device Moderate Low
Require mobile devices to expire password Config Device Moderate Low
Require mobile devices to never expire passwords Config Device Moderate Low
Require mobile devices to use a password Config Device Low Low
Block jail broken or rooted mobile devices from connecting Config Device Moderate Low
Do not allow simple passwords on mobile devices Config Device Moderate Low
Require mobile devices to wipe on multiple sign-in failures Config Device Moderate Low
Activate mobile device management services Config Device Moderate Moderate
Require mobile devices to lock if inactive Config Device Moderate Low
Reduce mobile device password re-use Config Device Moderate Low
Require mobile devices to block access and report policy violations Config Device Moderate Low
Set outbound spam notifications [Not Scored] Config Data Low Low
Turn on audit data recording [Not Scored] Review Data Low Low
Review sign-ins report weekly Review Identity Low Low
Review signs-ins after multiple failures report weekly Review Identity Low Low
Turn on mailbox auditing for all users Config Data Low Low
Review sign-ins from unknown sources report weekly Review Identity Low Low
Review signs-ins from multiple geographies report weekly Review Identity Low Low
Review role changes weekly Review Identity Low Low
Store user documents in OneDrive for Business Config Data Low Low
Require strong password complexity Config Identity Moderate Low
Activate Information Rights Management (IRM) services [Not Scored] Config Data Low Low
Consume audit data weekly Review Data Low Low
No transport rule to external domains [Not Scored] Config Data Low Low
Do not use transport white lists [Not Scored] Config Data Low Low
Review mailbox forwarding rules weekly Review Data Low Low
Review mailbox access by non-owners report bi-weekly Review Data Low Low
Review malware detections report weekly Review Data Low Low
Do not use mail forwarding rules to external domains [Not Scored] Behavior Data Low Low
SPO Sites have classification policies [Not Scored] Config Data Moderate Moderate
Review sign-in devices report weekly Review Identity Low Low
Require passwords to be reset at least every 60 days Config Identity Moderate Low
Do not expire passwords Config Identity Moderate Low
Do not allow anonymous calendar sharing [Not Scored] Config Data Moderate Low
Do not allow external domain skype communications [Not Scored] Config Data Moderate Low
Review account provisioning activity report weekly Review Identity Low Low
Review account provisioning activity report weekly Review Identity Low Low
Review non-global administrators weekly Review Identity Low Low
Do not allow calendar details sharing [Not Scored] Config Data Moderate Low
Apply IRM protections to documents Behavior Data Moderate Moderate
Apply IRM protections to email [Not Scored] Behavior Data Moderate Moderate
Configure expiration time for external sharing links Config Data Moderate Low
Set up versioning on SharePoint online document libraries Config Data Moderate Low
Tag documents in SharePoint [Not Scored] Behavior Data Moderate Moderate
Review list of external users invited to documents monthly Review Data Low Low
SyncManagement Config Data Moderate Low
User account password age meets policy Behavior Identity Moderate Low
Delete/block accounts not used in last 30 days Behavior Identity Moderate Low
Do not allow mailbox delegation Behavior Data Moderate Low
Allow anonymous guest sharing links for sites and docs Config Data Moderate Low
Set up Office 365 ATP Safe Attachments Config Data Moderate Low
Set up Office 365 ATP Safe Links to verify URLs Config Data Moderate Low
Review blocked devices report weekly [Not Scored] Review Device Low Low
Require all devices to be patched, have anti-virus, and firewalls enabled [Not Scored] Config Device Moderate Moderate
Require all devices to have advanced security configurations [Not Scored] Config Device Moderate Low
Turn on customer lockbox feature Config Data Moderate Moderate
Block Client Forwarding Rules [Not Scored] Config Data Moderate Moderate
Enable Microsoft Intune Mobile Device Management Config Device Moderate Low
Create a Microsoft Intune Compliance Policy for iOS Config Device Moderate Low
Create a Microsoft Intune Compliance Policy for Android Config Device Moderate Low
Create a Microsoft Intune Compliance Policy for Android for Work Config Device Moderate Low
Create a Microsoft Intune Compliance Policy for Windows Config Device Moderate Low
Create a Microsoft Intune Compliance Policy for macOS Config Device Moderate Low
Create a Microsoft Intune App Protection Policy for iOS Config Device Moderate Low
Create a Microsoft Intune App Protection Policy for Android Config Device Moderate Low
Create a Microsoft Intune Windows Information Protection Policy Config Device Moderate Low
Create a Microsoft Intune Configuration Profile for iOS Config Device Moderate Low
Create a Microsoft Intune Configuration Profile for Android Config Device Moderate Low
Create a Microsoft Intune Configuration Profile for Android for Work Config Device Moderate Low
Create a Microsoft Intune Configuration Profile for Windows Config Device Moderate Low
Create a Microsoft Intune Configuration Profile for macOS Config Device Moderate Low
Mark devices with no Microsoft Intune Compliance Policy assigned as Non Compliant Config Device Moderate High
Enable Enhanced Jailbreak Detection in Microsoft Intune Config Device Moderate Moderate
Enable Windows Defender ATP integration into Microsoft Intune Config Device Low Low
Discover risky and non compliant shadow IT applications used in your organization Config Apps Low Low
Set custom activity policy for your organization to discover suspicious usage patterns in cloud apps Config Apps Moderate Low
Review permissions & block risky OAuth applications connected to your environment Config Apps Moderate Low
Use Cloud App Security to detect insider threat, compromised account, and brute force attempts Config Apps Low Low
Automate log upload from firewalls Config Apps Low Moderate
Set automated notifications for new and trending cloud applications in your organization Config Apps Moderate Low
Set automated notification for new OAuth applications connected to your corporate environment Config Apps Moderate Low
Enable Cloud App Security Console Config Apps Low Moderate
Require MFA for Azure AD privileged roles Config Identity Low Low
Require MFA for all users Config Identity Moderate Moderate
Designate more than one global admin Behavior Identity Low Low
Turn on sign-in risk policy Config Identity Moderate Moderate
Enable user risk policy Config Identity Moderate Moderate
Register all users for multi-factor authentication Config Identity High High
Enable policy to block legacy authentication Config Identity Moderate Moderate
Enable Password Hash Sync if hybrid Config Identity Low Low
Enable self-service password reset Config Identity Moderate Moderate
Remove TLS 1.0/1.1 and 3DES Dependencies Review Data Low Low


Agile IT Tech Talks are weekly sessions where we bring in subject matter experts for short, highly focused educational segments, followed by up to an hour of open Q&A where Agile IT clients can discuss their own environments with our engineers and a group of peers. While we release the demos and sessions on our blog, the Q&A benefit is only available to Agile IT
Managed Service and Cloud Service Customers. Agile IT is a four time cloud partner of the year and offers fully managed security as a service. To find out more, schedule a free call with a cloud service advisor.

Leave a comment

Learn More Today

Have questions or want to learn more about the services and solutions Agile IT has to offer?

Schedule a call with us today!

Schedule a Call
or

Request a Quote