Microsoft Secure Score
Microsoft Secure Score benefits you to advance your Microsoft Office 365 Security posture in numerous ways by recognizing possible issues before they become a problem, by making suggestions as to which settings need to be changed to implement better security controls by mapping your current status so you have a baseline against which you can chart your security improvements, allowing you to compare your organization’s Secure Score to others within the similar industry and size, so you have a better understanding of what’s considered to be the norm and displaying a history and current security status which is useful for auditing purposes.
Understanding Secure Score Dashboard
Microsoft Secure Score dashboard helps the customer to assess whole environment security health in one place. Secure Score gives an overview, highlight improvement actions and show the history of how your Office 365 tenant performing into security space.
How to access Secure Score Dashboard?
This is very simple. You just go to your internet browser and type: https://security.microsoft.com/securescore?viewid=overview
Once you enter your Office 365 Admin Credentials, you will see this page which is called Secure Score Overview Dashboard:
What are the key areas Microsoft looks and gives you a secure score?
Microsoft Secure Score fetches the information from 5 key areas and their sub-areas which can be compromised if Security Best Practice not applied.
- Azure Active Directory
- Intune
- Microsoft Information Protection
- Intune
- Exchange Online
- SharePoint Online
- Microsoft Cloud App Security
What are the key categories under sources Secure Score rates?
Identity
- Require MFA for Azure AD privileged roles
- Require MFA for all users
- Enable Password Hash Sync if hybrid
- Register all users for multi-factor authentication
- Enable self-service password reset
- Designate more than one global admin
- Designate fewer than 5 global admins
- Do not expire passwords
- Do not allow users to grant consent to unmanaged applications
- Use limited administrative roles
- Delete/block accounts not used in last 30 days
- Turn on sign-in risk policy
- Turn on user risk policy
- Enable policy to block legacy authentication
Data
- Turn on audit data recording
- Block Client Forwarding Rules
- Set outbound spam notifications
- Turn on mailbox auditing for all users
- Store user documents in OneDrive for Business
- Activate Information Rights Management (IRM) services
- Consume audit data weekly
- No transport rule to external domains
- Do not use mail flow rules that bypass anti-spam protection
- Review mailbox forwarding rules weekly
- Review mailbox access by non-owners bi-weekly
- Review malware detections report weekly
- Do not use mail forwarding rules to external domains
- SPO Sites have classification policies
- Do not allow anonymous calendar sharing
- Do not allow calendar details sharing
- Apply IRM protections to documents
- Apply IRM protections to email
- Remove TLS 1.0/1.1 and 3DES dependencies
- Configure expiration time for external sharing links
- Set up versioning on SharePoint online document libraries
- Tag documents in SharePoint
- Do not allow mailbox delegation
- Allow anonymous guest sharing links for sites and docs
- Apply Data Loss Prevention policies
- Set up Office 365 ATP Safe Attachment policies
Device
- Enable Microsoft Intune Mobile Device Management
- Create a Microsoft Intune Compliance Policy for iOS
- Create a Microsoft Intune Compliance Policy for Android
- Create a Microsoft Intune Compliance Policy for Android for Work
- Create a Microsoft Intune Compliance Policy for Windows
- Create a Microsoft Intune Compliance Policy for macOS
- Create a Microsoft Intune App Protection Policy for iOS
- Create a Microsoft Intune App Protection Policy for Android
- Create a Microsoft Intune Windows Information Protection Policy
- Create a Microsoft Intune Configuration Profile for iOS
- Create a Microsoft Intune Configuration Profile for Android
- Create a Microsoft Intune Configuration Profile for Android for Work
- Create a Microsoft Intune Configuration Profile for Windows
- Create a Microsoft Intune Configuration Profile for macOS
- Mark devices with no Microsoft Intune Compliance Policy assigned as not compliant
- Enable enhanced jailbreak detection in Microsoft Intune
- Enable Microsoft Defender ATP integration into Microsoft Intune
- Activate mobile device management services
- Require mobile devices to use a password
- Require mobile devices to block access and report policy violations
- Require mobile devices to manage email profile
- Review blocked devices report weekly
- Require all devices to be patched and have anti-virus and firewalls
- Do not allow simple passwords on mobile devices
- Require mobile devices to use alphanumeric password
- Require mobile devices to use encryption
- Require mobile devices to lock if inactive
- Require mobile devices to have minimum password length
- Require mobile devices to wipe on multiple sign-in failures
- Block jail broken or rooted mobile devices from connecting
- Remove mobile device policies that expire passwords
- Reduce mobile device password re-use
- Require all devices to have advanced security configurations
Apps
- Review permissions & block risky OAuth applications connected to your environment
- Discover risky and non-compliant shadow IT applications
- Set automated notifications for new OAuth applications connected to your corporate
- environment
- Turn on Cloud App Security Console
- Set automated notifications for new and trending cloud applications in your organization
- Create a custom activity policy to discover suspicious usage patterns
- Discover trends in shadow IT application usage
- Use Cloud App Security to detect anomalous behavior
Infrastructure
This is mainly for Azure Resources other than Active Directory.
What the core service source Microsoft secure score collect the information?
- Azure Active Directory
- Intune
- Microsoft Information Protection
- Intune
- Exchange Online
- SharePoint Online
- Microsoft Cloud App Security
Improvement Action Centre
This tab will show you what are the action items you can consider improving your environment IT security. You should refer your IT Security & Compliance policy as well before taking any actions:
In the improvement actions, you can filter actions by Category, Impact, Cost, Source and Status. This makes Security/IT Admin life so easy since he/she can filter and export selection items for internal review and change submission.
History
This history center you can use to review your security implementation/deployment performance for 90days. This is really helpful to track secure score improvement:
Is there any negative impact if I follow Microsoft Secure Score dashboard action plane and execute all of them?
This is always good if you follow Microsoft Recommendation, but you also need to make sure your other 3rd Party application, tools or services should not impact.
For example, you have Implemented MFA for all applications and resources which gave you a full score but some of your 3rd party applications stopped working. In such a case, best to contact with the service provider and run the complete test before making changes into production.