Office 365 Secure Score is a portal that helps you assess the security posture of your Office 365 tenant. In this Ask the Admin, I’ll show you what it can do for the online security of your business.
Moving sensitive business data to the cloud is a step too far for many organizations. There can be valid reasons for keeping data on-premises but the cloud can be at least as secure as your own datacenter, sometimes more secure. To help manage security in the cloud and give extra confidence to businesses that are still sitting on the fence, Office 365 Secure Score is a tool for analyzing and implementing security best practices in your Office 365 tenant.
Office 365 is complex and trying to understand your security posture quickly and easily is an almost impossible task using the Office 365 management portal and various admin centers. Secure Score taps into the power of Microsoft Graph, which uses a set of REST-based APIs to collect information from multiple endpoints, like Exchange, SharePoint, and Microsoft Teams. Secure Score also has its own API which administrators can connect to using PowerShell to get reports. For more information on connecting to the Secure Score API, see Microsoft’s website here.
Secure Score’s dashboard gives your tenant a score, from a maximum of 364, and a list of actions that can be used to improve the score. The score is calculated based on your tenant’s security settings and user behavior, with the help of data collected from Microsoft Graph. Actions are tasks that will improve the security of the tenant. Each action includes information about what setting(s) should be changed, why the change will make the tenant more secure, and the threats associated with the vulnerability.
You can set a target score for your organization on the dashboard. As the target score increases, so does the list of recommended actions. As you increase the target score, you move from a BASIC security posture though BALANCED to AGGRESSIVE. Because security is always a balancing act between security and usability, actions are prioritized according to effectiveness and compared to the impact on end users.
Office 365 Secure Score Dashboard (Image Credit: Russell Smith)
Actions that are not applicable to your organization can be ‘ignored’ so that they don’t affect your score. There’s also the option to assign actions to a third-party so that if another provider is managing a security feature, such as multifactor authentication, you can note that in Secure Score. The Score Analyzer tab shows your historical score over time. You can list all actions, filter them by category, or just see incomplete actions.
Secure Score in Practice
Secure Score is a great tool for quickly understanding your organization’s security posture and remediating any critical problems. Many actions can be completed right in the Secure Score dashboard, which is important for novice administrators that might be put off by the sometimes-complex administration centers. For example, Secure Score recommended that I enable outbound spam notifications, which I was able to do without using the Exchange administration center.
Office 365 Secure Score Actions (Image Credit: Russell Smith)
Enabling mailbox auditing was another matter entirely. I was prompted to download and run a PowerShell script to enable auditing for all mailboxes, except that it wasn’t quite so easy. Because I have multifactor authentication (MFA) enabled for the global administrator account, Microsoft’s script didn’t work. I got an access denied message at the authentication stage. To connect using an account that has MFA enabled, you need to download and install the Exchange Online Remote PowerShell Module. You can find detailed steps for using MFA accounts to manage Exchange Online here. Once I got my PowerShell session authenticated with Exchange Online, I was able to run the rest of Microsoft’s script.
Office 365 Secure Score Security Analyzer (Image Credit: Russell Smith)
But without scripting and PowerShell experience, it would be difficult to configure some of the settings recommended by Secure Score. Many actions recommend that you review security reports, like the risky logins report in Azure Active Directory. You are provided with a link so that you don’t have to go looking for the report. It would be better if Secure Score provided basic information from the report to save you the trouble of switching to Azure AD, only to find out that there were no risky logins since the last time you reviewed the report.
Enable Auditing for All Mailboxes Using PowerShell (Image Credit: Russell Smith)
While Secure Score could clearly improve many of the actions it suggests, being able to gather all the information that is required to assess your tenant’s security posture is a plus. If you haven’t already looked, I recommend you head over to the Secure Score site to check your score.