Managing Microsoft Secure Score (Video)

Managing Microsoft Secure Score (Video)

Managing Microsoft Secure Score is a simple, transparent way to manage the security of your Office 365, Windows and EMS environments. When you think about modern security, there are a lot of challenges. Identity attacks alone are up 300% this year alone and many attacks are going through identity because it is the easiest path to get at your information. With so many avenues for attack, it is difficult to know what to secure, what is secure and how to improve your security score. By providing visibility into you enterprise attack surfaces, Microsoft Secure Score helps you monitor, maintain and make improvements to your cybersecurity.

﻿﻿﻿

What is Microsoft Secure Score?

Originally called Office 365 Secure Score when it launched in February 2017 it expanded its focus across the entire Microsoft 365 enterprise suite (Office 365, EMS and Windows 10) in April of 2018 and became Microsoft Secure Score. Secure Score was envisioned as “a credit score for security”; a simple at-a-glance way to be sure that the proper security controls were in place in Office 365. Secure Score determines the Office 365 services you use (One Drive, Share Point, and Exchange), looks at your configuration and behaviors then compares it to a suggested baseline. If your configuration and behaviors are in line with best practices, you get points, which can be tracked over time. This gives you the ability to quickly determine what to do to reduce your risk.

How to Access Secure Score?

Secure score can be accessed in two ways:

Go to SecureScore.Microsoft.com. (You must have admin privileges to view your secure score)

There is also a Secure Score widget available in the Microsoft Security and Compliance Center that will take you to your Secure Score controls.

Understanding The Secure Score Dashboard

The secure score dashboard is a single-pane view of your security posture. What you see on the secure score dashboard once you log in are:

The date of your current secure score. Secure Score is calculated every 24 hours at around 1 am PST)

Your present secure score for Office 365 above your target score for comparison.

Your present Windows Secure Score if you have Windows Defender ATP.

A risk assessment widget that shows you what your attack risks are.

A comparison widget that shows your secure score as compared to: All Office 365 tenants Other tenants of the same seat size as yours The secure score of other tenants in your industry.

The Target Score Slider

Using Microsoft Secure Score’s Target Score Slider

The target score slider allows you to set your target score. By moving the slider to the left you lower your level of desired security, and moving it right increases it. As you move the slider, you will see your target score above go up and down, as well as the number of actions needed to be taken to reach the desired score. Below the slider is your action queue, a list of actions needed to be taken to reach the desired state.

Reading the Secure Score Action Queue

If you click the expand arrow to the right of each action item, you will get an in-depth view of the action needed. This view includes:

A brief explanation of the action

What category of defense the action impacts

The user impact if implementing the change

The predicted costs of performing the action

Your score for the particular action

The total score possible for implementing the action

Threats that the action will reduce

The compliance controls the action can affect

Links to learn more about the control, ignore the recommendation, or to adapt the score for third-party applications.

What Suggested Actions are Available With Microsoft 365 Secure Score?

The actions available to you will vary based on the products and licenses in your particular tenant. Below is a complete list of all actions available with Microsoft 365 stack. This list is subject to change as new threats and capabilities are discovered or released.

Name Action Category Action score User Impact Activate Information Rights Management (IRM) services [Not Scored] Data 10 Low Activate mobile device management services Device 20 Moderate Allow anonymous guest sharing links for sites and docs Data 1 Moderate Apply Data Loss Prevention policies Data 20 Moderate Apply IRM protections to documents Data 5 Moderate Apply IRM protections to email [Not Scored] Data 5 Moderate Automate log upload from firewalls Apps 5 Low Block Client Forwarding Rules [Not Scored] Data 20 Moderate Block jail broken or rooted mobile devices from connecting Device 1 Moderate Compile alternate contact info for all users Identity 1 Low Configure expiration time for external sharing links Data 2 Moderate Consume audit data weekly Data 5 Low Create a Microsoft Intune App Protection Policy for Android Device 10 Moderate Create a Microsoft Intune App Protection Policy for iOS Device 10 Moderate Create a Microsoft Intune Compliance Policy for Android Device 10 Moderate Create a Microsoft Intune Compliance Policy for Android for Work Device 10 Moderate Create a Microsoft Intune Compliance Policy for iOS Device 10 Moderate Create a Microsoft Intune Compliance Policy for macOS Device 10 Moderate Create a Microsoft Intune Compliance Policy for Windows Device 10 Moderate Create a Microsoft Intune Configuration Profile for Android Device 10 Moderate Create a Microsoft Intune Configuration Profile for Android for Work Device 10 Moderate Create a Microsoft Intune Configuration Profile for iOS Device 10 Moderate Create a Microsoft Intune Configuration Profile for macOS Device 10 Moderate Create a Microsoft Intune Configuration Profile for Windows Device 10 Moderate Create a Microsoft Intune Windows Information Protection Policy Device 10 Moderate Delete/block accounts not used in last 30 days Identity 1 Moderate Designate less than 5 global admins Identity 1 Low Designate more than one global admin Identity 5 Low Discover risky and non compliant shadow IT applications used in your organization Apps 20 Low Do not allow anonymous calendar sharing [Not Scored] Data 10 Moderate Do not allow calendar details sharing [Not Scored] Data 5 Moderate Do not allow external domain skype communications [Not Scored] Data 5 Moderate Do not allow mailbox delegation Data 1 Moderate Do not allow simple passwords on mobile devices Device 2 Moderate Do not allow users to grant consent to unmanaged applications Identity 10 Moderate Do not expire passwords Identity 10 Moderate Do not use mail forwarding rules to external domains [Not Scored] Data 1 Low Do not use transport white lists [Not Scored] Data 5 Low Enable Cloud App Security Console Apps 20 Low Enable Enhanced Jailbreak Detection in Microsoft Intune Device 10 Moderate Enable Microsoft Intune Mobile Device Management Device 20 Moderate Enable Password Hash Sync if hybrid Identity 10 Low Enable policy to block legacy authentication Identity 20 Moderate Enable self-service password reset Identity 5 Moderate Enable user risk policy Identity 30 Moderate Enable Windows Defender ATP integration into Microsoft Intune Device 10 Low Mark devices with no Microsoft Intune Compliance Policy assigned as Non Compliant Device 10 Moderate No transport rule to external domains [Not Scored] Data 5 Low Reduce mobile device password re-use Device 1 Moderate Register all users for multi-factor authentication Identity 20 High Remove TLS 1.0/1.1 and 3DES Dependencies Data 5 Low Require all devices to be patched, have anti-virus, and firewalls enabled [Not Scored] Device 10 Moderate Require all devices to have advanced security configurations [Not Scored] Device 5 Moderate Require MFA for all users Identity 30 Moderate Require MFA for Azure AD privileged roles Identity 50 Low Require mobile devices to block access and report policy violations Device 5 Moderate Require mobile devices to have minimum password length Device 1 Moderate Require mobile devices to lock if inactive Device 1 Moderate Require mobile devices to manage email profile Device 5 Moderate Require mobile devices to never expire passwords Device 1 Moderate Require mobile devices to use a password Device 5 Low Require mobile devices to use alphanumeric password Device 1 Moderate Require mobile devices to use encryption Device 1 Moderate Require mobile devices to wipe on multiple sign-in failures Device 1 Moderate Review blocked devices report weekly [Not Scored] Device 5 Low Review mailbox access by non-owners report bi-weekly Data 5 Low Review mailbox forwarding rules weekly Data 5 Low Review malware detections report weekly Data 5 Low Review permissions & block risky OAuth applications connected to your environment Apps 15 Moderate Set automated notification for new OAuth applications connected to your corporate environment Apps 20 Moderate Set automated notifications for new and trending cloud applications in your organization Apps 15 Moderate Set custom activity policy for your organization to discover suspicious usage patterns in cloud apps Apps 10 Moderate Set outbound spam notifications [Not Scored] Data 15 Low Set up Office 365 ATP Safe Attachments Data 15 Moderate Set up Office 365 ATP Safe Links to verify URLs Data 15 Moderate Set up versioning on SharePoint online document libraries Data 2 Moderate SPO Sites have classification policies [Not Scored] Data 10 Moderate Store user documents in OneDrive for Business Data 10 Low Tag documents in SharePoint [Not Scored] Data 2 Moderate Turn on audit data recording [Not Scored] Data 15 Low Turn on customer lockbox feature Data 5 Moderate Turn on mailbox auditing for all users Data 10 Low Turn on sign-in risk policy Identity 30 Moderate Use Cloud App Security to detect insider threat, compromised account, and brute force attempts Apps 15 Low Use non-global administrative roles Identity 1 Low

What Controls Are Available with Office 365 Secure Score?

Again, the controls available to you through secure score will vary based on your products and licenses. To get a current list of controls available in your office 365 tenant, visit securescore.microsoft.com.

Name Control Type Action Category User Impact Implementation Cost Compile alternate contact info for all users Behavior Identity Low Low Apply Data Loss Prevention policies Config Data Moderate Moderate Do not allow users to grant consent to unmanaged applications Config Identity Moderate Low Designate less than 5 global admins Behavior Identity Low Low Use non-global administrative roles Behavior Identity Low Low Require mobile devices to use alphanumeric password Config Device Moderate Low Require mobile devices to use encryption Config Device Moderate Low Require mobile devices to manage email profile Config Device Moderate Low Require mobile devices to have minimum password length Config Device Moderate Low Require mobile devices to expire password Config Device Moderate Low Require mobile devices to never expire passwords Config Device Moderate Low Require mobile devices to use a password Config Device Low Low Block jail broken or rooted mobile devices from connecting Config Device Moderate Low Do not allow simple passwords on mobile devices Config Device Moderate Low Require mobile devices to wipe on multiple sign-in failures Config Device Moderate Low Activate mobile device management services Config Device Moderate Moderate Require mobile devices to lock if inactive Config Device Moderate Low Reduce mobile device password re-use Config Device Moderate Low Require mobile devices to block access and report policy violations Config Device Moderate Low Set outbound spam notifications [Not Scored] Config Data Low Low Turn on audit data recording [Not Scored] Review Data Low Low Review sign-ins report weekly Review Identity Low Low Review signs-ins after multiple failures report weekly Review Identity Low Low Turn on mailbox auditing for all users Config Data Low Low Review sign-ins from unknown sources report weekly Review Identity Low Low Review signs-ins from multiple geographies report weekly Review Identity Low Low Review role changes weekly Review Identity Low Low Store user documents in OneDrive for Business Config Data Low Low Require strong password complexity Config Identity Moderate Low Activate Information Rights Management (IRM) services [Not Scored] Config Data Low Low Consume audit data weekly Review Data Low Low No transport rule to external domains [Not Scored] Config Data Low Low Do not use transport white lists [Not Scored] Config Data Low Low Review mailbox forwarding rules weekly Review Data Low Low Review mailbox access by non-owners report bi-weekly Review Data Low Low Review malware detections report weekly Review Data Low Low Do not use mail forwarding rules to external domains [Not Scored] Behavior Data Low Low SPO Sites have classification policies [Not Scored] Config Data Moderate Moderate Review sign-in devices report weekly Review Identity Low Low Require passwords to be reset at least every 60 days Config Identity Moderate Low Do not expire passwords Config Identity Moderate Low Do not allow anonymous calendar sharing [Not Scored] Config Data Moderate Low Do not allow external domain skype communications [Not Scored] Config Data Moderate Low Review account provisioning activity report weekly Review Identity Low Low Review account provisioning activity report weekly Review Identity Low Low Review non-global administrators weekly Review Identity Low Low Do not allow calendar details sharing [Not Scored] Config Data Moderate Low Apply IRM protections to documents Behavior Data Moderate Moderate Apply IRM protections to email [Not Scored] Behavior Data Moderate Moderate Configure expiration time for external sharing links Config Data Moderate Low Set up versioning on SharePoint online document libraries Config Data Moderate Low Tag documents in SharePoint [Not Scored] Behavior Data Moderate Moderate Review list of external users invited to documents monthly Review Data Low Low SyncManagement Config Data Moderate Low User account password age meets policy Behavior Identity Moderate Low Delete/block accounts not used in last 30 days Behavior Identity Moderate Low Do not allow mailbox delegation Behavior Data Moderate Low Allow anonymous guest sharing links for sites and docs Config Data Moderate Low Set up Office 365 ATP Safe Attachments Config Data Moderate Low Set up Office 365 ATP Safe Links to verify URLs Config Data Moderate Low Review blocked devices report weekly [Not Scored] Review Device Low Low Require all devices to be patched, have anti-virus, and firewalls enabled [Not Scored] Config Device Moderate Moderate Require all devices to have advanced security configurations [Not Scored] Config Device Moderate Low Turn on customer lockbox feature Config Data Moderate Moderate Block Client Forwarding Rules [Not Scored] Config Data Moderate Moderate Enable Microsoft Intune Mobile Device Management Config Device Moderate Low Create a Microsoft Intune Compliance Policy for iOS Config Device Moderate Low Create a Microsoft Intune Compliance Policy for Android Config Device Moderate Low Create a Microsoft Intune Compliance Policy for Android for Work Config Device Moderate Low Create a Microsoft Intune Compliance Policy for Windows Config Device Moderate Low Create a Microsoft Intune Compliance Policy for macOS Config Device Moderate Low Create a Microsoft Intune App Protection Policy for iOS Config Device Moderate Low Create a Microsoft Intune App Protection Policy for Android Config Device Moderate Low Create a Microsoft Intune Windows Information Protection Policy Config Device Moderate Low Create a Microsoft Intune Configuration Profile for iOS Config Device Moderate Low Create a Microsoft Intune Configuration Profile for Android Config Device Moderate Low Create a Microsoft Intune Configuration Profile for Android for Work Config Device Moderate Low Create a Microsoft Intune Configuration Profile for Windows Config Device Moderate Low Create a Microsoft Intune Configuration Profile for macOS Config Device Moderate Low Mark devices with no Microsoft Intune Compliance Policy assigned as Non Compliant Config Device Moderate High Enable Enhanced Jailbreak Detection in Microsoft Intune Config Device Moderate Moderate Enable Windows Defender ATP integration into Microsoft Intune Config Device Low Low Discover risky and non compliant shadow IT applications used in your organization Config Apps Low Low Set custom activity policy for your organization to discover suspicious usage patterns in cloud apps Config Apps Moderate Low Review permissions & block risky OAuth applications connected to your environment Config Apps Moderate Low Use Cloud App Security to detect insider threat, compromised account, and brute force attempts Config Apps Low Low Automate log upload from firewalls Config Apps Low Moderate Set automated notifications for new and trending cloud applications in your organization Config Apps Moderate Low Set automated notification for new OAuth applications connected to your corporate environment Config Apps Moderate Low Enable Cloud App Security Console Config Apps Low Moderate Require MFA for Azure AD privileged roles Config Identity Low Low Require MFA for all users Config Identity Moderate Moderate Designate more than one global admin Behavior Identity Low Low Turn on sign-in risk policy Config Identity Moderate Moderate Enable user risk policy Config Identity Moderate Moderate Register all users for multi-factor authentication Config Identity High High Enable policy to block legacy authentication Config Identity Moderate Moderate Enable Password Hash Sync if hybrid Config Identity Low Low Enable self-service password reset Config Identity Moderate Moderate Remove TLS 1.0/1.1 and 3DES Dependencies Review Data Low Low



Agile IT Tech Talks are weekly sessions where we bring in subject matter experts for short, highly focused educational segments, followed by up to an hour of open Q&A where Agile IT clients can discuss their own environments with our engineers and a group of peers. While we release the demos and sessions on our blog, the Q&A benefit is only available to Agile IT Managed Service and Cloud Service Customers. Agile IT is a four-time cloud partner of the year and offers fully managed security as a service. To find out more, schedule a free call with a cloud service advisor, or REQUEST A QUOTE:





