Secure Score Explained
Office 365 tenant administrators have access to what’s known as a “Secure Score”: Microsoft’s assessment of your security profile. That is, how vulnerable you are to attacks from within or without, and how your administrative practices are lowering (or raising) that score. Factors include whether you have dormant accounts with administrative rights or user accounts whose passwords never expire. Eliminating these is important in raising your score and ensuring your security profile is better than others in your industry or sector. The service spans your Office 365 estate, including Azure Active Directory, Exchange Online, SharePoint Online, OneDrive and so on.
Secure Score allows you to be proactive against threats to your organization, making changes to better secure your tenant before issues become problems.
You may see references to scores out of 1,000 but Microsoft has since made the change to a percentage. Gravitate towards articles that mention percentages when doing research; they will be the more recent ones to follow.
Raising Your Score
The Secure Score is found in the Security and Compliance section of the Administrative portal. You’ll see a chart that looks something like the screen shot below:
Below that overview chart will be some headline items:
Take a look at the first item: “Do not expire passwords.” Yes, you read that right. Click the line and you will be presented with information and links on why expiring passwords are not necessarily a good thing—and can even be counter to a secure environment—because users reuse passwords with only slight tweaks. Attackers can steal previous password hashes, then use that information to obtain actual previous passwords and make an educated guess as to the current, and potential future, passwords.
This applies to the Office 365 setting and not the on-premises Active Directory setting. So, if you are managing passwords in AD, the best thing to do is to follow the guidance and select “Resolved through alternate mitigation.” This will increase your overall score.
For all Office 365 tenants, administrative accounts should be protected by Multi-Factor Authentication (MFA). If MFA has not been implemented, then do so promptly. It’s good practice to have one Global Administrator account that does not have MFA enabled, but every other account should have MFA enforced. So long as you regularly audit the assignment of Global Admin roles, selecting “Resolved through alternate mitigation” will increase your score.
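The regular audit of Global Admin assignments described above can be scripted. The following is an added example, not code from the original article or from Microsoft: it uses the Microsoft Graph PowerShell SDK (the `Connect-MgGraph`, `Get-MgDirectoryRole`, `Get-MgDirectoryRoleMember`, `Get-MgUser` and `Get-MgUserAuthenticationMethod` cmdlets) to list every Global Administrator with whether an MFA-capable method is registered, whether the account’s password is set to never expire, and whether the account looks dormant. It assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the listed scopes, and a 90-day dormancy threshold; reading `SignInActivity` also needs the `AuditLog.Read.All` scope and an Azure AD Premium licence.

```powershell
# Added example (not from the original article): audit Global Administrator accounts
# with the Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module and the
# scopes below; SignInActivity needs AuditLog.Read.All and an Azure AD Premium licence.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All","UserAuthenticationMethod.Read.All","AuditLog.Read.All"

# Assumed threshold: no interactive sign-in for this many days counts as dormant.
$DormantDays = 90

# A password method is always present. Any of these registered methods means the account
# can satisfy an MFA prompt. Email is left out because it serves self-service password
# reset only, not MFA.
$MfaMethodTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

# The directory role object only exists once the role has been activated in the tenant.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) { throw "Global Administrator role is not activated in this tenant." }

$report = foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
    # Only user accounts are audited here; skip groups and service principals.
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $user = Get-MgUser -UserId $member.Id -Property Id,UserPrincipalName,AccountEnabled,PasswordPolicies,SignInActivity

    $methods = Get-MgUserAuthenticationMethod -UserId $user.Id
    $mfaRegistered = [bool]($methods | Where-Object { $MfaMethodTypes -contains $_.AdditionalProperties['@odata.type'] })

    # A null LastSignInDateTime means no sign-in within the retained activity window.
    $lastSignIn = $user.SignInActivity.LastSignInDateTime
    $dormant = (-not $lastSignIn) -or ($lastSignIn -lt (Get-Date).AddDays(-$DormantDays))

    [pscustomobject]@{
        UserPrincipalName    = $user.UserPrincipalName
        Enabled              = $user.AccountEnabled
        MfaRegistered        = $mfaRegistered
        PasswordNeverExpires = ($user.PasswordPolicies -match 'DisablePasswordExpiration')
        LastSignIn           = $lastSignIn
        Dormant              = $dormant
    }
}

$report | Sort-Object MfaRegistered, Dormant | Format-Table -AutoSize

# Summary: anything beyond the single no-MFA account kept on purpose, and any dormant
# admin, is a finding to act on before the next Secure Score review.
$noMfa         = @($report | Where-Object { -not $_.MfaRegistered })
$dormantAdmins = @($report | Where-Object { $_.Dormant })
Write-Host ("Global Admins: {0}; without MFA: {1}; dormant (> {2} days): {3}" -f `
    $report.Count, $noMfa.Count, $DormantDays, $dormantAdmins.Count)
```

Run it from an account that can consent to the requested scopes; if the tenant has no Premium licence the `SignInActivity` property is not returned and every account will show as dormant, so drop that property and the `AuditLog.Read.All` scope in that case and review last sign-in from the portal instead.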
As you progress through the list of recommendations, mark each item as completed (by whatever action chosen) so it may be reflected in your secure score. Be sure to check back on a monthly basis as new features are introduced and new vulnerabilities come to light.
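For the monthly check, the score and its improvement actions can also be pulled programmatically rather than read from the portal. The script below is an added example (not from the original article or from Microsoft) that reads the tenant’s Secure Score through the Microsoft Graph `Get-MgSecuritySecureScore` and `Get-MgSecuritySecureScoreControlProfile` cmdlets, computes the percentage from the current and maximum scores, and lists the controls with the most points still available, skipping those already marked as ignored or resolved through a third party. It assumes the Microsoft.Graph.Security module is installed and that the signed-in account can consent to the `SecurityEvents.Read.All` scope.

```powershell
# Added example (not from the original article): read the tenant's Secure Score from
# Microsoft Graph and list the controls with the most points still available.
# Assumes the Microsoft.Graph.Security module and the SecurityEvents.Read.All scope.
Connect-MgGraph -Scopes "SecurityEvents.Read.All"

# Graph keeps a rolling history of daily scores; take the newest record as the current one.
$latest  = Get-MgSecuritySecureScore -All | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
$percent = [math]::Round(100 * $latest.CurrentScore / $latest.MaxScore, 1)
Write-Host ("Secure Score on {0:yyyy-MM-dd}: {1} / {2} ({3}%)" -f `
    $latest.CreatedDateTime, $latest.CurrentScore, $latest.MaxScore, $percent)

# Control profiles hold the metadata for each control: title, maximum points,
# implementation cost, user impact and the state an administrator has set on it.
$profiles = @{}
foreach ($p in Get-MgSecuritySecureScoreControlProfile -All) { $profiles[$p.Id] = $p }

$gaps = foreach ($c in $latest.ControlScores) {
    $p = $profiles[$c.ControlName]
    if (-not $p -or $p.Deprecated) { continue }

    # The most recent state update records whether the control was deliberately ignored
    # or marked ThirdParty (resolved by means outside Microsoft's own controls).
    $state = ($p.ControlStateUpdates | Sort-Object UpdatedDateTime -Descending | Select-Object -First 1).State
    if ($state -in @('ThirdParty', 'Ignored')) { continue }

    $remaining = $p.MaxScore - $c.Score
    if ($remaining -le 0) { continue }

    [pscustomobject]@{
        Control    = $c.ControlName
        Title      = $p.Title
        Category   = $c.ControlCategory
        Score      = $c.Score
        MaxScore   = $p.MaxScore
        Remaining  = $remaining
        Cost       = $p.ImplementationCost
        UserImpact = $p.UserImpact
        State      = if ($state) { $state } else { 'Default' }
    }
}

# Highest remaining points first: the quickest wins for the score sit at the top.
$gaps | Sort-Object Remaining -Descending | Select-Object -First 15 | Format-Table -AutoSize
```

Comparing two runs a month apart shows both the score movement and any new controls Microsoft has introduced, which is the point of the monthly check; the `Cost` and `UserImpact` columns help decide which of the remaining items to schedule first.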
You may not have licenses for all items identified. Here, your choices are to assess the risk and either purchase the right licenses or accept that the risk exists. For example, many organizations with E3 licenses will procure similar numbers of EMS3 licenses, striking a balance between cost, functionality and security. Take the second item in the above image, “Turn on sign-in risk policy”: it requires Azure AD Premium 2, which is included in EMS5. Azure AD Premium 1 is included in EMS3, but Azure AD Premium 2 is not. Whether to accept the risk and rely on regular monitoring, trade EMS3 for EMS5, or add standalone Azure AD Premium 2 licenses is a decision for you and the business to discuss, decide and manage.
You can see what items are available to review based on licensing by clicking the Improvement Actions tab, scrolling down, and looking at the last column. In the image below you can see that two improvement actions can be addressed immediately and two cannot. The sign-in risk policy is one that requires Azure Active Directory P2 (or EMS5), as is the user risk policy. This allows you to act on vulnerabilities you can resolve immediately and then research those for which you are not licensed and review whether or not to procure the additional licenses.
Your Secure Score percentage provides a snapshot of known vulnerabilities compared with similar organizations and industries. It shows which items you can quickly address to increase your score and which items will require some attention to your licensing posture. If your organization has any further questions about ways to increase your Secure Score (or any other Office 365 questions) please don’t hesitate to reach out to us. We’d love to help you out.