Forum Discussion

BrandonKoeller's avatar
BrandonKoeller
Icon for Microsoft rankMicrosoft
Aug 12, 2016
Solved

Announcement: Office 365 Secure Score Released to Public Preview

Microsoft is pleased to announce the preview availability of a new security analytics service called the Office 365 Secure Score. The Secure Score is a security analytics tool that will help you unde...
  • Julian Knight's avatar
    Julian Knight
    Dec 15, 2016

    Another issue with Secure Score.

     

    "You should require that all of your users reset their password at least every 60 days"

     

    This is no longer current best practice where strong passphrases and 2FA are used since more rapid enforced change of passwords leads to the use of weaker ones.

BrandonKoeller's avatar
BrandonKoeller
Icon for Microsoft rankMicrosoft
Aug 16, 2016
Hey Paul,
Thanks for the feedback! I'm adding the notification feature to the backlog. We intend to provide an easy way to 'undo' any given action, but I agree that a notification is a good extension of the control framework.
For your second question, the [Not Scored] items are definitely intended to be scored eventually. It is surprisingly hard to find the source data in the ecosystem, and we wanted to get the experience in the hands of real users sooner rather than later. We exposed the full list of controls because we'd love to hear if you think we've missed anything, or that the identified control is off target.
Lastly, I think facilitating a regular review cadence is a good suggestion. Several of the controls are for report reviews, which happen weekly or monthly. We explicitly wanted to avoid an 'alerting' framework, but finding ways to poke you to come back is a good suggestion. Possibly might use the Security and Compliance Center 'Action Center' functionality for that. For now, you'll have to manage manually.
Thanks again for the feedback!
Brandon Koeller
Julian Knight's avatar
Julian Knight
Steel Contributor
Oct 18, 2016
BrandonKoeller wrote:
Hey Paul,
... It is surprisingly hard to find the source data in the ecosystem, ...

Well, at last! Someone from Microsoft acknowledging this. Perhaps you could also raise the visibility of some of the audit issues - like missing data from the audit reports.

 

Also perhaps you could get someone to finally deal with the issue of trying to identify which users have not used the system recently (e.g. have not logged in in the last 90d). This appears to still be virtually impossible, especially when users are not using Exchange Online.

 

These issues are causing no end of problems.

 

I recently tried to identify people not using the system in order to recover licenses. I used the audit reports for the last 180d thinking that at the very least all active users must have changed their password in that time and that should have been audited. Needless to say that resulted in nearly 10% of identified users that were actively using the system.