Secure Score not Scoring....
- Jun 26, 2017PM Sent...
I've had a ticket open with Premier support since 4/19 for this issue. We (myself and the 3rd party guy who got the ticket) are still waiting for an MS Engineer to pick the ticket up so we can even START troubleshooting. Seems to me waiting 5+ weeks for the ticket to even get touched is well beyond the realm of reason.
I guess my point is this interface is horribly broken and MS seems to have little to no interest in correcting the issue. My advice is not to waste your time on Secure Score if you want a metric that is actually useful.
Hi Christopher B.
Sorry to hear that you are having issues with getting support. Private message me your ticket number and, if you have it, the name of any technical person you talked to at Microsoft about your ticket, and I will look into it.
- Brit Howard, Jul 03, 2018, Copper Contributor
christopherp - I feel like a standing ovation is in order for your statement you just made! As an IT Security, Risk and Compliance professional I wholeheartedly agree with your entire statement. O365 available roles are not being appropriately allocated to match the real world roles that actually align with IT compliance guidelines that must be kept. One also must be a global admin in O365 to access, read and use items from ATP and TI which is not the role of a Global Admin which is why they are listed under the Security and Compliance area of O365.
- christopherp, Jul 03, 2018, Copper Contributor
75 days later since we opened our ticket, here is our answer as to why reviewing reports as a compliance administrator, security reader, or as any other role besides global admin fails to give credit and increase the secure score:
"The issue is this: in order to get points for these controls, the user reviewing these reports must be a Global Administrator. A user set as a Compliance Administrator isn't able to raise their securescore by reviewing reports, it must be a Global Admin."
One of the securescore recommendations is to designate five or fewer global admins. Now we have to designate one of those five just to look at reports and increase our score? What about separation of duties, and principle of least privilege? I, as a security professional, do not want access to functions I will never use (but a hacker certainly would, should my account become compromised) just so that I can read reports and increase our score. The actual global admin doesn't want to spend her day reading security reports - that is my job. She wants to focus on turning on the new features that secure score recommends be implemented in our tenant.
- Anthony-Smith, May 30, 2018, Microsoft
Hi Zeff,
Thanks for bringing this to my attention. You have a good point.
The spirit of the "Review role changes weekly" report was to have you see if someone was made a global admin, while the "Review non-global administrators weekly" report focuses on roles like billing admin, user admin, etc. The "Review role changes weekly" report does not correctly communicate the spirit. In talking with the engineering team, they are going to make a change to merge the two actions into one and update the text to say that you need to review changes to your global and non-global admin roles weekly. No ETA yet on when that will get updated.
Thanks again for bringing this to my attention!
- Zeff Wheelock, May 29, 2018, Iron Contributor
Anthony, what is the difference between Review Non-Global Administrators and Review Role Changes? They both point to the same place. You are reviewing the same data from what I can tell...