Office 365 Secure Score is now Microsoft Secure Score
Published Apr 17 2018 07:26 AM 116K Views

The threat landscape is continually evolving, and in talking with organizations we hear about the many challenges you face in managing your security position to protect against these threats. Between having too many security solutions with various places to configure lots of controls, a lack of knowledge around which controls are the most effective, and being unable to benchmark yourself against other organizations, we can understand why security teams are having trouble finding the right balance of security and productivity while staying on top of everything.

 

With Office 365 Secure Score we made this easier by helping you understand your security position, giving you advice on what controls you should consider enabling, and helping you understand how your score compared to other organizations. We saw a lot of interest in Secure Score, and a common piece of feedback we heard was that it was great that we were doing this for Office 365, but what about the other Microsoft solutions? Over the past few months we have been working on this, and today Office 365 Secure Score is now Microsoft Secure Score. Microsoft Secure Score builds on top of what was in Office 365 Secure Score and adds even more.

 

One new feature you will notice as soon as you log in is the new Microsoft score, which is made up of your Office 365 Secure Score and your Windows Secure Score. The Windows score comes from Windows Defender Advanced Threat Protection (ATP), which provides information about the status of your antivirus, OS security updates, firewall, and other controls. To get the details of your Windows score, you can click on the “Windows Defender Security Center” link below your Windows score to go directly to the dashboard in Windows Defender ATP.

 


Microsoft Secure Score Summary

 

Beyond adding Windows to Secure Score, we also now support Microsoft Intune. This surfaces through the existing mobile device management (MDM) controls. Previously we used the telemetry from the Office 365 MDM solution. However, we know that some of you are using Intune and were clicking on the Third Party button to give yourself points, as you were meeting the spirit of these controls. This will no longer be necessary. If you are using Intune, we recommend that you remove the third party tag from these controls so they can be scored based on your Intune data.

 

Lastly, we heard from many organizations that they loved the "compare your score" section, where we show how you benchmark against the Office 365 average score and the recently added Office 365 seat size average score. What they also wanted to see was a score based on organizations in the same industry. This new industry average is now rolling out and should be available to everyone by April 20th. Based on the industry you designate in the Service Assurance section of the Office 365 Security and Compliance Center, we will show you the average score for that industry. Note that if you change your industry designation, the new average will not appear until your score is recalculated.

 


Industry average score to help you better benchmark your organization

 

This is just the first step in building out Microsoft Secure Score. Over the coming months we will continue to add new functionality and add additional solutions to provide you an even better experience.

 

To try out Microsoft Secure Score now you can go to https://securescore.microsoft.com and log in with your administrative credentials or click on the Secure Score widget on the Office 365 Security and Compliance Center home page. We also created a new Microsoft Mechanics video that can give you a quick overview of the solution if you have not used Secure Score before.

 

[video]

 

As always, the team loves the feedback and comments, so feel free to leave them below. If you happen to be at the RSA conference in San Francisco this week, swing by the Microsoft booth to say hi and check out the sessions we are running.

20 Comments
Copper Contributor

Hi,

 

Please provide a score for conditional MFA enable settings.

Today the score is limited to fully enforced MFA only.

 

Regards

Itzik 

Hi Itzik,

 

Thanks for the feedback.  We have heard this from many people and based on demand we have this on our list of controls to enable.  This should go live in the next few months.

Copper Contributor

We have a security team that would like to access this, but we don't give them admin rights and it seems there is no way to give anyone access to Secure Score without letting them make changes.

Is there a secret way of giving non-administrators access?

Hi Peter,

 

You can give them Security Reader access in the Office 365 Security and Compliance Center and they should get access to Secure Score.

Copper Contributor

Sadly that doesn’t seem to work

We have also tried the Security Administrator and Compliance Administrator roles but they still can't access the page.

Hi Peter,

 

Sorry about that.  I tried myself and got the same issue.  I have asked the engineering team to look at this, but I found a quick workaround.  Grant the account security reader rights in Azure Active Directory.  When I did this it worked. 

 

Info on how to do that is here.

Copper Contributor

Anthony,

 

Thank you for the previous answer. I see one major missing feature with the great Office365 secure score product.

In the "Score Analyzer" and "compare score" we would like to get full information and audit who changed the configuration and reduced/increased the score.

Let's say admin X cancels the MFA for all admins. We will see it in the score analyzer while investigating why the secure score was reduced, but we won't see who was the admin that changed that configuration.

 

Regards

Itzik 

 

Deleted
Not applicable

Update: [2018-06-27] I found this post that confirms my question below ... the score card only counts clicking "Review" from within the "Microsoft Secure Score" UI itself and does not actually do any real telemetry to verify the reports are utilized. It is just counting clicks... (sigh) ... 

https://techcommunity.microsoft.com/t5/Security-Privacy-Compliance/Office365-secure-score-Not-scorin...

 

It appears that the Microsoft Secure Score is only counting “last time you reviewed this report” based on clicking the Microsoft Secure Score link to the report rather than actually reviewing the report.

Can anyone confirm or invalidate this perception? [2018-06-27 - Confirmed - no real telemetry]

  

This report and others mentioned in the Microsoft Secure Score were reviewed on Thursday, June 21, 2018 in this tenant.

The "Microsoft Secure Score" says “6/14/2018” as last time the report was reviewed. This was the last time the reports were reached from clicking the links in the "Microsoft Secure Score" [Learn More] button, but not the last time the reports themselves were reviewed.  

Review signs-ins after multiple failures report weekly Account 0/45

You should review the Azure Security reports at least every week. These reports contains records of accounts that have successfully signed-in after multiple risk events, such as locations, IP addresses which could be an indication that the account could be compromised. We found that the last time you reviewed this report was on 6/14/2018. If you review this report, your score will go up 45 points.

You should review user role group changes at least every week. There are several ways you can do this, including simply reviewing the list of users in different administrative role groups in the Office 365 Admin Portal, or by reviewing role administration activity in the last week from the Audit Log Search. You should do this because you should watch for illicit role group changes, which could give an attacker elevated privileges to perform more dangerous and impactful things in your tenancy. We found that the last time you reviewed this report was on 6/14/2018. If you review this report, your score will go up 10 points.

Copper Contributor

We are still not seeing our Intune enablement affecting our security score, how can we get this turned on?

Deleted
Not applicable

LOL!

Microsoft Announced Office 365 Secure Score at Ignite 2018. Does that mean a Secure Score category in Office 365 user voice? https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/18474886-ad...

Will we have better visibility into what actions will be added or removed from the overall Secure Score list? e.g. "Review signs-ins after multiple failures report weekly" and "Review non-global administrators weekly" dropped out of the Score Analyzer this week. 

Will the exportable Control List, exportable Action List, Secure Score Analyzer details and Secure Score summary get synced up in a more consistent manner? 

Nothing like that on the Office 365 roadmap, but it would be nice to see. https://www.microsoft.com/en-us/microsoft-365/roadmap?rtc=1%26filters=%26searchterms=Secure%2CScore

Here is hoping with fingers crossed. 

Hi James,

 

Secure Score was updated this week with a new set of controls.  The blog on Tech Community has the details.  There should also be a message center post in the Office 365 admin center letting you know of this too.

 

There is no category in User Voice for Secure Score but we are happy to take feedback in the Tech Community.  I am not aware of controls being deleted so if something is missing please file feedback.  The admin MFA control was renamed though.  The control list is up to date with all the new controls.

Deleted
Not applicable

Yes, the announcement was posted in Office 365 on Wednesday as was the techcommunity article. 

Feedback is put in for each action that is broken or not matching each Thursday when we go through the Secure Score.

Data Loss Prevention (DLP) Policies:

[2018-09-27] Action Learn more still goes to Exchange Online admin instead of Security & Compliance Data loss prevention

[2018-09-27] Action still reports zero DLP policies enabled. We have two DLP policies enabled.

Azure AD administration:

[2018-09-27] “Review signs-ins after multiple failures report weekly” not in Secure Score Actions.

[2019-09-27] “Review role changes weekly” not in Secure Score actions.

[2018-09-27] “Review non-global administrators weekly” not in Secure Score actions.

Identity:

  • Summary Identity Actions: 7 of 27.
  • Summary Identity Score: 121/230.
  • Visible Identity Actions complete: 7 of 15.
  • Visible Identity Actions Score: 122/224

Data:

  • Summary Data Actions: 5 of 31
  • Summary Data Score: 27/214
  • Visible Data Actions complete: 5 of 28
  • Visible Data Actions Score: 27/211

Device

  • Summary Device Actions: 6 of 34
  • Summary Device Score: 70/246
  • Visible Device Actions complete: 6 of 33
  • Visible Device Score: 70/244

Apps

  • Summary Apps Actions: 1 of 9
  • Summary Apps Score: 20/140
  • Visible Apps Actions complete: 1 of 9
  • Visible Apps Score: 20/140

Our score comes out in Compare as 238 (us) to 58 (Seat Size Avg) to 83 (Industry Type Avg) to 31 (Microsoft Avg).

There is a high flux in score and scoring as well as an ongoing vagary in the Microsoft Secure Score development.

It would be helpful to have well outlined plans and developments communicated before the date of their release.

Hi James,

 

I have asked the team to check the telemetry stream for DLP and to update the URL.

 

For the reports, I talked with the team and four Azure AD reports (review sign-ins after multiple failures, review role changes, review account provisioning activity, and review non-global admins) have been deprecated.  They were deprecated based on feedback from customers and the Azure Active Directory team as some are no longer available and others were not as good as we initially thought at increasing your security position.  We apologize for not giving you information around this and will look to do so in the future via a Message Center post.

Deleted
Not applicable
Anthony Smith (A.J.) Microsoft; Your follow up is appreciated! Thank you.
Copper Contributor

Unfortunately for us, adding the "Grant the account security reader rights in Azure Active Directory" is still not allowing for the Secure Score widget to appear. We've added Compliance Admin, Message Center Privacy Reader, Message Center Reader, Reports Reader, and Service Administrator.

 

Still no Secure Score appearing

Iron Contributor

Re “Office 365 Secure Score is now Microsoft Secure Score”

Initially “Office 365 Secure Score” was available to all _Office 365 E3/E5_ users. And as far as I see full “Microsoft Secure Score” is part of “Microsoft 365 security center”. Unless you are having premium SKU _Microsoft 365 E3/E5_ or _EMS E3/E5_ (do not confuse first two with _Office 365 E3/E5_) you are locked down to see mostly raw data at stripped down Security Score portal https://security.microsoft.com/securescore?viewid=overview only.

It is sad that past functionality was available to non EMS customers and now it is gone. Is there a plan to bring more features back to base o365 license bands?

Microsoft

Hi @Sergg,

When we transitioned Secure Score to the Security Center platform we didn't port over 100% of the functionality as customer feedback either suggested that it wasn't proving useful or satisfying the actual customer need would require significant design changes that we’d need to address later in the timeline. Our “A new home…” blog provided some insights on some of these types of changes.

What functionality are you looking for that is no longer present? Also can you explain what you mean by “raw data”? I’m not understanding as I assume by “data” you mean the Improvement Action content and that should be very similar to what we’ve had in the past.

 

On a related note I have two things to share:

 

  1. Check out the new Secure Score Public Preview at: http://aka.ms/securescorepreview. There are LOTS of great changes in there.
  2. In Jan we expect to expand SKU support. It will include: M365 E3/E5, O365 E3/E5, EMS E3/E5, Windows 10 Enterprise, and Microsoft Defender ATP

 

 

Iron Contributor

Hello @Chris Hallum 

 

We were slightly flabbergasted when we found Devices and Infrastructure areas completely blank. It required a service request and conversation with Microsoft to find out it was intentionally removed. We were pointed to March What's new. Security Score was an integral part of Microsoft Security Assessment Delivery Kit and once half of the items got removed the delivery kit became hard to use.

Removal spree mentioned in https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score?view=o365-worldwi...  I should say it came really sudden. It was sad to see Device and Infrastructure bars becoming grey and reporting "no data to show" even with tenants fully covered with E5 security.

What's new?

March 2020

Removed improvement actions that don't meet expectations for reliable measurement or don't provide a useful representation of security posture

To ensure that the Microsoft Secure Score is meaningful and that every improvement action is measurable and reliable, we are removing the following improvement actions.

Removed device improvement actions

Brass Contributor

@Sergg I absolutely agree, I would say probably more than half has been removed. As of now I only have a total of 22 actions whereas it was close to 90. So much has been removed, that the Microsoft Security Assessment Delivery Kit has become almost useless. It is a great tool, I really hope someone is going to review the kit and align with the changes. 

Microsoft

When looking at Microsoft Secure Score, "Score last calculated" is showing a date in November and it is now January, a few months later.  How is this "Score last calculated" date determined?
