Secure score doesn't score if utilized via CA


Hi,

Is it just me, or is the secure score not scoring something that is implemented if it is being utilized via Conditional Access?

For example, 'Require MFA for Azure AD privileged roles': we are using Conditional Access on all the admin roles. We still haven't scored full points on this one.

Regards


4 Replies

@Niklas Jern you could use Azure AD's PIM so that you don't have any persistent global admins. If you don't have persistent global admins, then there's nothing for the score reporting service to check against for ensuring that your global admins are MFA-protected. That may end up getting you the score that you're after.

@Thomas Garrity The problem isn't the amount of GA. The issue is that Secure Score doesn't score properly when you have fulfilled the task via CA.

@Niklas Jern you might be missing my point. If you have 0 GA's, then maybe you get a full score because therefore none of your GA's would fall into the category of not being forced to MFA, since you don't have any GA's.

I believe it's worth a shot. It doesn't hurt to spin up a trial instance to test it out...

@Thomas Garrity I get it, it might work with this workaround. But it still doesn't fix that the secure score is broken. + PIM is an E5 functionality, that doesn't help either.