Secure Score not scoring properly

%3CLINGO-SUB%20id%3D%22lingo-sub-1049018%22%20slang%3D%22en-US%22%3ESecure%20Score%20not%20scoring%20properly%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1049018%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20seem%20to%20be%20having%20some%20issues%20with%20our%20Secure%20Score%20lately.%20The%20score%20goes%20up%20and%20down%20and%20shows%20controls%20as%20not%20configured%20while%20they%20have%20been%20for%20a%20long%20time.%3CBR%20%2F%3E%3CBR%20%2F%3EExample%20%231%3B%3C%2FP%3E%3CP%3EThe%20%22Turn%20on%20audit%20data%20recording%22%20control%20setting%20is%20worth%2015%20points.%20We%20enabled%20it%20months%20ago.%20We%20scored%20points%20for%20it%20the%20entire%20time%2C%20since%20last%20Tuesday..Now%20its%20in%20the%20%22Not%20completed%22%20filter%20list%20again%20and%20we%20dropped%20in%20points.%20It%20shows%20up%20as%20%22feature%20in%20place%3A%20false%22%20scoring%200%2F15.%20If%20we%20follow%20the%20%22Review%22%20button%2C%20its%20all%20working%20fine%20and%20gathering%20data%20throughout%20the%20entire%20period.%3CBR%20%2F%3E%3CBR%20%2F%3EExample%20%232%3B%3CBR%20%2F%3EThe%20counts%20for%20MFA%20are%20not%20correct.%20We%20understand%20the%20difference%20between%20%22required%22%20and%20%22registered%22%20for%20MFA%20but%20still%20the%20numbers%20are%20incorrect.%3CBR%20%2F%3EThe%20%22Require%20MFA%20for%20all%20users%22%20control%20shows%20%22%3CSPAN%3EYou%20have%2053%20of%2083%20user%20accounts%20that%20don't%20use%20MFA..%3C%2FSPAN%3E%22.%3CBR%20%2F%3EThe%20%22%3CSPAN%3ERegister%20all%20users%20for%20multi-factor%20authentication%3C%2FSPAN%3E%22%20control%20shows%20%22%3CSPAN%3EYou%20have%2048%20out%20of%2083%20users%20who%20don't%20have%20MFA%20registered.%3C%2FSPAN%3E%22.%3CBR%20%2F%3EFirst%20off%20we%20can't%20match%20the%2083%20count%20of%20users..My%20Azure%20exports%20show%2097%20users..What%20filters%20apply%20to%20obtain%20that%20number%20of%20users%3F%20If%20we%20subtract%20shared-mailboxes%20it%20still%20doesn't%20add%20up.%20If%20we%20remove%20guest-users%20its%20way%20to%20high.%26nbsp%3B%3C%2FP%3E%3CP%3ESecondly%2C%20we%20have%20a%20policy%20in%20place%20that%20requires%20MFA%20for%20all%20guest%20users.%20Given%20the%20number%20of%20our%20own%20users%20that%20we%20require%20MFA%20for%20plus%20that%20guest%20policy%2C%20the%20number%20of%20not%20listed%20as%20required%20MFA%20users%20should%20be%20way%20lower%20(around%2030%20at%20this%20stage).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20also%20have%20some%20features%20that%20are%20not%20scored%20properly%20that%20are%20most%20likely%20related%20to%20our%20Hybrid%20Exchange%20config%2C%20we%20don't%20really%20care%20about%20those%20but%20I%20think%20you%20should%20be%20able%20to%20detect%20the%20Hybrid%20config%20and%20apply%20filters%20for%20it.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EEDIT%3A%3CBR%20%2F%3EAnother%20example%20is%20the%20%22%3CSPAN%3EDo%20not%20allow%20users%20to%20grant%20consent%20to%20unmanaged%20applications%3C%2FSPAN%3E%22%20control.%20We%20had%20this%20setting%20set%20to%20Enabled%2C%20so%20it%20always%20was%20allowed.%20We%20changed%20it%20to%20Not%20enabled%20so%20it%20would%20be%20more%20secure.%20As%20a%20reward%20we%20lost%2010%20points...%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F160211iF2176CC4934FADA2%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECould%20anyone%20provide%20insights%20in%20the%20above%20deviations%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1055790%22%20slang%3D%22en-US%22%3ERe%3A%20Secure%20Score%20not%20scoring%20properly%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1055790%22%20slang%3D%22en-US%22%3EI%20second%20the%20issue%20on%20%22Turn%20on%20audit%20data%20recording%22%20not%20scoring%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1055793%22%20slang%3D%22en-US%22%3ERe%3A%20Secure%20Score%20not%20scoring%20properly%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1055793%22%20slang%3D%22en-US%22%3EAlso%2C%20the%20TLS%201.0%2F1.1%20report%20has%20not%20been%20updated%20since%2010%2F30%2F2019%2C%20but%20I%20am%20getting%20points%20for%20being%20compliant.%20Not%20complaining.%20Will%20take%20the%20points%20whenever%20I%20can%20get%20them.%20Just%20saying.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1062520%22%20slang%3D%22en-US%22%3ERe%3A%20Secure%20Score%20not%20scoring%20properly%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1062520%22%20slang%3D%22en-US%22%3E%3CP%3E%2B1%20Currently%20helping%20Client%20with%20Secure%20Score%20Assessment%2C%20It%20looks%20bad%20that%20despite%20my%20changes%2C%20the%20score%20is%20dropping!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20understand%20why%20the%20score%20dropped%20(admin%20accounts%20not%20having%20MFA%20applied%20increased%20in%20number)%20but%20No%20improvement%20for%3A%3C%2FP%3E%3CP%3EMailbox%20Auditing%20for%20all%20users%3C%2FP%3E%3CP%3EActivating%20IRM%3C%2FP%3E%3CP%3EAnything%20that%20involves%20%22Review%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20know%20the%20new%20Secure%20Score%20is%20in%20preview%2C%20but%20i%20think%20this%20should%20still%20be%20working%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1064231%22%20slang%3D%22en-US%22%3ERe%3A%20Secure%20Score%20not%20scoring%20properly%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1064231%22%20slang%3D%22en-US%22%3E%3CP%3EAlso%20having%20this%20problem.%26nbsp%3B%20We%20had%2015%20points%20since%20I%20started%20my%20position%20here%20(About%209%20months%20ago)%20but%20since%20around%202%20weeks%20ago%20its%20said%20not%20scored%20and%20feature%20in%20place%3A%20False.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERunning%20%22Get-AdminAuditLogConfig%22%20in%20powershell%20shows%20%22AdminAuditLogEnabled%3A%20True%22%20so%20it's%20definitely%20on.%26nbsp%3B%20I%20tried%20toggling%20it%20off%20and%20on%20again%20to%20see%20if%20that%20forces%20secure%20score%20to%20re-calculate%20the%20score.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EReading%20this%20thread%20made%20me%20go%20and%20check%20our%20other%20scores%20and%20we%20also%20have%20scoring%20issues%20with%20TLS%2C%20MFA%20and%20configure%20expiry%20times%20for%20SharePoint%20links%2C%20all%20were%20scored%20and%20the%20score%20was%20removed%20despite%20the%20features%20being%20in%20place.%26nbsp%3B%20we%20dropped%20from%20around%20130%20points%20to%2090%20points%20in%20about%202%20weeks%20without%20anything%20in%20our%20environment%20changing%20and%20no%20settings%20getting%20changed%20in%20the%20admin%20portal.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1064847%22%20slang%3D%22en-US%22%3ERe%3A%20Secure%20Score%20not%20scoring%20properly%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1064847%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20my%20Demo%20Tenant%20has%20finally%20updated%20some%20scores!%20a%20full%2096%3F%20(might%20be%20longer)%20hours%20after%20I%20made%20the%20changes!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20note%20that%20its%20not%20all%20the%20items%20I%20have%20updated%2C%20only%20a%20few%2C%20and%20its%20hard%20to%20recall%20Which%20changes%20I%20made%20on%20which%20days%20because%20I%20was%20expecting%20an%20update%20after%2024%20hours.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20will%20keep%20you%20updated%20if%20I%20see%20any%20items%20I%20know%20have%20changed%20not%20updating%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1082660%22%20slang%3D%22en-US%22%3ERe%3A%20Secure%20Score%20not%20scoring%20properly%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1082660%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F478511%22%20target%3D%22_blank%22%3E%40KeizerJ%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20issue%20still%20persists.%200%20solutions%20or%20explanations%20provided%20so%20far...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EScores%20controls%20change%20over%20time%20with%20no%20related%20reason.%20The%20Audit%20Log%20control%20changes%20once%20or%20twice%20a%20week%20without%20any%20changes.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESome%20other%20controls%20take%2072%20hours%20to%20update%2C%20others%2012%20hours.%20Neither%20of%20those%20delays%20is%20listed%2C%20should%20be%2048%20hours.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

We seem to be having some issues with our Secure Score lately. The score goes up and down and shows controls as not configured while they have been for a long time.

Example #1;

The "Turn on audit data recording" control setting is worth 15 points. We enabled it months ago. We scored points for it the entire time, since last Tuesday..Now its in the "Not completed" filter list again and we dropped in points. It shows up as "feature in place: false" scoring 0/15. If we follow the "Review" button, its all working fine and gathering data throughout the entire period.

Example #2;
The counts for MFA are not correct. We understand the difference between "required" and "registered" for MFA but still the numbers are incorrect.
The "Require MFA for all users" control shows "You have 53 of 83 user accounts that don't use MFA..".
The "Register all users for multi-factor authentication" control shows "You have 48 out of 83 users who don't have MFA registered.".
First off we can't match the 83 count of users..My Azure exports show 97 users..What filters apply to obtain that number of users? If we subtract shared-mailboxes it still doesn't add up. If we remove guest-users its way to high. 

Secondly, we have a policy in place that requires MFA for all guest users. Given the number of our own users that we require MFA for plus that guest policy, the number of not listed as required MFA users should be way lower (around 30 at this stage).

 

We also have some features that are not scored properly that are most likely related to our Hybrid Exchange config, we don't really care about those but I think you should be able to detect the Hybrid config and apply filters for it.


EDIT:
Another example is the "Do not allow users to grant consent to unmanaged applications" control. We had this setting set to Enabled, so it always was allowed. We changed it to Not enabled so it would be more secure. As a reward we lost 10 points...

clipboard_image_0.png

 

 

Could anyone provide insights in the above deviations? 

 

6 Replies
Highlighted
I second the issue on "Turn on audit data recording" not scoring
Highlighted
Also, the TLS 1.0/1.1 report has not been updated since 10/30/2019, but I am getting points for being compliant. Not complaining. Will take the points whenever I can get them. Just saying.
Highlighted

+1 Currently helping Client with Secure Score Assessment, It looks bad that despite my changes, the score is dropping!

 

I understand why the score dropped (admin accounts not having MFA applied increased in number) but No improvement for:

Mailbox Auditing for all users

Activating IRM

Anything that involves "Review"

 

I know the new Secure Score is in preview, but i think this should still be working

 

Highlighted

Also having this problem.  We had 15 points since I started my position here (About 9 months ago) but since around 2 weeks ago its said not scored and feature in place: False.

 

Running "Get-AdminAuditLogConfig" in powershell shows "AdminAuditLogEnabled: True" so it's definitely on.  I tried toggling it off and on again to see if that forces secure score to re-calculate the score.  

 

Reading this thread made me go and check our other scores and we also have scoring issues with TLS, MFA and configure expiry times for SharePoint links, all were scored and the score was removed despite the features being in place.  we dropped from around 130 points to 90 points in about 2 weeks without anything in our environment changing and no settings getting changed in the admin portal. 

Highlighted

So my Demo Tenant has finally updated some scores! a full 96? (might be longer) hours after I made the changes!

 

I would note that its not all the items I have updated, only a few, and its hard to recall Which changes I made on which days because I was expecting an update after 24 hours.

 

I will keep you updated if I see any items I know have changed not updating

Highlighted

@KeizerJ 

The issue still persists. 0 solutions or explanations provided so far...

 

Scores controls change over time with no related reason. The Audit Log control changes once or twice a week without any changes.

 

Some other controls take 72 hours to update, others 12 hours. Neither of those delays is listed, should be 48 hours.