Aug 12 2016
- last edited on
May 24 2021
Microsoft is pleased to announce the preview availability of a new security analytics service called the Office 365 Secure Score. The Secure Score is a security analytics tool that will help you understand what you have done to reduce the risk to your data in Office 365, and show you what you can do to further reduce that risk. We think of it as a credit score for security. Our approach to this experience was very simple. First, we created a full inventory of all the security configurations and behaviors that our customers can do to mitigate risks to their data in Office 365 (there are about 77 total things that we identified). Then, we evaluated the extent to which each of those controls mitigated a specific set of risks and awarded the control some points. More points means a more effective control for that risk. Lastly, we measure the extent to which your service has adopted the recommended controls, add up your points, and present it as a single score.
The core idea is that it is useful to rationalize and contextualize all of your cloud security configuration and behavioral options into one simple, analytical framework, and to make it very easy for you to take incremental action to improve your score over time. Rather than constructing a model with findings slotted into critical, moderate, or low severity, we wanted to give you a non-reactive way to evaluate your risk and make incremental changes over time that add up to a very effective risk mitigation plan.
The Office 365 Secure Score is a preview experience, so you may find issues, and you will note that not all of the controls are being measured. Please share any issues on the Office Network Group for Security. You can access the Secure Score at https://securescore.office.com.
The Secure Score does not express an absolute measure of how likely you are to get breached. It expresses the extent to which you have adopted controls which can offset the risk of being breached. No service can guarantee that you will not be breached, and the Secure Score should not be interpreted as a guarantee in any way.
Your Secure Score Summary
The first, most important piece of the Secure Score experience is the Score Summary. This panel gives you your current Secure Score, and the total number of points that are available to you, given your subscription level, the date that your score was measured, as well as a simple pie chart of your score. The denominator of your score is not intended to be a goal number to achieve. The full set of controls includes several that are very aggressive and will potentially have an adverse impact on your users’ productivity. Your goal should be to optimize your action to take every possible risk mitigating action while preserving your users’ productivity.
As mentioned, the Office 365 Secure Score is in a preview release. Over the coming months you will see us continue to add new controls, new measurements, and improvements to the remediation experiences. If you like what you see, please share with your network. If you see something we can improve, please share it with us on the Office Network Group for Security. We’re looking forward to seeing your scores go up, and making the Secure Score experience as useful, simple, and easy as it can be.
Oct 28 2016 02:26 AM
What are the roles other than the admin of Tenant who can access the Secure O365 Score function?
Thank you very much for your help and feedback.
Oct 28 2016 03:13 AM - edited Oct 28 2016 03:16 AM
Currently, it is Global Admins only. I attended an O365 Deep Dive webinar a few days ago and we were told that more roles are planned. They are currently gathering feedback so that they can determine what those roles should be.
@Brandon Koeller was the presenter and he should be able to provide more details
Oct 28 2016 01:05 PM
Nov 04 2016 01:16 PM
I really appreciate your feedback and information you share.
Following your answer, i discuss with my customer ans i am waiting information from him about role he would like to Add to grant access for Secure Score experience.
As soon as i receive information, i share.
Thank you very much for your feedback.
Nov 10 2016 08:51 AM
Dec 15 2016 05:47 AMSolution
Another issue with Secure Score.
"You should require that all of your users reset their password at least every 60 days"
This is no longer current best practice where strong passphrases and 2FA are used since more rapid enforced change of passwords leads to the use of weaker ones.
Dec 15 2016 09:19 AM
Dec 15 2016 11:42 AM
That password recommendations document contains a lot of good info. Can you get it copied from the Research org over into some public places, such as docs.microsoft.com and support.office.com?
Jan 03 2017 03:30 AM
Just a quick note, as well as writing about Office 365 Secure Score on my personal blog, which I have linked to previously, I have written a more comprehensive article on the Technet Wiki - Office 365 Secure Score - Find and Fix Risks in Office 365.
I'll keep an eye on the content as things change but it's open for contributions in general from the community. It's my first Wiki article, so it been an interesting experience, it's harder than it looks. I'm looking forward to Secure Score reaching GA and more people benefiting from this service.
Jan 10 2017 12:40 PM
Feb 09 2017 05:27 PM
Thanks for reaching out. You will need to be some kind of administrator for the tenancy that you wish to see the secure score for. I would suggest creating a demo tenant and working from there.
Mar 01 2017 07:47 AM
hi, do have or plan the ability to generate the report and mail them to determined recipients ? thanks
+1 : also for the ability to give the role to specific account without global admin role
Mar 01 2017 09:35 AM
Hey! Thanks for reaching out. There isn't a built in mailer feature, but the content on the Score Analyzer can be exported or screenshotted to stick into an email. Also, I'm pleased to report that we have made the Secure Score experience available to users that hold any administrative role (user admin, security admin, etc.).
Mar 01 2017 11:01 AM
Mar 02 2017 07:49 AM
greats news !
so service admin role would be sufficiant ? is it available already on all tenants ?
Mar 03 2017 08:53 AM
Hey! Thanks for the follow-up. Service Admin role (and any other admin role) is sufficient, and it is available for all O365 customers. Thanks!