Hey Anil,

Are you setup as some kind of admin in the tenancy in question? You'll need to be an admin to get access.

Thanks!

Brandon Koeller

Hey Anil,

Thanks for the follow-up. There is one control in the action list related to Skype for Business:

"You should not allow your users to communicate with Skype users outside your organization. While there are legitimate, productivity-improving scenarios for this, it also represents a potential security threat in that those external users will now be able to interact with your users over Skype for Business. Attackers may be able to pretend to be someone your user knows, and then send malicious links or attachments, resulting in an account breach, or leaked information. We found that your external domain skype communications setting is set to [Not Measured]. If you restrict this, your score will go up 5 points."

At the moment, the control is not measured, so enabling external domain connections won't actually reduce your score. Long term, we think this is a defense in depth control, however. The risk is marginal, and can be fairly detrimental to user productivity. Its on the list, but ranked relatively low. 

Thanks!

Brandon Koeller

Hey John,

Thanks for the feedback. So, the way the access model is implemented users of the tool are only able to perform actions that align with their assigned role. So, if a control requires global admin permissions and the user is assigned an Exchange Online Admin role, they won't be able to make the change. This leaves some roles such as Security Administrator as functionally read-only roles. Most of the read-only state and configuration data is already accessible to all those roles anyway (although it would take more work to get the state data). We tried to strike a balance between exposure of the recommendations to the right set of company stakeholders while respecting the constraints of their assigned roles. 

Thanks!

Brandon Koeller

I have the same issue with Intune scores not reflecting. We have been moved to intune on azure with Office 365 and dont get any scores showing up.

Hi Brandon,

I've granted all my InfoSec guys access in the Security and Compliance center as Security Administrators and Compliance Admins, but that doesn't seem to allow them to access SecureScore.
I then gave them Custom Administrator/Reports Reader, but they still got 403 when accessing the page. Will try going up to Service Admins and see if that allows them in. I also noticed that Compliance Admin is not listed in the available admin roles for Office 365 users. Am I missing a preview feature or something?

Secure score is great. We have slowly been tracking up as we fix the items that have been shown. 

I seem to get incorrect scores for all the mobile options. I assume this is due to us using intune. Any idea when the secure secure will reflect the intune mobile settings and security?

Hi Greg,

For the MDM actions we currently have the telemetry wired up for built in Office 365 MDM controls.  We are currently working on bringing in the Intune telemetry, so hold tight.  If you want points for using Intune now you can press the third party button for those controls.

what are the plans for adding Power Apps, Flow and/or Power BI to Secure Score?

Hi Dean,

I have not heard of any plan for these apps.  If you have ideas on what security controls should be measured for them, send me a private message and I am happy to share it with the engineering team.