SOLVED

Announcement: Office 365 Secure Score Released to Public Preview

Microsoft

Microsoft is pleased to announce the preview availability of a new security analytics service called the Office 365 Secure Score. The Secure Score is a security analytics tool that will help you understand what you have done to reduce the risk to your data in Office 365, and show you what you can do to further reduce that risk. We think of it as a credit score for security. Our approach to this experience was very simple. First, we created a full inventory of all the security configurations and behaviors that our customers can do to mitigate risks to their data in Office 365 (there are about 77 total things that we identified). Then, we evaluated the extent to which each of those controls mitigated a specific set of risks and awarded the control some points. More points means a more effective control for that risk. Lastly, we measure the extent to which your service has adopted the recommended controls, add up your points, and present it as a single score.

 

The core idea is that it is useful to rationalize and contextualize all of your cloud security configuration and behavioral options into one simple, analytical framework, and to make it very easy for you to take incremental action to improve your score over time. Rather than constructing a model with findings slotted into critical, moderate, or low severity, we wanted to give you a non-reactive way to evaluate your risk and make incremental changes over time that add up to a very effective risk mitigation plan.

 

The Office 365 Secure Score is a preview experience, so you may find issues, and you will note that not all of the controls  are being measured. Please share any issues on the Office Network Group for Security. You can access the Secure Score at https://securescore.office.com.

 

The Secure Score does not express an absolute measure of how likely you are to get breached. It expresses the extent to which you have adopted controls which can offset the risk of being breached. No service can guarantee that you will not be breached, and the Secure Score should not be interpreted as a guarantee in any way.

 

Your Secure Score Summary

The first, most important piece of the Secure Score experience is the Score Summary. This panel gives you your current Secure Score, and the total number of points that are available to you, given your subscription level, the date that your score was measured, as well as a simple pie chart of your score. The denominator of your score is not intended to be a goal number to achieve. The full set of controls includes several that are very aggressive and will potentially have an adverse impact on your users’ productivity. Your goal should be to optimize your action to take every possible risk mitigating action while preserving your users’ productivity.

 

As mentioned, the Office 365 Secure Score is in a preview release. Over the coming months you will see us continue to add new controls, new measurements, and improvements to the remediation experiences. If you like what you see, please share with your network. If you see something we can improve, please share it with us on the Office Network Group for Security. We’re looking forward to seeing your scores go up, and making the Secure Score experience as useful, simple, and easy as it can be.

 

Read More Here: https://blogs.technet.microsoft.com/office365security/new-security-analytics-service-finding-and-fix...

72 Replies

Hello,

 

What are the roles other than the admin of Tenant who can access the Secure O365 Score function?

 

Thank you very much for your help and feedback.

Vincent

Currently, it is Global Admins only.  I attended an O365 Deep Dive  webinar a few days ago and we were told that more roles are planned. They are currently gathering feedback so that they can determine what those roles should be.

 

@Brandon Koeller was the presenter and he should be able to provide more details

Hey Vincent,
Thanks for reaching out. Dean has it just right below: The Secure Score is currently only available to Global Administrators because the breadth of /actions/ that the Score enables requires that level of access. We've gotten feedback that some customers would really like to expose the experience to non-Admins (although not to everyone in their tenancy) to drive more awareness. Is there an in-built role in the service that you think you would want to use to grant access to your Secure Score experience? Security Administrators? Exchange and/or SharePoint admins?
Thanks!
Brandon Koeller

Hello,

 

I really appreciate your feedback and information you share.

Following your answer, i discuss with my customer ans i am waiting information from him about role he would like to Add to grant access for Secure Score experience.

As soon as i receive information, i share.

 

Thank you very much for your feedback.

best Regards.

Vincent

Thank you for your feedback Dean.
Hi Brandon/Karsten, I have the same issue, but it seemed to work fine yesterday (9th)
best response confirmed by Deleted
Solution

Another issue with Secure Score.

 

"You should require that all of your users reset their password at least every 60 days"

 

This is no longer current best practice where strong passphrases and 2FA are used since more rapid enforced change of passwords leads to the use of weaker ones.

Hey Julian,
Thanks for the feedback. We 100% agree, and have been working on 'flipping' this control to award points for /not/ setting a password expiration policy. Microsoft and NIST both recently released research that supports this change on our policies. Thanks again for the feedback!
As Per Microsoft's Recommendation: https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pd...
And updated NIST standards: https://pages.nist.gov/800-63-3/sp800-63-3.html
Brandon Koeller

That password recommendations document contains a lot of good info. Can you get it copied from the Research org over into some public places, such as docs.microsoft.com and support.office.com?

Hey Dean! I'll ask! Thanks, Brandon

Just a quick note, as well as writing about Office 365 Secure Score on my personal blog, which I have linked to previously, I have written a more comprehensive article on the Technet Wiki - Office 365 Secure Score - Find and Fix Risks in Office 365.

 

I'll keep an eye on the content as things change but it's open for contributions in general from the community.  It's my first Wiki article, so it been an interesting experience, it's harder than it looks. I'm looking forward to Secure Score reaching GA and more people benefiting from this service.

Awesome! Thanks for sharing and for the community support! Look for the GA announcement in the very near future (along with a couple of new features, like an API!). Thanks, Brandon Koeller

May I ask for access please?

May I ask for access please?

Hey Carol,

Thanks for reaching out. You will need to be some kind of administrator for the tenancy that you wish to see the secure score for. I would suggest creating a demo tenant and working from there.

Thanks!

Brandon Koeller

hi, do have or plan the ability to generate the report and mail them to determined recipients ? thanks

+1 : also for the ability to give the role to specific account without global admin role

Hey! Thanks for reaching out. There isn't a built in mailer feature, but the content on the Score Analyzer can be exported or screenshotted to stick into an email. Also, I'm pleased to report that we have made the Secure Score experience available to users that hold any administrative role (user admin, security admin, etc.). 

Thanks!

Brandon Koeller

That's good news with Secure Score not requiring Globlal Admin anymore just one of the admin roles. Thanks for the update.

greats news !

so service admin role would be sufficiant ? is it available already on all tenants ?

Hey! Thanks for the follow-up. Service Admin role (and any other admin role) is sufficient, and it is available for all O365 customers. Thanks!

Brandon Koeller