Administrators of Microsoft Office 365 environments can evaluate how the security configurations of their tenants measure up to the baseline. Here’s information about how the score is tallied and how to improve it.
What’s in a Number?
The Secure Score is made up of two numbers, a numerator (79 in the example shown), and the denominator (273). The numerator is the sum of all the security capabilities that are enabled in the tenant. The denominator is the sum of all the possible security capabilities that could be enabled. In other words, it’s the total of all the options that are available to you through the Office 365 subscription that your organization purchased. As an example, if a tenant has Office 365 E3, they have DLP capabilities through the Compliance center, auditing, and MFA for Office 365 accounts, so their denominator is higher than an organization who has purchased the E1 license.
It’s the numerator that counts, however. Microsoft calculates your score every night, and provides a list of recommended tasks to improve your score. They will also compare your score to all other organizations using Office 365. Since smaller organizations may have a lower score that large organizations who have less tolerance for risk and a larger IT staff, Microsoft’s been given feedback from customers who’d like to see comparisons against similar seat size or line of business.
Finally, there’s a third number, a hypothetical Target Score. The Target Score may actually be bigger than the denominator. The action queue includes enabling features you’ve not purchased. Premium services like Advanced Security Management, Advanced Threat Protection, and AAD Premium features like Priveleged Identity Management are there. If you did everything possible in Microsoft’s portfolio, your Secure Score would be ~440.
Who can see this Number?
People configured as any of the following Office 365 roles can view the tool: TenantAdmin, SecurityAdmin, HelpdeskAdmin, ExchangeAdmin, SharePointAdmin, UserAccountAdmin. Only the TenantAdmin can make changes to improve the score.
Now that you Know the Number
Microsoft has some suggestions to improve it. Below the secure score, you’ll see a table listing “Actions in the queue.” This is a prioritized list of all the capabilities that your organization pays for that you can employ, but haven’t yet.
The top recommended action is to enable Multifactor Authentication for Admins. That’s because the risk of an breach in an admin acct is the most dangerous risk in Office 365. Microsoft estimates that 90% of breaches start with a phish, and most attacks are after some elevated acct. Enabling MFA for all admin accounts will raise the Secure Score by 50 points!
As an aside, it’s recommended to have fewer than five (5) global tenant admins. You can change admin “roles” right from the security score UI, which is much easier to invoke than poking around to find it in the admin center.
Additional recommendations to avoid breach can be found in one of our previous blog posts.
Before you click
Each action may have a user impact, so before invoking the change, administrators can gauge its impact by looking at the “How will this effect my users” section. There’s also an “implementation cost” ranking, which infers the difficulty for the administator making the change. Some things (like enabling MFA for all users) of course have a higher impact than others (such as enabling MFA for a few users). It’s the combination of the impact and the implementation cost that sets the priority for the Action queue. It should be noted that some of the changes which are noted as “moderate” may actually be more impactful than Microsoft expects (i.e. Multifactor authentication for users), so be sensitive to the user reaction.
You can see all of the security configs and their difficulty/impact in a spreadsheet format with something called the Secure Score Control list. It’s an Excel export of the data model behind the Secure Score. It includes the “Action URL” where Admins can go directly to take the steps to improve security.
Analyzing, Comparing, and Planning ahead
To see the trend in your score and compare your score over time to the baseline, check the Score Analyzer page. There you will also see the three categories (users, devices, data) that add up to the overall score, and how well you’re taking advantage of the available configuration.