Do You Know Your Office 365 Secure Score?

Secure Score analyzes and assigns a score to your Office 365 security. Learn how.

Secure Score is a security app that is available for free with an Office 365 subscription and lives at the URL securescore.office.com. As defined by Microsoft, “Secure Score analyzes your Office 365 organization’s security based on your regular activities and security settings and assigns a score.”

This tool benefits you by ensuring that you know all of the possible security settings available through your subscriptions (even if they are not yet scored by Microsoft). In this way, it is really a training tool in itself.

Remember Key Security Settings

Because of the breadth and depth of the Office 365 platform, it is easy to overlook (and even forget) some key security settings. But this tool ensures you do not miss anything.

That means your CISO will forget your name, which is a positive side effect! This tool, however, is not designed to gauge the likelihood of a security breach in your organization’s tenant.

If your admins are in a global or custom role, they will have access to this tool and will be able to share results with non-admin users. The results are available graphically at the site and are downloadable for manipulation in Excel.

How Secure Score Works

That is enough background, so let’s dive into how it works.

Each security setting has a category, impact, cost, and score assigned to it. The scores are calculated every day around 11:00 p.m. Eastern time.

The score itself is an aggregate of all possible options in the particular setting. For example, the action “Enable MFA for all global admins” has a potential score of 50/50 points. If only half the available global admins have MFA activated, then the score will be 25/50. The total number of points available for your tenant depends on your subscription(s).

There are some actions described in the Secure Score app but accompanied by the tag [Not Scored]. These items are not yet wired up to Office 365 but are being added over time. Having these available means that every setting is covered, even if not scored.

In the app, you can use the slider to see what additional actions you could take to improve your score. As you move the slider to the right or the left, the list of actions below the slider grows or shrinks accordingly.

Microsoft also computes the average score across all Office 365 tenants so you can see how your score compares to other organizations using Office 365. Even so, keep in mind that all organizations have their own security needs and requirements, so the comparison is really just an interesting chart to note, but should not be used to gauge your company’s security effectiveness.

Finally, it should be noted that even though you can move the slider all the way to the right and see every security setting available tenant-wide, balance should be the goal. While you can’t sacrifice security for the desires of the users, you also can’t sacrifice user satisfaction for the desires of the security team.

Recent Updates

While this service has remained functionally static for the most part, in early 2018 a new “Ignore Action” option was added. Once you click “Ignore” on an item, within 24 hours that item stops counting towards your score. Use it for topics that don’t apply to your organization, and for topics that have already been remediated by a third party.
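To make the scoring rules described above concrete (proportional credit per action, [Not Scored] items contributing nothing, ignored actions dropping out of the total, and the slider listing the next actions to take), here is an added model in Python; it is not Microsoft’s code or the Secure Score app itself, and the action names and point values other than the MFA example from the text are constructed.

```python
from dataclasses import dataclass


@dataclass
class Action:
    name: str
    max_points: int        # points the action is worth in this tenant (0 for [Not Scored])
    covered: int           # e.g. number of global admins that already have MFA
    total: int             # e.g. total number of global admins
    ignored: bool = False  # set via the "Ignore Action" option

    def earned(self) -> float:
        # Credit is proportional to coverage: 2 of 4 admins with MFA -> 25/50.
        if self.total == 0:
            return 0.0
        return self.max_points * self.covered / self.total


def tenant_score(actions):
    """Return (earned, available) over scored, non-ignored actions only."""
    live = [a for a in actions if not a.ignored and a.max_points > 0]
    return sum(a.earned() for a in live), sum(a.max_points for a in live)


def improvements(actions):
    """Remaining actions with the points still on the table, biggest gain first."""
    gains = [(a.name, a.max_points - a.earned()) for a in actions
             if not a.ignored and a.max_points > a.earned()]
    return sorted(gains, key=lambda g: -g[1])


def slider(actions, target):
    """Names of the actions (biggest gain first) needed to reach at least `target`."""
    earned, _ = tenant_score(actions)
    chosen = []
    for name, gain in improvements(actions):
        if earned >= target:
            break
        chosen.append(name)
        earned += gain
    return chosen


# Constructed sample tenant: only the MFA action and its 50-point value come from the text.
SAMPLE = [
    Action("Enable MFA for all global admins", 50, 2, 4),
    Action("Hypothetical audit control", 15, 1, 1),
    Action("Hypothetical weekly report review", 5, 0, 1),
    Action("Hypothetical control remediated by a third party", 20, 0, 1, ignored=True),
    Action("Hypothetical [Not Scored] control", 0, 0, 1),
]
```

Running `tenant_score(SAMPLE)` gives 40 of 70 points: the ignored and [Not Scored] actions are excluded from both numbers, and the half-covered MFA action contributes 25.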

If you need more automation and control over identities, consider using Privileged Identity Management and Cloud App Security.



About the Author

Tad is a Solutions Architect and Senior Consultant in the Collaboration and digital workplace space with over 20 years of professional experience. His expertise includes Office 365 and Azure; Microsoft SharePoint Server 2013, 2010, 2007 and earlier; Microsoft Windows Server 2016, 2012 R2, 2008 R2, and earlier; Microsoft SQL Server 2014, 2012, 2008 R2, and earlier. Tad’s experience also includes managing hardware and network infrastructure, server operations roles, technical training, facilities, and retail.
