Microsoft 365 Secure Score – Easily Improve Your Security Posture

UPDATE 16th February 2022: The Microsoft Secure Score have published a great video walking through the dashboard just days after I published my blog post. Embedding it below for reference:

I remember back in 2018 discovery Microsoft Secure Score for the first time when it was still primarily focused on Office365 – I wrote this blog about it. Revisiting it recently, it is awesome to see how far it has progressed with the integrated security features from the full Microsoft Defender suite contributing to a complete view of your organisation’s security posture. If you’re wondering what Secure Score is, then here is the blurb from Microsoft Docs:

Microsoft Secure Score is a measurement of an organization’s security posture, with a higher number indicating more improvement actions taken. It can be found at https://security.microsoft.com/securescore in the Microsoft 365 Defender portal.

Source: Microsoft Secure Score | Microsoft Docs

If you’re on time you can watch this quick video which shows me providing a very brief overview of Microsoft Secure and then acting on the top recommendation for my demo tenant which is to turn on MFA (Multi Factor Authentication) for administrators:

Why Use Microsoft Secure Score

Fundamentally, Secure Score helps organizations:

  • Report on the current state of the organization’s security posture.
  • Improve their security posture by providing discoverability, visibility, guidance, and control.
  • Compare with benchmarks and establish key performance indicators (KPIs).

As I engage with CIO, CTO, IT Managers and key Business Decision Makers, one of the constant hot topics of discussion is security. They all want to know how to get easy wins to improve their security posture but don’t always know where to start.

Security in education is challenging – protecting identities, devices, documents, cloud apps, let alone the age range of users from K-12 students through to varying technical competencies of teachers and school administrative staff, knowing where to start is not always easy.

A classic overview of the challenge school IT staff face

Moreover, many IT staff are genuinely keen to report ‘up the line’ to their managers about what is being done to improve their security posture and where the funding needs to be invested to accelerate this.

Enter Microsoft Secure Score.

One of the major appeals of Secure Score for me is the relative simplicity it offers. The overview is clear, the recommended improvement actions are obvious, the accompanying documentation on how to implement those improvements is right there, and the ability to monitor and report on security changes over time provides measurable feedback. For these reasons, I strongly recommend you check it out if you have IT administrative responsibilities for your organisation.

How To Access Secure Score

To check out Secure Score you can click this link directly or if you’re signed into the home of the Microsoft Security Admin Centre you can see it in the left hand menu:

Once you’re in the Secure Score you are presented with the Overview page that provides some key indicators for you, including:

  • Your current score
  • Actions that need reviewing
  • Top Improvement actions
  • Comparison with similar organisations

As you can see from the screenshot above, my demo tenant has a very low score as many things are not turned on and there is significant opportunity to quickly and easily improve the security posture. You can also see that compared to similar organisations my tenant is significantly less secure. Microsoft calculates this comparison based on similar sized tenants in your region and industry.

Improvement Actions

This is my favourite section as it provides an almost “paint by numbers” approach to how to get the quickest wins to improve your security posture:

Here are the top 5 recommendations for my demo tenant. You can clearly see what the actions are, what impact it will have on the overall secure score, what the current status is (note I changed MFA to planned), are you currently licensed for this (super helpful if you’re trying to justify further investment in security) and lastly what products are being used. It should be no surprise that 3/5 of the top recommendations involve identity as this remains one of the main attack vectors for bad actors and the education industry is not immune to this.

By clicking on any of the improvement actions a new pane appears from the right with detail overview and implementation steps – as you can see below after I clicked on “Require MFA for administrative roles”:

The level of information displayed here is actually pretty impressive and the fact it’s easily digestible means you should read it all. You’ll note it’s saying that 0/3 of my administrative roles are currently protected – giving you an immediate sense of the scale of the risk here. It’s also giving an overview of the end user impact – something that is very important to factor in when doing something like an organisation wide change and what level of end user training may be required. For example, implementing MFA for administrator users (3 in my instance) should have minimal impact given there are not many of them numerically and, given they’ve been allocated some form of administrative permissions, they should be technically capable of registering for MFA relatively easily. By contrast, if you were turning on MFA for all end users the scale of potential disruption and support tickets might be quite high!

Implementation Guide: Turning on MFA For Administrators

Simply clicking the ‘Implementation” tab provides another step by step guide on how to turn this on and ensure that you’re sending your Secure Score in the right direction. Things to note here:

  1. It automatically outlines what the prerequisites are and indicates whether you’ve met them (green tick). If you don’t meet these it’s recommending you simply turn on the Security Defaults and outlines what this does
  2. Given the licensing in this demo tenant has AzureAD Premium 2 it provides additional clarity around Conditional Access and how this can be used.
  3. Custom Implementation guidance is provided on creating a new policy to apply to users. I followed this in the video above if you want to watch it video form (click here to start at implementation point in the video)

If you prefer to follow step by step with screenshots then the below outlines how to do this. You need to start the AzureAD Conditional Access Portal here.

click to create a new policy
  1. Give your policy a name
  2. Select which users you’d like to this apply to
  3. I chose to select by Directory Roles, so that any new User Admins would automatically be included
  4. You can see my choice of User Administrator – this new policy will only apply to users who have been given this directory role

Next move down to Cloud apps or actions and then select for this to apply to all cloud apps. Note that it does warn you that you need to take care to not lock yourself out of the tenant! Given I’m only applying this to directory roles of User Administrator I would be fine as I was signed in as a Global Administrator. Do take care though!

In this example I did not configure any conditions here, but it’s worth noting this option exists. For example, you can set this policy to only apply if the sign in was attempted outside of your local area network (which implies some trust if someone is on your network either physically or VPN), or another common one I’ve seen is by IP address range – blocking or requiring MFA for any international IP address attempting to authenticate for example. If you have AzureAD Premium 2 then you can apply “User Risk” which uses Microsoft’s algorithms to determine if the sign in attempt is considered risky on a high / medium / low scale.

Next, you configure the “Grant” with either block or grant access, and for this instance I’ve selected to require MFA. NOTE: you need to hit select at the bottom right to continue! The final step is to enable the policy in the bottom left. Again, double check you’re not going to be locked out by this policy, and then select to “On” (by default it’s set to “Report-Only” which is a great way to test the impact by looking at the audit logs:

Conclusion

With that, you’ve implemented the highest recommendation to improve your security posture by making it far harder for a bad actor to gain administrative access inside your tenant. As you can see, this only takes a few minutes to implement and yet it starts you on your journey towards a more secure M365 tenant and the implementation guides hold your hand the entire way.

As always, I highly recommend you check out the documentation and then build out a plan to implement Secure Score across your Identity and Apps. I know of at least two organisations that include a Secure Score review in their weekly IT team meetings to ensure they’re trending in the right direction – an excellent practice that is easy to adopt!

I am always keen to discuss what I've written and hear your ideas so leave a reply here...

%d