The Microsoft Secure Score is arguably one of the most important tools for keeping an organization’s Microsoft 365 environment secure. For those who might not be familiar with the Microsoft Secure Score, it is a numerical score reflecting how well an organization is doing at securing its Microsoft 365 assets. Points are given for implementing various security settings, and the Microsoft Secure Score dashboard displays the percentage of total possible points that an organization has achieved.
The Microsoft Secure Score has been a part of Microsoft 365 (and Office 365 before that) for quite some time. As such, it is relatively common for an organization's IT staff to stop looking at the Secure Score once they feel that they have adequately secured Microsoft 365. However, it is important to periodically revisit your score, because Microsoft updates its security recommendations from time to time and makes changes that can lower an organization's score without any setting in the tenant having changed. In fact, Microsoft is currently in the process of making a few such changes.
Before I explain what these changes entail, it's important to understand how the Microsoft Secure Score works.
To find your score, sign in with an account that holds a role allowed to view it (Global Administrator works, but a read-only role such as Security Reader or Global Reader is enough and is the better choice for day-to-day review). Next, go to https://security.microsoft.com and then click on the Secure Score tab. This screen prominently displays the organization's Microsoft Secure Score, but it also provides a wealth of information describing how the score was derived and what can be done to improve it.
One of the most important things to review on the Microsoft Secure Score dashboard is the Improvement Actions tab.
As its name implies, the Improvement Actions tab contains a list of security tasks that you can perform to raise your score. The items are ranked according to their importance. For each item, Microsoft describes the threats it mitigates, the impact that addressing it will have on your score, and the number of points you can earn by completing it.
For example, one of the top-ranking improvement actions is to require multi-factor authentication for accounts that hold administrative roles. You can earn 10 points for completing this task, which in the tenant shown here raises the Microsoft Secure Score by more than 17%. (Note that percentages are relative to your tenant's maximum possible score, so this and other percentages will inevitably change as additional improvement actions are added to the list.)
So, what about those changes that I mentioned Microsoft is making to the Secure Score? Microsoft 365 comprises numerous individual applications and services, any one of which has the potential to impact your overall security. Historically, however, the improvement actions haven't been heavily tied to individual Microsoft 365 applications. Instead, they tended to be tenant-wide identity settings, most of them living in Azure AD. For example, improvement actions have included:
- Enable policy to block legacy applications
- Turn on user risk policy
- Enable self-service password reset
- Do not expire passwords
This obviously is not an exhaustive list, but it highlights the types of tasks that Microsoft has included in the improvement actions list.
Right now, however, Microsoft is in the process of adding some new improvement actions. Unlike the improvement actions that I have highlighted, the new improvement actions are tied directly to Azure Advanced Threat Protection (Azure ATP, since renamed Microsoft Defender for Identity), which monitors on-premises Active Directory through sensors installed on domain controllers. That is why, unlike the Azure AD items above, these actions concern the health of your on-premises directory. They fall into four key areas:
- Risky lateral movement paths
- Unsecure account attributes
- Enable security features on Active Directory trusts
- Remove unsecure SID history attributes from entities
(You can read more about these changes here.)
Obviously, this change is not going to impact every organization, because not every Microsoft 365 subscription plan includes Azure Advanced Threat Protection, and the assessments only produce findings where its sensors are deployed on domain controllers. Even so, Microsoft's actions may be a sign of things to come. Note also that adding improvement actions raises the maximum possible score, so a tenant's percentage can drop the day new actions appear even though nothing in the tenant has changed.
It seems perfectly plausible that Microsoft could add improvement actions related to additional areas as time goes on. Even if Microsoft chooses not to further expand its list of improvement actions, it is still important to periodically revisit your Secure Score to make sure that you haven't inadvertently made any changes that have decreased your organization's score, and to notice when a newly added action has lowered your percentage.
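Both the portal walkthrough earlier in this article and the advice to revisit the score periodically can be automated. The following is an added example, not code from the original article or from Microsoft: a PowerShell function that takes Secure Score snapshots in the shape Microsoft Graph returns from `GET /v1.0/security/secureScores` (one entry per day, each with `currentScore`, `maxScore`, `createdDateTime` and a `controlScores` array) and reports the current percentage plus every control whose score fell between the oldest and newest snapshot. The two snapshots in the block are constructed sample data, and the control names, scores and dates in them are illustrative assumptions, not values from any real tenant; the commented lines at the end show how to feed the function live data with the Microsoft Graph PowerShell SDK.

```powershell
# Added example (not from the original article): detect Secure Score drift between two
# Graph snapshots. Assumes the /v1.0/security/secureScores response shape described above.
function Get-SecureScoreDrift {
    param(
        # Array of snapshot objects, each with currentScore, maxScore, createdDateTime
        # and a controlScores array of {controlName, score, description}.
        [Parameter(Mandatory)] [object[]] $Snapshots
    )

    # Graph returns newest first; sort explicitly so the function does not rely on that.
    $sorted = $Snapshots | Sort-Object { [datetime]$_.createdDateTime }
    $oldest = $sorted[0]
    $latest = $sorted[-1]

    $percent = [math]::Round(100 * $latest.currentScore / $latest.maxScore, 1)

    # Index the older per-control scores by name so each current control can be compared.
    $before = @{}
    foreach ($c in $oldest.controlScores) { $before[$c.controlName] = [double]$c.score }

    # A control whose score went down is either a setting someone changed back,
    # or a control Microsoft re-scored; either way it deserves a look.
    $dropped = foreach ($c in $latest.controlScores) {
        if ($before.ContainsKey($c.controlName) -and [double]$c.score -lt $before[$c.controlName]) {
            [pscustomobject]@{
                Control = $c.controlName
                Before  = $before[$c.controlName]
                After   = [double]$c.score
                Lost    = $before[$c.controlName] - [double]$c.score
            }
        }
    }

    [pscustomobject]@{
        AsOf            = $latest.createdDateTime
        CurrentScore    = $latest.currentScore
        MaxScore        = $latest.maxScore
        Percent         = $percent
        DroppedControls = @($dropped)
    }
}

# Constructed sample data shaped like two /security/secureScores entries. Control names,
# scores and dates are illustrative assumptions, not taken from a real tenant or the article.
$sample = @(
    [pscustomobject]@{
        createdDateTime = '2020-05-01T00:00:00Z'; currentScore = 120; maxScore = 300
        controlScores = @(
            @{ controlName = 'AdminMFAV2';      score = 10; description = 'Require MFA for administrative roles' },
            @{ controlName = 'BlockLegacyAuth'; score = 8;  description = 'Enable policy to block legacy authentication' }
        )
    },
    [pscustomobject]@{
        createdDateTime = '2020-05-08T00:00:00Z'; currentScore = 112; maxScore = 300
        controlScores = @(
            @{ controlName = 'AdminMFAV2';      score = 10; description = 'Require MFA for administrative roles' },
            @{ controlName = 'BlockLegacyAuth'; score = 0;  description = 'Enable policy to block legacy authentication' }
        )
    }
)

$report = Get-SecureScoreDrift -Snapshots $sample
"Secure Score as of $($report.AsOf): $($report.CurrentScore)/$($report.MaxScore) ($($report.Percent)%)"
$report.DroppedControls | Format-Table -AutoSize

# Live tenant (requires the Microsoft.Graph PowerShell SDK and the SecurityEvents.Read.All
# permission; Invoke-MgGraphRequest returns hashtables, which the function handles):
#   Connect-MgGraph -Scopes 'SecurityEvents.Read.All'
#   $live = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/security/secureScores?$top=30').value
#   Get-SecureScoreDrift -Snapshots $live
```

With the sample data the function reports 112/300 (37.3%) and flags `BlockLegacyAuth` as having lost 8 points. Scheduling this against a live tenant and alerting on a non-empty `DroppedControls` list catches both the inadvertent rollbacks the article warns about and the re-scoring Microsoft applies when it changes its recommendations; a drop in `Percent` with an empty `DroppedControls` list usually means `MaxScore` grew because new improvement actions were added.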