Share via


Office 365 Secure Score - Find and Fix Risks in Office 365

Microsoft Office 365 Secure Score is a proactive security management service for Office 365.  Learn how Office 365 Secure Score can improve the security posture of an organisation and lessen the chance of being hacked or suffering from a data breach. 

Office 365 Secure Score can be used to assess a tenant, looking at the overall health and the steps that can be taken to reduce risk.    This can help improve the overall security by providing a list of actions to better secure a tenant. This article will introduce Office 365 Secure Score, how it can be used and some tips for getting the most out of it.

What is Office 365 Secure Score?

Here are some of the features of Office 365 Secure Score:

  • Analyse an Office 365 tenant, examining how secure it is and providing an overall assessment via a secure score
  • Secure score summary provides a way of grading how well available security controls have been implemented, offsetting the risk of being breached
  • The modeller provides a way to target an improved score and the corresponding set of actions that would need to be implemented to achieve this score
  • A Score Analyzer to track the Secure Score over time and to examine how each score was calculated  

This three-minute video provides an overview of Secure Score - Understanding your Office 365 security position and what you can do to enhance it.  Also, there is an interactive guide available called Assessing your organization's security posture with Office 365 with Secure Score.  

*Office 365 Secure Score was released as a public preview in August 2016. In February 2017, Office 365 Secure Score reached General Availability (GA). *

How does Office 365 Secure Score work?

Office 365 has many security settings and options but it can be difficult to track which of these are configured at any one time.  Office 365 Secure Score creates a full inventory of all the security configurations that reduce risk.  Points for each control that can reduce risk is calculated.  Certain control can be more effective and are assigned more points. Finally, the tenant is measured by how well these controls are being implemented.  All these points are added together providing an overall secure score.

This score is a snapshot of how well the tenant is being secured.  This can then be measured over time to track overall progress.  As administrators implement more controls, the score will improve accordingly.  The Secure Score is calculated automatically once a day.

Using Office 365 Secure Score

Office 365 Secure Score is available at this web address -  https://securescore.office.com.  Login to Office 365 Secure Score with a user that holds any of the administrative roles such as user admin or security admin.  When first run, a prompt asking for permissions in the tenant might be shown and which will have to be accepted before proceeding.

Office 365 Secure Score was initially only available to users with the global admin role, this is no longer the case. Office 365 Secure Score will be integrated into the Office 365 Security and Compliance Center in a future release.

The main focus of the interface is the Secure Score Summary, which displays the current Secure Score with the total number of points available to the tenant and the date the score was measured.  

The total number of points available isn’t a target to be achieved, as this would implement some severe security restrictions that would likely impact user productivity. The idea is to improve security by better making use of the security controls available while retaining user productivity.

Office 365 Risk Assessment

Office 365 Secure Score provides an overall risk assessment for the tenant.  This shows areas where the tenant is at risk with the top threats based on how the tenant is configured.

Here are some of the scenarios and the risks these represent:

  • Account Breach -  the risk includes an account in the tenancy is breached such that it can be used by an attacker to interact with either resource in Office 365, or with on-premises infrastructure
  • Elevation of Privilege -  an attacker has managed to compromise one or more accounts in the tenancy and is now working to increase their power
  • Data Exfiltration -  an attacker has found a way to move data out of the tenancy

How to Improve the Secure Score

As useful as the overall score is, the real power of  Office 365 Secure Score is the recommendations it makes that is personalised for each tenant.  This is an actionable list of controls that can be implemented that will improve security in a tenant and will be later reflected in a higher Secure Score.

Depending on how much an administrator wants to improve the score by, there is a sliding bar, known as the modeller, that can be used to target a particular score and the corresponding set of actions will change. For example to aim for a score of 200 it may require implementing 7 actions, while a score of 250 could require 14 actions to be enabled.

Each action has further information, showing how it will improve security and what threats it represents, along with how it's currently configured in the administrator's tenant.   It will also show the points available when implementing this action.

 

Clicking 'Lean more' will guide the administrator through making the specific configuration change.  In this example, it will show which Global Admins don't have Multi-Factor Authentication (MFA) enabled and an option to launch the console where this can be enabled.   After this action is performed, the Secure Score will be increased accordingly.  

Note: The score is calculated once per day (around 1:00 AM PST). After making a change to a measured action, the score will automatically update the next day. It can take up to 48 hours for a change to be reflected in the score.  There is no option to run a manual scan.

Note some actions are not scored, which means even if the corresponding actions are implemented, the secure score won't increase.  These actions are marked as [Not Scored] in the queue.  Microsoft has said, over time, Office 365 Secure Score will be able to better measure these controls and adjust the score accordingly.

Comparing Scores

Office 365 Secure Score will show tenants score compared to the Office 365 average score in the main dashboard.  The Office 365 average Secure Score is calculated from every Office 365 customer's Secure Score.  This provides a general comparison with the administrator's tenant against the average.  
  
 

Score Analyzer

The score analyzer will show scores over time, such as in the last week, 30 days or three months.  This will highlight any trends, where the score has been improved or worsened making it easily identifiable.  This graph is interactive, clicking on one of the points, will provide additional information with completed/incomplete actions at that point in time.  If an administrator needs to identify why a score has worsened or improved, it will show up here by comparing what has changed since the previous score.

Office 365 Secure Score Checklist

 
Here is a suggested set of steps for getting started with Office 365 Secure Score:

  • Sign up for Office 365 Secure Score service, which is at no additional cost and find the Secure Score for the tenant
  • Check what the recommended actions are, reviewing what could help improve the tenant security and take the appropriate action
  • Check the Secure Score once a week
  • Identify if there have been any significant changes and track what may have changed 
  • Join the Microsoft Tech Community (the link is in the next section) to stay up-to-date with Office 365 Secure Score

Changes to the tenant should only be done in accordance with the administrator's organisation change control process.  Many of the suggested actions could have a significant impact on end-users.

Further Information

There is an increasing amount of resources for Office 365 Secure Score, which is covered here.

Overview

Office 365 Secure Score was originally announced in August 2016 in this blog post:

New Security Analytics Service: Finding and Fixing Risk in Office 365

Office 365 Secure Score was released to General Availability in February 2017 in this announcement: 

New Office 365 capabilities help you proactively manage security and compliance risk

There is a 4 minute Microsoft Mechanics episode covering Office 365 Secure Score:

An introduction to Office 365 Secure score

There is now a Microsoft support article covering Secure Score - Introducing the Office 365 Secure Score.

Audit Transport Rules Forwarding to External Recipients

Audit Inbox Rules Forwarding to External Recipients

Demo 

There was a session from Microsoft Ignite 2016 all about Office 365 Secure Score: 

Learn about Office 365 Secure Score: actionable security analytics

Office 365 Secure Score was also covered during Microsoft Ignite Australia 2017, such as in this session - Security and Compliance Update for Office 365.

Support and new developments 

The best place to discuss and ask questions about Office 365 Secure Score is in the Microsoft Tech Community.  There is the Security, Privacy & Compliance community, which Microsoft monitor and can provide help. There is also the Securing Office 365 blog, which is the official blog of the Office 365 Security team.