Clients frequently turn to us for advice on how to enhance the security of their Microsoft 365 environment. A good starting point, and a lesser known offering from Microsoft, is the Secure Score portal.
The Microsoft Secure Score portal (Figure 1), displays your current score as a percentage, along with recommended actions to help boost it. Each recommended action is a weight or percentage, reflecting Microsoft’s assessment of its impact on your security posture.
Figure 1 – Example of Microsoft Secure Score Overview.
The “Actions to Review” section lists various categories. “Regressed” items highlight previous addressed issues that have resurfaced, either from changes made or an increase in risk from a rising user count. For example, if you add 10 new users without 2FA enabled, your Secure Score will regress until those accounts have 2FA enabled.
“To Address” items are Microsoft’s recommendations to improve your Secure Score percentage. Clicking each recommended action item provides a description, count of affected devices/users, and implementation steps. Microsoft has provided a “Manage” button on most recommended actions, under the “Implementation” tab, which takes you directly to the configuration page to make the change (Figure 2).
Figure 2 - Example of recommended action with “Manage” button to remediate item.
The “Planned” and “Risk Accepted” categories are similar in that they are manually recorded settings. By clicking on a recommended action, you can access the “Edit status & action plan” button (Figure 3) and choose whether the item is in a “Planned”, “Risk Accepted”, or “Resolved through third party/alternate mitigation” state. This feature is meant for organizational purposes, allowing you to categorize items and determine which to address next. Keep in mind that selecting “Risk Accepted” will not raise your Secure Score percentage, whereas choosing “Resolved through third party/alternate mitigation”, will.
Figure 3 – Example of Status and action plan settings.
The last two categories, “Recently Added” and “Recently Updated”, are straightforward.
What to Watch Out For
But it’s important to highlight some important caveats or “gotchas” with this Secure Score process. Note that some recommended actions in Microsoft Secure Score only increase your score when fully completed. For example, if a score reduction is caused by not having 2FA enabled on all accounts, and some of those accounts are unable to enable 2FA, editing the action plan to “Resolved through alternate mitigation” with a note describing the details of situation, is a better approach.
Another thing to remember is that changes made by users may take a day to be reflected in Secure Score. If it’s an admin-level setting change, the score should increase within an hour.
What is the Catch?
You may be wondering, when does this “Sales Pitch” reference come into play and, here it is. The most interesting caveat to consider is that Microsoft will reduce your score for items you don’t have a license to correct, pushing you to purchase additional licenses. An example of this is the “Create Safe Links policies for email messages” recommendation, which requires a Microsoft Defender for Office 365 P1 license (Figure 4). I appreciate Microsoft telling us that we could improve our security posture if we enabled this setting, but they should put these in a separate category altogether that does not affect your score.
Figure 4 – Example of recommended action showing that an additional license is required to remediate this item.
The Secure Score recommendations should be taken with caution as they are generic and automated suggestions, lacking human input on how to best improve your organization’s security posture in Microsoft 365. Moreover, the portal also does not cover important areas like SharePoint, which requires intricate settings and permissions to prevent security vulnerabilities. Your Microsoft Secure Score is one way to assess your M365 environment for areas of weakness, but a custom manual assessment suited to your specific environment and risk factors may be a better fit. We work with clients who need an outside, independent view of their IT environment and the security vulnerabilities at play. The Secure Score may be a good place to start, but it has limitations, and a human touch is necessary for a comprehensive security review.
Contact our dedicated IT Services team here to book a meeting today.
