
Improve Security Posture with Actionable Insights


Posted by Tom Hind

Microsoft Secure Score is a part of the Microsoft Cloud Security toolkit available within Microsoft 365. Over the last few years, it has grown from a simple recommendations tool to an action centre for viewing recommendations across an organisation's Microsoft 365 estate, from identity to devices and general service configuration.

With the split of the protection centre into the new Security and Compliance portals, Microsoft Secure Score fits into the Security portal alongside incidents, alerts, endpoint protection and email and collaboration security tools.

Secure Score isn’t just useful for organisations that have just started on their Microsoft 365 journey. It can be useful to any IT or security team to check overall compliance and to see how the security posture of the estate is looking. By tracking improvements and regressions, it is possible to plan for change and understand what impact this may have on the user and device estate.

As part of the ‘Good, Better, Best’ workshop we run with organisations, we step through the different levels of security which are possible with the licenses that are available to the organisation, rather than looking at additional purchases which may not be immediately necessary. This provides us with a baseline for what good looks like with minimal change, moving into better which may have an impact on users or how IT operate the Microsoft cloud environment. Finally, the best tier may potentially include additional investment in services such as Azure AD Privileged Identity Management (PIM) for managing administrative access to services, or MCAS for auditing and tracking user actions throughout their lifecycle.

Microsoft Secure Score matches this methodology by providing IT security with a view of how many ‘points’ the organisation currently has against the maximum number of points achievable with the suggested changes. Secure Score also provides a graph view of the organisation in comparison to similar organisations based on size and industry. Across the Secure Score metrics and trends it is also possible to ‘accept risk’ for actions which may not be achievable due to constraints or decisions based on third-party solutions.

Whilst Secure Score metrics, trends and historical information can be useful, the core of the solution is within the improvement actions. Improvement actions are the individual items which IT, information governance or security can take on to increase the security posture of the M365 environment. We would recommend grouping these improvement actions by product and filtering by licenses which exist within the tenant. This gives a good overview of which actions to focus on and helps plan which solutions to target first.

The example above shows the level of information available when an improvement action is selected, in this case for ensuring all users can complete multi-factor authentication within the tenant. As an administrator I can set this action to planned and share it out with my team via Microsoft Teams, Planner or email for wider collaboration or assignment of the action. Alongside sharing, it is possible to see the prerequisites for the action as well as a step-by-step guide on how best to implement the action. Not all actions have this level of detail, although it is constantly being updated, and in most cases the action page will allow you to directly navigate to the area for configuration via the manage option.

As action items are delegated and completed, the score of the organisation will update within a 24-hour window and the items will be closed off as completed. From this point, if any of the settings on completed items change due to Microsoft updates, this will also be reflected against the item within the portal. In some cases, policies may change due to internal restructuring of device management or identity policies. Via the Secure Score reporting, it is easy to analyse regressions or improvements against the previous baseline.
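The baseline comparison described above can also be done offline on two exported score snapshots. The following is an added example, not code from the original post: the control names and values are constructed, and the field names assume the shape of the Microsoft Graph `secureScore` resource (`currentScore`, `maxScore`, `controlScores`).

```python
# Added example: sample data is constructed; field names assume the
# Microsoft Graph secureScore resource shape (controlScores[] entries).
BASELINE = {"currentScore": 17.0, "maxScore": 30.0, "controlScores": [
    {"controlName": "ExampleMfaAllUsers", "controlCategory": "Identity", "score": 9.0},
    {"controlName": "ExampleBlockLegacyAuth", "controlCategory": "Identity", "score": 8.0},
    {"controlName": "ExampleMailAutoForward", "controlCategory": "Apps", "score": 0.0},
]}
CURRENT = {"currentScore": 19.5, "maxScore": 35.0, "controlScores": [
    {"controlName": "ExampleMfaAllUsers", "controlCategory": "Identity", "score": 6.5},
    {"controlName": "ExampleBlockLegacyAuth", "controlCategory": "Identity", "score": 8.0},
    {"controlName": "ExampleMailAutoForward", "controlCategory": "Apps", "score": 5.0},
    {"controlName": "ExampleDlpPolicy", "controlCategory": "Data", "score": 0.0},
]}

def by_name(snapshot):
    """Index a snapshot's per-control scores by control name."""
    return {c["controlName"]: c for c in snapshot.get("controlScores", [])}

def compare_snapshots(baseline, current, tolerance=0.01):
    """Classify every control whose score differs between two snapshots."""
    old, new = by_name(baseline), by_name(current)
    changes = []
    for name in sorted(old.keys() | new.keys()):
        before = old[name]["score"] if name in old else None
        after = new[name]["score"] if name in new else None
        if before is None:
            kind, delta = "new", after          # control added since baseline
        elif after is None:
            kind, delta = "removed", -before    # control no longer reported
        elif abs(after - before) <= tolerance:
            continue                            # unchanged, nothing to report
        else:
            kind = "regression" if after < before else "improvement"
            delta = after - before
        category = (new.get(name) or old[name])["controlCategory"]
        changes.append({"control": name, "category": category,
                        "kind": kind, "delta": round(delta, 2)})
    return changes

def percent(snapshot):
    """Headline score as a percentage of the maximum achievable points."""
    return round(100 * snapshot["currentScore"] / snapshot["maxScore"], 1)

if __name__ == "__main__":
    print(f"headline: {percent(BASELINE)}% -> {percent(CURRENT)}%")
    for change in compare_snapshots(BASELINE, CURRENT):
        print("{kind:<12}{category:<10}{control:<26}{delta:+.1f}".format(**change))
```

In this constructed data the total points rise from 17.0 to 19.5 while the MFA control loses 2.5 points, which is why the per-control view matters more than the headline number when reviewing a baseline.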

Whilst Microsoft Secure Score is a great way to baseline and constantly improve on security posture, having an active awareness of the solutions available in your cloud ‘toolbox’ is the best way to keep informed on updates and provide IT and operations with the knowledge and information required to keep an environment secure and actively searching for threats whilst responding to incidents in a managed state.