Office 365 Partner Community: Introducing Office 365 Secure Score


Michael Panciroli, Technology Solutions Professional, Office 365 and Voice

Consider this security prediction from Gartner in their top predictions for IT organizations and users for 2016 and beyond: "Through 2020, 95 percent of cloud security failures will be the customer's fault." (Gartner, 2015) While your core cloud service may be secure, are you taking the appropriate measures and doing your part to implement the available customer controls? Do you know what controls are available, where they are, and how to access them?

A new security analytics tool, Office 365 Secure Score, can help you get the visibility and insights needed to prevent breaches. In this post, I'll introduce you to Office 365 Secure Score and explain why every partner should make it part of their Office 365 practice. The March 2 Office 365 Partner call will be an in-depth discussion of Secure Score.

Sign up for the March 2 Office 365 Partner call

Introducing Office 365 Secure Score

Office 365 Secure Score is a new security analytics tool that applies a score to Office 365 customers’ current Office 365 security configuration. It helps organizations better understand their security posture and how to improve and reduce their risk in Office 365. Secure Score helps customers balance their security and productivity needs with guidance to help them enable the right mix of the 71 available security features and to model what their score would look like after adopting some of these features. Organizations can also compare their score with other organizations and see how their score has been trending over time.

Office 365 Secure Score

Take a look at the Secure Score summary in the image above. In this example, the Secure Score is 123 out of 273 points possible.

  • The numerator is the total points you have based on the security features you have enabled (in this example, 123).
  • The denominator is the maximum number of points you can acquire if you enable all features your tenant has access to in your current Office 365 Plan (in this example, 273).
  • To the right of the summary is information on what is new and the current attack risks that you could be mitigating better. Click on each of these risks to see additional information. Under Risk assessment, you can see how your score stacks up against the average Office 365 score.

Secure Score offers suggestions for improving your score with the Action Pane. In the Action Pane, you can model how to increase your score while optimizing for the balance between productivity and security. In the example above, the target score of 266 is based on the slider underneath it. Moving the slider increases or decreases the number of actions in your list and adjusts the target score. The suggested actions can also be filtered by criteria such as actions that have low end-user impact, or actions that apply to user accounts. The target score adjusts dynamically based on your selection to show you how much your score will increase if you take all of the actions in the queue.

If you are wondering why the maximum score shown in the Action Pane modeler can be higher than the denominator of your Secure Score, it’s because some organizations may not have access to security features available in premium plans. We want customers to be aware that other security options are available to help protect users and data, so we provide a view of all options in the service.

Video: Introduction to Office 365 Secure Score


Partner opportunity with Secure Score

I think Office 365 Secure Score is one of our best-kept secrets, but it shouldn't be. Let me tell you why I'm excited about Secure Score and what it means for partners.

Many Office 365 customers I work with don’t fully understand current security settings and the related security risk. Others lack cloud security knowledge and capacity in their IT departments. Still others don’t own or use security solutions that provide adequate protection against current security threats. Partners should offer Office 365 security assessments to customers, using both Secure Score and Advanced Security Management. When you run Secure Score for a customer, you get an immediate assessment of the current status of Office 365 security. You also get a prioritized list of remediation actions you can take to help improve the customer's security posture. Secure Score provides guidance and recommendations on how to successfully implement Office 365 security features.

You can use the model and consult with your customer to customize and prioritize the actions as part of a security roadmap that maps Office 365 security capabilities to customer security objectives and requirements.

For example, my top recommended action was to enable multi-factor authentication (MFA) for my global administrators. When you click on an action in the queue you can see more details about that action, including a description of what the recommendation is, what threat is being mitigated, and what the status of that action is in your organization. You can click "Learn More" to open a pane for further explanation. Then you will see a “Launch Now” button. In this example, Launch Now takes me directly to the Office 365 Administration user settings for multi-factor authentication so that I can enable it.

Enable MFA for your team in Office 365 Secure Score

A useful feature of Secure Score for partners is that it tracks the score over time. With the Secure Score Analyzer, you can see a table of the actions you completed on a specific date and how many points you accrued for each action. You can then share the actions you have completed with your customer by exporting this information to a CSV or PDF file. With this report, you can demonstrate how you have made their tenant more secure by reviewing their historical score and the actions you have taken to get that score.

Here are some services you can provide as part of an Office 365 security assessment offering, with the help of Secure Score:

  • Provide an overview of Office 365 security controls
  • Provide guidance, recommendations, and best practices about successfully implementing Office 365 security features
  • Assess the current status of Office 365 security
  • Identify potential security challenges
  • Map Office 365 security capabilities to customer security objectives and requirements
  • Discuss and create a prioritized, actionable security roadmap
  • Offer your services to help close identified gaps
  • Monitor and maintain their score over time

Getting started with Secure Score

Note: This information was updated on March 6.

Office 365 Secure Score is now generally available to organizations that have an Office 365 commercial subscription and are in the multi-tenant and Office 365 US Government Community clouds. Within those organizations, Secure Score is accessible to Global administrators, Delegated / Password administrators, Service administrators, and User management administrators. If you are one of these designated administrators, you can go to securescore.office.com and see the Secure Score for your tenant, interact with the model, and see your security recommendations.

Resources

Community call about Office 365 Secure Score on Thursday, March 2

I hope this introductory blog post has given you some ideas about how and why to learn more about Office 365 Secure Score and add it to your offers for customers. Join me on the March 2 community call for an in-depth discussion, and ask questions in our Yammer group.

Office 365 and Voice Partner Community

  • Office 365 Partner call on March 2
  • Microsoft Trust Center Office 365 Security
  • Office 365 Roadmap

Comments (2)

  1. Dean Gross says:

    When we activate MFA for Global Admins, they can't run many of the PowerShell cmdlets they need. When will all of the O365 related modules be updated to support MFA?

    1. The Exchange Online Remote PowerShell in preview will support MFA - I don’t have dates for Azure RMS, SfB Online or the Security and Compliance Center. Until then, if possible, consider disabling a role-based admin account that doesn’t have MFA so it can't be used to log in, and then when you need it to accomplish a specific task you can enable it temporarily. If you have AAD Premium available to you, then consider leveraging Privileged Identity Management to enforce MFA when temporarily granting the required permission for a role-based admin.
