Office 365 Secure Score Script

In light of the discovery that a recent compromise involved administrator credentials that were not protected with multi-factor authentication, I thought revisiting Secure Score might be a good idea.

For the uninitiated, Secure Score is a tool we provide that examines some configuration items in your Office 365 tenant and gives guidance on others, with the aim of creating a more secure operating environment. It evaluates a number of things, such as how many global admins you have or whether your users have multi-factor authentication enabled.

A default tenant out of the box gets a score of about 45 (out of a current maximum of 452). We provide a web-based tool that both gives guidance and enables some configuration items, but I thought: how much of this can we script, so that we can give an "easy button" approach to enabling some default features?

So, I created a script. You can run it in your tenant to do everything from creating and enabling default ATP rules, checking transport configs and inboxes for rules that forward mail outside your tenant, configuring transport rules to block client auto-forwarded messages, and enabling some default ActiveSync policies. I've got a whole list of things that it does (it took my score from the default 45 up to 194). I've made some modifications to the script and am waiting for my score to update, and I've started looking into how I can automate even more configuration items.

Each parameter configures a single option, or you can be lazy and use the '-All' switch to flip on everything. I'd recommend trying it out in a test tenant, or one option at a time, or even examining the code to see how I'm enabling some of the features. It's a pretty rough script at the moment, but I have a lot of ideas for it once I get some more time.
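As an added illustration (this is not the author's script, just a sketch of two of the checks the post describes), the following Exchange Online PowerShell shows the per-option switch layout with an -All convenience switch, an audit of mailbox forwarding and inbox rules that send mail to domains the tenant does not own, and a transport rule that rejects client auto-forwarded messages to external recipients. It assumes an existing Exchange Online session (for example via Connect-ExchangeOnline from the ExchangeOnlineManagement module, which signs in interactively and so works with an MFA-protected admin account); the switch names, function names and the transport rule name are illustrative choices of mine. The ATP and ActiveSync parts the post mentions are not shown.

```powershell
<#
  Added example, not the original post's script. Assumes an active Exchange
  Online PowerShell session. Parameter names, function names and the rule
  name are illustrative.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$AuditForwarding,   # report forwarding to addresses outside the tenant
    [switch]$BlockAutoForward,  # create a transport rule rejecting client auto-forward
    [switch]$All                # convenience switch: run every option
)

if ($All) { $AuditForwarding = $true; $BlockAutoForward = $true }

# Domains the tenant owns; any other domain is treated as external.
$acceptedDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLowerInvariant() }

function Test-ExternalAddress {
    param([string]$Address)
    # Inbox rule recipients render as "Display Name [SMTP:user@example.com]";
    # mailbox ForwardingSmtpAddress renders as "smtp:user@example.com";
    # internal recipient objects render with an EX: legacy DN and no "@".
    if ($Address -match '(?i)smtp:([^\]\s]+)') { $Address = $Matches[1] }
    if ($Address -notmatch '@') { return $false }
    $domain = ($Address -split '@')[-1].ToLowerInvariant()
    return -not ($acceptedDomains -contains $domain)
}

function Get-ExternalForwarding {
    $findings = @()
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # Mailbox-level forwarding (set by an admin, or by whoever holds admin credentials).
        if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress)) {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress; Source = 'MailboxForwarding'
                Rule    = $null;                   Target = $mbx.ForwardingSmtpAddress
            }
        }
        # User-created inbox rules that forward, forward as attachment, or redirect.
        foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            foreach ($t in ($targets | Where-Object { $_ })) {
                if (Test-ExternalAddress ([string]$t)) {
                    $findings += [pscustomobject]@{
                        Mailbox = $mbx.PrimarySmtpAddress; Source = 'InboxRule'
                        Rule    = $rule.Name;              Target = [string]$t
                    }
                }
            }
        }
    }
    return $findings
}

function New-BlockAutoForwardRule {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $name = 'Block client auto-forward to external recipients'   # illustrative rule name
    if (Get-TransportRule -Identity $name -ErrorAction SilentlyContinue) {
        Write-Verbose "Transport rule '$name' already exists; skipping."
        return
    }
    if ($PSCmdlet.ShouldProcess($name, 'Create transport rule')) {
        # AutoForward matches messages a client auto-forwarded (Outlook rules, etc.);
        # scoping to NotInOrganization leaves internal forwarding untouched.
        New-TransportRule -Name $name `
            -FromScope InOrganization `
            -SentToScope NotInOrganization `
            -MessageTypeMatches AutoForward `
            -RejectMessageReasonText 'Automatic forwarding to external recipients is not permitted.' `
            -RejectMessageEnhancedStatusCode '5.7.1'
    }
}

if ($AuditForwarding) { Get-ExternalForwarding | Format-Table -AutoSize }
if ($BlockAutoForward) { New-BlockAutoForwardRule }
```

Run it with -WhatIf first: the audit is read-only, and ShouldProcess gates the one write so you can see what would be created before it is. Note that the transport rule only stops client auto-forwards; mailbox-level forwarding and inbox redirect rules found by the audit still need to be reviewed and removed separately.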

You can check it out at

Comments (3)

  1. turbomcp says:

    nice one

  2. Aj says:

    Your original reason for looking into this is because of an admin account without MFA.

    How are you handling the automation if MFA is enabled on this account?
