
About nine or ten months ago I wrote a detailed article on the Office Secure Score report. Since that time, Microsoft has made a lot of changes to what is counted towards the Secure Score report and has even renamed it to the ‘Microsoft Secure Score’. Additionally, there is a new ‘Windows’ score that has been added to the Secure Score report page:

Changes Made:
Added
Designate less than 5 global admins
Do not expire passwords
Do not allow users to grant consent to unmanaged applications
Enable versioning on all SharePoint online document libraries
Use non-global administrative roles
Ensure all users are registered for multi-factor authentication
Review permissions & block risky OAuth applications connected to your corporate environment
Detect Insider Threat, Compromised account, and Brute force attempts in cloud applications
Enable self-service password reset
Do not allow mailbox delegation
Discover risky and non compliant Shadow IT applications used in your organization
Set automated notification for new OAuth applications connected to your corporate environment
Enable sign-in risk policy
Enable user risk policy
Enable policy to block legacy authentication
Enable Office 365 Cloud App Security Console
Set automated notifications for new and trending cloud applications in our organization
Enable Advanced Threat Protection safe attachments policy
Enable Advanced Threat Protection safe links policy
Set custom activity policy for your organization to discover suspicious usage patterns in cloud apps
Identify Shadow IT application usage in your organization by automating log upload from firewalls
Create a Microsoft Intune Compliance Policy for iOS
Create a Microsoft Intune Compliance Policy for Android
Create a Microsoft Intune Compliance Policy for Android for Work
Create a Microsoft Intune Compliance Policy for Windows
Create a Microsoft Intune Compliance Policy for macOS
Create a Microsoft Intune App Protection Policy for iOS
Create a Microsoft Intune App Protection Policy for Android
Create a Microsoft Intune Windows Information Protection Policy
Create a Microsoft Intune Configuration Profile for iOS
Create a Microsoft Intune Configuration Profile for Android
Create a Microsoft Intune Configuration Profile for Android for Work
Create a Microsoft Intune Configuration Profile for Windows
Create a Microsoft Intune Configuration Profile for macOS
Mark devices with no Microsoft Intune Compliance Policy assigned as Non Compliant
Enable Enhanced Jailbreak Detection in Microsoft Intune
Enable Windows Defender ATP integration into Microsoft Intune
Enable mobile device management services
Review blocked devices report weekly
Require PC and Mobile devices to be patched, have anti-virus, and firewalls enabled
Removed
Review sign-in devices report weekly
Review account provisioning activity report weekly
Review non-global administrators weekly
Review list of external users you have invited to documents monthly
What Does This Mean?
There is now a greater emphasis on using Intune to help secure your Office 365 tenant. Lockbox checking was removed, which is interesting. There is more emphasis on risk when it comes to clients and devices (sign-in risk, jailbreak detection, etc.). Most of these changes and additions appear to be a good thing on first review.
Further Analysis
I am planning to perform an analysis of each one of these features, like I did with the original article earlier this year. I want to do this to help those looking at the recommendations Microsoft provides in the Secure Score decide whether they are really things you should be applying. While Microsoft has its own reasons for these recommendations, they may not fit your organization’s needs. A good example of this is Intune. If you already have your own MDM provider, these won’t apply to you, and you should be aware of what it means to ignore them.
Examples of feature reviews:
