SOLVED

Announcement: Office 365 Secure Score Released to Public Preview

Microsoft

Microsoft is pleased to announce the preview availability of a new security analytics service called the Office 365 Secure Score. The Secure Score is a security analytics tool that will help you understand what you have done to reduce the risk to your data in Office 365, and show you what you can do to further reduce that risk. We think of it as a credit score for security. Our approach to this experience was very simple. First, we created a full inventory of all the security configurations and behaviors that our customers can do to mitigate risks to their data in Office 365 (there are about 77 total things that we identified). Then, we evaluated the extent to which each of those controls mitigated a specific set of risks and awarded the control some points. More points means a more effective control for that risk. Lastly, we measure the extent to which your service has adopted the recommended controls, add up your points, and present it as a single score.

 

The core idea is that it is useful to rationalize and contextualize all of your cloud security configuration and behavioral options into one simple, analytical framework, and to make it very easy for you to take incremental action to improve your score over time. Rather than constructing a model with findings slotted into critical, moderate, or low severity, we wanted to give you a non-reactive way to evaluate your risk and make incremental changes over time that add up to a very effective risk mitigation plan.

 

The Office 365 Secure Score is a preview experience, so you may find issues, and you will note that not all of the controls  are being measured. Please share any issues on the Office Network Group for Security. You can access the Secure Score at https://securescore.office.com.

 

The Secure Score does not express an absolute measure of how likely you are to get breached. It expresses the extent to which you have adopted controls which can offset the risk of being breached. No service can guarantee that you will not be breached, and the Secure Score should not be interpreted as a guarantee in any way.

 

Your Secure Score Summary

The first, most important piece of the Secure Score experience is the Score Summary. This panel gives you your current Secure Score, and the total number of points that are available to you, given your subscription level, the date that your score was measured, as well as a simple pie chart of your score. The denominator of your score is not intended to be a goal number to achieve. The full set of controls includes several that are very aggressive and will potentially have an adverse impact on your users’ productivity. Your goal should be to optimize your action to take every possible risk mitigating action while preserving your users’ productivity.

 

As mentioned, the Office 365 Secure Score is in a preview release. Over the coming months you will see us continue to add new controls, new measurements, and improvements to the remediation experiences. If you like what you see, please share with your network. If you see something we can improve, please share it with us on the Office Network Group for Security. We’re looking forward to seeing your scores go up, and making the Secure Score experience as useful, simple, and easy as it can be.

 

Read More Here: https://blogs.technet.microsoft.com/office365security/new-security-analytics-service-finding-and-fix...

72 Replies

I have the same problem

 

403

Sorry! Access denied :(

 


@Chris Roberts wrote:
Unable to access this, I get the following:

403
Sorry! Access denied :(
You don't have permission to open this page. If you're a new user or were recently assigned credentials, please wait 15 minutes and try again.

Anyone else seeing this?

 

Hey Anil,

Are you setup as some kind of admin in the tenancy in question? You'll need to be an admin to get access.

Thanks!

Brandon Koeller

Thanks Brandon for quick response. I understand now how it works. I am following your video posted here. very useful :)

my interest is more towards understand the impact of Skype for business online related to secure score.
for example, if we enable federation with another organization or if any parameters / policies such as allowing file share or allowing app share etc in skype , will it impact the overall secure score?
interested in learning more architectural parameters related to secure score, which will help me with right conversations with customers and partners on this subject..

thanks for your help

Hey Anil,

Thanks for the follow-up. There is one control in the action list related to Skype for Business:

 

"You should not allow your users to communicate with Skype users outside your organization. While there are legitimate, productivity-improving scenarios for this, it also represents a potential security threat in that those external users will now be able to interact with your users over Skype for Business. Attackers may be able to pretend to be someone your user knows, and then send malicious links or attachments, resulting in an account breach, or leaked information. We found that your external domain skype communications setting is set to [Not Measured]. If you restrict this, your score will go up 5 points."

 

At the moment, the control is not measured, so enabling external domain connections won't actually reduce your score. Long term, we think this is a defense in depth control, however. The risk is marginal, and can be fairly detrimental to user productivity. Its on the list, but ranked relatively low. 

Thanks!

Brandon Koeller

InfoSec teams who'd find securescore useful for GRC purposes wouldnt want or shouldn't get the permission required to access it. Segregation of roles associated with access to this kind of functionality would be v useful.

Hey John,

Thanks for the feedback. So, the way the access model is implemented users of the tool are only able to perform actions that align with their assigned role. So, if a control requires global admin permissions and the user is assigned an Exchange Online Admin role, they won't be able to make the change. This leaves some roles such as Security Administrator as functionally read-only roles. Most of the read-only state and configuration data is already accessible to all those roles anyway (although it would take more work to get the state data). We tried to strike a balance between exposure of the recommendations to the right set of company stakeholders while respecting the constraints of their assigned roles. 

Thanks!

Brandon Koeller

I have the same issue with Intune scores not reflecting. We have been moved to intune on azure with Office 365 and dont get any scores showing up.

Hi Brandon,

 

I've granted all my InfoSec guys access in the Security and Compliance center as Security Administrators and Compliance Admins, but that doesn't seem to allow them to access SecureScore.
I then gave them Custom Administrator/Reports Reader, but they still got 403 when accessing the page. Will try going up to Service Admins and see if that allows them in. I also noticed that Compliance Admin is not listed in the available admin roles for Office 365 users. Am I missing a preview feature or something?

Secure score is great. We have slowly been tracking up as we fix the items that have been shown. 

 

I seem to get incorrect scores for all the mobile options. I assume this is due to us using intune. Any idea when the secure secure will reflect the intune mobile settings and security?

Hi Greg,

 

For the MDM actions we currently have the telemetry wired up for built in Office 365 MDM controls.  We are currently working on bringing in the Intune telemetry, so hold tight.  If you want points for using Intune now you can press the third party button for those controls.

what are the plans for adding Power Apps, Flow and/or Power BI to Secure Score?

Hi Dean,

 

I have not heard of any plan for these apps.  If you have ideas on what security controls should be measured for them, send me a private message and I am happy to share it with the engineering team.

Same thing is happened to me. I'm not a global admin.

 

Does anyone know what's the minimum access required to access this feature?


 wrote:
Unable to access this, I get the following:

403
Sorry! Access denied :(
You don't have permission to open this page. If you're a new user or were recently assigned credentials, please wait 15 minutes and try again.

Anyone else seeing this?

 

www.000webhost.com