Microsoft Secure Score has added new controls to support Microsoft Cloud App security and Azure Active Directory.
What is Microsoft Secure Score?
Microsoft Secure Score is a solution that rates how well you’re leveraging security controls for Office 365, Microsoft 365 and Windows 10.
You can check your secure score, and see how you compare against similar businesses at https://securescore.microsoft.com.
New Azure Active Directory Secure Score controls
The new Azure Active Directory controls relate to how well your securing identities in your organization.
Enabling self-service password reset to empower users and reduce help desk costs
You can login to Azure AD to enable self service password reset for all, or just selected, users. You can choose the authentication measures (eg. phone number and alternate email) that users can use to reset their passwords. The policy can require that users register these details on next login, and also define a time period for users to reconfirm their info.
Require just in time access for global administrators using Privileged Identity Management
Privileged Identity Management works on the principal of zero standing access. In practice it means that by default, admins don’t have the ability to perform actions which expose sensitive data, or potentially cause harm. When an admin needs to perform one of these types of actions, they follow a set approval process and provide a justification. This process is audited, and upon approval, the admin is only granted access for a limited period of time. Privileged Identity Management can be enabled in the admin portal, provided you have a plan which includes Azure AD P2.
Turning on password hash sync
If you’re running a hybrid organisation, you can setup password hash sync. This will ensure that users can have the same password for Office 365 and Azure AD services that they use on-premise.
Enable user risk policies
Companies with Azure AD P2 can enable policies that can block access or prompt a user for MFA when a risky sign-in is detected. A risky sign in could be a login from an unexpected location or from a device infected with malware.
Some other important Azure AD controls include:
Require MFA for admins (and also users)
At Microsoft Ignite this year it was reported that only 2% of all admins in Office 365/Azure AD had multifactor authentication enabled. This control is scored quite high as multi-factor authentication makes your accounts 99.9% less likely to be compromised.
Every Office 365/Azure AD tenant gets a free conditional access baseline policy which requires MFA for all privileged roles in Office 365 and Azure AD. This policy will soon be enabled by default, however you can login here and require it be enabled immediately.
Disable stale accounts
Microsoft recommends that you disable any accounts that haven’t been used for the last 30 days. While there may be legitimate circumstances where an account is unused for 30 days, these accounts can also be targets for attackers who are looking to find ways to access your data without being noticed. See here for a list of inactive users in your organisation.
Have less than 5 global admins
You should designate less than 5 global admins in your organisation, even if they are all protected by MFA. The more admin users you have, the more likely it is that one of them is breached or ends up in the hands of a malicious insider. Admin roles in Office 365 should be assigned with the least privilege required for the admin to perform their tasks. Microsoft recommends that you do have at least 2 global admins however, to ensure you can recover from a breached account or rogue insider.
Don’t expire passwords
Setting passwords to expire encourages bad security practices when users store them unsafely or set insecure passwords with patterns. It’s best practice to require users to set stronger passwords which never expire.
What is Microsoft Cloud App Security
Microsoft Cloud App Security gives you a framework to secure your Microsoft and non-Microsoft cloud apps. You can use it to setup policies which alert on suspicious logins or behaviours are across apps like Office 365, Dropbox, Box, Salesforce and many more.
Microsoft Cloud App Security is available in Microsoft 365 E5 and in Office 365 E5 (as Office 365 Cloud App Security). We recommend you purchase it stand alone if you don’t have an E5 plan.
Here are the new Secure Score controls for Cloud App Security:
Reviewing permissions and blocking risky OAuth applications
You can visit the App Permissions page for third party apps in Cloud App Security to see which permissions have been granted to access your company’s Office 365 data. Here, you can revoke permissions and prevent users from authorising these apps to access company info.
Reviewing anomaly detection policies
Anomaly detection policies use machine learning to detect suspicious activities amongst your users. They help you understand if users are logging in from locations that they normally don’t log in from, using anonymous IP addresses, and have multiple failed login attempts. Review them here.
Discover risky and non-compliant Shadow IT applications
Upload your firewall and proxy logs and use the cloud discovery dashboard to discover which applications are in use within your company. Cloud App Security has a rating system that can help determine the risk level of each application. Create a report here.
Creating custom activity policies to discover risky behaviour
In Cloud App Security you can create custom policies as well as take advantage of some of the built-in defaults. These policies can detect and alert when there are suspicious activities like mass downloads or deletions across your Microsoft and third party cloud apps.