What does Office 365’s Secure Score mean?

Pankaj Kumbhar
2 min read · Oct 18, 2021

While working with various clients over the last year, the subject of security within Office 365 has come up. The Secure Score, in particular, is of importance. Clients frequently tell me that they don’t need any unique security solutions because they have a high Secure Score. I began to think about the Secure Score and why it makes us/clients feel good on the inside. I then remembered giving a presentation at a conference a few years back and advising everyone that, to please the CIO with an on-premises SharePoint configuration, they should be sure to remove the errors that appear in Central Administration owing to health analyzer rules.

I also joked that if they couldn’t repair them because they were “Microsoft features,” they should disable and delete them. That’s when it hit me: that’s the issue. Like disabling and erasing problems for the CIO, a Secure Score is just an artificial number that makes everyone happy. At this point, I must emphasize that obtaining a Secure Score entails far more than simply concealing a few mistakes. The Secure Score’s logic is derived from a Microsoft baseline template: your Office 365 tenant is evaluated directly against that template, and the score is generated from the comparison.

What kind of checks does the Secure Score perform?

Office 365 is a massive platform with a plethora of features and services. Secure Score takes advantage of Microsoft Graph, which collects data from many endpoints such as Exchange, SharePoint, and Microsoft Teams by utilizing sets of REST-based APIs. The collected data is checked against the baseline Microsoft template, and the output includes the score and a list of activities that may be completed to improve the score.

So, how valuable is the Secure Score?

For me, the number itself is meaningless. It’s merely a number derived from data that I, as a Tenant Administrator, can view and should be aware of. If you ask me if having a good score implies you don’t need anything extra to safeguard Office 365, I will kindly inform you of your Security activities. In my opinion, the Secure Score should supplement, not replace, your usual security program. Moving to the cloud does not eliminate the need for security platforms and controls.

What kinds of duties should I anticipate?

When you open the Secure Score page, you will see a breakdown of tasks that “should” be done beneath the score. These are suggested depending on the existing configuration and the baseline template given by Microsoft.
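To look past the headline number, the sketch below (an added example, not part of the original post) joins per-control scores with their maximums to list the open tasks and a per-category breakdown. It assumes the data was already retrieved from the Microsoft Graph `secureScores` and `secureScoreControlProfiles` endpoints; every value, title and the `ConstructedMailControl` name in the sample is constructed.

```python
from collections import defaultdict

# Constructed sample data, shaped like the Microsoft Graph resources
# secureScore (GET /security/secureScores) and secureScoreControlProfile
# (GET /security/secureScoreControlProfiles). Not real tenant output.
SCORE = {
    "currentScore": 21.0, "maxScore": 44.0,
    "controlScores": [
        {"controlName": "AdminMFAV2", "controlCategory": "Identity", "score": 10.0},
        {"controlName": "MFARegistrationV2", "controlCategory": "Identity", "score": 3.0},
        {"controlName": "BlockLegacyAuthentication", "controlCategory": "Identity", "score": 0.0},
        {"controlName": "ConstructedMailControl", "controlCategory": "Apps", "score": 8.0},
    ],
}
PROFILES = [
    {"id": "AdminMFAV2", "maxScore": 10.0, "title": "Require MFA for administrative roles"},
    {"id": "MFARegistrationV2", "maxScore": 9.0, "title": "Ensure all users can complete MFA"},
    {"id": "BlockLegacyAuthentication", "maxScore": 8.0, "title": "Block legacy authentication"},
    {"id": "ConstructedMailControl", "maxScore": 17.0, "title": "Constructed mail-flow control"},
]

def open_actions(score, profiles):
    """Return (gap, category, title) for controls with points left, largest gap first."""
    limits = {p["id"]: p for p in profiles}
    actions = []
    for c in score["controlScores"]:
        profile = limits.get(c["controlName"])
        if profile is None:  # no published profile, so the gap cannot be sized
            continue
        gap = profile["maxScore"] - c["score"]
        if gap > 0:
            actions.append((gap, c["controlCategory"], profile["title"]))
    return sorted(actions, key=lambda a: -a[0])

def category_breakdown(score, profiles):
    """Achieved vs. available points per category, which the headline number hides."""
    limits = {p["id"]: p["maxScore"] for p in profiles}
    totals = defaultdict(lambda: [0.0, 0.0])
    for c in score["controlScores"]:
        totals[c["controlCategory"]][0] += c["score"]
        totals[c["controlCategory"]][1] += limits.get(c["controlName"], 0.0)
    return {k: tuple(v) for k, v in totals.items()}

if __name__ == "__main__":
    print(f"Overall: {SCORE['currentScore']}/{SCORE['maxScore']}")
    for cat, (got, avail) in category_breakdown(SCORE, PROFILES).items():
        print(f"  {cat}: {got}/{avail}")
    for gap, cat, title in open_actions(SCORE, PROFILES):
        print(f"  open: +{gap} [{cat}] {title}")
```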
