Part of the excitement of working with Office 365 is there is no shortage of new features being rolled out to keep your job interesting. As a consultant, it certainly keeps you on your toes and reminds you of the importance of continual education.
There are the features documented on the Office 365 Roadmap, features that are noted in the “Change Alerts” group in Yammer and then features that are little hidden gems that no one seems to be talking about.
I recently stumbled across one of these hidden gems called “Secure Score”.
What is “Secure Score”?
“Secure Score” appears to use a series of PowerShell scripts that gather configuration information from your Office 365 tenant; that data is then evaluated against various criteria to determine a “score” representing your security posture and recommendations on how to improve it.
Here’s the description from the site:
We take you through 10 best practices, considerations, and suggestions that can enrich your Microsoft Teams deployment and ensure both end-user adoption and engagement.
To some extent, it’s like the Microsoft Baseline Security Analyzer (MBSA) utility for Office 365.
How To Use It
First of all, it’s very clear from the site that this is a tool that is under development. The site states that the feature is “Alpha Preview” and to “Please understand that this service and software is a very early alpha and subject to issues”. That said, I always welcome the opportunity to check out bleeding edge features with the understanding that they will only get better.
You can access the “Secure Score” tool via the URL: https://o365securescore.azurewebsites.net/
The tool, in it’s current form, requires that you have the PowerShell modules for various components installed. So you’ll need the PowerShell modules for each of the following:
- Azure AD
- Azure RMS
- Skype for Business
- SharePoint Online
Fortunately, I already had these installed on my workstation but if you don’t, the “Secure Score” site and scripts will point you to the download links.
Once you have the prerequisites installed, you’ll download the “Secure Score Collector” which is essentially some PowerShell scripts and modules. When running the collector, there’s a few points where you’re questioned as to whether some activities are “weird or illicit”. While the scripts are running, you can see how early in the development the tool is, the output is a bit ugly and the logs include some interesting statements like “Cool, looks like everything is square”. Some of the mailbox checks seem like they would take a significant amount of time in a large environment, I’d be curious to see how this portion of the tool scales.
My tenant scored a 301 out of 492:
Once the data collection is completed, it is uploaded to the Microsoft service for further analysis.
Looking At The Results
The score is presented in a dashboard view and the “Score Viewer” shows multiple runs of the tool for historical purposes.
Each of the criteria evaluated is listed as a “GOOD” or “FIX IT!” result with the latter providing a link to the general area of configuration. I suspect you won’t find that all of the “FIX IT!” items will necessarily be resolved based on your organization’s requirements. As an example, “Let external people access your sites” was flagged as being enabled in my tenant, but I’m aware of it and want it enabled; regardless, it’s nice to see it listed there as a reminder.
This feature is certainly in a development stage so I’m sure the collector tool will be polished and the UI will be cleaned up. I do like that Microsoft is putting effort into this type of feature and believe it could become a portion of a larger “health check” for Office 365 tenants in the future. It’ll be interesting to see how this tool evolves, how deep it will be able to go and how well it will be able to keep up with the constant change in Office 365. In the meantime, feel free to check it out, there is an email address on the site for comments or issues that you may find.
Did you find this article helpful?
Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.
Looking to do some more reading on Office 365?
Catch up on my past articles here: Joe Palarchio.