Last week I got an email from a coworker that Microsoft has created a score website (https://securescore.office.com/) for Office 365 tenants. This website measures the security of your Office 365 tenant.
By default the score of your Office 365 tenant is very low: on my personal tenant I got a score of 29 out of 243, and on the tenant of one of my customers I also got 29 out of 243.
What does it rank
This website ranks about 60 settings within your tenant, divided into three categories.
On the Score Analyzer tab, you can see all the actions that you have already taken and which actions you can take to get your score up.
For every action that you can take there is an explanation of why you should do it and what the impact is on the users. Most of them also have a link to your Office 365 tenant where you can change the setting.
Some of these actions are very easy to implement, like ‘Set strong outbound spam policy’ or ‘Enable Mailbox auditing for all users’.
There are some catches that I have found with just applying the recommended settings. One of those is ‘Enable MFA for all Tenant Admins’: when you do that, some PowerShell scripts will stop working, so when you have PowerShell automation running on your tenant, as we have with some of our clients, this is not possible for every account. This does not mean you should not do it for all other tenant admins.
The customer might not be ready to enforce MFA for every single user, so you need to plan for that.
Some settings that are not that secure might be there for a particular business case of the customer.
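One way to plan around the MFA catch above is to list the tenant admins with their MFA state and mark the automation accounts as explicit, reviewed exceptions. This is an added example, not part of the original post; it assumes the MSOnline PowerShell module with an existing Connect-MsolService session and per-user MFA, and the service account name is a made-up placeholder.

```powershell
# Added example: report the MFA state of every tenant admin and keep
# automation accounts visible as documented exceptions.
# Assumes: MSOnline module loaded and Connect-MsolService already run.

# Hypothetical UPNs of accounts used by unattended PowerShell scripts.
$automationAccounts = @(
    'svc-automation@contoso.example'
)

# 'Company Administrator' is the MSOnline name of the tenant admin role.
$role = Get-MsolRole -RoleName 'Company Administrator'

$report = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq 'User' } |
    ForEach-Object {
        $user = Get-MsolUser -ObjectId $_.ObjectId

        # Per-user MFA: an empty collection means MFA is not enabled.
        $state = 'Disabled'
        foreach ($req in $user.StrongAuthenticationRequirements) {
            $state = $req.State   # 'Enabled' or 'Enforced'
        }

        $isAutomation = $automationAccounts -contains $user.UserPrincipalName

        if ($state -ne 'Disabled') {
            $action = 'OK'
        } elseif ($isAutomation) {
            $action = 'Exception: review how the script authenticates'
        } else {
            $action = 'Enable MFA'
        }

        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            MfaState          = $state
            Automation        = $isAutomation
            Action            = $action
        }
    }

# Interactive admins without MFA come first in the output.
$report | Sort-Object Automation, MfaState | Format-Table -AutoSize
```

The exception list should stay as short as possible, and every account on it is worth revisiting each time the score is reviewed.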
How to use this in my opinion
This site was for me a great starting point to get my tenant more secure. I did not just do everything that Microsoft says must be done to make the tenant more secure.
It is a great way to do an audit on the security of your tenant and gives you a great way to create a plan to make the tenant more secure.
The security officer is very happy with this insight on the tenant.