Introducing the Office 365 Secure Score
Ever wonder how secure your Office 365 organization really is? Time to stop wondering - the Office 365 Secure Score is here to help. Secure Score analyzes your Office 365 organization's security based on your regular activities and security settings and assigns a score. Think of it as a credit score for security.
How do I get to Secure Score?
Anyone who has admin permissions (global admin or a custom admin role) for an Office 365 Business Premium or Enterprise subscription can access the Secure Score at https://securescore.office.com. Users who aren't assigned an admin role won't be able to access Secure Score. However, admins can use the tool to share their results with other people in their organization.
How does it work?
Secure Score figures out what Office 365 services you're using (like OneDrive, SharePoint, and Exchange) then looks at your settings and activities and compares them to a baseline established by Microsoft. You'll get a score based on how aligned you are with best security practices.
If you want to improve your score, review the action queue to see what you can do to help increase security and reduce risks.
Expand an action to learn about what threats it'll help protect you from and how you'll get the job done.
To see the impact of your actions on your organization's security, go to the Score Analyzer page and review your history.
Click any data point to see a breakdown of your score for that day. You can scroll down to see which controls were enabled and how many points you earned that day for each control.
How will it help me?
Using Secure Score helps increase your organization's security by encouraging you to use the built-in security features in Office 365 (many of which you already purchased but might not be aware of). Learning more about these features as you use the tool will help give you peace of mind that you're taking the right steps to protect your organization from threats.
But don't just take our word for it. Customers who are using Secure Score have seen their score increase 5 times more than customers who aren't using it. (The increase in score corresponds with the security features being used in their organizations.)
Check out our blog post to learn more.
The Secure Score does not express an absolute measure of how likely you are to get breached. It expresses the extent to which you have adopted controls which can offset the risk of being breached. No service can guarantee that you will not be breached, and the Secure Score should not be interpreted as a guarantee in any way.
Who can use Secure Score?
Anyone who has admin permissions (global admin or a custom admin role) for an Office 365 Business Premium or Enterprise subscription can access the Secure Score at https://securescore.office.com. Users who aren't assigned an admin role won't be able to access Secure Score. However, admins can use the tool to share their results with other people in their organization. We're looking at including other, non-admin roles in the permissions list in the future. If there are specific roles you'd like us to consider, let us know by posting on the Office Security, Privacy & Compliance community.
What does [Not Scored] mean?
Actions labeled as [Not Scored] are ones you can perform in your organization but won't be scored because they aren't hooked up in the tool (yet!). So, you can still improve your security, but you won't get credit for those actions right now.
How often is my score updated?
The score is calculated once per day (around 1:00 AM PST). If you make a change to a measured action, the score will automatically update the next day. It takes up to 48 hours for a change to be reflected in your score.
Who can see my results?
Results are filtered to show scores only to people in your organization who are assigned an admin role (global admin or a custom admin role).
My score changed. How do I figure out why?
On the Score Analyzer page, click a data point for a specific day, then scroll down to see the completed and incomplete actions for that day to find out what changed.
Does the Secure Score measure my risk of getting breached?
In short, no. The Secure Score does not express an absolute measure of how likely you are to get breached. It expresses the extent to which you have adopted features that can offset the risk of being breached. No service can guarantee that you will not be breached, and the Secure Score should not be interpreted as a guarantee in any way.
How should I interpret my score?
You're given points for configuring recommended security features or performing security-related tasks (like reading reports). Some actions are scored for partial completion, like enabling multi-factor authentication (MFA) for your users. Your Secure Score is directly representative of the Microsoft security services you use. Remember that security should always be balanced with usability. All security controls have a user impact component. Controls with low user impact should have little to no effect on your users' day-to-day operations.
To see your score history, go to the Score Analyzer page. Choose a specific date to see which controls were enabled for that day and what points you earned for each one.
I have an idea for another control. How do I let you know what it is?
We'd love to hear from you. Please post your ideas on the Office Security, Privacy & Compliance community. We're listening and want the Secure Score to include all options that are important to you.
Something isn't working right. Who should I contact?
If you have any issues, please let us know by posting on the Office Security, Privacy & Compliance community. We're monitoring the community and will provide help.
My organization only has certain security features. Does this affect my score?
The Secure Score calculates your score based on the services you purchased. For example, if you only purchased an Exchange Online plan, you won't be scored for SharePoint Online security features. The denominator of the score is the sum of all the baselines for the controls that apply to the products you purchased. The numerator is the sum of all the controls for which you completed, or partially completed, the actions to fulfill that control.
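The numerator and denominator described above can be worked through as a small calculation. This is an added example, not Microsoft's code: the control names, point values and the "Tenant" grouping are constructed, and it assumes partial completion earns points in proportion to the fraction completed and that [Not Scored] actions are left out of both sums.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str             # constructed control name
    service: str          # service the control belongs to (constructed grouping)
    baseline: int         # points available for the control (constructed value)
    completion: float     # fraction of the action completed, 0.0 to 1.0
    scored: bool = True   # False models a [Not Scored] action


def secure_score(controls, purchased):
    """Return (numerator, denominator) for the purchased services only."""
    numerator = 0.0
    denominator = 0
    for c in controls:
        # Controls for services you did not purchase never enter the score.
        if c.service not in purchased:
            continue
        # Assumption: [Not Scored] actions earn nothing and add no baseline.
        if not c.scored:
            continue
        if not 0.0 <= c.completion <= 1.0:
            raise ValueError(f"completion out of range for {c.name!r}")
        denominator += c.baseline
        # Assumption: partial completion earns a proportional share.
        numerator += c.baseline * c.completion
    return numerator, denominator


# Constructed sample data, not real Secure Score controls or point values.
CONTROLS = [
    Control("Enable MFA for all users", "Tenant", 30, 0.5),
    Control("Enable mailbox auditing", "Exchange Online", 10, 1.0),
    Control("Review mail forwarding report", "Exchange Online", 5, 1.0, scored=False),
    Control("Restrict external sharing", "SharePoint Online", 20, 0.0),
]

if __name__ == "__main__":
    for plan in ({"Tenant", "Exchange Online"},
                 {"Tenant", "Exchange Online", "SharePoint Online"}):
        earned, possible = secure_score(CONTROLS, plan)
        print(sorted(plan), f"{earned:g} / {possible}")
```

With only Exchange Online purchased, the SharePoint control does not count against you; adding SharePoint Online raises the denominator while the points earned stay the same until that control is configured.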