Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more improvement actions taken.
Navigation: More Reports Microsoft Secure Score
The MS Secure Score in Lifecycle Insights is a read-only report based on your Secure Score data in Azure. Microsoft makes the report data available on a daily basis, and as such we pull the data daily. With this in mind, if you make any changes in Azure that affects your Secure Score, that data will not be available to LCI until the next day.
How the MS Secure Score model works
You're given points for the following actions:
- Configuring recommended security features
- Doing security-related tasks
- Addressing the improvement action with a third-party application or software, or an alternate mitigation
Some improvement actions only give points when fully completed. Some give partial points if they're completed for some devices or users. If you can't or don't want to enact one of the improvement actions, you can choose to accept the risk or remaining risk.
If you have a license for one of the supported Microsoft products, then you'll see recommendations for those products. We show you the full set of possible improvements for a product, regardless of license edition, subscription, or plan. This way, you can understand security best practices and improve your score.
How improvement actions are scored
Each improvement action is worth 10 points or less, and most are scored in a binary fashion. If you implement the improvement action, like create a new policy or turn on a specific setting, you get 100% of the points. For other improvement actions, points are given as a percentage of the total configuration.
Products included in Secure Score
Currently there are recommendations for the following products:
- Microsoft 365 (including Exchange Online)
- Azure Active Directory
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Defender for Cloud Apps
- Microsoft Teams
Secure Score Categories
Each action is categorized as one of the following three categories:
- Apps
- Identity
- Device
Each Category is scored separately and contributes to the overall available secure score. LCI will show categories that are applicable to the company you are looking at based on products utilized.
Using The Microsoft Secure Score Dashboard in LCI
The dashboard has three main components:
- The Scoring Charts
- User Tools
- The Action Items Table
The Scoring Charts show the overall score as well as scoring by category.
The current overall score is shown in the graph as percentage of the total score. Hovering your cursor above the blue or grey porting of the graph will show total points opportunity or total points currently achieved.
The points by category chart shows the total points opportunity vs. total points currently achieved for each category available.
The User Tools section allows you to search through the Search the Action Items Table. Use the search bar to perform search actions in the table.
You can also modify columns within the Action Items Table
The Action Items Table shows each recommendation listed for licensed products registered with Microsoft.
The Category column shows which category the item will score against. The Score column show the current score for the item. Max Score show the highest attainable score you can achieve for the item. Score Impact shows the percentage of the total score's value that this item will impact for the category and overall scoring.
The table can be sorted on any field by clicking the sort arrows next to each column heading.
Note: Microsoft shows you the full set of possible improvements for a product, regardless of license edition, subscription, or plan.
MS Secure Score company reports can be exported to a PDF or MS Word file format. Click the create document icon located at the top-right of the secure score window, then select your export options.
We have also added a new component in Report Builder that allows you to bring in your Microsoft Secure Score data.
How to Enable the Microsoft Secure Score within LCI
Requirements:
If you have NOT previously set up an App Registration for LCI in Azure (either thru Delegated or Direct Access method, please follow the instructions as outlined in one of the following help articles:
- Delegated Set Up: Microsoft 365 Delegated Admin Setup
- Direct Set Up: Microsoft 365 Direct Configuration Setup
If you have previously set up an App Registration for LCI in Azure, you will need to adjust the App Registration by adding the necessary permissions that will allow LCI to pull Secure Score data. To add the necessary permissions, please follow the instructions.
1. Log into Azure
2. Go to Azure Active Directory
3. In the left pane, select App registrations
4. Click on the name of the App registration already configured for LCI
5. In the left pane, under Manage, click on API Permissions
6. Click + Add a permission
7. Click the Microsoft Graph Tile
8. Click Application Permissions (THIS IS IMPORTANT - DO NOT SELECT DELEGATED PERMISSIONS)
9. Search for SecurityEvents
10. Check SecurityEvents.Read.All
11. Click Add Permissions
12. Click Grant admin consent to <><></></>
If you utilize Delegated access to MS for your LCI customers, you are done. There is no further work to do. If you utilize Direct access to MS for your LCI customers, you will need to take this action for all MS tenants that you set up an App for.