A few days ago, I was reviewing some Office 365 Admin Center functionality with a team of IT admins and casually walked them through the Security Center. They had been using Office 365 for years, but they had never heard of Secure Score and had never once opened the Security Center itself! The reality is that many organizations have both an on-prem and a cloud presence, but for many the cloud is an afterthought. Regardless of how much or how little you manage in the cloud, I highly recommend that every administrator take a little time to review their Microsoft Secure Score and alerts.
If you’re a hands-on learner, head on over to https://Security.Microsoft.com. Use an Incognito/private window if you manage multiple accounts or use a dedicated global admin account, so that the portal does not silently reuse a cached session for the wrong account. Microsoft has recently rebranded the whole Security Center as “Microsoft 365 Defender,” and this is *mostly* separate from Microsoft Defender Antivirus on the endpoint; we’ll cover the Defender client later.
Regardless of the name changes, the general functionality of the Security Center hasn’t changed much over the last few years. The main homepage allows you to add Cards that can show you various alerts at a glance, which include your current Secure Score, Defender Alerts, Users/Devices at Risk, and the Microsoft Defender Twitter feed.
Email & Collaboration Alerts will show you any recent security alerts related to collaboration within the O365 platform. If your alert policies are disabled or not configured, this section may be completely empty; an empty card means nothing is being alerted on, not that nothing happened.
Secure Score will show you a “representation of your organization’s security posture and give you the opportunity to improve it.” Each improvement action is worth a number of points; your percentage is simply your current points divided by the maximum points available to your tenant. Since some actions are scored per user or per device, and others only apply to services you license, the maximum number of points varies between organizations. At the top of the page, you can select Improvement Actions to see a list of recommendations from Microsoft. Clicking an individual improvement action brings up a general description with easy-to-follow implementation guidelines and requirements.
Trials is a list of available demos for various compliance and security products for Office 365.
Reports will allow you to gather a lot of useful information regarding your Office 365 tenant. Note that some reporting may not be available depending on your licensing.
Audit will allow you to search through logs relating to the Office 365 platform. You can check who deleted or edited specific files in OneDrive, or which IT administrator reset a user’s password. Please note that auditing must be enabled for the logs to exist, and records are only retained for a limited period that depends on your licensing, so do not expect to reconstruct an old incident unless you have planned for it!
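As an added example (not code from the original post), the same two questions asked above, “who deleted that file?” and “who reset that password?”, from Exchange Online PowerShell. It first confirms that unified audit log ingestion is actually switched on, then turns the raw records from `Search-UnifiedAuditLog` (whose interesting fields are hidden inside a JSON string) into a readable who/what/when table. The live part assumes the ExchangeOnlineManagement module and an existing `Connect-ExchangeOnline` session; the two sample records at the bottom are constructed, with a made-up tenant, users and IPs, so the parser can be tried offline.

```powershell
# Added example, not from the original post. Requires ExchangeOnlineManagement and
# Connect-ExchangeOnline for the live functions; the sample at the bottom runs offline.

function ConvertFrom-UnifiedAuditRecord {
    # Each Search-UnifiedAuditLog record carries its detail in AuditData as a JSON string.
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $d = $Record.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When      = [datetime]$d.CreationTime
            Actor     = $d.UserId        # who did it
            Operation = $d.Operation
            Workload  = $d.Workload      # AzureActiveDirectory, OneDrive, SharePoint, Exchange ...
            Target    = $d.ObjectId      # target user for AAD events, file URL for file events
            ClientIP  = $d.ClientIP
        }
    }
}

function Get-RecentAuditEvents {
    # Live query: admin password resets and file deletions over the last N days.
    param([int]$Days = 7)
    $cfg = Get-AdminAuditLogConfig
    if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
        Write-Warning 'Unified audit log ingestion is OFF. Enable it with: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true'
        return
    }
    $end   = Get-Date
    $start = $end.AddDays(-$Days)
    Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
        -Operations 'Reset user password.', 'FileDeleted' |
        ConvertFrom-UnifiedAuditRecord
}

# --- Constructed sample records (made-up tenant, users and IPs) for offline use ---
$sampleRecords = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2021-03-01T14:02:11","Operation":"Reset user password.","Workload":"AzureActiveDirectory","UserId":"admin@contoso.example","ObjectId":"jane@contoso.example","ClientIP":"203.0.113.10"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2021-03-02T09:15:40","Operation":"FileDeleted","Workload":"OneDrive","UserId":"bob@contoso.example","ObjectId":"https://contoso-my.sharepoint.com/personal/bob_contoso_example/Documents/Budget.xlsx","ClientIP":"198.51.100.7"}' }
)
$sampleRecords | ConvertFrom-UnifiedAuditRecord | Format-Table -AutoSize
```

`Search-UnifiedAuditLog` needs a role that grants View-Only Audit Logs and returns at most 5,000 records per call, so narrow the date window or operations list for busy tenants. Run `Get-RecentAuditEvents -Days 30` against a live session to see real results.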
Health will just give you options to return to the Office 365 Message Center and Microsoft Service Health.
Permissions & Roles will help you identify users within your organization who hold administrative roles in Office 365. For best security, the recommendation is to follow the principle of “Least Privilege.”
Settings contains just a few minor options. I have a feeling it will be fleshed out more in the future, but it currently just has some redirection settings for the new 365 Defender webpage and Time Zone settings.
Under the Email & Collaboration section in the navigation panel, you will find even more useful tools:
Submissions will allow you to submit files, emails, or URLs to Microsoft for further analysis. If you use the Message Trace tool in the Exchange Admin Center to report mis-categorized email, they will show up in this list. You can submit items as false positives or false negatives, and supply Microsoft with the proper categorization.
Review will show you options for Quarantined Messages (incoming and outgoing) and Restricted Users. Quarantined Messages can be released to their original destination if you determine they are clean. Restricted Users are users within your organization who have been blocked from sending mail. In my experience this occurs if the account shows abnormal behavior, such as sending out bulk spam after a user’s credentials were phished and the account was compromised. You can remove restrictions from users here once you have them under control.
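“Once you have them under control” is the important part: a restricted user is usually a compromised mailbox, and attackers routinely leave behind inbox rules that forward mail out or hide replies. As an added example (not code from the original post), here is a PowerShell triage that lists each blocked sender with any such rules, and a clean-up that cuts the attacker off before the block is lifted. Live calls assume the ExchangeOnlineManagement module (`Connect-ExchangeOnline`) and, for session revocation, Microsoft.Graph.Users.Actions (`Connect-MgGraph -Scopes User.ReadWrite.All`); the folder names treated as hiding places are an assumption, and the sample rules at the bottom are constructed.

```powershell
# Added example, not from the original post. Live functions need Connect-ExchangeOnline
# and Connect-MgGraph; the sample rules at the bottom run offline.

function Test-SuspiciousInboxRule {
    # $true if a rule sends mail somewhere else or makes messages disappear.
    # Works on Get-InboxRule output or anything with the same property names.
    param([Parameter(Mandatory)] $Rule)
    $targets = @((@($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo)) |
                 Where-Object { $_ })
    # Assumption: these folders are where attackers park mail they do not want the user to see.
    $hides = [bool]$Rule.DeleteMessage -or
             ($Rule.MoveToFolder -and "$($Rule.MoveToFolder)" -match 'RSS|Archive|Junk|Conversation History')
    return [bool]($targets.Count -gt 0 -or $hides)
}

function Get-RestrictedUserReport {
    # Live: every blocked sender, why they were blocked, and suspicious rules in their mailbox.
    foreach ($b in Get-BlockedSenderAddress) {
        $rules = @(Get-InboxRule -Mailbox $b.SenderAddress)
        [pscustomobject]@{
            User            = $b.SenderAddress
            Reason          = $b.Reason
            SuspiciousRules = @($rules | Where-Object { Test-SuspiciousInboxRule $_ } | ForEach-Object Name)
        }
    }
}

function Restore-RestrictedUser {
    # Live: order matters. Kill sessions (and reset the password out of band),
    # remove the attacker's rules, and only then lift the send restriction.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    Get-InboxRule -Mailbox $UserPrincipalName |
        Where-Object { Test-SuspiciousInboxRule $_ } |
        ForEach-Object { Remove-InboxRule -Mailbox $UserPrincipalName -Identity $_.Identity -Confirm:$false }
    Remove-BlockedSenderAddress -SenderAddress $UserPrincipalName
}

# --- Constructed sample rules (not from a real mailbox) to exercise the check offline ---
$sampleRules = @(
    [pscustomobject]@{ Name = 'Move newsletters'; ForwardTo = $null; ForwardAsAttachmentTo = $null
                       RedirectTo = $null; DeleteMessage = $false; MoveToFolder = 'bob@contoso.example:\Newsletters' }
    [pscustomobject]@{ Name = '.'; ForwardTo = 'attacker@mail.example'; ForwardAsAttachmentTo = $null
                       RedirectTo = $null; DeleteMessage = $true; MoveToFolder = $null }   # one-character rule names are a common attacker habit
)
$sampleRules | Where-Object { Test-SuspiciousInboxRule $_ } | Select-Object Name, ForwardTo, DeleteMessage
```

Review the report before calling `Restore-RestrictedUser`; legitimate forwarding rules do exist, so the check is a starting point for a human decision, not an automatic verdict.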
Exchange Message Trace will simply take you back to the Exchange Admin Center and directly into the Message Trace tool. This is where you can query Exchange Online and locate specific emails within your organization.
Policies and Rules will allow you to dive into a myriad of email and collaboration policies which can be applied across your organization. If you are already using a third-party mail filter, such as Proofpoint, I recommend a cautious approach to changing email policy on the 365 side: mail arriving through the filter’s connector has already been scanned, and Exchange Online Protection will see the filter’s IP addresses rather than the original sender’s unless you configure it for that. Many policies are just common sense, though. For example, many alerts are not enabled by default, so I highly recommend at least enabling alerts for your admins! Microsoft even provides preset security policies (Standard and Strict) which will apply a baseline template to as many users as you like. As always, use a test group before making changes to your entire organization.
I hope that this post helps remind people about the Security Center; if you find you’ve been neglecting this aspect of Office 365, make it a priority to learn more and investigate the features that can keep your organization safe.
I have only worked with one cyber insurance company that asked specifically about a client’s Microsoft Secure Score and had a requirement that the client reach 75% on a deadline, but even if the score never catches on, it’s a great way to know where you stand and visualize a trend over time.
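As an added example (not code from the original post), here is how to reproduce the percentage described under Secure Score above, watch it move over time, and rank improvement actions by the points still available, which is what the trend and the 75% deadline discussion boil down to. It assumes the Microsoft.Graph.Security module with `Connect-MgGraph -Scopes SecurityEvents.Read.All` for the live pull; the per-control maximum is not in the daily score record, so it joins each control to its profile entry. The 75% target is the insurance threshold mentioned above, not a Microsoft default, and the sample numbers and control names at the bottom are constructed.

```powershell
# Added example, not from the original post. Live function needs Microsoft.Graph.Security
# and Connect-MgGraph; the sample at the bottom runs offline.

function Get-ScorePercent {
    # The number the portal shows: current points over the tenant's maximum, one decimal.
    param([Parameter(Mandatory)] $Score)   # one secureScore record (CurrentScore, MaxScore)
    if (-not $Score.MaxScore) { return 0 }
    return [math]::Round(100 * $Score.CurrentScore / $Score.MaxScore, 1)
}

function Get-SecureScoreSummary {
    param(
        [Parameter(Mandatory)] $Scores,     # daily secureScore records: CreatedDateTime, CurrentScore, MaxScore, ControlScores
        [Parameter(Mandatory)] $Profiles,   # secureScoreControlProfile records: Id, Title, MaxScore
        [double]$TargetPercent = 75         # assumption: the insurer's threshold from the text
    )
    $ordered = @($Scores | Sort-Object CreatedDateTime)
    $latest  = $ordered[-1]
    $first   = $ordered[0]

    # Join each scored control to its profile (same key: ControlName == profile Id)
    # to see how many points it can still earn.
    $maxByControl = @{}
    foreach ($p in $Profiles) { $maxByControl[$p.Id] = [double]$p.MaxScore }
    $gaps = foreach ($c in $latest.ControlScores) {
        if ($maxByControl.ContainsKey($c.ControlName)) {
            [pscustomobject]@{
                Control   = $c.ControlName
                Earned    = [double]$c.Score
                Available = $maxByControl[$c.ControlName] - [double]$c.Score
            }
        }
    }

    $pct = Get-ScorePercent $latest
    [pscustomobject]@{
        AsOf          = $latest.CreatedDateTime
        Percent       = $pct
        PercentChange = $pct - (Get-ScorePercent $first)   # movement over the supplied window
        BelowTarget   = $pct -lt $TargetPercent
        TopGaps       = @($gaps | Where-Object Available -gt 0 | Sort-Object Available -Descending | Select-Object -First 5)
    }
}

function Get-LiveSecureScoreSummary {
    # Pull the last 30 daily records and the current control catalogue from Graph.
    $scores   = Get-MgSecuritySecureScore -Top 30
    $profiles = Get-MgSecuritySecureScoreControlProfile -All
    Get-SecureScoreSummary -Scores $scores -Profiles $profiles
}

# --- Constructed sample (made-up numbers; control names are illustrative) ---
$sampleProfiles = @(
    [pscustomobject]@{ Id = 'AdminMFAV2';        Title = 'Require MFA for administrative roles'; MaxScore = 10 }
    [pscustomobject]@{ Id = 'MFARegistrationV2'; Title = 'Ensure all users can complete MFA';    MaxScore = 9 }
    [pscustomobject]@{ Id = 'OneAdmin';          Title = 'Designate more than one global admin'; MaxScore = 1 }
)
$sampleScores = @(
    [pscustomobject]@{ CreatedDateTime = [datetime]'2021-03-01'; CurrentScore = 38; MaxScore = 100
                       ControlScores = @([pscustomobject]@{ ControlName = 'AdminMFAV2'; Score = 0 },
                                         [pscustomobject]@{ ControlName = 'MFARegistrationV2'; Score = 3 },
                                         [pscustomobject]@{ ControlName = 'OneAdmin'; Score = 1 }) }
    [pscustomobject]@{ CreatedDateTime = [datetime]'2021-03-08'; CurrentScore = 48; MaxScore = 100
                       ControlScores = @([pscustomobject]@{ ControlName = 'AdminMFAV2'; Score = 10 },
                                         [pscustomobject]@{ ControlName = 'MFARegistrationV2'; Score = 3 },
                                         [pscustomobject]@{ ControlName = 'OneAdmin'; Score = 1 }) }
)
$summary = Get-SecureScoreSummary -Scores $sampleScores -Profiles $sampleProfiles
$summary | Format-List
$summary.TopGaps | Format-Table -AutoSize
```

Because the maximum changes when you add licenses, users or devices, a falling percentage does not always mean something was turned off; keep the raw `CurrentScore` and `MaxScore` in your trend as well as the percentage.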
Finally, if you ignore all other advice, please:
- Limit your number of global admins and follow principle of least privilege.
- Enable Modern Authentication and MFA, especially for admins, and remember that MFA cannot protect sign-ins that still use legacy (basic) authentication, so block that as well.
- Educate your users!
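As an added example (not code from the original post), a PowerShell check of the first two closing recommendations: how many global admins there are, which of them have no second factor registered, and whether modern authentication is switched on. The live part assumes `Connect-ExchangeOnline` for the organization setting and `Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','UserAuthenticationMethod.Read.All'` with the Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Identity.SignIns modules for the role and authentication-method queries. The threshold of four global admins is an assumption taken from Microsoft’s “fewer than five” guidance, and the admin accounts at the bottom are constructed.

```powershell
# Added example, not from the original post. Live function needs Connect-ExchangeOnline
# and Connect-MgGraph; the sample at the bottom runs offline.

# Methods that count as a second factor. Password and e-mail (SSPR only) do not.
$script:StrongMethodTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

function Test-MfaRegistered {
    # $MethodTypes: the @odata.type strings of a user's registered authentication methods.
    param([string[]]$MethodTypes)
    foreach ($t in $MethodTypes) { if ($script:StrongMethodTypes -contains $t) { return $true } }
    return $false
}

function Get-AdminHygieneReport {
    # $Admins: objects with UserPrincipalName and MethodTypes.
    # $ModernAuthEnabled: OAuth2ClientProfileEnabled from Get-OrganizationConfig.
    param(
        [Parameter(Mandatory)] $Admins,
        [Parameter(Mandatory)] [bool]$ModernAuthEnabled,
        [int]$MaxGlobalAdmins = 4          # assumption: "fewer than five" guidance
    )
    $noMfa = @($Admins | Where-Object { -not (Test-MfaRegistered $_.MethodTypes) })
    [pscustomobject]@{
        GlobalAdminCount  = @($Admins).Count
        TooManyAdmins     = @($Admins).Count -gt $MaxGlobalAdmins
        AdminsWithoutMfa  = @($noMfa | ForEach-Object UserPrincipalName)
        ModernAuthEnabled = $ModernAuthEnabled
    }
}

function Get-LiveAdminHygieneReport {
    # Gathers the real data from the tenant and feeds it to Get-AdminHygieneReport.
    $role = Get-MgDirectoryRole | Where-Object DisplayName -eq 'Global Administrator'
    $admins = foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        $upn = $m.AdditionalProperties['userPrincipalName']
        if (-not $upn) { continue }     # skip service principals and groups in the role
        $types = Get-MgUserAuthenticationMethod -UserId $m.Id |
                 ForEach-Object { $_.AdditionalProperties['@odata.type'] }
        [pscustomobject]@{ UserPrincipalName = $upn; MethodTypes = @($types) }
    }
    $modern = [bool](Get-OrganizationConfig).OAuth2ClientProfileEnabled
    Get-AdminHygieneReport -Admins @($admins) -ModernAuthEnabled $modern
}

# --- Constructed sample (made-up accounts) to exercise the report logic offline ---
$sampleAdmins = @(
    [pscustomobject]@{ UserPrincipalName = 'ga1@contoso.example'
                       MethodTypes = @('#microsoft.graph.passwordAuthenticationMethod', '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod') }
    [pscustomobject]@{ UserPrincipalName = 'ga2@contoso.example'
                       MethodTypes = @('#microsoft.graph.passwordAuthenticationMethod') }
    [pscustomobject]@{ UserPrincipalName = 'ga3@contoso.example'
                       MethodTypes = @('#microsoft.graph.passwordAuthenticationMethod', '#microsoft.graph.emailAuthenticationMethod') }
)
Get-AdminHygieneReport -Admins $sampleAdmins -ModernAuthEnabled $true
```

Two caveats for the live version: `Get-MgDirectoryRoleMember` only lists active assignments, so admins who are merely eligible through Privileged Identity Management will not appear, and a registered second factor is not the same as an enforced one; pair this check with a Conditional Access policy that actually requires MFA for administrators.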