How to Improve Microsoft Secure Score

Some improvement actions give points only when fully completed, while others give partial points if they’ve been completed for some devices or users. Here we’ll provide 10 tips on how to improve your Microsoft Secure Score, along with the impact on your score should you complete them.

Multifactor Authentication (MFA)

Score impact = +3.9% | Achievable points = 9

Multifactor authentication adds an additional layer of security to protect devices and data accessible to users. If one factor, such as a password, gets compromised, the Microsoft Authenticator app provides another layer of protection to prevent unauthorized access. While mobile numbers can also be used for MFA, authenticator apps are more secure, as phone numbers can be spoofed.

Disable Legacy Authentication

Score impact = +3.46% | Achievable points = 8

Most account-compromise attempts today target legacy authentication, because older clients do not support modern authentication and instead use legacy protocols like IMAP or POP3. Legacy authentication does not support multifactor authentication and, as such, should be disabled.
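Before disabling legacy authentication, the check a practitioner wants is which users or service accounts still sign in with it. The Python below is an added example, not code from the original article: it classifies constructed Entra ID (Azure AD) sign-in log records by their clientAppUsed field and builds the Conditional Access policy body that blocks legacy clients. The clientAppUsed values, the Graph conditionalAccessPolicy schema and the sample records are assumptions from Microsoft's documentation, not data from this page.

```python
import json
from collections import Counter

# clientAppUsed values that indicate modern authentication; every other
# value (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, ...) is a
# legacy protocol. Assumption based on the documented sign-in log values.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample sign-in records (not real tenant data), trimmed to
# the fields of the Microsoft Graph signIn resource that are used here.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}},
    {"userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}},
]

def is_legacy(signin):
    """True when the sign-in used a protocol that cannot do MFA."""
    return signin.get("clientAppUsed") not in MODERN_CLIENT_APPS

def legacy_auth_report(signins):
    """Count successful legacy-auth sign-ins per (user, protocol).
    Only successes (errorCode 0) matter for impact: those accounts lose
    access once legacy authentication is blocked, so fix them first."""
    report = Counter()
    for s in signins:
        if is_legacy(s) and s.get("status", {}).get("errorCode") == 0:
            report[(s["userPrincipalName"], s["clientAppUsed"])] += 1
    return dict(report)

def block_legacy_auth_policy(exclude_group_ids=()):
    """Conditional Access policy body (Graph conditionalAccessPolicy shape)
    that blocks the two legacy client app types. It starts in report-only
    state so the effect can be observed in the sign-in logs before enforcing."""
    return {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

if __name__ == "__main__":
    for (user, app), n in sorted(legacy_auth_report(SAMPLE_SIGNINS).items()):
        print(f"{user:<24} {app:<20} {n} successful legacy sign-in(s)")
    print(json.dumps(block_legacy_auth_policy(), indent=2))
```

In a real tenant the records come from the Graph auditLogs/signIns endpoint; the group id passed to exclude_group_ids is a placeholder for an emergency-access or migration group.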

Avoid Expiring Passwords

Score impact = +3.46% | Achievable points = 8

Research shows that when periodic password resets are enforced, users tend to choose weaker passwords, so overall password strength declines. Microsoft’s official security position is that passwords should not expire periodically without a specific reason.

Enable Self-Service Password Reset

Score impact = +0.43% | Achievable points = 1

If self-service password reset is enabled in Azure Active Directory, users don’t need to engage help desks to reset their passwords. This helps the IT team lower their ticket volume and focus on other security measures, while supporting user productivity.

Use Least Privilege Model

Score impact = +0.43% | Achievable points = 1

Assign users the least amount of privilege required to complete their work, so that if an account is breached, there is a lower likelihood that a global administrator or other privileged account is affected. With Privileged Identity Management, users can activate needed roles temporarily and then fall back to their normal level of privilege.

Create Safe Links Policies

Score impact = +3.9% | Achievable points = 9

A Safe Links policy uses data from Microsoft Defender to determine whether an email link is safe or malicious. Specific URLs can also be blocked in advance.

Turn on Safe Attachments

Score impact = +3.46% | Achievable points = 8

Safe Attachments prevents messages with detected malware attachments from being delivered. These messages get quarantined and only admins are able to review, release, or delete them. Suspicious attachment types can be specified, and messages can be set up for dynamic delivery, so the body of the email is delivered while the attachment gets scanned.

Enable Impersonated User Protection

Score impact = +3.46% | Achievable points = 8

You can prevent specified internal or external email addresses from being impersonated in phishing attempts. It is highly recommended to add protection for key roles, such as members of the C-suite or board of directors.

Enable Impersonated Domain Protection

Score impact = +3.46% | Achievable points = 8

You can prevent specified domains from being impersonated by the message sender’s domain. When a domain is added to the ‘Enable Domains to Protect’ list, messages that come from those domains are subject to impersonation protection checks.

Protect Users with Sign-In Risk Policy

Score impact = +3.03% | Achievable points = 7

Turning on the sign-in risk policy for all users ensures that suspicious sign-ins, such as a major change in location, are challenged for multifactor authentication (MFA) to decrease the likelihood of unauthorized access.

Ref: How to Improve Your Microsoft Secure Score for Better Cloud Security – Klarinet Solutions®, LLC