Identity Secure Score is an analytical tool within Azure AD that measures your organization’s identity security posture. It functions as an indicator of how aligned you are with Microsoft’s recommendations for security and compares it against a baseline score.
The score ranges from 1% to 100% and is being updated regularly, allowing organizations to track their progress over time and make adjustments as needed. The higher the score stronger the Identity Posture.
Each recommended action in the Identity Secure Score is tailored to your organization’s configuration. The more improvements you make, the more your identity security posture improves.
Identity Secure Score is available in all editions of Azure AD. You can check your score from the Azure portal > Azure Active Directory > Security > Identity Secure Score.
Identity Secure Score helps organizations easily measure and secure their security posture. With this, organizations can:
On the dashboard of Identity Security Score, you can find:
- Your organization’s current Identity Score.
- A graph that shows the comparison of your score to other organizations in the same industry of similar size.
- A score history graph showing how your Identity Secure Score has changed over time.
- And a list of possible improvement actions.
All these above data provide a clear and measurable security posture for your organization. You can track your progress, identify security gaps, and make improvements before any security attack happens.
The Secure Score dashboard gives you access to visualization tools and other ways to proactively monitor and identify areas of risk where security controls are not being used effectively or where additional controls may be needed.
By identifying these areas, you can take the required steps to improve your security posture.
Also, the dashboard provides recommended actions tailored to your organization’s needs to ensure that your organization is truly secure.
Constantly monitoring your score and making progress helps you to easily compare it against industry benchmarks like HIPPA, NIST, etc.
You are already provided with recommendations. You can address them, plan, and set goals to complete throughout your organization to raise the standard of security.
Only a single person or department within the organization cannot maintain security. It’s the responsibility of every person in the organization and Identity Secure Score can be the best way to encourage everyone to adopt secure behaviors.
Although Identity Secure Score dashboard provides recommendations tailored to your organization to improve your secure score and security posture.
It’s important to understand how you should prioritize those recommendations.
To help you with this, we are mentioning the top five configurations from our experience with Azure security and customers we have worked for. One can configure these to improve the organization’s Identity security and Secure Score. These are:
Global Administrators essentially have unrestricted access, and it is in your best interest to keep the attack surface low. As a best practice, it is recommended that you assign the Global Administrator role to the right number of people in your organization.
Neither restrict it to a single person nor assign more than five Global Administrators as a general rule of thumb.
If there is only one global tenant administrator, he or she can perform malicious activity without the possibility of being discovered by another admin. If there are numerous global tenant administrators, the more likely it is that one of their accounts will be successfully breached by an external attacker.
When planning your access control strategy, it's a best practice to manage to least privilege and avoid assigning broader roles at broader scopes even if it initially seems more convenient to do so.
Least privilege means you grant your administrators exactly the permission they need to do their job. There are three aspects to consider when you assign a role to your administrators:
- Specific set of permissionsBy limiting roles and scopes, you limit what resources are at risk if the security principal is ever compromised.
While passwords protect digital assets, they are simply not enough. Threat actors actively find passwords. By discovering one password, they can potentially gain access to multiple accounts for which you might have reused the password.
Setting up multi-factor authentication for administrative roles acts as an additional layer of security to prevent unauthorized users from accessing these accounts. It works by requesting multiple forms of ID from the user at the time of account registration. The system stores this ID and user information to verify the user for the next login. The login is a multi-step process that verifies the other ID information along with the password.
Multi-factor authentication minimizes risks due to human error, misplaced passwords, and lost devices. MS Best Practice guide for MFA setup.
Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator of a sign-in attempt that might not have been performed by the legitimate owner of a user account.
Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication.
When the policy triggers, the user will need MFA to access the account. In the case of a user who hasn't registered MFA on their account, they would be blocked from accessing their account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the Sign-in Risk policy.
There can be two ways for controls scored. One involves binary fashion - you get 100% of the score if you have the feature or setting configured based on our recommendation.
The second involves the calculation as a percentage of the total configuration - if the improvement recommendation states there's a maximum of 10.71% increase if you protect all your users with MFA and you have 5 of 100 total users protected, you're given a partial score around 0.53% (5 protected / 100 total * 10.71% maximum = 0.53% partial score).
There will be some actions labeled as [Not Scored] that you can still perform to improve your security but won’t gain any score.
The score is calculated once per day (around 1:00 AM PST).
If you make any changes, the score will automatically update the next day. It may take up to 48 hours for a change to be reflected in your score. Also, don’t be alarmed if your score fluctuates sometimes, our years of experience tells us that this happens very rarely when buggy code gets to production and Microsoft has to fix it – during this time we see scores fluctuating even though nothing changed in your tenant.
In the fast-paced world of cyber safety, achieving a flawless Identity Secure Score of 100 is a testament to our unwavering commitment to safeguarding digital identities.
It's not just about numbers; it's about our team pulling together, putting up a solid defense, and staying on top of all the tricks the bad actors try to pull.
This Cyber Security Month Awareness, we are introducing an exciting opportunity for organizations to benefit from our expertise with a Free Microsoft 365 Security Assessment. This assessment comes at zero cost and aims to evaluate and enhance the security posture of your Microsoft 365 environment.
Stay Ahead of Threats with Microsoft Copilot for Security - What You Need to Know
Cybersecurity threats are constantly evolving, keeping IT professionals on their toes. But what if you had a powerful AI assistant by your side, proactively hunting threats and simplifying security operations? Enter Microsoft Copilot for Security, a game-changer in the cybersecurity landscape.
9 Essential Insights from the Microsoft Digital Defense Report 2023
The article outlines 9 key insights from the 2023 Microsoft Digital Defense Report, including topics such as basic security practices, ransomware trends, password attacks, BEC incidents, nation-state targeting, IoT/OT vulnerabilities, AI-powered cyberattacks, and supply chain risks.
How to choose the best Antivirus Software for your business
Are you a business owner or security decision-maker looking for the best antivirus solution to protect your data? Read on. This blog will guide you on what aspects you must look at to choose the best Antivirus for your business.
