25.10.2023

Top 5 Configurations to Improve Identity Secure Score

In this blog, we will discuss the overview of Identity Secure Score in Azure AD and the top 5 configurations that will improve your Secure Score. These recommendations come from working in the Azure AD security space for multiple years across different industry verticals.

Overview

Recognizing the challenges of maintaining hybrid identities for organizations and the rapid growth of cyberattacks, Microsoft developed a benchmarking system – Identity Secure Score, to help organizations reduce their identity risk of attacks in the Microsoft cloud.

The adoption of Cloud technologies and the increase in remote work in recent years have enabled organizations to structure themselves more flexibly and productively. These helped organizations’ endpoint fleets to become much more diverse, as employees can work from laptops, tablets, and smartphones remotely and businesses embrace the use of BYOD devices in the office.

However, remote and hybrid work makes it more difficult for IT teams to keep track of who is accessing what data, from where, and on which device. This leads to a door wide open to attackers for identity theft and access to your data.

To address this concern, Microsoft introduced a cloud-based identity management tool – Identity Secure Score within Azure AD to safeguard identities and regulate access to resources, which can help your organization measure and improve its security posture.

What is Identity Secure Score?

Overview of Identity Secure Score in Azure AD

Identity Secure Score is an analytical tool within Azure AD that measures your organization’s identity security posture. It functions as an indicator of how aligned you are with Microsoft’s recommendations for security and compares it against a baseline score.

The score ranges from 1% to 100% and is being updated regularly, allowing organizations to track their progress over time and make adjustments as needed. The higher the score stronger the Identity Posture.

Each recommended action in the Identity Secure Score is tailored to your organization’s configuration. The more improvements you make, the more your identity security posture improves.

Identity Secure Score is available in all editions of Azure AD. You can check your score from the Azure portal > Azure Active Directory > Security > Identity Secure Score.


How can organizations benefit from Identity Secure Score?

Identity Secure Score helps organizations easily measure and secure their security posture. With this, organizations can:

How can organizations benefit from Identity Secure Score

  • Objectively Measure Identity Security Posture

    • On the dashboard of Identity Security Score, you can find:

    - Your organization’s current Identity Score.
    - A graph that shows the comparison of your score to other organizations in the same industry of similar size.
    - A score history graph showing how your Identity Secure Score has changed over time.
    - And a list of possible improvement actions.

    All these above data provide a clear and measurable security posture for your organization. You can track your progress, identify security gaps, and make improvements before any security attack happens.


  • Proactively Monitor, Identify Risks, and Take Actions to Improve Security

    • The Secure Score dashboard gives you access to visualization tools and other ways to proactively monitor and identify areas of risk where security controls are not being used effectively or where additional controls may be needed.

    By identifying these areas, you can take the required steps to improve your security posture.

    Also, the dashboard provides recommended actions tailored to your organization’s needs to ensure that your organization is truly secure.


  • Maintain Security Compliance

    • Constantly monitoring your score and making progress helps you to easily compare it against industry benchmarks like HIPPA, NIST, etc.


  • Set Security Goals for your Organization

    • You are already provided with recommendations. You can address them, plan, and set goals to complete throughout your organization to raise the standard of security.


  • Encourage Security Culture

    • Only a single person or department within the organization cannot maintain security. It’s the responsibility of every person in the organization and Identity Secure Score can be the best way to encourage everyone to adopt secure behaviors.


The Top 5 Configurations to Improve Your Organization’s Identity Secure Score

Although Identity Secure Score dashboard provides recommendations tailored to your organization to improve your secure score and security posture.

It’s important to understand how you should prioritize those recommendations.

To help you with this, we are mentioning the top five configurations from our experience with Azure security and customers we have worked for. One can configure these to improve the organization’s Identity security and Secure Score. These are:

  1. Designate the right number no. of global admins.
  2. Use least privileged administrative roles.
  3. Require multifactor authentication for administrative roles.
  4. Do not allow users to grant consent to unreliable applications.
  5. Implement Sign-in user risk policy.

 

1. Designate the right number no. of global admins

Designate the right number no. of global admins

Global Administrators essentially have unrestricted access, and it is in your best interest to keep the attack surface low. As a best practice, it is recommended that you assign the Global Administrator role to the right number of people in your organization.

Neither restrict it to a single person nor assign more than five Global Administrators as a general rule of thumb.

If there is only one global tenant administrator, he or she can perform malicious activity without the possibility of being discovered by another admin. If there are numerous global tenant administrators, the more likely it is that one of their accounts will be successfully breached by an external attacker.


2. Use least privileged administrative roles

Use least privileged administrative roles

When planning your access control strategy, it's a best practice to manage to least privilege and avoid assigning broader roles at broader scopes even if it initially seems more convenient to do so.

Least privilege means you grant your administrators exactly the permission they need to do their job. There are three aspects to consider when you assign a role to your administrators:

- Specific set of permissions
- Over a specific scope
- For a specific period

By limiting roles and scopes, you limit what resources are at risk if the security principal is ever compromised.


3. Require multifactor authentication for administrative roles

Require multifactor authentication for administrative roles

While passwords protect digital assets, they are simply not enough. Threat actors actively find passwords. By discovering one password, they can potentially gain access to multiple accounts for which you might have reused the password.

Setting up multi-factor authentication for administrative roles acts as an additional layer of security to prevent unauthorized users from accessing these accounts. It works by requesting multiple forms of ID from the user at the time of account registration. The system stores this ID and user information to verify the user for the next login. The login is a multi-step process that verifies the other ID information along with the password.

Multi-factor authentication minimizes risks due to human error, misplaced passwords, and lost devices. MS Best Practice guide for MFA setup.


4. Do not allow users to grant consent to unreliable applications

Do not allow users to grant consent to unreliable applications
By default, users can consent to applications accessing your organization's data, although only for some permissions. For example, by default, a user can consent to allow an app to access their mailbox or the Teams conversations for a team the user owns but cannot consent to allow an app with unattended access to read and write to all SharePoint sites in your organization. So, do not allow users to grant consent to apps accessing company data on their behalf. Allowing them to consent by themselves allows users to easily acquire useful applications that integrate with Microsoft 365, Azure, and other services, it can represent a risk if not used and monitored carefully. Manage How Users Consent to Applications within Microsoft 365

5. Implement Sign-in user risk policy

Implement Sign and user risk policy

Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator of a sign-in attempt that might not have been performed by the legitimate owner of a user account.

Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication.

When the policy triggers, the user will need MFA to access the account. In the case of a user who hasn't registered MFA on their account, they would be blocked from accessing their account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the Sign-in Risk policy.


Things to keep in mind (FAQ)

- How are controls scored?
- What does [Not Scored] mean?
- How often is my score updated?
- How does the identity secure score relate to the Microsoft 365 secure score?

- How are controls scored?

There can be two ways for controls scored. One involves binary fashion - you get 100% of the score if you have the feature or setting configured based on our recommendation.

The second involves the calculation as a percentage of the total configuration - if the improvement recommendation states there's a maximum of 10.71% increase if you protect all your users with MFA and you have 5 of 100 total users protected, you're given a partial score around 0.53% (5 protected / 100 total * 10.71% maximum = 0.53% partial score).


- What does [Not Scored] mean?

There will be some actions labeled as [Not Scored] that you can still perform to improve your security but won’t gain any score.


- How often is my score updated?

The score is calculated once per day (around 1:00 AM PST).

If you make any changes, the score will automatically update the next day. It may take up to 48 hours for a change to be reflected in your score. Also, don’t be alarmed if your score fluctuates sometimes, our years of experience tells us that this happens very rarely when buggy code gets to production and Microsoft has to fix it – during this time we see scores fluctuating even though nothing changed in your tenant.


- How does the identity secure score relate to the Microsoft 365 secure score?

The Microsoft secure score contains five distinct control and score categories:
  1. Identity
  2. Data
  3. Devices
  4. Infrastructure
  5. Apps
The identity secure score represents the identity part of the Microsoft secure score. This overlap means that your recommendations for the identity secure score and the identity score in Microsoft are the same.

Penthara's Perfect 100/100 Identity Secure Score

Microsoft Secure Score for Identity of Penthara Technologies's security posture

In the fast-paced world of cyber safety, achieving a flawless Identity Secure Score of 100 is a testament to our unwavering commitment to safeguarding digital identities.

It's not just about numbers; it's about our team pulling together, putting up a solid defense, and staying on top of all the tricks the bad actors try to pull.


Unveiling Our Exclusive Offer: Free Microsoft 365 Security Assessment

This Cyber Security Month Awareness, we are introducing an exciting opportunity for organizations to benefit from our expertise with a Free Microsoft 365 Security Assessment. This assessment comes at zero cost and aims to evaluate and enhance the security posture of your Microsoft 365 environment.

Take your first step towards a more secure future with our Free Microsoft 365 Security Assessment.
Book Your Free Assessment Now
Written By
Priya Gupta
PRiya GUPTA
Digital Marketing Associate
peer reviewed By
Jasjit
JAsjit Chopra
chief executive officer

Leave a Reply

Your email address will not be published. Required fields are marked *

More From This Category

What's new in Microsoft | February 2025 Updates

Monthly updates, news & events from Microsoft to help you & your business grow & get best out the Microsoft services.

Read More
Managing Security Roles in Power Apps: Part 2

This blog explores three methods to manage security roles in PowerApps: using multiple SharePoint lists, SharePoint Groups, and item-level permissions. Each method offers unique advantages for role-based access control, ensuring sensitive data is accessible only to authorized users. Step-by-step guidance is provided for setting up these methods and integrating them within PowerApps to enhance data security and streamline app development.

Read More
Managing Security Roles in Power Apps: Part 1

This blog explores three methods to manage security roles in PowerApps: using multiple SharePoint lists, SharePoint Groups, and item-level permissions. Each method offers unique advantages for role-based access control, ensuring sensitive data is accessible only to authorized users. Step-by-step guidance is provided for setting up these methods and integrating them within PowerApps to enhance data security and streamline app development.

Read More
1 2 3 4
chevron-right