We’re updating Microsoft Secure Score improvement actions to ensure a more accurate representation of security posture. The improvement actions listed below will be added to Microsoft Secure Score. Your score will be updated accordingly.
[When this will happen:]
This will begin rollout in mid-August 2023 and is expected to be complete by late August 2023.
[How this will affect your organization:]
The following new Microsoft Information Protection recommendation will be added as a Microsoft Secure Score improvement action:
- Ensure Microsoft 365 audit log search is enabled
The following new Exchange Online recommendations will be added as Microsoft Secure Score improvement actions:
- Ensure modern authentication for Exchange Online is enabled
- Ensure Exchange Online Spam Policies are set to notify administrators
- Ensure all forms of mail forwarding are blocked and/or disabled
- Ensure MailTips are enabled for end users
- Ensure mailbox auditing for all users is enabled
- Ensure additional storage providers are restricted in Outlook on the web
The following new Azure Active Directory recommendations will be added as Microsoft Secure Score improvement actions:
- Ensure password protection is enabled for on-prem Active Directory
- Ensure ‘LinkedIn account connections’ is disabled
To view these new controls, the Office 365 connector in Microsoft Defender for Cloud Apps must be toggled on via the App connectors settings page.
The following new SharePoint recommendations will be added as Microsoft Secure Score improvement actions:
- Ensure SharePoint external sharing is managed through domain whitelist/blacklists
- Block OneDrive for Business sync from unmanaged devices
To view these new controls, the Office 365 connector in Microsoft Defender for Cloud Apps must be toggled on via the App connectors settings page.
The following new Microsoft Defender for Office 365 recommendations will be added as Microsoft Secure Score improvement actions:
- Ensure Safe Links for Office Applications is enabled
- Ensure Safe Attachments policy is enabled
- Ensure that an anti-phishing policy has been created
We have disabled the Secure Score improvement action for the following Microsoft Defender for Identity recommendation:
- “Stop legacy protocols communication” (for accuracy reasons)
We have updated the names of the Secure Score recommendations for the following CIS Benchmark Microsoft Defender for Office 365 recommendations; here are the new names:
- Ensure Exchange Online Spam Policies are set to notify administrators
- Ensure all forms of mail forwarding are blocked and/or disabled
- Ensure Safe Links for Office Applications is enabled
- Ensure Safe Attachments policy is enabled
- Ensure that an anti-phishing policy has been created
- Ensure the Common Attachment Types Filter is enabled
- Ensure SharePoint Online Information Protection policies are set up and used
We have updated the names of the Secure Score recommendations for the following CIS Benchmark Microsoft Information Protection recommendations; here are the new names:
- Ensure Microsoft 365 audit log search is enabled
- Ensure DLP policies are enabled for Microsoft Teams
We have updated the name of the Secure Score recommendation for the following CIS Benchmark Microsoft Admin Center recommendation; here is the new name:
- Ensure the customer lockbox feature is enabled
We have updated the name of the Secure Score recommendation for the following CIS Benchmark Microsoft Defender for Cloud Apps recommendation; here is the new name:
- Ensure Microsoft Defender for Cloud Apps is enabled and configured
We have updated the names of the Secure Score recommendations for the following CIS Benchmark Microsoft SharePoint Online recommendations; here are the new names:
- Ensure SharePoint external sharing is managed through domain whitelist/blacklists
- Block OneDrive for Business sync from unmanaged devices
We have updated the names of the Secure Score recommendations for the following CIS Benchmark Microsoft Entra ID (Azure Active Directory) recommendations; here are the new names:
- Ensure Security Defaults is disabled on Azure Active Directory
- Ensure password protection is enabled for on-prem Active Directory
- Ensure ‘LinkedIn account connections’ is disabled
- Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
- Ensure multifactor authentication is enabled for all users in administrative roles
- Ensure multifactor authentication is enabled for all users
- Ensure ‘Privileged Identity Management’ is used to manage roles
- Ensure that only organizationally managed/approved public groups exist
- Ensure Administrative accounts are separate and cloud-only
- Ensure the admin consent workflow is enabled
- Ensure third party integrated applications are not allowed
- Ensure that between two and four global admins are designated
- Ensure ‘Self service password reset enabled’ is set to ‘All’
- Enable Conditional Access policies to block legacy authentication
- Ensure that password hash sync is enabled for hybrid deployments
- Enable Azure AD Identity Protection sign-in risk policies
- Enable Azure AD Identity Protection user risk policies
- Ensure the ‘Password expiration policy’ is set to ‘Set passwords to never expire’
- Ensure user consent to apps accessing company data on their behalf is not allowed
We have updated the names of the Secure Score recommendations for the following CIS Benchmark Microsoft Exchange Online recommendations; here are the new names:
- Ensure modern authentication for Exchange Online is enabled
- Ensure MailTips are enabled for end users
- Ensure mailbox auditing for all users is enabled
- Ensure additional storage providers are restricted in Outlook on the web
- Ensure ‘External sharing’ of calendars is not available
- Ensure mail transport rules do not whitelist specific domains
- Ensure that SPF records are published for all Exchange Domains
We have updated the name of the Secure Score recommendation for the following CIS Benchmark Microsoft Purview recommendation; here is the new name:
- Ensure DLP policies are enabled
[What you need to do to prepare:]
There’s no action needed to prepare for this change; your score will be updated accordingly. Microsoft recommends reviewing the improvement actions listed in Microsoft Secure Score. We will continue to add suggested security improvement actions on an ongoing basis.