Back to Blog

Microsoft Office 365 Secure Score Limitations for MSPs

M365 Secure Score for MSPs: A Double-Edged Sword  

Microsoft 365 Secure Score is a comprehensive security analytics tool for a single tenant. It uses a score-based approach to provide actionable recommendations to enhance security.  

However, MSPs should be aware that the scoring process fails to fit the needs of scaling MSPs in terms of business exceptions, managing multiple clients, remediation and alerting, not to mention making an assessment which is independent of MS upselling.

The next section of this article explores various benefits, and then in the following section, we move on to the gaps for MSPs. And finally, we talk about a better approach to suit MSPs.

Understanding M365 Secure Score Benefits for Single Tenant Assessment

Secure Score assesses security configurations, policies, and user behaviours to determine the effectiveness of existing security measures. It assigns a numerical score based on these evaluations, representing the overall security posture of an organisation.  

Assessing Security Posture: It highlights areas where security settings can be enhanced, identifies vulnerabilities or weaknesses, and suggests best practices to mitigate risks. The recommendations cover various security aspects, such as identity and access management, data protection, threat detection, and security controls.  

Proactive Security Measures: It can also track security implementation progress through continuous monitoring. It allows organisations to visualise the impact of security improvements and track their security posture's evolution. MSPs can leverage this data to demonstrate the effectiveness of their security efforts, communicate the value of security investments to clients, and prioritise actions to enhance security further.  

Security Prioritisation: Overall, it measures security posture by evaluating configurations, policies, and user behaviours and provides insights through actionable recommendations, progress tracking, and benchmarking. It assists organisations and MSPs in identifying and prioritising security enhancements to strengthen their overall security posture.

Analysing Shortcomings with M365 Secure Score for MSPs  

Amid its valuable insights and recommendations for enhancing security, some limitations make Secure Score a tricky tool for MSPs. Let us find out how:  

Inefficiency in Handling Multi-Tenant Environment

When managing multiple tenants, Secure Score lacks the ability to centralise security management. This is an issue for MSPs, who often work with multiple clients, each having their own M365 tenant. Navigating, tracking and prioritising the security scores and recommendations for so many clients thus become a complex and time-consuming task.  

Does not Handle Exceptional Security Circumstances

MSPs may have different priorities or risk tolerance levels for their clients, which may need to align more precisely with the scoring system used by Secure Score. The inability to customise the scoring criteria or adjust the weightage of different security measures limits the flexibility for MSPs to tailor the security posture according to their client's specific circumstances.  

No in-Built Remediation

It is primarily a tool that guides how to improve their security posture. Its helpful documentation and resources assist MSPs in understanding the recommended actions and effective implementation but do not directly remediate security issues. Ultimately, the onus for applying the recommended security measures lies within the organisation.  

Lacks Alerting Specific Configuration Deviations

It does not provide security alerts itself. For real-time security alerts and monitoring, Microsoft offers additional services and tools such as Microsoft Defender for Endpoint, Azure Sentinel, and Microsoft 365 Security Center. These tools provide threat intelligence, detection capabilities, and alerts for potential security incidents.  

Lacks Granular Security Controls

MSPs require more detailed control over security configurations to align with their client's specific needs. Since Secure Score recommendations are based on general best practices, they often fail to address unique needs or compliance obligations that organisations face and do not allow for customisation of the scoring, which is required in most instances.

Lacks Comprehensive Reporting on Third-party Security Risks  

Secure Score's reporting and insights are primarily centred around Microsoft 365 security features and configurations. It may not provide detailed reporting or analysis specifically dedicated to third-party integrations. MSPs may need to rely on other sources or perform separate assessments to gain a comprehensive understanding of the security risks associated with integrated third-party applications.  

Incomplete Security Controls Coverage  

While Secure Score provides valuable recommendations and assessments for various security configurations and policies within M365, it may not cover all possible security controls or factors that contribute to an organisation's overall security. This means that certain specific security measures or practices implemented by an organisation may not be reflected or evaluated in the tool.  

Bearing the Expense of Microsoft Tools  

Secure Score often suggests certain security features or configurations that require organisations to purchase specific licenses. So, the tool is good at promoting security best practices and optimisation recommendations that align with the security offerings within the Microsoft ecosystem. Hence, there is a natural tendency for it to upsell for Microsoft.

How can MSPs Better Evaluate a Client's Security Posture?  

To address these difficulties, MSPs can consider leveraging third-party security management platforms or tools that offer centralised management capabilities. These platforms can aggregate risk analysis from multiple tenants, provide a unified view, and offer streamlined workflows for managing security tasks across different client environments.  

An App that Fixes it All

Octiga baselines are placed into best practice yet fully customisable, multi-tenant security templates which act as scalable posture management for all the MSPs clients at once. What's more, it adapts its scoring to fit the licenses that the client tenant actually has rather than what they could pay for.  

Moreover, a security posture template is based on baselines (and security parameters) that are chosen by the MSP (with Octiga's guidance) and contain exceptions as first-class citizens. Therefore, you can win the scoring game.  

It consists of your baselines, your settings, and your exceptions, and you get alerted on the deviation of exactly these items. Unlike Secure Score, no extra alerting tool is needed, and finally, each baseline is fully remediable with a single click within Octiga.    

MSPs need tools like Octiga to fill these gaps and provide added expertise and bespoke security configurations to meet your organisation's specific needs. And they can do that while adhering to industry standards and compliance requirements.  

If you resonate with the issues mentioned above, talk to us about how Octiga can help your MSP with your unique client security requirements.

More from the Blog

5 reasons why MSPs can’t win the Microsoft 365 security game using Secure Score (and what to do about it)

While Microsoft Secure Score offers a quantifiable assessment of security posture, it has striking limitations. We share five reasons why MSPs need a better tool.

Read Story

Microsoft 365 Breaches - As preventable as they are common

Sash Vasilevski, Octiga co-founder and cyber security expert, explains why stopping unauthorised access to Microsoft 365 is complex, requiring specialist tools, like Octiga.

Read Story

Octiga Announces Benefit Partnership with The ASCII Group

Members of The ASCII Group gain preferential Octiga terms

Read Story

Never miss a minute.

Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa.
We will never share your email address with third parties.