What is the Office 365 Secure Score? The Office 365 Secure Score website shows Microsoft’s best practices and where your tenant scores in relation to them.

The site can be accessed at https://securescore.office.com.

Score Overview (screenshot): Current Score Overview

When assessing security in an environment and making recommendations, I always go for the low-hanging fruit first. In the case of Secure Score, this is as simple as reviewing reports on a regular basis. The second item I always go after is disabling auto-forwarding of email to outside addresses. Read on for my take on using Secure Score and some things to take into account when implementing recommendations gleaned from it.


Example: Disable auto-forwarding of email to outside addresses


Outlook has some great features built in, including support for rules that can do things like auto-forward email to a specific email address. While this is great for end users who want to send their email to their personal email address, it is bad for businesses that want to prevent intellectual property from leaking out of the environment.


Within Secure Score, we have the ability to automatically deploy a transport rule to Exchange Online that disallows auto-forwarding of email outside of the company. On the surface, this seems like a great idea. Microsoft is doing the work for us, which is always great. The first gotcha here is that a lot of companies do actually have valid business reasons for forwarding mail to an external address. Think of a product support department that uses a CRM system like Salesforce or Dynamics CRM. They may want to have a shared mailbox with a corporate email address that customers send messages to in order to open cases. In this situation, the CRM admin may have requested the mailbox and set it up to forward all messages that come in to caseopen@xyzcrm.com. In a lot of cases, IT is not plugged into this business process.

My recommendation is to enable the rule, but instead of blocking immediately, have a delivery report sent to another user or mailbox for review. Chances are that in a large organization, you will see a lot of auto-forwarding going on, especially if users have not been educated or told not to do it. Someone should review the messages that come into the mailbox and see which ones look like valid business email. From there, the user or owner of the shared mailbox needs to be tracked down to determine if it is a valid business function and if so, how to best deal with it once we’re blocking auto-forward. I will take you through the steps to do this below.
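The review-first approach described above can be scripted with Exchange Online PowerShell. The following is an added example, not code from the original post or from Microsoft's Secure Score action: it inventories the forwarding that already exists in the tenant (mailbox-level forwarding and user-created inbox rules), then creates the same kind of transport rule Secure Score deploys, but in Audit mode with an incident report sent to a reviewer mailbox instead of rejecting the message. The reviewer address, the domain contoso.com, and the rule name are assumptions; it also assumes the ExchangeOnlineManagement module is installed and the account has the Exchange Administrator role.

```powershell
# Assumed: ExchangeOnlineManagement module installed; sign in as an Exchange admin.
Connect-ExchangeOnline

# Placeholder reviewer mailbox (assumption) that receives the incident reports.
$Reviewer = 'forward-review@contoso.com'
$RuleName = 'Client Rules To External Audit'   # assumed name for the audit-only rule

# 1. Inventory: mailboxes with forwarding set at the mailbox level
#    (ForwardingSmtpAddress is the user-settable one, ForwardingAddress the admin-set one).
$MailboxForwarding = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inventory: inbox rules that forward or redirect mail. Get-InboxRule is per mailbox,
#    so this loop is slow in a large tenant; run it off-hours.
$InboxForwarding = foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n='Mailbox';e={$mbx.PrimarySmtpAddress}}, Name, Enabled,
                      ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# Hand both lists to the reviewer so owners of legitimate forwards (e.g. a CRM case
# mailbox) can be tracked down before anything is blocked.
$MailboxForwarding | Export-Csv -Path .\mailbox-forwarding.csv -NoTypeInformation
$InboxForwarding   | Export-Csv -Path .\inboxrule-forwarding.csv -NoTypeInformation

# 3. Same conditions Secure Score uses (internal sender, external recipient, auto-forward
#    message type), but Mode Audit: nothing is rejected, every match produces an incident
#    report to the reviewer with sender, recipients, subject and the rule that fired.
New-TransportRule -Name $RuleName `
    -Priority 0 `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -GenerateIncidentReport $Reviewer `
    -IncidentReportContent Sender, Recipients, Subject, Severity, RuleDetections `
    -Mode Audit `
    -Comments 'Audit-only stage before blocking client auto-forward to external recipients.'

# 4. After the review period, switch the same rule to enforcement so forwarded mail is
#    rejected with an NDR instead of only reported.
# Set-TransportRule -Identity $RuleName -Mode Enforce `
#     -RejectMessageEnhancedStatusCode '5.7.1' `
#     -RejectMessageReasonText 'External email forwarding via client rules is not permitted.'
```

Running the inventory before the audit rule gives the reviewer two sources to reconcile: the CSV exports show who has forwarding configured, and the incident reports show which of those forwards actually carry traffic. Leaving step 4 commented out is deliberate; enforcement should only follow once the reviewer has cleared or re-homed the legitimate cases.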


1.  Go to https://securescore.office.com and log in with your admin credentials.


2.  Scroll down to the list of recommendations and find “Enable Client Rules Forwarding Block”. The list will look different for every tenant.


3. Click on the drop-down caret to get more information. You will see a brief explanation of what should be done, category and score information, as well as buttons along the bottom that let you perform actions related to the item. You can choose to ignore the recommendation because it doesn’t apply to your environment, attribute the recommendation to a third party, or learn more about the recommendation. In this case, click on the “Learn more” button.


4.  Once you click on the “Learn more” button, you will see a pop-out pane that explains more about the recommendation and how it can be implemented. In this case, Microsoft makes it easy on us by giving us a button to directly apply the transport rule into our Exchange Online tenant.


**IMPORTANT** Clicking the Apply button IMMEDIATELY deploys the transport rule into your tenant and activates it. I would make this change off-hours so you don’t affect any critical business workflows as outlined above.


5.  Once you have clicked “Apply”, the rule is deployed and you will see a message similar to the following:


6. You can validate the change by going to the Exchange Online Admin Center (EAC) -> Mail Flow -> Rules. In the list, you should see a rule named “Client Rules To External Block – Secure Score <Date>”. To disable the rule, uncheck the box next to the rule name.
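The validation in step 6 can also be done from Exchange Online PowerShell, which is useful when you want to confirm exactly what the Secure Score action deployed or need to back it out quickly off-hours. This is an added example, not part of the original post; it assumes the rule name matches the “Client Rules To External Block” prefix shown above (the date suffix varies, hence the wildcard) and that the ExchangeOnlineManagement module is installed.

```powershell
# Assumed: ExchangeOnlineManagement module installed; sign in as an Exchange admin.
Connect-ExchangeOnline

# The Secure Score action names the rule "Client Rules To External Block - Secure Score <Date>";
# match on the prefix since the date part differs per tenant.
$Rule = Get-TransportRule | Where-Object { $_.Name -like 'Client Rules To External Block*' }

if (-not $Rule) {
    Write-Warning 'No Secure Score forwarding-block rule found in this tenant.'
    return
}

# Show the settings that matter: whether it is enabled, its priority, which scopes it
# applies to, the message type it matches, and the NDR text users will see.
$Rule | Format-List Name, State, Priority, Mode, FromScope, SentToScope,
                    MessageTypeMatches, RejectMessageEnhancedStatusCode, RejectMessageReasonText

# Backout: disable the rule (equivalent to unchecking it in the EAC) without deleting it,
# so it can be re-enabled once affected business forwards have been sorted out.
Disable-TransportRule -Identity $Rule.Identity -Confirm:$false

# Re-enable when ready:
# Enable-TransportRule -Identity $Rule.Identity -Confirm:$false
```

Disabling rather than removing the rule keeps the backout reversible and preserves the rule's configuration and any comments, which is what you want in a change record.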


Hopefully this post illustrates the power of Secure Score and how it can be used to rapidly increase the security of an Office 365 tenant. If I were doing this for my environment or for a customer, I’d make sure I’ve done my due diligence to help ensure I don’t break any critical business process, as well as follow proper change management procedure with an implementation plan, test plan, and backout plan. Thanks for reading, and for any questions on this post, please email me at jknash@x-centric.com.