Within your Microsoft 365 tenant have you ever noticed the card that talks about your Microsoft Compliance Score?  Ever wondered what that was?  In this post, I’ll discuss with you what this score means, how you can affect it and what changing the score can mean for your tenant.

What is the Microsoft Compliance Score?

Inside your M365 tenant, you can complete a series of actions that each protect your environment a little more than before.  As you complete these actions, an algorithm runs against your tenant to determine just how protected or compliant the tenant is.  The score isn’t based only on what you do, but also on what Microsoft does on the back end to protect your information.  One important thing to note is that the score is not based on any single standard.  It is based on the steps you have taken to protect personal data and privacy throughout the entire tenant; everything from enabling MFA to using retention policies is considered.  A high score is also not a guarantee that your data is absolutely safe.  It only means the data is safer than it was before.  In the end, your compliance score is one more tool you can use to judge how safe your data is.

Factors Affecting Your Score

Once every 24 hours a job runs in the environment that scans the configuration of your tenant.  It checks what you have enabled, how you have set protections and/or compliance rules and, in some cases, how you have configured them.  After this scan, a score is assigned based on how well your tenant is protected, with the focus on how closely your tenant meets the suggested levels of protection/compliance.

So this brings forth the question: “Why not just turn on and/or configure all of the actions?”  Well honestly, you may simply not want to turn everything on.  Maybe you have an internal app that, for whatever reason, requires your phones to be jailbroken to use it.  In that case you may not want to enable “Block Jailbroken and Rooted Mobile Devices”.  This means an action or policy you have been suggested to enable may actually not be appropriate for your tenant.  Review each action and ensure it makes sense for your tenant before enabling it.

Compliance Controls

A compliance score isn’t just handled by your environment.  Microsoft has a hand in this too.  A fairly large one at that.  In a base tenant that hasn’t had any security settings applied to it, I have a compliance score of 76%.  That 76% is coming from protections that Microsoft has applied to all of its tenants.  I have added nearly nothing to that score.

Microsoft classifies data protection controls into 3 main categories:

  • Preventative – This category covers actions you can take to stop data loss before it happens.  For example, applying encryption to your highly confidential information.
  • Detective – With this category of actions, the system monitors for any shift in usage behavior that could indicate data may be at risk, whether because the user isn’t who they say they are or because they are no longer working for the benefit of the organization.
  • Corrective – The steps that can be taken if a security breach does occur, in order to minimize the damage to the environment.

Each of these categories is also broken up into two subcategories:

  • Mandatory – Controls put in place that a user or the system MUST follow.  They can’t be avoided.  An example of a mandatory control is enabling MFA for administrators in the tenant.  This adds security and an admin can’t log in without utilizing MFA.
  • Discretionary – This control requires the user to follow it if they feel it is necessary.  It is not required by the system.  Applying retention labels to a document would be a discretionary control.

Microsoft recently released a new console to help with building your compliance score.  I will be covering the Compliance Manager in a future post.


Thanks for reading!