Audit Microsoft Secure Score
Posted by deadpoolathome@reddit | sysadmin | 18 comments
Hi All
Before I go off and re-invent the wheel, has anyone seen/created or can provide some guidance on an endpoint audit script for Microsoft Secure Score?
We have Defender and it flags these machines, but I am looking for a way to run a script in our RMM which then flags if a machine has failed the MSS checks we are implementing so that we can investigate why the GP/Intune policies haven't applied or if something else is going on.
I am sure there are plenty of discussions about the validity of these items, but SNR management loves the number and if I can creep it up, it looks good for us.
Cheers
Efficient_Agent_2048@reddit
Well, quick tip: you can script Defender API calls for Secure Score, but covering browser gaps is tough. This layerx security gave us visibility where Intune was falling short.
melissaleidygarcia@reddit
You can script it via Microsoft Graph API to pull Secure score per device for automated auditing.
deadpoolathome@reddit (OP)
Thanks, have got this one happening at the moment
Main_Ambassador_4985@reddit
Can Intune compliance be used to create a group just like it can be used for conditional access?
Instead of reinventing the wheel, why not use conditional access for compliant devices?
Is this only a M365 E5 option?
Defender 365 with Advanced add on can check CIS Baselines also.
disclosure5@reddit
Secure Score includes a large amount of nonsense you can't bundle into a Device Compliance test. I guess you could write a million lines of PowerShell checking registry keys, but don't seriously do this.
deadpoolathome@reddit (OP)
haha, that is what I'm trying to prevent!
One-Environment2197@reddit
Have you looked at CISA's SCuBA project? https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
deadpoolathome@reddit (OP)
Thanks, will check it out
disclosure5@reddit
What are you going to do when the policies have applied and they are working correctly but Secure Score as usual is just wrong? I'd plan this first.
deadpoolathome@reddit (OP)
This can be explained in a report/security feedback. The secure score is just something that gives an indication that they will like as it's from "MS".
AppIdentityGuy@reddit
You need to explain to your Snr mgmt that the secure score is not an absolute score. Rather, it's a posture measurement and it will go up and down over time. Also, they need to understand that it's extremely unlikely you will ever reach 100%. In terms of devices, the exposure score is probably more valuable actually.
deadpoolathome@reddit (OP)
Agree, it's more that something is better than nothing. They do understand that it goes up/down, but I'm just seeing if there is a simple way to help detect/remediate regression.
ncc74656m@reddit
And also, if you have 100% chances are your people can't do anything.
L3veLUP@reddit
Get the max secure score in this one easy trick (block everyone's sign ins :D )
Fun-Bath-825@reddit
The perfect secure system is one that no-one has any access to from anywhere at any time
mmomarkethub-com@reddit
tbh secure score is useful for a baseline, but the real audit needs to check actual config drift, not just compliance checkboxes.
deadpoolathome@reddit (OP)
Agree, it's more a high-level indication as a starting point.
bjc1960@reddit
We watch our secure score daily and use it to track trends. It changes daily.
As others have said, use the configs in Intune or detect/remediates.
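Added example, not code from anyone in this thread: a small regression check of the kind melissaleidygarcia's Graph suggestion and bjc1960's daily trend tracking point at. The two snapshots are constructed sample data shaped like items from Microsoft Graph's `GET /security/secureScores` (currentScore, maxScore, createdDateTime, controlScores[] with controlName/controlCategory/score); the control names are made up, and fetching live snapshots with an app-only Graph token is left out so it runs offline.

```python
"""Flag Secure Score controls that regressed between two daily snapshots."""


def index_controls(snapshot):
    """Map controlName -> score for one secureScore snapshot."""
    return {c["controlName"]: float(c["score"]) for c in snapshot["controlScores"]}


def find_regressions(old, new, min_drop=0.5):
    """Compare two secureScore snapshots (older first).

    Returns the overall score delta plus the controls whose score fell by
    at least `min_drop` points, biggest drop first. A control present in
    `old` but absent from `new` is reported as dropping to 0.0, since a
    control that silently vanished is the "policy didn't apply" case the
    OP wants to investigate rather than something to ignore.
    """
    before, after = index_controls(old), index_controls(new)
    drops = []
    for name, old_score in before.items():
        new_score = after.get(name, 0.0)
        if old_score - new_score >= min_drop:
            drops.append({"control": name, "old": old_score, "new": new_score})
    drops.sort(key=lambda d: d["old"] - d["new"], reverse=True)
    return {
        "from": old["createdDateTime"],
        "to": new["createdDateTime"],
        "delta": round(float(new["currentScore"]) - float(old["currentScore"]), 2),
        "regressions": drops,
    }


# Constructed sample snapshots (assumed Graph secureScore shape, fake control names).
YESTERDAY = {
    "createdDateTime": "2024-05-01T00:00:00Z", "currentScore": 61.5, "maxScore": 100.0,
    "controlScores": [
        {"controlCategory": "Identity", "controlName": "sample_mfa_admins", "score": 10},
        {"controlCategory": "Device", "controlName": "sample_av_realtime", "score": 5},
        {"controlCategory": "Device", "controlName": "sample_disk_encryption", "score": 8},
    ],
}
TODAY = {
    "createdDateTime": "2024-05-02T00:00:00Z", "currentScore": 52.0, "maxScore": 100.0,
    "controlScores": [
        {"controlCategory": "Identity", "controlName": "sample_mfa_admins", "score": 10},
        {"controlCategory": "Device", "controlName": "sample_av_realtime", "score": 2},
        {"controlCategory": "Device", "controlName": "sample_attack_surface_rules", "score": 4},
    ],
}

if __name__ == "__main__":
    for drop in find_regressions(YESTERDAY, TODAY)["regressions"]:
        print(f"REGRESSED {drop['control']}: {drop['old']} -> {drop['new']}")
```

Pointing the output at an RMM alert or ticket gives the per-control "what changed" list that the raw score alone does not.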