Specify security baselines for SaaS services


With Software as a Service (SaaS) solutions, the security options that you can control may be only at the application level. In a Public Cloud scenario, this requires a high degree of trust in the cloud vendor because they have complete control of the infrastructure and platform layers. As well as their reputation and track record, you should assess the processes they have in place to provide security. When performing due diligence, you should also assess whether they can provide network security in addition to application and data security.

Just as Microsoft Defender for Cloud has its Secure Score to help you improve the security posture of Azure workloads, Microsoft 365 has the Microsoft Secure Score to help with the security posture of your SaaS environment. Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft 365 Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Secure Score helps organizations to:

  • Report on the current state of the organization's security posture.

  • Improve their security posture by providing discoverability, visibility, guidance, and control.

  • Compare with benchmarks and establish key performance indicators (KPIs).

The recommendations won't cover all the attack surfaces associated with each product, but they're a good baseline. You can also mark the improvement actions as covered by a third party or alternate mitigation. Currently there are recommendations for the following products:

  • Microsoft 365 (including Exchange Online)

  • Azure Active Directory

  • Microsoft Defender for Endpoint

  • Microsoft Defender for Identity

  • Defender for Cloud Apps

  • Microsoft Teams
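As an added example (not part of this module or any Microsoft code), the following Python derives the reporting, trend and benchmark KPIs described above from a run of daily Secure Score snapshots. The snapshot fields follow the shape of the Microsoft Graph `security/secureScores` resource; the tenant values and control names are constructed sample data.

```python
"""Secure Score KPIs from daily snapshots (oldest first).

Field names mirror the Microsoft Graph security/secureScores resource;
all values and control names below are constructed sample data.
Note that maxScore changes when Microsoft adds controls, so report the
percentage rather than the raw score when tracking a KPI over time.
"""

# Constructed sample: two weekly snapshots for one hypothetical tenant.
SNAPSHOTS = [
    {"createdDateTime": "2024-03-01T00:00:00Z", "currentScore": 412.0, "maxScore": 960.0,
     "averageComparativeScores": [{"basis": "AllTenants", "averageScore": 470.0}],
     "controlScores": [
         {"controlCategory": "Identity", "controlName": "RequireMFAForAdmins", "score": 10.0},
         {"controlCategory": "Identity", "controlName": "BlockLegacyAuth", "score": 0.0},
         {"controlCategory": "Apps", "controlName": "SafeLinksForOffice", "score": 0.0}]},
    {"createdDateTime": "2024-03-08T00:00:00Z", "currentScore": 455.0, "maxScore": 960.0,
     "averageComparativeScores": [{"basis": "AllTenants", "averageScore": 472.0}],
     "controlScores": [
         {"controlCategory": "Identity", "controlName": "RequireMFAForAdmins", "score": 10.0},
         {"controlCategory": "Identity", "controlName": "BlockLegacyAuth", "score": 8.0},
         {"controlCategory": "Apps", "controlName": "SafeLinksForOffice", "score": 0.0}]},
]


def score_percent(snapshot: dict) -> float:
    """Current score as a percentage of the maximum available that day."""
    return round(100.0 * snapshot["currentScore"] / snapshot["maxScore"], 1)


def comparative_gap(snapshot: dict, basis: str = "AllTenants") -> float:
    """Points above (+) or below (-) the benchmark average for `basis`."""
    for entry in snapshot["averageComparativeScores"]:
        if entry["basis"] == basis:
            return snapshot["currentScore"] - entry["averageScore"]
    raise KeyError(f"no comparative score with basis {basis!r}")


def control_deltas(older: dict, newer: dict) -> dict:
    """Per-control change; controls missing from one snapshot count as 0."""
    old = {c["controlName"]: c["score"] for c in older["controlScores"]}
    new = {c["controlName"]: c["score"] for c in newer["controlScores"]}
    return {name: new.get(name, 0.0) - old.get(name, 0.0) for name in old.keys() | new.keys()}


def kpi_report(snapshots: list) -> dict:
    """KPI summary: posture now, trend since the first snapshot, benchmark gap,
    and the controls still scoring zero (the unaddressed improvement actions)."""
    first, last = snapshots[0], snapshots[-1]
    return {
        "percent": score_percent(last),
        "trend_points": last["currentScore"] - first["currentScore"],
        "vs_all_tenants": comparative_gap(last),
        "zero_score_controls": sorted(c["controlName"] for c in last["controlScores"] if c["score"] == 0),
        "control_deltas": control_deltas(first, last),
    }
```

Improvement actions marked as covered by a third party or an alternate mitigation still appear in the control list, so treat a persistent zero-score control as a prompt to check its status rather than as an automatic gap.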


Security baseline for SaaS

The Office cloud policy service lets you enforce policy settings for Microsoft 365 Apps for enterprise on a user's device, even if the device isn't domain joined or otherwise managed. When a user signs into Microsoft 365 Apps for enterprise on a device, the policy settings roam to that device. Policy settings are available for devices running Windows, macOS, iOS, and Android, although not all policy settings are available for all operating systems.

When you create policy configurations, you can review and apply the policies that Microsoft recommends as security baseline policies. When you select policies, those recommended as a baseline are tagged "Security Baseline" in the policy list. You can also use the column filter to limit the view to only policies that are tagged as Security Baseline.

Screenshot showing examples of security baselines.