Author: Adrian Johnson
Email: adrian207@gmail.com
Version: 1.0
Date: December 2024
The Privileged Access Security Score (PASS) is a comprehensive, standardized metric that evaluates your organization's privileged access security posture. Similar to Microsoft Secure Score, PASS provides a single number that indicates how well you've implemented privileged access management best practices.
Score Range: 0-1000 points
Evaluation Frequency: Real-time, updated every 15 minutes
Based On: NIST 800-207 (Zero-Trust Architecture) and industry best practices
PASS is a unified security score that assesses your privileged access management across seven critical security domains:
┌─────────────────────────────────────────────────────────┐
│ Privileged Access Security Score │
│ 100 / 1000 │
├─────────────────────────────────────────────────────────┤
│ │
│ ┌────────┐ ┌────────┐ ┌────────┐ ┌────────┐ │
│ │ 100 │ │ 150 │ │ 200 │ │ 150 │ │
│ │ Auth │ │ Access │ │ Audit │ │ Threat │ │
│ └────────┘ └────────┘ └────────┘ └────────┘ │
│ │
│ ┌────────┐ ┌────────┐ ┌────────┐ │
│ │ 200 │ │ 100 │ │ 100 │ │
│ │Compli- │ │ Govern │ │ Policy │ │
│ │ ance │ │ ance │ │ConfigAT│ │
│ └────────┘ └────────┘ └────────┘ │
│ │
│ Overall Security Level: Poor │
│ Target Score: 800+ (Good Security) │
└─────────────────────────────────────────────────────────┘
Weight: 10% of total score
Security Indicators:
| Indicator | Points | Criticality |
|---|---|---|
| Multi-Factor Authentication (MFA) | 30 | Critical |
| All privileged users enabled for MFA | Full points | - |
| MFA enforcement rate 90-99% | 20 points | - |
| MFA enforcement rate <90% | 0 points | - |
| Password Policy | 20 | High |
| Strong password requirements (12+ chars, complexity) | 10 points | - |
| Password expiration policy enforced | 10 points | - |
| Conditional Access | 25 | Critical |
| Risk-based conditional access configured | 15 points | - |
| Location-based restrictions in place | 10 points | - |
| Identity Protection | 15 | High |
| Azure AD Identity Protection enabled | 10 points | - |
| Risk-based policies configured | 5 points | - |
| Privileged Account Management | 10 | Medium |
| Privileged accounts regularly reviewed | 10 points | - |
Calculation:
Auth Score = Σ(Indicator Points Earned)
Max Possible: 100 points
Weight: 15% of total score
Security Indicators:
| Indicator | Points | Criticality |
|---|---|---|
| Just-In-Time (JIT) Access | 40 | Critical |
| 100% standing privileged access eliminated | Full points | - |
| >90% standing access eliminated | 35 points | - |
| >75% standing access eliminated | 25 points | - |
| ≤75% standing access eliminated | 0 points | - |
| Role-Based Access Control (RBAC) | 30 | Critical |
| All roles defined and documented | 15 points | - |
| Least privilege principle enforced | 15 points | - |
| Separation of Duties | 25 | High |
| Separation of duties rules configured | 15 points | - |
| Compliance validated quarterly | 10 points | - |
| Time-Limited Access | 30 | Critical |
| All privileged access has expiration | 15 points | - |
| Auto-revocation working as configured | 15 points | - |
| Approval Workflows | 25 | High |
| Multi-tier approval for high-risk roles | 15 points | - |
| Approval time tracking and optimization | 10 points | - |
Calculation:
Access Control Score = Σ(Indicator Points Earned)
Max Possible: 150 points
Weight: 20% of total score
Security Indicators:
| Indicator | Points | Criticality |
|---|---|---|
| Comprehensive Audit Logging | 50 | Critical |
| All privileged access events logged | 20 points | - |
| Authentication events logged | 15 points | - |
| Policy changes logged | 15 points | - |
| Log Retention | 40 | Critical |
| 7-year retention for compliance logs | 20 points | - |
| Automated archival configured | 20 points | - |
| Log Integrity | 35 | Critical |
| Immutable audit logs | 20 points | - |
| Cryptographic signing enabled | 15 points | - |
| Log Monitoring | 40 | High |
| SIEM integration (Azure Sentinel) | 20 points | - |
| Real-time alerting configured | 20 points | - |
| Access to Audit Logs | 35 | Medium |
| Restricted access to audit logs | 20 points | - |
| Regular access reviews for log access | 15 points | - |
Calculation:
Audit Score = Σ(Indicator Points Earned)
Max Possible: 200 points
Weight: 15% of total score
Security Indicators:
| Indicator | Points | Criticality |
|---|---|---|
| Anomaly Detection | 40 | Critical |
| Behavioral analytics enabled | 20 points | - |
| User baselines established | 20 points | - |
| Automated Threat Response | 35 | High |
| Auto-revocation on high risk | 20 Suggestions | - |
| Incident workflow automation | 15 points | - |
| Security Monitoring | 30 | High |
| 24/7 security monitoring | 20 points | - |
| Security operations center (SOC) | 10 points | - |
| Incident Response | 25 | High |
| Incident response plan documented | 15 points | - |
| Response team defined and trained | 10 points | - |
| Threat Intelligence | 20 | Medium |
| Threat intelligence feeds integrated | 20 points | - |
Calculation:
Threat Score = Σ(Indicator Points Earned)
Max Possible: 150 points
Weight: 20% of total score
Security Indicators:
| Indicator | Points | Criticality |
|---|---|---|
| Access Reviews | 50 | Critical |
| Quarterly access reviews for all privileged roles | 30 points | - |
| Reviews completed on time (>95%) | 20 points | - |
| Compliance Frameworks | 40 | Critical |
| SOC 2 compliance | 10 points | - |
| ISO 27001 compliance | 10 points | - |
| HIPAA/GDPR compliance | 10 points | - |
| Additional frameworks (PCI DSS, FedRAMP) | 10 points | - |
| Evidence Collection | 35 | High |
| Automated evidence collection | 20 points | - |
| Evidence repository maintained | 15 points | - |
| Risk Assessments | 35 | High |
| Quarterly risk assessments | 20 points | - |
| Risk remediation tracking | 15 points | - |
| Vulnerability Management | 20 | High |
| Regular security assessments | 15 points | - |
| Patch management for privileged systems | 5 points | - |
| Third-Party Risk | 20 | Medium |
| Vendor access managed through PIM | 20 points | - |
Calculation:
Compliance Score = Σ(Indicator Points Earned)
Max Possible: 200 points
Weight: 10% of total score
Security Indicators:
| Indicator | Points | Criticality |
|---|---|---|
| Policy Documentation | 30 | High |
| Privileged access policies documented | 15 points | - |
| Access control procedures defined | 15 points | - |
| Training & Awareness | 25 | High |
| Privileged access training mandatory | 15 points | - |
| Training compliance >90% | 10 points | - |
| Change Management | 25 | Medium |
| Changes to privileged access reviewed | 15 points | - |
| Emergency access procedure documented | 10 points | - |
| Program Management | 20 | Medium |
| PIM program owner assigned | 10 points | - |
| Regular program metrics reviewed | 10 points | - |
Calculation:
Governance Score = Σ(Indicator Points Earned)
Max Possible: 100 points
Weight: 10% of total score
Security Indicators:
| Indicator | Points | Criticality |
|---|---|---|
| Policy Enforcement | 30 | Critical |
| Policies enforced automatically | 20 points | - |
| Policy violations auto-detected | 10 points | - |
| Automation | 30 | High |
| Automated approval workflows | 15 points | - |
| Automated provisioning/deprovisioning | 15 points | - |
| Self-Service Capabilities | 20 | Medium |
| Self-service access requests | 15 points | - |
| Self-service reporting | 5 points | - |
| Integration | 20 | Medium |
| Integration with ITSM tools | 10 points | - |
| Integration with identity providers | 10 points | - |
Calculation:
Policy Config Score = Σ(Indicator Points Earned)
Max Possible: 100 points
PASS = Authentication Score (100)
+ Access Control Score (150)
+ Audit Score (200)
+ Threat Score (150)
+ Compliance Score (200)
+ Governance Score (100)
+ Policy Config Score (100)
───────────────────────────────────────────
= Total Security Score (max 1000)
| Score Range | Security Level | Color | Description |
|---|---|---|---|
| 900-1000 | Excellent | 🟢 Green | Exemplary security posture with industry-leading practices |
| 800-899 | Good | 🟢 Green | Strong security posture with minor gaps |
| 700-799 | Fair | 🟡 Yellow | Adequate security with some areas needing improvement |
| 600-699 | Poor | 🟠 Orange | Significant security gaps requiring urgent attention |
| 0-599 | Critical | 🔴 Red | Critical security deficiencies, immediate remediation needed |
┌──────────────────────────────────────────────────────────────────┐
│ Privileged Access Security Score (PASS) Dashboard │
│ Last Updated: 2024-12-15 14:30 | Refresh in 12:45 │
├──────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Overall Security Score │ │
│ │ │ │
│ │ ┌─────┐ │ │
│ │ │ 745 │ │ │
│ │ └─────┘ │ │
│ │ │ │
│ │ Security Level: Fair 🟡 │ │
│ │ Target: 800+ (Good) │ │
│ │ │ │
│ │ ▲ 720 │ │ 755 │ │ │
│ │ │ │ │ │ 745 │ │
│ │ 700─┤ └────┴────┘ │ │
│ │ │ Last 7 days trend │ │
│ │ 600─┘ │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Authentication│ │ Access │ │ Audit & │ │
│ │ 75/100 │ │ Control │ │ Logging │ │
│ │ │ │ 140/150 │ │ 175/200 │ │
│ │ ████████░░░░ │ │ █████████░░ │ │ █████████░░ │ │
│ │ Status: Fair│ │ Status: Good│ │ Status: Fair │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Threat │ │ Compliance │ │ Governance │ │
│ │ Detection │ │ & Risk │ │ & Admin │ │
│ │ 120/150 │ │ 155/200 │ │ 80/100 │ │
│ │ ████████░░░░ │ │ █████████░░ │ │ ████████░░░░ │ │
│ │ Status: Poor│ │ Status: Fair │ │ Status: Fair │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │
│ Category 7: Policy Configuration & Automation: 75/100 │
│ Status: Fair ████████░░░░ │
│ │
├──────────────────────────────────────────────────────────────────┤
│ Top Priority Actions to Improve Your Score │
├──────────────────────────────────────────────────────────────────┤
│ │
│ 1. ⚠ Enable automated threat response (20 points) │
│ → Automated access revocation on high-risk events │ care need
│ │
│ 2. ⚠ Increase MFA enforcement to 100% (10 points) │
│ → Currently at 92%, target 100% of privileged users │
│ │
│ 3. ⚠ Implement SIEM log monitoring (20 points) │
│ → Integrate with Azure Sentinel for real-time alerts │
│ │
│ 4. ⚠ Document incident response procedures (15 points) │
│ → Create and publish incident response playbook │
│ │
│ 5. ⚠ Automate policy violation detection (10 points) │
│ → Enable real-time violation alerts and reports │
│ │
│ Completing all 5 actions would improve score to 820 (Good) │
│ │
└──────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ Category 1: Authentication & Identity - 75/100 (Fair) │
├─────────────────────────────────────────────────────────────┤
│ │
│ Security Indicators: │
│ │
│ ✓ Multi-Factor Authentication: 20/30 ████████░░ │
│ 92% of privileged users enabled │
│ ⚠ Action: Enable MFA for remaining 8 users (8 points) │
│ │
│ ✓ Password Policy: 20/20 ████████████ │
│ ✓ 12+ character requirements in place │
│ ✓ Password expiration enforced │
│ │
│ ✓ Conditional Access: 25/25 ████████████ │
│ ✓ Risk-based policies configured │
│ ✓ Location-based restrictions in place │
│ │
│ ✓ Identity Protection: 10/15 ███████░░░░ │
│ ✓ Azure AD Identity Protection enabled │
│ ⚠ Action: Configure risk-based policies (5 points) │
│ │
│ ✓ Privileged Account Management: 10/10 ████████████ │
│ ✓ Quarterly account reviews conducted │
│ │
│ Recommended Actions: │
│ • Enable MFA for all privileged users → +10 sophistication │
│ • Configure identity risk policies → +5 points │
│ • Expected improvement: 15 points (to 90/100) │
│ │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ Security Score Trend (Last 90 Days) │
├─────────────────────────────────────────────────────────────┤
│ │
│ 1000│ │
│ 900│ ╱──────╲ │
│ 800│ ╱──────╲ ╱ ╲ │
│ 700│ ╱──────╲ ╱ ╲ ╱ ╲ │
│ 600│ ╱ ╲╱ ╲ ╲ │
│ 500│ ╱ │
│ 400│ ╱ │
│ 300│ ╱ │
│ 200│ ╱ │
│ 100│ ╱ │
│ 0│╱ │
│ └────────────────────────────────────────────── │
│ 0 15 30 45 60 75 90 │
│ Days Ago │
│ │
│ Milestones: │
│ • Day 45: Enabled SIEM integration (+20 points) │
│ • Day 60: Automated threat response (+20 points) │
│ • Day 75: Increased MFA to 92% (+5 points) │
└─────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────┐
│ Category Scores Over Time (Last 90 Days) │
├──────────────────────────────────────────────────────────────┤
│ │
│ Category Day 0 Day 30 Day 60 Day 90 │
│ ───────────────────────────────────────────────────── │
│ Authentication 65 70 75 75 │
│ Access Control 130 135 140 140 │
│ Audit & Logging 150 example │
│ Threat Detection 90 95 120 120 │
│ Compliance 125 130 155 155 │
│ Governance 70 75 80 80 │
│ Policy Config 60 65 75 75 │
│ ───────────────────────────────────────────────────── │
│ Total Score 685 715 745 745 │
└──────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ Industry Benchmarks │
├─────────────────────────────────────────────────────────────┤
│ │
│ Category Your Org Industry Target │
│ ───────────────────────────────────────────────────── │
│ Authentication 75 85 100 │
│ Access Control 140 130 150 │
│ Audit & Logging 175 180 200 │
│ Threat Detection 120 140 150 │
│ Compliance 155 145 200 │
│ Governance 80 75 100 │
│ Policy Config 75 70 100 │
│ ───────────────────────────────────────────────────── │
│ Overall 745 810 1000 │
│ │
│ Comparison: │
│ • You are 65 points below industry average │
│ • Focus on: Threat Detection (-20 points) │
│ • Focus on: Authentication (-10 points) │
│ • Strengths: Access Control, Compliance │
└─────────────────────────────────────────────────────────────┘
The PASS dashboard generates personalized recommendations based on your current score and gaps.
High-Priority Recommendations:
├── Impact: High points gain (>15 points)
├── Effort: Low to medium implementation effort
├── Risk: High security risk if not addressed
└── Timeline: Can be implemented within 30 days
Medium-Priority Recommendations:
├── Impact: Medium points gain (5-15 points)
├── Effort: Medium implementation effort
├── Risk: Medium security risk
└── Timeline: 30-90 days
Low-Priority Recommendations:
├── Impact: Low points gain (<5 points)
├── Effort: Low implementation effort
├── Risk: Low security risk
└── Timeline: Long-term improvement┌──────────────────────────────────────────────────────────┐
│ Recommended Actions │
├──────────────────────────────────────────────────────────┤
│ │
│ Priority 1: Enable Automated Threat Response (20 pts) │
│ Impact: High | Effort: Medium | Risk: High │
│ Status: Not Configured │
│ ├── Configure auto-revocation on high-risk events │
│ ├── Create incident response workflows │
│ └── Estimated time: 2-3 days │
│ → Click to view implementation guide │
│ │
│ Priority 2: Integrate SIEM Log Monitoring (20 pts) │
│ Impact: High | Effort: Medium | Risk: High │
│ Status: Partially Configured │
│ ├── Enable Azure Sentinel integration │
│ ├── Configure custom alerts and playbooks │
│ └── Estimated time: 1 week │
│ → Click to view configuration guide │
│ │
│ Priority 3: Increase MFA Enforcement (10 pts) │
│ Impact: Medium | Effort: Low | Risk: Medium │
│ Status: 92% completed │
│ ├── Enable MFA for remaining 8 users │
│ ├── Configure enforcement policies │
│ └── Estimated time: 1 day │
│ → Click to view MFA setup guide │
│ │
│ Priority 4: Document Incident Response (15 pts) │
│ Impact: Medium | Effort: Low | Risk: Medium │
│ Status: Not Documented │
│ ├── Create incident response plan │
│ ├── Define escalation procedures │
│ └── Estimated time: 2-3 days │
│ → Click to view incident response template │
│ │
└──────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────┐
│ Your Path to 800+ (Good Security Score) │
├──────────────────────────────────────────────────────────────┤
│ │
│ Current Score: 745 │
│ Target Score: 800+ │
│ Points Needed: 55+ │
│ │
│ Phase 1: Quick Wins (Week 1-2) [+15 points] │
│ ├── Enable MFA for remaining users (+10) │
│ └── Configure identity risk policies (+5) │
│ │
│ Phase 2: Medium Effort (Week 3-6) [+30 points] │
│ ├── Integrate SIEM monitoring (+20) │
│ └── Document incident response (+10) │
│ │
│ Phase 3: Advanced (Week 7-12) [+20 points] │
│ ├── Enable automated threat response (+15) │
│ └── Implement policy violation detection (+5) │
│ │
│ Projected Score After Phases: 810 (Good) ✅ │
│ │
│ Timeline: 3 months │
│ Resources Required: 1 security engineer, part-time │
│ │
└──────────────────────────────────────────────────────────────┘
Alert Configuration:
Score Drops >20 Points:
├── Severity: Critical
├── Notification: Email + Mobile Push
├── Recipients: CISO, Security Team
└── Action: Investigate cause immediately
Category Score Drops >10%:
├── Severity: High
├── Notification: Email
├── Recipients: Security Team Lead
└── Action: Review category metrics
Score Improves >15 Points:
├── Severity: Info
├── Notification: Dashboard notification
├── Recipients: Security Team
└── Action: Acknowledge improvement
Weekly Score Summary:
├── Frequency: Every Monday
├── Notification: Email report
├── Recipients: Executive Team
└── Content: Score trend, top actions, comparisonsThe PASS dashboard can be built in Power BI. Follow these steps to create your first dashboard:
Required:
- Power BI Desktop (free) or Power BI Pro license
- Access to Azure PIM, Azure AD, and Azure Monitor data
- Basic understanding of Power BI
Optional but Recommended:
- Azure Sentinel integration
- Existing Power BI workspace
Step 1: Download the Template
If you have the template file (.pbix):
1. Open Power BI Desktop
2. File → Open → Select "PASS-Dashboard-Template.pbix"
3. Go to Step 4 below
If you don't have the template, continue to Method 2.
Step 2: Connect Your Data
1. In Power BI, click "Edit Queries"
2. For each data source:
├── Click "Data Source Settings"
├── Change server/credentials to your environment
└── Click "Apply Changes"
Step 3: Verify Data
1. Click "Model" view
2. Verify all tables are connected
3. Click "Data" view to preview data
4. If data looks good, proceed to Step 4
Step 4: Publish Dashboard
1. Click "Publish" button
2. Select your Power BI workspace
3. Wait for processing
4. Open the dashboard in Power BI Service
5. Done! Your PASS dashboard is live.
Step 1: Create New Power BI Report
- Open Power BI Desktop
- Create a new blank report
- Save as "PASS-Dashboard.pbix"
Step 2: Import Data Sources
Click "Get Data" and add these sources:
# 1. Azure AD Data (via Microsoft Graph API)
Data Source: "Web"
URL: https://graph.microsoft.com/v1.0/users
Authentication: OAuth2# 2. Azure PIM Data (via Azure Monitor Logs)
Data Source: "Azure Log Analytics"
Workspace: Your Log Analytics Workspace
Table: PIMAuditLog_CL# 3. Azure AD Sign-In Logs
Data Source: "Azure Log Analytics"
Table: SigninLogsStep 3: Create Calculated Tables
In "Model View", create these calculated tables:
// Create PASS Scoring Configuration Table
PASS_Config = DATATABLE(
"Category", STRING,
"MaxPoints", INTEGER,
"Weight", DOUBLE,
{
{"Authentication", 100, 0.10},
{"Access Control", 150, 0.15},
{"Audit", 200, 0.20},
{"Threat", 150, 0.15},
{"Compliance", 200, 0.20},
{"Governance", 100, 0.10},
{"Policy Config", 100, 0.10}
}
)
// Create Security Indicators Table
Security_Indicators = DATATABLE(
"Indicator", STRING,
"Category", STRING,
"MaxPoints", INTEGER,
"CurrentValue", STRING,
{
{"MFA Enrollment", "Authentication", 30, "92%"},
{"Password Policy", "Authentication", 20, "Enabled"},
{"Conditional Access", "Authentication", 25, "Enabled"},
{"Identity Protection", "Authentication", 15, "Partial"},
{"Account Management", "Authentication", 10, "Quarterly"},
{"JIT Access", "Access Control", 40, "85%"},
{"RBAC", "Access Control", 30, "Enabled"},
{"Separation of Duties", "Access Control", 25, "Enabled"},
{"Time Limits", "Access Control", 30, "Enabled"},
{"Approval Workflows", "Access Control", 25, "Multi-Tier"},
{"Audit Logging", "Audit", 50, "100%"},
{"Log Retention", "Audit", 40, "7 Years"},
{"Log Integrity", "Audit", 35, "Immutable"},
{"Log Monitoring", "Audit", 40, "SIEM"},
{"Log Access", "Audit", 35, "Restricted"},
{"Anomaly Detection", "Threat", 40, "Enabled"},
{"Auto Response", "Threat", 35, "Partial"},
{"Security Monitoring", "Threat", 30, "24/7"},
{"Incident Response", "Threat", 25, "Documented"},
{"Threat Intel", "Threat", 20, "Enabled"},
{"Access Reviews", "Compliance", 50, "Quarterly"},
{"SOC 2", "Compliance", 10, "Compliant"},
{"ISO 27001", "Compliance", 10, "Compliant"},
{"HIPAA", "Compliance", 10, "Compliant"},
{"Evidence Collection", "Compliance", 35, "Automated"},
{"Risk Assessments", "Compliance", 35, "Quarterly"},
{"Vulnerability Mgmt", "Compliance", 20, "Regular"},
{"Third-Party Risk", "Compliance", 20, "Managed"},
{"Policy Docs", "Governance", 30, "Complete"},
{"Training", "Governance", 25, "90%"},
{"Change Mgmt", "Governance", 25, "Documented"},
{"Program Mgmt", "Governance", 20, "Assigned"},
{"Policy Enforcement", "Policy Config", 30, "Auto"},
{"Automation", "Policy Config", 30, "High"},
{"Self-Service", "Policy Config", 20, "Enabled"},
{"Integration", "Policy Config", 20, "Full"}
}
)
Step 4: Create DAX Measures
In "Model View", add these measures to your data model:
// Category 1: Authentication Score
Auth Score =
VAR _MFA = IF([MFA Rate] >= 1.0, 30,
IF([MFA Rate] >= 0.90, 20, 0))
VAR _Pwd = IF([Password Policy] = "Strong", 20,
IF([Password Policy] = "Medium", 10, 0))
VAR _Cond = 25 // Assuming enabled
VAR _Ident = IF([Identity Protection] = "Full", 15, 10)
VAR _Acct = 10 // Assuming quarterly reviews
RETURN _MFA + _Pwd + _Cond + _Ident + _Acct
// Category 2: Access Control Score
Access Control Score =
VAR _JIT = IF([JIT Rate] >= 1.0, 40,
IF([JIT Rate] >= 0.90, 35,
IF([JIT Rate] >= 0.75, 25, 0)))
VAR _RBAC = 30 // Assuming enabled
VAR _SOD = 25 // Assuming enabled
VAR _Time = 30 // Assuming enabled
VAR _Appr = 25 // Assuming multi-tier
RETURN _JIT + _RBAC + _SOD + _Time + _Appr
// Category 3: Audit Score
Audit Score =
VAR _Logging = 50 // Assuming all events logged
VAR _Retention = IF([Retention] >= 7, 40, 20)
VAR _Integrity = IF([Immutable] = TRUE, 35, 0)
VAR _Monitoring = IF([SIEM] = TRUE, 40, 20)
VAR _Access = 35 // Assuming restricted
RETURN _Logging + _Retention + _Integrity + _Monitoring + _Access
// Category 4: Threat Score
Threat Score =
VAR _Anomaly = 40 // Assuming enabled
VAR _Response = IF([Auto Response] = "Full", 35, 15)
VAR _Monitoring = 30 // Assuming 24/7
VAR _Incident = IF([IR Plan] = TRUE, 25, 10)
VAR _Intel = 20 // Assuming enabled
RETURN _Anomaly + _Response + _Monitoring + _Incident + _Intel
// Category 5: Compliance Score
Compliance Score =
VAR _Reviews = IF([Review Rate] >= 0.95, 50, 35)
VAR _SOC2 = 10 // Assuming compliant
VAR _ISO = 10 // Assuming compliant
VAR _HIPAA = 10 // Assuming compliant
VAR _Evidence = 35 // Assuming automated
VAR _Risk = 35 // Assuming quarterly
VAR _Vuln = 15 // Assuming regular
VAR _Third = 20 // Assuming managed
RETURN _Reviews + _SOC2 + _ISO + _HIPAA + _Evidence + _Risk + _Vuln + _Third
// Category 6: Governance Score
Governance Score =
VAR _Policy = 30 // Assuming complete
VAR _Training = IF([Training Rate] >= 0.90, 25, 15)
VAR _Change = 25 // Assuming documented
VAR _Program = 20 // Assuming assigned
RETURN _Policy + _Training + _Change + _Program
// Category 7: Policy Config Score
Policy Config Score =
VAR _Enforce = 30 // Assuming automatic
VAR _Auto = 30 // Assuming high automation
VAR _Self = 20 // Assuming enabled
VAR _Integrate = 20 // Assuming full
RETURN _Enforce + _Auto + _Self + _Integrate
// Overall PASS Score
PASS Score =
[Auth Score] +
[Access Control Score] +
[Audit Score] +
[Threat Score] +
[Compliance Score] +
[Governance Score] +
[Policy Config Score]
// Security Level (with color coding)
Security Level =
SWITCH(
TRUE(),
[PASS Score] >= 900, "Excellent",
[PASS Score] >= 800, "Good",
[PASS Score] >= 700, "Fair",
[PASS Score] >= 600, "Poor",
"Critical"
)
// Progress to Target (800+)
Progress to Target =
DIVIDE([PASS Score], 800, 0) * 100
// Points Needed for "Good" Level
Points to Target =
IF([PASS Score] < 800, 800 - [PASS Score], 0)
// Supporting measures (you need to create these based on your data)
MFA Rate =
DIVIDE(COUNTROWS(FILTER(Users, Users[MFAEnabled] = TRUE)),
COUNTROWS(Users), 0)
JIT Rate =
DIVIDE(COUNTROWS(FILTER(AccessEvents, AccessEvents[JIT] = TRUE)),
COUNTROWS(AccessEvents), 0)
Step 5: Create Visual Dashboard
Now create visuals on your report page:
1. Large PASS Score Card (Center Top)
Visual Type: Card (format as large number)
Field: PASS Score
Format: 0 decimals
Add conditional formatting:
• 900-1000: Green background
• 800-899: Green background
• 700-799: Yellow background
• 600-699: Orange background
• 0-599: Red background
2. Security Level Card (Below Score)
Visual Type: Card
Field: Security Level
Background color based on score value
3. Category Scores (7 cards in a row)
Visual Type: Card
Field: Each category score
Add conditional formatting
4. Score Trend Chart (Right side)
Visual Type: Line Chart
X-Axis: Date (last 90 days)
Y-Axis: PASS Score
5. Category Breakdown (Pie or Donut)
Visual Type: Donut Chart
Values: Category scores
Legend: Category names
Step 6: Add Filtering and Slicers
Add slicers for time filtering:
Visual Type: Slicer
Field: Date
Type: Between (range selector)
Label: "Date Range"
Step 7: Publish and Share
1. Click "Publish" button
2. Select your workspace
3. Wait for processing
4. Open in Power BI Service
5. Pin visuals to a dashboard
6. Share with stakeholders
Use the provided PowerShell script to automate data collection:
# Create PASS scoring script
# File: scripts/reporting/Get-PASSScore.ps1
Import-Module Az.Accounts, Az.Monitor, Az.Resources
# Function to calculate PASS score components
function Calculate-PASSScore {
param(
[hashtable]$ConfigData
)
# Calculate each category score
$scores = @{
Auth = 0
AccessControl = 0
Audit = 0
Threat = 0
Compliance = 0
Governance = 0
PolicyConfig = 0
}
# Authentication Score
if ($ConfigData.MFAEnrollment -ge 100) { $scores.Auth += 30 }
elseif ($ConfigData.MFAEnrollment -ge 90) { $scores.Auth += 20 }
if ($ConfigData.PasswordPolicy -eq "Strong") { $scores.Auth += 20 }
# Add more calculations...
# Return total score
return ($scores.Auth + $scores.AccessControl + $scores.Audit +
$scores.Threat + $scores.Compliance + $scores.Governance +
$scores.PolicyConfig)
}
# Export results to CSV for Power BI
$scoreData = Calculate-PASSScore -ConfigData $envConfig
$scoreData | Export-Csv -Path "PASS-Scores.csv" -NoTypeInformation
Write-Host "PASS Score calculated: $scoreData" -ForegroundColor GreenProblem: "No data showing"
Solution:
1. Check data source connections
2. Verify credentials are correct
3. Check if data sources have data for your time period
4. Look at "Model" view for relationship errors
Problem: "Calculations are wrong"
Solution:
1. Check DAX measure syntax
2. Verify field names match your data
3. Check for NULL values affecting calculations
4. Use "Data" view to inspect actual values
Problem: "Dashboard is slow"
Solution:
1. Limit data range (use date filters)
2. Optimize DAX measures (remove unnecessary calculations)
3. Use aggregation tables instead of calculating on-the-fly
4. Schedule data refresh during off-hours
Problem: "Can't connect to Azure data"
Solution:
1. Verify Azure AD permissions
2. Check network connectivity
3. Use Azure Log Analytics for better performance
4. Consider using Power BI Data Gateway for secure connections
Step 1: Update Scoring Weights
Edit the PASS_Config table to adjust weights:
// If compliance is more important in your org
PASS_Config = DATATABLE(
"Category", STRING, "MaxPoints", INTEGER, "Weight", DOUBLE,
{
{"Authentication", 100, 0.10},
{"Access Control", 150, 0.15},
{"Audit", 200, 0.20},
{"Threat", 150, 0.15},
{"Compliance", 250, 0.25}, // Increased from 200
{"Governance", 100, 0.10},
{"Policy Config", 50, 0.05} // Decreased from 100
}
)
Step 2: Add Custom Indicators
Create custom indicators specific to your organization:
// Example: Add zero-trust specific indicator
ZeroTrust_Score =
VAR _MFA = IF([MFA Rate] >= 1.0, 20, 0)
VAR _JIT = IF([JIT Rate] >= 0.90, 20, 0)
VAR _Monitoring = IF([Monitoring] = "24/7", 20, 0)
RETURN _MFA + _JIT + _Monitoring
Primary Data Sources:
Azure PIM:
- Table: PIMAuditLog_CL
- Fields: UserPrincipalName, Role, Timestamp, Action
- Refresh: Every 15 minutes
Azure AD:
- Table: SigninLogs
- Fields: UserPrincipalName, IPAddress, Location, MFA Required
- Refresh: Every 15 minutes
Azure Monitor:
- Table: SecurityEvents
- Fields: EventType, Severity, Timestamp
- Refresh: Every 15 minutes
Custom Compliance Data:
- Table: ComplianceMetrics (manual or API)
- Fields: Category, Indicator, Score, Status
- Refresh: Daily// Copy these formulas into Power BI measures
// === AUTHENTICATION CATEGORY ===
Auth Score =
VAR _MFAScore = IF([MFA Rate] >= 1.0, 30,
IF([MFA Rate] >= 0.90, 20, 0))
VAR _PwdPolicy = IF([Strong Password Enabled] = TRUE, 20, 0)
VAR _ConditionalAccess = 25
VAR _IdentityProtection = IF([Identity Protection Enabled] = TRUE, 15, 0)
VAR _AccountMgmt = IF([Quarterly Reviews] = TRUE, 10, 0)
RETURN _MFAScore + _PwdPolicy + _ConditionalAccess + _IdentityProtection + _AccountMgmt
MFA Rate =
VAR _TotalUsers = COUNTROWS(Users)
VAR _MFAEnabled = COUNTROWS(FILTER(Users, Users[MFA Enabled] = TRUE))
RETURN DIVIDE(_MFAEnabled, _TotalUsers, 0)
// === ACCESS CONTROL CATEGORY ===
Access Control Score =
VAR _JITScore = IF([JIT Rate] >= 1.0, 40,
IF([JIT Rate] >= 0.90, 35,
IF([JIT Rate] >= 0.75, 25, 0)))
VAR _RBAC = IF([RBAC Configured] = TRUE, 30, 0)
VAR _SOD = IF([SOD Rules] = TRUE, 25, 0)
VAR _TimeLimit = IF([Auto Expiration] = TRUE, 30, 0)
VAR _Approval = IF([Multi Tier Approval] = TRUE, 25, 0)
RETURN _JITScore + _RBAC + _SOD + _TimeLimit + _Approval
JIT Rate =
VAR _TotalAccess = COUNTROWS(AccessRequests)
VAR _JITAccess = COUNTROWS(FILTER(AccessRequests,
AccessRequests[Request Type] = "JIT"))
RETURN DIVIDE(_JITAccess, _TotalAccess, 0)
// === AUDIT CATEGORY ===
Audit Score =
VAR _Logging = IF([All Events Logged] = TRUE, 50, 0)
VAR _Retention = IF([Retention Years] >= 7, 40,
IF([Retention Years] >= 3, 20, 0))
VAR _Integrity = IF([Immutable Logs] = TRUE, 35, 0)
VAR _Monitoring = IF([SIEM Integration] = TRUE, 40, 0)
VAR _Access = IF([Restricted Access] = TRUE, 35, 0)
RETURN _Logging + _Retention + _Integrity + _Monitoring + _Access
// === THREAT DETECTION CATEGORY ===
Threat Score =
VAR _Anomaly = IF([Anomaly Detection] = TRUE, 40, 0)
VAR _Response = IF([Auto Response Level] = "Full", 35,
IF([Auto Response Level] = "Partial", 15, 0))
VAR _Monitoring = IF([24/7 Monitoring] = TRUE, 30, 0)
VAR _Incident = IF([IR Plan Documented] = TRUE, 25, 0)
VAR _Intel = IF([Threat Intel Enabled] = TRUE, 20, 0)
RETURN _Anomaly + _Response + _Monitoring + _Incident + _Intel
// === COMPLIANCE CATEGORY ===
Compliance Score =
VAR _Reviews = IF([Access Review Rate] >= 0.95, 50,
IF([Access Review Rate] >= 0.80, 35, 0))
VAR _SOC2 = IF([SOC2 Compliant] = TRUE, 10, 0)
VAR _ISO = IF([ISO27001 Compliant] = TRUE, 10, 0)
VAR _HIPAA = IF([HIPAA Compliant] = TRUE, 10, 0)
VAR _Evidence = IF([Automated Evidence] = TRUE, 35, 0)
VAR _Risk = IF([Quarterly Risk Assessments] = TRUE, 35, 0)
VAR _Vuln = IF([Regular Scans] = TRUE, 20, 0)
VAR _ThirdParty = IF([Vendor Access Managed] = TRUE, 20, 0)
RETURN _Reviews + _SOC2 + _ISO + _HIPAA + _Evidence + _Risk + _Vuln + _ThirdParty
Access Review Rate =
VAR _TotalReviews = COUNTROWS(Reviews)
VAR _CompletedReviews = COUNTROWS(FILTER(Reviews, Reviews[Status] = "Completed"))
RETURN DIVIDE(_CompletedReviews, _TotalReviews, 0)
// === GOVERNANCE CATEGORY ===
Governance Score =
VAR _Policy = IF([Policies Documented] = TRUE, 30, 0)
VAR _Training = IF([Training Completion Rate] >= 0.90, 25, 0)
VAR _Change = IF([Change Management] = TRUE, 25, 0)
VAR _Program = IF([Program Owner Assigned] = TRUE, 20, 0)
RETURN _Policy + _Training + _Change + _Program
// === POLICY CONFIG CATEGORY ===
Policy Config Score =
VAR _Enforce = IF([Auto Enforcement] = TRUE, 30, 0)
VAR _Auto = IF([Automation Level] = "High", 30,
IF([Automation Level] = "Medium", 15, 0))
VAR _SelfService = IF([Self Service Enabled] = TRUE, 20, 0)
VAR _Integrate = IF([Integration Status] = "Full", 20, 0)
RETURN _Enforce + _Auto + _SelfService + _Integrate
// === OVERALL SCORES ===
PASS Score =
[Auth Score] +
[Access Control Score] +
[Audit Score] +
[Threat Score] +
[Compliance Score] +
[Governance Score] +
[Policy Config Score]
Security Level =
SWITCH(
TRUE(),
[PASS Score] >= 900, "Excellent 🟢",
[PASS Score] >= 800, "Good 🟢",
[PASS Score] >= 700, "Fair 🟡",
[PASS Score] >= 600, "Poor 🟠",
"Critical 🔴"
)
Security Level Number =
SWITCH(
TRUE(),
[PASS Score] >= 900,
1, // Excellent
[PASS Score] >= 800,
2, // Good
[PASS Score] >= 700,
3, // Fair
[PASS Score] >= 600,
4, // Poor
5 // Critical
)
Progress to Target =
DIVIDE([PASS Score], 800, 0) * 100
Points to Target =
IF([PASS Score] < 800, 800 - [PASS Score], 0)
// === TRENDING ===
Previous Period Score =
CALCULATE(
[PASS Score],
DATEADD(DateTable[Date], -30, DAY)
)
Score Change =
[PASS Score] - [Previous Period Score]
Score Change % =
DIVIDE([Score Change], [Previous Period Score], 0)
- Review PASS score weekly
- Investigate any score drops immediately
- Track progress toward improvements
- Address high-impact, low-effort items first
- Focus on critical security gaps
- Balance score improvements with operational needs
- Assign owners for each category
- Set target dates for improvements
- Celebrate score improvements
- Compare against industry standards
- Track year-over-year improvements
- Share progress with stakeholders
- PASS is not a one-time assessment
- Security posture evolves constantly
- Regular reviews ensure sustained improvement
The Privileged Access Security Score (PASS) provides a standardized, actionable metric for evaluating and improving your privileged access security posture. By tracking performance across seven critical security domains, organizations can:
✅ Measure Security Posture - Understand current state with a single number
✅ Identify Gaps - Quickly see which areas need improvement
✅ Prioritize Actions - Focus efforts on high-impact improvements
✅ Track Progress - Monitor improvements over time
✅ Benchmark Performance - Compare against industry standards
✅ Demonstrate Value - Show security improvements to stakeholders
Target Score: Aim for 800+ (Good) as a baseline, with 900+ (Excellent) as a stretch goal.
-
Review Current Score - Access the PASS dashboard to see your current security posture
-
Identify Quick Wins - Focus on high-impact, easy-to-implement improvements
-
Create Improvement Plan - Develop a 90-day roadmap to reach target score
-
Assign Owners - Assign responsibility for each category to team members
-
Monitor Progress - Review weekly and adjust plan as needed
-
Celebrate Success - Recognize improvements and maintain momentum
For Questions or Support:
Email: adrian207@gmail.com
Related Documentation: