Skip to Content

MC382484: Microsoft Secure Score is adding new improvement actions for Salesforce and ServiceNow

We’re updating Microsoft Secure Score improvement actions to ensure a broader coverage of security posture. This update will include new controls for Salesforce and ServiceNow posture as a Microsoft Secure Score improvement action. We will continue to add suggested security improvement actions on an ongoing basis.

MC382484: Microsoft Secure Score is adding new improvement actions for Salesforce and ServiceNow

Please be advised that these new improvements actions will require a Salesforce/ServiceNow configured connector via Defender for Cloud Apps. For more information, please see: Connect Salesforce to Defender for Cloud Apps | Microsoft Docs or Connect ServiceNow to Defender for Cloud Apps | Microsoft Docs.

When this will happen

Preview: will begin rolling out in mid-June and is expected to be complete in late June.

How this will affect your organization

The following improvement actions will be added to Microsoft Secure Score:


  • Require identity verification during multi-factor authentication (MFA) registration
  • Lock sessions to the domain in which they were first used
  • Let users verify their identity by text (SMS)
  • Enable clickjack protection for Setup pages
  • Enable clickjack protection for non-Setup for Salesforce pages
  • Enable clickjack protection for customer VisualForce pages with standard headers
  • Enable clickjack protection for customer VisualForce pages with headers disabled
  • Enable CSRF protection on GET requests on non-setup pages
  • Enable CSRF protection on POST requests on non-setup pages
  • Require HttpOnly attribute
  • Maximum invalid login attempts
  • Require a minimum 1 day password lifetime
  • Force (admin) relogin after Login-As-User
  • Enforce login IP ranges on every request
  • Enable Content Security Policy protection for email templates
  • Enable XSS protection
  • Enable Content Sniffing protection
  • Disable Administrators Can Log In As Any User
  • Enforce password history
  • Minimum password length
  • User passwords expire in 90 days or less
  • Password complexity requirement
  • Obscure secret answer for password resets
  • Force logout on session timeout
  • Require identity verification for change of email address
  • Password question requirement to not contain password
  • Session timeout
  • Lockout effective period
  • Disable Caching and Autocomplete on Login Page via Session settings


  • Enable high security plugin
  • Enable enforcing JSONv2 requests with basic authorization
  • Enable enforcing SOAP requests with basic authorization
  • Enable Contextual Security: Role Management plugin
  • Enable default deny with new ACL rules
  • Apply access control rule (ACL) validation when server-side records are accessed using GlideAjax APIs within a client script
  • Activate the Explicit Role plugin
  • Set client-callable script includes to private
  • Enable script request authorization
  • Activate security jump start (ACL rules) plugin
  • Enable SOAP content type checking
  • Enable unload request authorization
  • Set default cache-control HTTP header value to private
  • Set default cache-control HTTP header value to private
  • Enable absolute session timeout
  • Enable anti-CSRF token
  • Disable password-less authentication
  • Enable multi-factor authentication
  • Enable Password Reset Policy Checks
  • Enable managing failed login attempts
  • Enable session activity timeout
  • Enable client generated scripts sandbox
  • Enable SOAP request strict security

What you need to do to prepare

To prepare for this change, you are required to connect your Microsoft Defender for Cloud Apps to your Salesforce/ServiceNow (for more information, please see Connect Salesforce or Connect ServiceNow). Microsoft recommends reviewing the improvement actions listed in Microsoft Secure Score.

Message ID: MC382484
Published: 20 May 2022
Updated: 20 May 2022

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook

    Ads Blocker Image Powered by Code Help Pro

    Your Support Matters...

    We run an independent site that is committed to delivering valuable content, but it comes with its challenges. Many of our readers use ad blockers, causing our advertising revenue to decline. Unlike some websites, we have not implemented paywalls to restrict access. Your support can make a significant difference. If you find this website useful and choose to support us, it would greatly secure our future. We appreciate your help. If you are currently using an ad blocker, please consider disabling it for our site. Thank you for your understanding and support.