In Microsoft 365 Defender, Microsoft Secure Score assesses and measures your organization’s security posture, or how well you’re protected from threats, and then provides intelligent guidance and prioritized actions to strengthen your posture and improve your score.
In this guide, we will walk you through how to get started with Microsoft Secure Score.
Introduction
Microsoft Secure Score is a security analytics tool provided by Microsoft that measures the security posture of an organization’s Microsoft 365 environment. It provides a score between 0 and 100, based on the organization’s implementation of recommended security best practices and configuration settings in Microsoft 365.
Now, if you have some experience with Microsoft Azure, you will come across Azure Secure Score. So, you may be wondering: what is the difference between Microsoft Secure Score and Azure Secure Score?
Microsoft Secure Score is a security analytics tool that provides an overall security score for an organization’s Microsoft 365 environment. It evaluates an organization’s security posture based on various factors, such as the configuration of security features, identity and access management, device management, and data protection. The tool provides recommendations to improve the overall security score and allows organizations to track their progress over time.
On the other hand, Azure Secure Score as part of Microsoft Defender for Cloud is a security measurement tool specifically designed for Microsoft Azure. It assesses an organization’s security posture in Azure by evaluating factors such as identity and access management, network security, data protection, and security monitoring. Like Microsoft Secure Score, it provides a score and recommendations for improvement.

Get Started With Microsoft Secure Score
On the Microsoft Secure Score dashboard, you can monitor and improve your score, as you can see below in big, bold letters.
A higher number means that you’ve taken more improvement actions. The numbers below indicate how many points you’ve achieved of the total possible.
These don’t indicate the likelihood of a breach; instead, they offer a good indication of how much you’ve offset the risk by acting on recommendations.

Below your score is a chart that illustrates it over the last 90 days. It’s a visual way to quickly tell if you’re improving or regressing.
Below that is yet another chart that shows the points you’ve racked up versus the points you can still gain by taking recommended actions in specific categories.

To get a high-level picture of the scope, the “Actions to review” section lists the number of recommendations that have recently lost points or regressed, and the number of improvements remaining for you to act on, plus other interesting data points.
There is also a short list of the top improvement actions you can take, known as quick wins. These are the prioritized top recommendations that will give your score the biggest bump once you adopt them.

To see a full list of improvements, you go to the “Recommended actions” tab. For each, you get detail about the Score impact, Points achieved, Status, Regressed, and more.
By default, Microsoft sorts this list by Score impact, prioritizing the most impactful changes at the top, but you can group the improvements by category, status, license, and product, and you can also filter the list on the same values plus a few others. Doing so can help you focus your effort on specific categories, products, etc.

You can select any improvement action to get more information in the details side pane as shown in the figure below. You’ll find a description of the action, its status, and the number of points gained. Over on the “Exposed entities” tab, you see a list of the entities, like endpoints, that the improvement action will impact.
To easily share this list, you can export it to a .csv file, or you can share the recommendation by copying a link to it, mailing it, posting it to a Microsoft Teams channel, or creating a card in Microsoft Planner.

You can select “Manage in Microsoft 365 Defender” to open threat and vulnerability management and take action. From there, you can request remediation in Microsoft Intune (formerly known as Microsoft Endpoint Manager) or create an exception for it, for example because you use a third-party product or because you simply accept the risk, which we don’t recommend.

By the way, after making a configuration change, don’t go looking for an instant bump to your secure score. It takes about 24 hours for the score to update.
Recommended actions for other products provide different options: you can open and change the recommended settings, update their statuses to indicate that you have firm plans to implement them, accept the risk without implementing the recommended actions, and so on.
Some statuses, like Risk accepted, require notes, so you need to document the reason for the status in the “Action plan” space.

Improving Microsoft Secure Score
Once you’ve created an action plan for improving your secure score, you can go back to the “Overview” tab and select “Include” to show the projected score of your planned actions. This helps with progress tracking and with reporting to leadership and to your chief information security officer (CISO).
You can also show the score possible with your current license and the achievable score with your current license and risk acceptance.

The dashboard on the “Overview” tab shows the most recent changes to your secure score, but the “History” tab shows 90 days of it.
The chart at the top helps you visualize changes to your score over time. And below that is a table listing all the activities. Like before, you can select an item to open the details side pane and filter or group the list to focus your effort.

Back at the “Overview” dashboard, the “Comparison” section shows how your secure score compares to other organizations like yours. But you can get far more detailed information on the “Metrics & trends” tab.
The “Comparison trend” shows that same comparison but in a nice chart over a period. The default is 90 days. The “Score changes” section shows the total change in points gained or lost over that same period, and the “Regression trend” chart shows points you’ve lost due to configuration, user, or device changes.

And last, at the bottom of the page, you see a timeline of the risks you’ve accepted by points. It’s a good idea to check in on these key performance indicators (KPIs) from time to time, to understand how your security posture has evolved.
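
The regression tracking described above can also be reproduced offline on exported score data. The following is an added example, not from the original post: it assumes daily snapshots shaped like the Microsoft Graph `secureScore` resource (`currentScore`, `maxScore`, `controlScores`), which this page does not cover, and the control names and point values are constructed sample data.

```python
import json

# Constructed sample: two daily snapshots shaped like Microsoft Graph
# secureScore objects. Control names and values are made up for illustration.
SNAPSHOTS = json.loads("""
[
  {"createdDateTime": "2024-03-01T00:00:00Z", "currentScore": 26.0, "maxScore": 50.0,
   "controlScores": [
     {"controlName": "AdminMFA", "controlCategory": "Identity", "score": 10.0},
     {"controlName": "BlockLegacyAuth", "controlCategory": "Identity", "score": 7.0},
     {"controlName": "UserMFA", "controlCategory": "Identity", "score": 9.0}]},
  {"createdDateTime": "2024-03-02T00:00:00Z", "currentScore": 21.5, "maxScore": 50.0,
   "controlScores": [
     {"controlName": "AdminMFA", "controlCategory": "Identity", "score": 10.0},
     {"controlName": "BlockLegacyAuth", "controlCategory": "Identity", "score": 0.0},
     {"controlName": "UserMFA", "controlCategory": "Identity", "score": 4.5},
     {"controlName": "DLPPolicy", "controlCategory": "Data", "score": 7.0}]}
]
""")


def percent(snapshot):
    """Points achieved as a percentage of the total possible."""
    if not snapshot["maxScore"]:
        return 0.0
    return round(100.0 * snapshot["currentScore"] / snapshot["maxScore"], 1)


def control_points(snapshot):
    """Map control name -> points achieved (missing score counts as 0)."""
    return {c["controlName"]: float(c.get("score") or 0.0)
            for c in snapshot["controlScores"]}


def regressions(snapshots):
    """Compare the two most recent snapshots and return (control, delta)
    for every control that lost points, largest loss first. A control that
    disappears from the newer snapshot is treated as having 0 points."""
    ordered = sorted(snapshots, key=lambda s: s["createdDateTime"])
    if len(ordered) < 2:
        return []
    old, new = control_points(ordered[-2]), control_points(ordered[-1])
    lost = [(name, round(new.get(name, 0.0) - pts, 2))
            for name, pts in old.items() if new.get(name, 0.0) < pts]
    return sorted(lost, key=lambda item: item[1])


if __name__ == "__main__":
    for snap in SNAPSHOTS:
        print(snap["createdDateTime"], f"{percent(snap)}%")
    for name, delta in regressions(SNAPSHOTS):
        print(f"REGRESSED {name}: {delta} points")
```

Note that a newly added control (here `DLPPolicy`) can mask part of a drop in the total, which is why the comparison is done per control rather than on the overall score.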

Secure Score in Azure Active Directory
Microsoft Secure Score has also updated recommended actions to support security defaults in Azure Active Directory, which make it easier to protect your organization with pre-configured security settings against common attacks.
If your tenant was created on or after October 22, 2019, security defaults in Azure AD are enabled by default in your tenant. You’ll be awarded full points for the following recommended actions:
- Ensure all users can complete multi-factor authentication for secure access (9 points).
- Require MFA for administrative roles (10 points).
- Enable policy to block legacy authentication (7 points).
Security defaults include security features that provide similar security to the “sign-in risk policy” and “user risk policy” recommended actions. So, instead of setting up these policies on top of the security defaults, Microsoft recommends that you update their statuses to “Resolved through alternative mitigation”.
Summary
In Microsoft 365 Defender, Microsoft Secure Score helps you to understand your security posture and how to improve it.
The Secure Score tool provides you with a way to track security progress over time and compare your score to other organizations in the same industry or with a similar number of users.
Overall, Microsoft Secure Score is a useful tool for organizations to assess their security posture, identify areas for improvement, and track their progress toward achieving a more secure Microsoft 365 environment.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.
-Charbel Nemnom-