- The Microsoft Secure Score evaluates the security posture of the M365 tenant on a point scale and compares it with similar organizations.
- The four categories Identity, Data, Device, and Apps cover different security areas. The most points can typically be gained in the Identity category.
- Not every recommendation is feasible or sensible. The key is deliberate prioritization by security impact, effort, and business feasibility.
- A realistic target for mid-market companies is 65–80 percent. 100 percent is neither realistic nor necessary.
- The Secure Score is well suited as a KPI in the ISMS for the management review and continuous improvement per ISO 27001.
What Is the Microsoft Secure Score?
The Microsoft Secure Score is a dashboard in the Microsoft 365 Security Center (security.microsoft.com) that evaluates the security posture of your M365 tenant on a point scale. Every security recommendation you implement earns points. The score is displayed as a percentage of the maximum achievable points.
The concept is simple: Microsoft analyzes your tenant's configuration, compares it against recommended best practices, and calculates a score. The more recommendations you implement, the higher the score, and the better the security posture. Additionally, the dashboard shows how your score compares to similar organizations (same industry, same company size, same licensing).
But the Secure Score is not a silver bullet and not a complete security audit. It only evaluates the configuration of Microsoft 365 services, not the overall IT security of your organization. A Secure Score of 80 percent says nothing about the security of your on-premises infrastructure, your third-party applications, or your organizational security processes. Nevertheless, it is the best available tool for measuring and systematically improving the security posture of the M365 environment.
The Four Categories
The Secure Score organizes recommendations into four categories covering different security areas:
Identity
The Identity category evaluates the configuration of Entra ID and authentication security:
Typical recommendations:
- Enable MFA for all users (high score)
- Enable MFA for administrative roles (high score)
- Block legacy authentication (high score)
- Set up Conditional Access policies
- Enable Privileged Identity Management (PIM)
- Configure Password Protection (banned password list for weak passwords)
- Enable Self-Service Password Reset
- Enable Sign-in Risk Policy
- Enable User Risk Policy
- Enable Passwordless Authentication
The Identity category typically offers the most points and the measures with the greatest security impact. MFA alone can account for 20–30 percent of the total score. If you can only prioritize one category, start here.
Data
The Data category evaluates the protection of data in Exchange Online, SharePoint, OneDrive, and Teams:
Typical recommendations:
- Enable DLP policies
- Set up Sensitivity Labels
- Configure retention policies
- Restrict external sharing in SharePoint
- Enable Audit Log
- Configure Information Barriers (if needed)
- Enable Customer Lockbox (E5)
The Data category contains many recommendations that require an organizational process (e.g., a classification scheme for Sensitivity Labels). Implementation therefore often takes longer than the Identity category.
Device
The Device category evaluates endpoint protection through Microsoft Intune and Defender for Endpoint:
Typical recommendations:
- Onboard Defender for Endpoint
- Configure device compliance policies
- Enable Attack Surface Reduction (ASR) rules
- Enforce BitLocker encryption
- Configure firewall policies
- Enable Windows Hello for Business
- Configure Microsoft Defender Antivirus
The Device category requires Intune enrollment and Defender for Endpoint. If you do not use these services, the Device category will score low—and that is fine, as long as you have alternative solutions for endpoint protection.
Apps
The Apps category evaluates the configuration of email security (Defender for Office 365) and cloud app security:
Typical recommendations:
- Enable Safe Links
- Enable Safe Attachments
- Configure anti-phishing policies
- Enable Zero-Hour Auto Purge (ZAP)
- Restrict user consent for apps
- Configure Defender for Cloud Apps (E5)
The Apps category overlaps significantly with email security configuration. If you have implemented the recommendations from the article on Exchange Online, your Apps score will already be significantly higher.
Prioritizing Recommendations
The Secure Score often lists 50 to 100 recommendations. The temptation to tackle them all at once leads to overwhelm and stagnation. Instead, you need a prioritization method that considers security impact, effort, and business feasibility.
Prioritization Using the Impact-Effort Matrix
Assign each recommendation to one of four categories:
Quick wins (high impact, low effort): Implement immediately. Typical examples:
- Enable MFA for admins (5 minutes of configuration, massive security improvement)
- Enable Audit Log (1 click)
- Enable Self-Service Password Reset
- Enable First Contact Safety Tip
Strategic projects (high impact, high effort): Plan and implement in sprints. Typical examples:
- Roll out MFA for all users (registration campaign, communication, support)
- Build a Conditional Access framework
- Introduce Sensitivity Labels and classification scheme
- Intune enrollment and device compliance
Low-hanging fruit (low impact, low effort): Implement when convenient. Typical examples:
- Disable password expiration (Microsoft no longer recommends forced password changes)
- Restrict default user permissions
- Enable Safe Attachments for SharePoint
Effort monsters (low impact, high effort): Deliberately defer or mark as "Risk accepted." Typical examples:
- Information Barriers (only relevant for regulatory requirements)
- Customer Lockbox (only useful with E5 and highly sensitive data)
- All recommendations that require a license you do not have and do not need
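As an added example (not code from the original article), here is how the four quadrants can be derived mechanically from the data that the Microsoft Graph `secureScoreControlProfiles` resource exposes per recommendation; the record shape, the 5-point impact threshold and every sample name and value are assumptions, not real tenant data.

```python
"""Sort Secure Score recommendations into the article's impact-effort matrix.
Added example, not code from the original article. It assumes records shaped like
the Microsoft Graph `secureScoreControlProfiles` resource (`controlName`, `maxScore`,
`implementationCost`, `deprecated`); names and point values below are constructed."""
from collections import defaultdict

# Assumed threshold: a control worth at least this many points counts as high impact.
HIGH_IMPACT_POINTS = 5
QUADRANT_ORDER = ["quick wins", "strategic projects", "low-hanging fruit", "effort monsters"]

# Constructed sample records in the secureScoreControlProfiles shape (not a real tenant).
SAMPLE_PROFILES = [
    {"controlName": "Require MFA for administrative roles", "maxScore": 10, "implementationCost": "Low"},
    {"controlName": "Require MFA for all users", "maxScore": 9, "implementationCost": "High"},
    {"controlName": "Block legacy authentication", "maxScore": 8, "implementationCost": "Low"},
    {"controlName": "Create Conditional Access policies", "maxScore": 7, "implementationCost": "Moderate"},
    {"controlName": "Disable password expiration", "maxScore": 1, "implementationCost": "Low"},
    {"controlName": "Enable Safe Attachments for SharePoint", "maxScore": 1, "implementationCost": "Low"},
    {"controlName": "Configure Information Barriers", "maxScore": 2, "implementationCost": "High"},
    {"controlName": "Enable Customer Lockbox", "maxScore": 1, "implementationCost": "High"},
    {"controlName": "Retired control", "maxScore": 3, "implementationCost": "Low", "deprecated": True},
]

def quadrant(profile, high_impact_points=HIGH_IMPACT_POINTS):
    """Impact comes from the achievable points, effort from Graph's implementationCost."""
    high_impact = profile.get("maxScore", 0) >= high_impact_points
    low_effort = profile.get("implementationCost") == "Low"
    if high_impact and low_effort:
        return "quick wins"            # implement immediately
    if high_impact:
        return "strategic projects"    # plan and implement in sprints
    # low impact: do it when convenient, or defer / mark "Risk accepted"
    return "low-hanging fruit" if low_effort else "effort monsters"

def build_matrix(profiles, high_impact_points=HIGH_IMPACT_POINTS):
    """Return {quadrant: [controlName, ...]} with the most points first in each quadrant."""
    buckets = defaultdict(list)
    for p in profiles:
        if p.get("deprecated"):        # retired controls no longer earn points
            continue
        buckets[quadrant(p, high_impact_points)].append(p)
    return {q: [p["controlName"] for p in sorted(buckets[q], key=lambda p: (-p["maxScore"], p["controlName"]))]
            for q in QUADRANT_ORDER if buckets[q]}

def work_order(profiles):
    """Flat to-do list for the sprint plan: quick wins first, effort monsters last."""
    matrix = build_matrix(profiles)
    return [name for q in QUADRANT_ORDER for name in matrix.get(q, [])]
```

Feeding the real `secureScoreControlProfiles` response of a tenant into `build_matrix` gives a first draft of the matrix; the threshold and the "Low" cost check are the knobs to adjust to your own sense of effort.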
Handling Non-Actionable Recommendations
Not every recommendation is sensible or feasible for every organization. Besides Completed, the Secure Score offers three status options for recommendations you cannot or choose not to implement yet:
Completed: The recommendation is implemented. Score increases.
Resolved through third party: The recommendation is covered by a third-party solution (e.g., endpoint protection via CrowdStrike instead of Defender for Endpoint). The score increases because Microsoft accepts that the requirement is met, just not with the Microsoft product. Use this status honestly and only when the third-party solution provides equivalent protection.
Risk accepted: You have evaluated the recommendation and consciously decided to accept the risk. The score does not increase, but the recommendation disappears from the open list. Document the justification for risk acceptance in the ISMS.
Planned: The recommendation is planned but not yet implemented. The score does not increase, but you can track planned measures.
Realistic Target Values
A common mistake: management sees the Secure Score and demands 100 percent. This is neither realistic nor necessary, for several reasons.
Why 100 percent is unrealistic:
- Some recommendations require E5 licenses you do not have and whose cost does not justify the security gain
- Some recommendations do not fit your business model (e.g., "Block all external sharing" when you collaborate with external partners)
- Some recommendations partially conflict with each other (e.g., maximum restriction vs. business flexibility)
- Microsoft regularly changes recommendations, causing your score to fluctuate without any changes on your part
Realistic target values by company size and license:
| License | Realistic target | Good value |
|---|---|---|
| Business Basic/Standard | 40–55% | 55%+ |
| Business Premium | 55–70% | 70%+ |
| E3 | 60–75% | 75%+ |
| E5 | 70–85% | 80%+ |
These values account for the fact that higher licenses unlock more implementable recommendations and the maximum score increases with the license.
Recommendation: Set the target 10–15 percentage points above your current score and increase quarterly as you reach it. This creates a continuous improvement process without setting unrealistic expectations.
The Secure Score as a KPI in the ISMS
The Secure Score is excellently suited as a KPI (Key Performance Indicator) in the ISMS because it meets several ISO 27001 requirements:
Requirement 9.1: Monitoring, Measurement, Analysis, and Evaluation
ISO 27001 requires the organization to measure and evaluate the effectiveness of the ISMS. The Secure Score is an automated, objective measurement of the M365 environment's security posture that requires no manual effort to collect.
Requirement 9.3: Management Review
In the management review, executive management must be informed about the state of the ISMS. The Secure Score provides an understandable metric that even non-technical stakeholders grasp: "Our M365 security score is at 72 percent and has improved by 8 percentage points since the last review."
Requirement 10.1: Continuous Improvement
The Secure Score visualizes the improvement trajectory over time. If the score increases quarterly, continuous improvement is documented. If it stagnates or declines, that is a signal that action is needed.
Integration into ISMS Reporting
Quarterly:
- Document current Secure Score
- Change compared to the previous quarter
- Recommendations implemented since the last review
- Planned recommendations for the next quarter
- "Risk accepted" recommendations with justification
Annually (management review):
- Year-over-year Secure Score comparison
- Comparison with industry average (available in the Secure Score dashboard)
- Category analysis (which category improved the most, which stagnated?)
- Resource requirements for further improvements (licenses, staff time, external support)
The Score Fluctuates Without Me Changing Anything
A common frustration: the Secure Score suddenly drops by several points even though you have not changed the configuration. This happens for several reasons:
New recommendations: Microsoft regularly adds new recommendations. Each new recommendation increases the maximum achievable score, which lowers your percentage score even if your absolute point total remains the same.
Changed scoring: Microsoft can change the point value of existing recommendations (e.g., upgrading a recommendation from 5 to 10 points because the threat landscape has changed).
Configuration changes by other admins: If another admin changes a security setting (e.g., disables a Conditional Access policy), the score drops.
License changes: When users gain or lose licenses, the available recommendations and their point values can change.
Handling score fluctuations:
- Track the score over time and react only to trends, not daily fluctuations
- Set up Alert Policies to notify you when the score drops by more than 5 points
- When the score drops, first check whether new recommendations were added (no action needed) or an existing configuration was changed (action needed)
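An added example, not from the original article, that applies the last rule above to two snapshots shaped like the Microsoft Graph `secureScores` resource: it tells a rise in the maximum (new recommendations, no action) apart from a control that actually lost points (action needed). The snapshot shape, the control names and all numbers are constructed assumptions.

```python
"""Triage a Secure Score drop: new recommendations or a real regression?
Added example, not code from the original article. It assumes two snapshots
shaped like the Microsoft Graph `secureScores` resource (`currentScore`,
`maxScore`, `controlScores[]` with `controlName`/`score`); all numbers are constructed."""

# Constructed baseline snapshot (last quarter) in the secureScores shape.
LAST_QUARTER = {
    "currentScore": 180.0, "maxScore": 300.0,
    "controlScores": [
        {"controlName": "MFA for admins", "score": 10.0},
        {"controlName": "Block legacy authentication", "score": 8.0},
        {"controlName": "Conditional Access baseline", "score": 7.0},
        {"controlName": "Unified audit log", "score": 1.0},
    ],
}
# Case A: Microsoft added a 15-point recommendation; the tenant itself is unchanged.
TODAY_NEW_CONTROLS = {**LAST_QUARTER, "maxScore": 315.0,
    "controlScores": LAST_QUARTER["controlScores"]
    + [{"controlName": "New Microsoft recommendation", "score": 0.0}]}
# Case B: another admin disabled the Conditional Access baseline (7 points lost).
TODAY_REGRESSION = {**LAST_QUARTER, "currentScore": 173.0,
    "controlScores": [dict(c, score=0.0) if c["controlName"] == "Conditional Access baseline" else c
                      for c in LAST_QUARTER["controlScores"]]}

def percentage(snapshot):
    """Score as the dashboard shows it: achieved points as a share of the maximum."""
    return round(100.0 * snapshot["currentScore"] / snapshot["maxScore"], 1)

def triage(previous, current, alert_points=5.0):
    """Article's rule: new recommendations -> no action; changed configuration -> action."""
    prev = {c["controlName"]: c["score"] for c in previous["controlScores"]}
    curr = {c["controlName"]: c["score"] for c in current["controlScores"]}
    regressed = sorted(n for n in prev if n in curr and curr[n] < prev[n])
    point_delta = current["currentScore"] - previous["currentScore"]
    if regressed:
        verdict = "action needed: configuration regressed"
    elif current["maxScore"] > previous["maxScore"] and point_delta >= 0:
        verdict = "no action: new recommendations raised the maximum"
    elif point_delta < 0:
        verdict = "action needed: points lost without a control change (check licenses)"
    else:
        verdict = "no change"
    return {"verdict": verdict,
            "percent_delta": round(percentage(current) - percentage(previous), 1),
            "point_delta": point_delta,
            "regressed_controls": regressed,
            "new_controls": sorted(set(curr) - set(prev)),
            # assumed: the article's "more than 5 points" alert means absolute points
            "alert": point_delta < -alert_points}
```

Case A shows the percentage falling by almost three points with zero points lost, which is exactly the situation the trend-not-daily-fluctuation advice is about; case B names the control to investigate.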
Secure Score vs. Other Security Scores
Microsoft offers several assessments beyond the Secure Score that cover different aspects:
Microsoft Secure Score (security.microsoft.com):
- Evaluates the M365 configuration (Identity, Data, Device, Apps)
- Data source: M365 tenant configuration
Defender for Cloud Secure Score (portal.azure.com):
- Evaluates Azure infrastructure security
- Data source: Azure resource configuration
- Not to be confused with the M365 Secure Score
Exposure Score (Defender for Endpoint):
- Evaluates the attack surface of endpoints
- Data source: Endpoint telemetry (vulnerabilities, configuration)
Identity Secure Score (Entra ID):
- Subset of the Microsoft Secure Score focused on identity security
- Useful for a more detailed analysis of the Identity category
For the ISMS, it is recommended to use the Microsoft Secure Score as the primary KPI for the M365 environment and, if needed, supplement it with the Defender for Cloud Secure Score for Azure workloads. More than two score KPIs are too many for most mid-market companies and dilute the informational value.
Step by Step: Improving the Secure Score in 90 Days
Here is a concrete 90-day plan to improve the Secure Score of a typical mid-market company with a Business Premium license by 15–25 percentage points:
Weeks 1–2: Assessment and Quick Wins
- Open Secure Score in the Security Center and document the current status
- Sort all recommendations by score value
- Identify quick wins and implement immediately:
  - Enable Audit Log
  - MFA for admins (if not already active)
  - Enable Self-Service Password Reset
  - Enable First Contact Safety Tip
  - Enable Safe Attachments for SharePoint
- Mark recommendations you deliberately do not want to implement as "Risk accepted" or "Resolved through third party"
Weeks 3–6: Identity Category
- Launch MFA registration campaign
- Create Conditional Access policies (Report-Only)
- Block legacy authentication (Report-Only, then On)
- Enable MFA for all users
- Configure Password Protection
Weeks 7–10: Apps and Data Categories
- Configure anti-phishing policies
- Enable Safe Links and Safe Attachments
- Create External Sender Warning as mail flow rule
- Block auto-forwards
- Create DLP policies in test mode
- Restrict external sharing
Weeks 11–12: Review and Planning
- Document current Secure Score and calculate improvement
- Prioritize remaining recommendations
- Create plan for the next quarter
- Prepare results for management review
Expected Result
With consistent implementation, the Secure Score of a typical Business Premium tenant rises from approximately 35–45 percent (baseline without targeted hardening) to 55–70 percent. The biggest jumps come from MFA (10–15 points), Conditional Access (5–10 points), and email security (5–10 points).
Secure Score and Compliance Frameworks
The Secure Score is not just a technical tool but can be directly linked to compliance requirements. In the Microsoft 365 Compliance Center, there is a separate Compliance Manager dashboard that links the Secure Score with regulatory frameworks: ISO 27001, NIST 800-53, BSI IT-Grundschutz, and more.
Linking to ISO 27001
Many Secure Score recommendations can be directly mapped to ISO 27001 controls:
| Secure Score Recommendation | ISO 27001 Control |
|---|---|
| MFA for all users | A.8.5 (Secure authentication) |
| Conditional Access | A.5.15 (Access control) |
| DLP policies | A.8.12 (Data Leakage Prevention) |
| Audit Log | A.8.15 (Logging) |
| Safe Links/Attachments | A.8.7 (Protection against malware) |
| Device compliance | A.8.1 (User endpoint devices) |
| Restrict admin roles | A.8.2 (Privileged access rights) |
| Retention Policies | A.5.33 (Protection of records) |
This mapping helps with ISMS documentation: every implemented Secure Score recommendation is simultaneously a technical and organizational measure (TOM) that you can reference in the Statement of Applicability. In ISMS Lite, the Secure Score can be tracked as a KPI for the management review, and improvement measures can be directly linked to ISO 27001 controls.
Reporting for Executive Management
Executive management does not need technical details but a comprehensible summary. The Secure Score is excellent for management reporting because it is complex enough to be meaningful but simple enough to fit on a single slide.
A proven format for quarterly reporting:
- Metric: Current Secure Score (e.g., 72 percent)
- Trend: Change from the previous quarter (e.g., +8 points)
- Comparison: Position in industry benchmarking (e.g., top 30 percent)
- Implemented measures: 3–5 measures since the last review
- Planned measures: 3–5 measures for the next quarter
- Resource requirements: Estimated effort and any license needs
This format fits on a single page and gives executive management exactly the information they need: Where do we stand? Where are we heading? What do we need to get there?
Common Mistakes
Score chasing instead of risk orientation: The Secure Score is an indicator, not an end in itself. Implement measures because they increase the security level, not because they earn the most points. Sometimes a 2-point measure is more security-relevant than a 10-point measure.
Blindly implementing all recommendations: Not every recommendation fits your organization. Evaluate each recommendation in the context of your organization before implementing it. A recommendation that hinders your business model is counterproductive, regardless of how many points it yields.
Ramping up the score once and then forgetting it: The Secure Score is a living instrument that requires regular maintenance. New recommendations are added, configurations change, threats evolve. Schedule a quarterly review.
Only looking at the percentage score: The percentage score can decline even as you implement measures (because Microsoft adds new recommendations). Additionally track the absolute point total and the number of open recommendations.
Not communicating the score: The Secure Score is an excellent communication tool for executive management. Use it to present the security posture in understandable terms and justify resources for further improvements.
