Explore Microsoft Secure Score

Microsoft Secure Score is a measurement of an organization's security posture. The more improvement actions taken, the higher the score. Organizations that implement the Secure Score recommendations can better protect themselves from threats. From a centralized dashboard in the Microsoft 365 Security Center, organizations can monitor and work on the security of their Microsoft 365 identities, data, apps, devices, and infrastructure.

Microsoft Secure Score helps organizations:

  • Report on the current state of their security posture.
  • Improve their security posture by providing discoverability, visibility, guidance, and control.
  • Compare with benchmarks and establish key performance indicators (KPIs).

By implementing Microsoft Secure Score, organizations gain access to features such as:

  • Robust visualizations of metrics and trends
  • Integration with other Microsoft products
  • Score comparison with similar organizations

The score can also reflect when third-party solutions address recommended actions.

Important

Microsoft Secure Score is a numerical summary of your security posture based on system configurations, user behavior, and other security-related measurements. It's not an absolute measurement of how likely a breach of your system or data is. Rather, it represents the extent to which you have adopted security controls in your Microsoft 365 environment that can help offset the risk of an attacker breaching your system. No online service is immune from security breaches. Organizations shouldn't interpret Secure Score as a guarantee against security breaches in any manner.

The Microsoft Secure Score dashboard is available directly from the Microsoft Defender portal, as seen in the following image.

Screenshot of the Microsoft Secure Score home page in the Microsoft Defender console.

How Microsoft Secure Score works

You're given points for the following actions:

  • Configuring recommended security features
  • Doing security-related tasks
  • Addressing the recommended action with a third-party application or software, or an alternate mitigation

Some recommended actions only give points when fully completed. Some give partial points if the organization completes them for some devices or users. If you can't or don't want to enact one of the recommended actions, you can choose to accept the risk or remaining risk.

If you have a license for one of the supported Microsoft products, then the Secure Score dashboard displays recommendations for those products. The dashboard displays the full set of possible recommendations for a product, regardless of license edition, subscription, or plan. This way, you can understand security best practices and improve your score. Your absolute security posture, represented by Secure Score, stays the same no matter what licenses your organization owns for a specific product. Keep in mind that you should balance security with usability, and not every recommendation can work for your environment.

Secure Score updates an organization's score in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.

Note

For Microsoft Teams-related recommendations, the recommendation state gets updated when changes occur in the configuration state. Otherwise, the recommendation state gets refreshed once a month.

Each recommended action is worth 10 points or less, and most get scored in a binary fashion. If you implement the recommended action, such as creating a new policy or turning on a specific setting, you get 100% of the points. For other recommended actions, Secure Score calculates points as a percentage of the total configuration.

For example, an action assigns 10 points if you protect all your users with multifactor authentication. Let's say your organization has 100 users. If 50 of the 100 users have MFA enabled, you get a partial score of five points (50 protected / 100 total × 10 maximum points = 5 points).
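The scoring rules above (binary actions, proportional actions, full credit for actions resolved through a third party or alternate mitigation, and accepting the risk) can be modelled in a few lines. The following Python is an added illustration, not code from Microsoft or the Secure Score service. It reproduces the page's MFA example (10 points, 50 of 100 users protected) and uses the point values the page gives for the three security-defaults actions; the two risk-policy actions, their 5-point values, the `Status` names, and the rule that a risk-accepted action earns no points are assumptions for the example, as is the choice to keep risk-accepted actions in the achievable total.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Status(Enum):
    """How an organization has handled a recommended action (names assumed)."""
    TO_ADDRESS = "to address"                                # nothing done yet
    COMPLETED = "completed"                                  # fully configured in Microsoft 365
    THIRD_PARTY = "resolved through third party"             # covered by non-Microsoft software
    ALTERNATE = "resolved through alternative mitigation"    # covered some other way
    RISK_ACCEPTED = "risk accepted"                          # chose not to enact the action


@dataclass
class Action:
    name: str
    max_points: int                 # each action is worth 10 points or less
    status: Status = Status.TO_ADDRESS
    covered: Optional[int] = None   # proportional actions: objects already protected
    total: Optional[int] = None     # proportional actions: objects in scope


def action_points(a: Action) -> float:
    """Points earned for one action under the rules described on the page."""
    if a.status == Status.RISK_ACCEPTED:
        # assumption: accepting the risk earns no points for the action
        return 0.0
    if a.status in (Status.COMPLETED, Status.THIRD_PARTY, Status.ALTERNATE):
        # a completed action, or one addressed by a third party or an
        # alternate mitigation, receives 100% of its points
        return float(a.max_points)
    if a.covered is not None and a.total:
        # partial credit: points scale with the share of the configuration done
        return round(a.max_points * a.covered / a.total, 2)
    return 0.0  # binary action not yet implemented


def secure_score(actions: List[Action]) -> Tuple[float, float, float]:
    """Return (achieved points, achievable points, percentage)."""
    achieved = sum(action_points(a) for a in actions)
    # assumption: risk-accepted actions still count toward the achievable total
    possible = float(sum(a.max_points for a in actions))
    pct = round(100.0 * achieved / possible, 1) if possible else 0.0
    return achieved, possible, pct


# Actions the page says get full points once security defaults are on
SECURITY_DEFAULTS_COMPLETES = {
    "Ensure all users can complete multifactor authentication for secure access",
    "Require MFA for administrative roles",
    "Enable policy to block legacy authentication",
}
# Per the page, the risk-policy actions should then be marked as resolved
# through alternative mitigation rather than configured on top of the defaults
SECURITY_DEFAULTS_MITIGATES = {"Turn on sign-in risk policy", "Turn on user risk policy"}


def apply_security_defaults(actions: List[Action]) -> List[Action]:
    """Model the score effect of turning on Microsoft Entra security defaults."""
    for a in actions:
        if a.name in SECURITY_DEFAULTS_COMPLETES:
            a.status = Status.COMPLETED
        elif a.name in SECURITY_DEFAULTS_MITIGATES:
            a.status = Status.ALTERNATE
    return actions


def sample_actions() -> List[Action]:
    """Constructed sample tenant: 100 users, 50 of whom already have MFA."""
    return [
        # the page's worked example: 10 points, 50 of 100 users protected
        Action("Protect all users with multifactor authentication", 10, covered=50, total=100),
        # security-defaults actions with the point values given on the page
        Action("Ensure all users can complete multifactor authentication for secure access",
               9, covered=50, total=100),
        Action("Require MFA for administrative roles", 10),
        Action("Enable policy to block legacy authentication", 7),
        # risk-policy actions; the 5-point values are assumed, not from the page
        Action("Turn on sign-in risk policy", 5),
        Action("Turn on user risk policy", 5),
    ]


if __name__ == "__main__":
    tenant = sample_actions()
    print("before security defaults:", secure_score(tenant))   # (9.5, 46.0, 20.7)
    apply_security_defaults(tenant)
    print("after security defaults: ", secure_score(tenant))   # (41.0, 46.0, 89.1)
    tenant[0].status = Status.RISK_ACCEPTED
    print("after accepting MFA risk:", secure_score(tenant))   # (36.0, 46.0, 78.3)
```

Running the script shows the three states in sequence: the partially protected tenant, the jump from enabling security defaults and marking the risk policies as alternately mitigated, and the points lost when the remaining MFA risk is accepted rather than addressed.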

Products included in Secure Score

Secure Score currently includes recommendations for the following products:

  • Microsoft 365 (including Exchange Online)

  • Microsoft Entra ID

    Important

    Azure Active Directory (Azure AD) is now Microsoft Entra ID.

  • Microsoft Defender for Endpoint

  • Microsoft Defender for Identity

  • Microsoft Defender for Cloud Apps

  • Microsoft Teams

The recommendations don't cover all the attack surfaces associated with each product, but they provide a good baseline. You can also mark the recommended actions as covered by a third party or alternate mitigation.

Security defaults

Microsoft Secure Score includes recommended actions to support security defaults in Microsoft Entra ID. This design makes it easier to protect your organization with preconfigured security settings against common attacks.

If you turn on security defaults, Secure Score awards you with full points for the following recommended actions:

  • Ensure all users can complete multifactor authentication for secure access (9 points)
  • Require MFA for administrative roles (10 points)
  • Enable policy to block legacy authentication (7 points)

Important

Security defaults include security features that provide protection similar to the "sign-in risk policy" and "user risk policy" recommended actions. Instead of setting up these policies on top of the security defaults, Microsoft recommends updating their statuses to "Resolved through alternative mitigation."

Knowledge check

Choose the best response for the following question. Then select “Check your answers.”

Check your knowledge

1. Which of the following statements accurately reflects Secure Score functionality?