3.7 Secure Score and Exposure Management

50 minutes · Module 3 · Free

Microsoft Secure Score

Secure Score is a numerical representation of your organisation’s security posture across the M365 environment. It measures how many recommended security configurations you have implemented out of the total available. Think of it as a security to-do list with a percentage completion — the higher your score, the more hardened your environment.

What Secure Score measures

Secure Score evaluates configurations across five categories: Identity, Data, Device, Apps, and Infrastructure. Each recommended action has a point value based on its impact. Enabling MFA for all users is worth more points than configuring a specific email authentication header because MFA has a broader protective effect.

// Latest state of each Secure Score control in Sentinel over the last 90 days,
// lowest-scoring controls first
SecureScoreControls
| where TimeGenerated > ago(90d)
// keep only the most recent record per control
| summarize arg_max(TimeGenerated, Score) by ControlName
| sort by Score asc
| take 20

Secure Score is a guide, not a target

Do not chase a number. Some recommended actions may not be appropriate for your environment — disabling all external sharing in SharePoint improves your score but may break legitimate business processes. Evaluate each recommendation against your organisation's risk tolerance and operational needs. A thoughtful 70% is better than a blind 95%.

Secure Score in practice

Weekly review: Check which new recommendations have appeared. Microsoft adds new recommendations as new features are released and new threats emerge.

Prioritisation: Sort recommendations by impact (points) and complexity (effort required). High-impact, low-effort items first — “enable MFA for all admins” before “configure device compliance for BYOD.”

Reporting: Secure Score trends over time are effective management reporting. “Our Secure Score improved from 52% to 68% this quarter by implementing 12 recommendations” communicates security investment in terms non-technical leadership understands.

Exposure Management

Exposure Management goes beyond Secure Score by mapping your specific attack surface — vulnerabilities, misconfigurations, and attack paths — across the environment.

Where Secure Score asks “have you configured this setting?”, Exposure Management asks “can an attacker reach this critical asset through your current misconfigurations?” It uses the same lateral movement path concept from Defender for Identity (Module 1.3) but extends it across cloud and hybrid environments.

Attack path analysis

Exposure Management identifies chains of weaknesses that an attacker could exploit sequentially to reach high-value targets. For example: an internet-facing web server with an unpatched vulnerability, connected to a database server, which has a service account with domain admin privileges. Each individual weakness might be low-severity, but the chain represents a critical path to domain compromise.
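
The chain described above, worked through as an added Python example (not course material and not a Microsoft tool): it enumerates attack paths from internet-facing assets to a critical target over a constructed asset graph, shows that no single hop on those paths exceeds medium severity, and ranks the finding whose remediation breaks the most paths. All hostnames and findings are hypothetical.

```python
from collections import Counter

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed inventory (hypothetical hosts, not from the course): each asset is
# flagged as internet-facing and/or as a critical target.
ASSETS = {
    "web-01":  {"internet_facing": True,  "critical": False},
    "app-02":  {"internet_facing": True,  "critical": False},
    "db-01":   {"internet_facing": False, "critical": False},
    "svc-sql": {"internet_facing": False, "critical": False},
    "DOMAIN":  {"internet_facing": False, "critical": True},
}
# Constructed findings: (source, target, finding, severity). Each is one low- or
# medium-severity weakness that lets an attacker move from source to target.
FINDINGS = [
    ("web-01",  "db-01",   "unpatched web framework on web-01",    "medium"),
    ("app-02",  "db-01",   "database password in app-02 config",   "low"),
    ("db-01",   "svc-sql", "SQL service on db-01 runs as svc-sql", "low"),
    ("svc-sql", "DOMAIN",  "svc-sql is a member of Domain Admins", "medium"),
]

def find_attack_paths(assets, findings):
    """Enumerate simple paths from any internet-facing asset to any critical asset."""
    adjacency = {}
    for src, dst, finding, sev in findings:
        adjacency.setdefault(src, []).append((dst, finding, sev))
    paths = []

    def walk(node, nodes, hops):
        if assets[node]["critical"]:
            paths.append({"nodes": nodes, "findings": [f for f, _ in hops],
                          "worst_hop": max((s for _, s in hops), key=SEVERITY_RANK.get, default="none")})
            return
        for nxt, finding, sev in adjacency.get(node, []):
            if nxt not in nodes:  # simple paths only: never revisit an asset
                walk(nxt, nodes + [nxt], hops + [(finding, sev)])

    for start, meta in assets.items():
        if meta["internet_facing"]:
            walk(start, [start], [])
    return paths

def rank_fixes(paths):
    """Findings ordered by how many attack paths they sit on: remediate the top one first."""
    return Counter(f for p in paths for f in p["findings"]).most_common()

def paths_after_fix(assets, findings, fixed):
    """Re-run the analysis with one finding remediated, to see which paths it breaks."""
    return find_attack_paths(assets, [f for f in findings if f[2] != fixed])
```

Removing the Domain Admins membership of svc-sql breaks both paths at once, while patching web-01 alone still leaves app-02's route to the domain open.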

Attack paths are the bridge between Module 3 and Module 12

This subsection introduces the concept. Module 12 (Exposure Management and Vulnerability Management) covers configuration, prioritisation, and remediation workflows in depth. For now, understand that attack path analysis exists and what it tells you.

Check your understanding

1. Your Secure Score has a recommendation to "Block legacy authentication." It is worth 9 points. Should you implement it?

Yes — blocking legacy authentication eliminates an entire class of MFA bypass attacks and is one of the highest-impact hardening actions available
No — legacy authentication is needed for compatibility
Only if your score is below 50%

2. What does Exposure Management's attack path analysis reveal that Secure Score does not?

Missing security patches
The total number of security recommendations
Chains of weaknesses that an attacker could exploit sequentially to reach high-value targets — individual low-severity issues that become critical paths when connected