AD0.7 Secure Score: What It Means and What It Doesn't

4-5 hours · Module 0 · Free
Operational Objective
Microsoft Secure Score gives your tenant a number — say 43% — and a list of 200+ improvement actions. Without context, that number is either terrifying (we're only 43% secure!) or meaningless (43% of what?). IT administrators who encounter Secure Score for the first time either try to address every recommendation simultaneously (burnout within a week) or dismiss the score entirely because it feels too abstract to be actionable. Neither response is productive. This subsection teaches you to read Secure Score as a prioritisation tool — understanding what the score measures, which recommendations deliver the highest impact for the lowest effort, and which recommendations to consciously defer or ignore.
Deliverable: The ability to read your Secure Score meaningfully, identify the 5-10 highest-impact improvement actions, and build a prioritised implementation plan that focuses on the controls that matter most for your environment.
Estimated completion: 25 minutes
Figure AD0.7: Secure Score, what it is and what it isn't

What Secure Score is:
A configuration checklist scored by Microsoft
Measures which recommended settings are enabled
Useful for identifying missing configurations
Good for tracking improvement over time
Helpful for management reporting (trend line)
Use it as a prioritisation tool

What Secure Score isn't:
Not a measure of how secure you actually are
Not weighted by your specific threat model
Not comparable across different organisations
Not a compliance certification
Not a guarantee that attacks will be stopped
Don't chase the number — chase the right controls

Figure AD0.7 — Secure Score is a configuration checklist, not a security rating. Use it to identify which controls to configure next, not as an absolute measure of your security posture. A tenant with a 55% score and properly configured conditional access is more secure than a tenant with a 75% score and no MFA enforcement.

What the number actually measures

Secure Score calculates a percentage based on how many of Microsoft’s recommended configurations you’ve implemented. Each recommendation is worth a certain number of points. The total possible points represent 100%. Your current score is the percentage of those points you’ve earned by implementing the recommended configurations.

The recommendations span the entire M365 security stack: identity (MFA, conditional access, admin role configuration), email (anti-phishing, Safe Links, anti-malware), endpoint (Defender for Endpoint configuration, ASR rules), data (DLP, sensitivity labels, retention), and infrastructure (Microsoft Entra ID, formerly Azure AD, settings; SharePoint sharing; Teams guest access). A score of 43% means you’ve earned 43% of the points Microsoft offers for its recommended configurations, not that your environment is 43% secure.

The distinction matters because every recommendation carries a fixed point value assigned by Microsoft, and those values only loosely track the real-world impact of the control. Enabling MFA for all users is worth a certain number of points. Configuring a SharePoint sharing expiration policy is worth a different number of points. From Secure Score’s perspective, these are comparable actions separated by a handful of points. From a security perspective, MFA prevents account takeover and sharing expiration prevents stale external access — vastly different impact levels. The points tell you what Microsoft would like configured next; they do not tell you what an attacker would exploit first.

Which recommendations matter most

Sort the improvement actions by “Score impact” (points you’d gain) and scan the top 20. In most tenants, the highest-impact recommendations cluster around four areas: MFA and conditional access (if not fully enforced), legacy authentication blocking, email protection policies (Safe Links, Safe Attachments), and admin role management (reducing the number of Global Administrators).

These four areas typically represent 30-40% of your total achievable score improvement. More importantly, they represent the bulk of the security improvement that matters against real attacks, because credential theft and token replay are the dominant M365 compromise path. The remaining 60-70% of Secure Score improvements address real but lower-priority configurations — SharePoint sharing restrictions, Teams meeting policies, app consent settings, and sensitivity label deployment.

The practical approach: implement the top 5-10 recommendations sorted by score impact this month. Then review the next 10 next month. Don’t try to address all 200+ recommendations at once — you’ll burn out and lose focus on the controls that matter most.

Walking through a Secure Score recommendation

Here’s what a practical Secure Score workflow looks like. You navigate to security.microsoft.com → Secure Score → Improvement actions and sort by “Score impact.” The top recommendation says “Ensure multifactor authentication is enabled for all users in all roles” with a score impact of 9 points.

Click on the recommendation. The detail page shows you three things: the current status (how many users are covered), the implementation steps (what to configure), and the expected impact (how many points you’ll gain). Microsoft also shows you the “Impacted users” tab — the specific users who would be affected if you implemented this change.

This is where Secure Score becomes practical rather than abstract. Instead of staring at a list of 200 recommendations, you’re looking at one specific change, the users it affects, and the steps to implement it. You can check whether those users have registered for MFA (Entra admin center → Users → Per-user MFA or the Authentication methods registration report), identify any who haven’t, and plan the communication before you enforce the policy.

Some recommendations offer the statuses “Resolved through third party” and “Resolved through alternative mitigation”. These are for situations where you’ve addressed the risk with a different control than the one Microsoft recommends. For example, if your users sign in through a federated identity provider that already blocks legacy protocols, or a third-party MFA product enforces MFA instead of Entra, you can mark the recommendation as resolved and receive the score credit. The status change is recorded with who made it, when, and the note you enter, so write down the compensating control rather than leaving the note empty. Use this honestly — marking recommendations as resolved when they’re not defeats the purpose of the tool.

The most useful part of Secure Score that most administrators miss is the “History” tab. This shows your score over time as a graph. A declining score means one of two things: your security configuration is drifting (you or someone else disabled something), or Microsoft added new recommendations that you haven’t addressed, which grows the denominator without anything changing in your tenant. Compare the per-control scores between the two dates before raising an alarm, because the two causes need different responses. A rising score means your improvement work is having measurable impact. Screenshot this graph quarterly for management reporting.

Expand for Deeper Context

Secure Score has known limitations that are worth understanding so you don’t over-rely on it. First, it only measures Microsoft’s recommended configurations — it can’t measure whether your users have strong passwords, whether your security awareness training is effective, or whether your incident response process works. Second, it doesn’t account for your specific environment — a manufacturing company with OT systems has a different threat model than a law firm, but Secure Score recommends the same configurations for both. Third, some recommendations are impractical for certain environments — “Ensure all users use phishing-resistant MFA methods” is scored as a single action, but deploying FIDO2 keys to 200 users involves hardware procurement, distribution, training, and support that may take months.

The industry average Secure Score for M365 tenants is approximately 40-50%. Tenants with dedicated security teams typically score 60-75%. Achieving 90%+ requires configurations that many organisations consciously defer because the operational impact outweighs the security benefit. A score in the 55-65% range with the right controls enabled (MFA, CA, email protection, legacy auth blocking) is a better security posture than a score of 75% achieved by implementing low-impact recommendations while leaving MFA optional.

Using Secure Score for management reporting

Secure Score’s best use case for an IT administrator is management reporting. Executives and board members understand numbers and trends. Showing a slide that says “our Secure Score improved from 38% to 52% this quarter, driven by MFA enforcement and email protection deployment” communicates progress in terms anyone can understand.

The trend matters more than the absolute number. A score that improves month over month demonstrates that security work is being done. A score that drops indicates configuration drift — something was disabled, a new feature was introduced without security configuration, or new recommendations were added that you haven’t addressed yet.
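The “History” tab and the paragraph above both describe the same question: when the percentage moves, did a control you had earned lose points, or did Microsoft grow the denominator? The following script is an added example, not part of the course material, that answers that from two score snapshots. It assumes the shape of items returned by the Microsoft Graph `GET /security/secureScores` endpoint (`currentScore`, `maxScore`, `controlScores[].controlName` and `score`); both snapshots and the control names are constructed for the example.

```python
"""Explain why Secure Score moved between two daily snapshots.

Assumed input: two items from GET /security/secureScores (Microsoft Graph
keeps a daily history). A drop has two causes that need different responses:
a control you had earned lost points (configuration drift, go find who changed
what) or Microsoft added or re-weighted controls so the denominator grew (new
recommendations to triage). Both snapshots are constructed; names illustrative.
"""
from typing import Dict, List, Tuple

OLD = {
    "createdDateTime": "2024-09-01T00:00:00Z",
    "currentScore": 30.0, "maxScore": 50.0,
    "controlScores": [
        {"controlName": "AdminMFAV2", "score": 10.0},
        {"controlName": "BlockLegacyAuthentication", "score": 8.0},
        {"controlName": "SafeAttachmentsPolicy", "score": 7.0},
        {"controlName": "SPFRecords", "score": 5.0},
    ],
}
NEW = {
    "createdDateTime": "2024-10-01T00:00:00Z",
    "currentScore": 27.0, "maxScore": 60.0,
    "controlScores": [
        {"controlName": "AdminMFAV2", "score": 10.0},
        {"controlName": "BlockLegacyAuthentication", "score": 0.0},  # CA policy disabled
        {"controlName": "SafeAttachmentsPolicy", "score": 7.0},
        {"controlName": "SPFRecords", "score": 5.0},
        {"controlName": "PhishResistantMFA", "score": 5.0},   # new control, partly met
        {"controlName": "TeamsExternalAccess", "score": 0.0},  # new control, unmet
    ],
}


def score_percent(snapshot: Dict) -> float:
    """Headline number: earned points over achievable points."""
    return round(100.0 * snapshot["currentScore"] / snapshot["maxScore"], 1)


def _by_control(snapshot: Dict) -> Dict[str, float]:
    return {c["controlName"]: c["score"] for c in snapshot["controlScores"]}


def explain_change(old: Dict, new: Dict) -> Dict:
    """Split a score movement into drift (points lost) and denominator growth."""
    before, after = _by_control(old), _by_control(new)
    lost: List[Tuple[str, float, float]] = [
        (n, before[n], after[n]) for n in before if n in after and after[n] < before[n]]
    gained: List[Tuple[str, float, float]] = [
        (n, before.get(n, 0.0), after[n]) for n in after if after[n] > before.get(n, 0.0)]
    added = sorted(n for n in after if n not in before)
    removed = sorted(n for n in before if n not in after)
    causes = []
    if lost:
        causes.append("configuration drift")
    if added or new["maxScore"] > old["maxScore"]:
        causes.append("new or re-weighted recommendations")
    return {
        "old_pct": score_percent(old), "new_pct": score_percent(new),
        "points_delta": new["currentScore"] - old["currentScore"],
        "max_delta": new["maxScore"] - old["maxScore"],
        "lost": lost, "gained": gained, "added": added, "removed": removed,
        "causes": causes,
    }


def report_line(change: Dict) -> str:
    """One sentence for the quarterly slide: what moved and why."""
    parts = [f"Secure Score {change['old_pct']}% -> {change['new_pct']}%"]
    for name, was, now in change["lost"]:
        parts.append(f"lost {was - now:g} pts on {name} (configuration drift, find the change)")
    for name, was, now in change["gained"]:
        parts.append(f"gained {now - was:g} pts on {name}")
    if change["max_delta"] > 0:
        parts.append(f"{change['max_delta']:g} new achievable pts added by Microsoft "
                     f"({', '.join(change['added']) or 're-weighted controls'})")
    return "; ".join(parts) + "."


if __name__ == "__main__":
    change = explain_change(OLD, NEW)
    print(report_line(change))
    print("Causes:", ", ".join(change["causes"]))
```

In the constructed data the percentage falls from 60% to 45%, but only 8 of the lost points are drift (the legacy-auth block was switched off); the rest of the fall is Microsoft adding 10 achievable points. The first finding goes to the admin audit log to see who disabled the policy; the second goes on next month’s review list.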

For quarterly reporting to management, track three things: current Secure Score percentage, the change from the previous quarter, and the top three actions completed with their business impact. Avoid presenting the full list of 200+ recommendations — it overwhelms the audience and invites questions about items that don’t matter. Focus on what you did, why it mattered, and what you’ll do next.

Recommendations worth acting on versus recommendations to defer

Not all Secure Score recommendations are equal, and the point values don’t always reflect real-world impact. Here’s a practical classification based on what actually reduces risk in a typical M365 E3 environment.

Act immediately (this week): MFA for all users, block legacy authentication, reduce Global Administrator count to 2-4, enable self-service password reset, configure Safe Links and Safe Attachments. These are the identity and email controls that prevent the most common attacks. They require minimal testing and have well-understood blast radii. The identity controls need nothing beyond the Entra ID P1 licence included in E3. Safe Links and Safe Attachments are Defender for Office 365 features (Plan 1 is included in Microsoft 365 Business Premium and E5 and is an add-on for E3), so confirm the licence before you schedule them; without it they belong on the licence-upgrade list rather than this week’s list.

Act soon (this month): confirm mailbox auditing is on (it is enabled by default in current tenants, but verify rather than assume), configure anti-phishing impersonation protection (also a Defender for Office 365 feature), set up device compliance policies, configure email authentication (SPF, DKIM, DMARC), and make sure unified audit log search is enabled. These require more planning and testing but deliver real protection.

Defer consciously (next quarter): Sensitivity labels across all documents, DLP policies, application consent workflow, SharePoint external sharing restrictions, Teams guest access policies. These are valuable but lower priority — they protect data rather than preventing the initial compromise. They also require significant user communication and change management.

Defer or ignore (low ROI): Recommendations that require E5 features you don’t have, recommendations for platforms you don’t use (if you don’t use Power Platform, don’t worry about Power Platform security recommendations), and recommendations that would cause unacceptable user friction for marginal security benefit. Mark these as “Risk accepted” with a note explaining why, so your decision is documented and reviewable.

The discipline is in the conscious deferral. Every recommendation you choose not to implement right now should be a deliberate decision with a documented rationale — not an oversight. This is the difference between “we haven’t done it yet” (passive risk) and “we’ve assessed it and deprioritised it because the identity and email controls are higher impact” (active risk management).

In the Secure Score portal, the “Comparison” tab lets you compare your score against similar-sized organisations in your industry. This is useful context for management reporting — “we are above the median for companies our size” is more meaningful than a raw percentage. However, don’t use the comparison as a reason to stop improving. Being better than average in a population where average gets breached is not a defensible position.

Compliance Myth: "We need to get our Secure Score to 100% to be secure"
No organisation achieves 100% and no organisation should try. Some Secure Score recommendations conflict with operational requirements, introduce unacceptable user friction, or address risks that don't apply to your environment. A 100% score would require configurations such as restricting all external SharePoint sharing, requiring phishing-resistant MFA for every user including those on shared kiosks, and tightening policies that your business workflows depend on. The goal is not 100% — it's the right score for your environment, achieved by implementing the controls that address your actual threats while consciously accepting the residual risk from the controls you defer.
Decision point

Your Secure Score is 41%. The highest-impact improvement action is “Ensure multifactor authentication is enabled for all users” (worth 9 points). The second-highest is “Turn on Microsoft Defender for Office 365 Safe Attachments” (worth 7 points). The third-highest is “Configure Exchange Online SPF records” (worth 5 points). You have time to implement one this week. Which one do you choose?

Option A: SPF records — it’s the quickest to implement (one DNS record change).

Option B: MFA for all users — it’s the highest-impact recommendation.

Option C: Safe Attachments — it protects against the malware your users keep downloading.

Choose Option B. MFA enforcement is the single highest-impact security control in any M365 environment. It’s worth more points and it addresses the attack vector that causes the most damage. SPF is important for email authentication, but it makes it harder for others to spoof your domain — it doesn’t protect your users from being phished. Safe Attachments is valuable but secondary: it only catches malicious files, while most M365 compromises start with phished or replayed credentials, which MFA and conditional access stop before the attacker ever has a mailbox to send from. Always implement identity controls before email controls.

Try it: Build your improvement action list

Navigate to security.microsoft.com → Secure Score → Improvement actions. Sort by “Score impact” descending. Write down the top 10 improvement actions with their point values.

For each action, note three things: the score impact, the estimated implementation difficulty (can you do this today, this week, or does it need planning?), and whether the action requires a license upgrade. Actions that require E5 or add-on licenses are still valuable to track — they build the case for a license upgrade when budget discussions happen.

Circle the top 3 actions you can implement this week. These are your immediate priorities. The rest go on a monthly review list.
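The exercise above (and the “Which recommendations matter most” section) is a sort-and-filter over data that Microsoft Graph exposes, so it can be scripted instead of copied off the portal. The script below is an added example, not part of the course material. It assumes the field names of `GET /security/secureScores` (`currentScore`, `maxScore`, `controlScores[].controlName` and `score`) and `GET /security/secureScoreControlProfiles` (`id`, `title`, `maxScore`, `implementationCost`, `userImpact`, `deprecated`, `controlStateUpdates[].state`), and that the states `Ignored` and `ThirdParty` correspond to “Risk accepted” and “Resolved through third party”. The records, control IDs and point values are constructed; the effort bucket and the list of core identity controls are the example’s own heuristics, not Graph fields.

```python
"""Rank Secure Score improvement actions by the points still on the table.

Input shape assumed: the newest item from GET /security/secureScores and the
collection from GET /security/secureScoreControlProfiles (Microsoft Graph).
All records below are constructed; control IDs and points are illustrative.
"""
from typing import Dict, List

# Constructed snapshot. controlScores[].controlName joins to a profile's id.
SNAPSHOT = {
    "currentScore": 10.0,
    "maxScore": 40.0,  # achievable points as reported by Graph
    "controlScores": [
        {"controlName": "AdminMFAV2", "score": 10.0},
        {"controlName": "MFARegistrationV2", "score": 0.0},
        {"controlName": "BlockLegacyAuthentication", "score": 0.0},
        {"controlName": "SafeAttachmentsPolicy", "score": 0.0},
        {"controlName": "SPFRecords", "score": 0.0},
        {"controlName": "SharingExpiration", "score": 0.0},
        {"controlName": "PowerPlatformDLP", "score": 0.0},
        {"controlName": "LegacyControl", "score": 0.0},
    ],
}

def _profile(pid, title, max_score, cost, impact, deprecated=False, updates=None):
    """Build a control profile using the Graph field names this script reads."""
    return {"id": pid, "title": title, "maxScore": max_score,
            "implementationCost": cost, "userImpact": impact,
            "deprecated": deprecated, "controlStateUpdates": updates or []}

# Constructed profiles. The portal renders implementationCost / userImpact as
# "Implementation cost" and "User impact" on the action's detail page.
PROFILES = [
    _profile("AdminMFAV2", "Require MFA for administrative roles", 10, "Low", "Low"),
    _profile("MFARegistrationV2", "Ensure MFA is enabled for all users", 9, "Low", "Moderate"),
    _profile("BlockLegacyAuthentication", "Block legacy authentication", 8, "Low", "Moderate"),
    _profile("SafeAttachmentsPolicy", "Turn on Safe Attachments", 7, "Low", "Low"),
    _profile("SPFRecords", "Publish SPF records for all domains", 5, "Low", "Low"),
    _profile("SharingExpiration", "Expire external sharing links", 3, "Moderate", "Moderate"),
    _profile("PowerPlatformDLP", "Enable Power Platform DLP policies", 4, "Moderate", "Low",
             updates=[{"state": "Default", "updatedDateTime": "2024-01-10T00:00:00Z"},
                      {"state": "Ignored", "comment": "No Power Platform use; risk accepted",
                       "updatedDateTime": "2024-08-01T00:00:00Z"}]),
    _profile("LegacyControl", "Retired control", 5, "Low", "Low", deprecated=True),
]

COST_ORDER = {"Low": 0, "Moderate": 1, "High": 2}
# Assumed: the identity controls this lesson says to close before anything else.
CORE_IDENTITY = {"AdminMFAV2", "MFARegistrationV2", "BlockLegacyAuthentication"}
# Assumed: states meaning "out of scope" (risk accepted / resolved elsewhere).
OUT_OF_SCOPE_STATES = {"Ignored", "ThirdParty"}

def score_percent(snapshot: Dict) -> float:
    """The headline number: earned points over achievable points."""
    return round(100.0 * snapshot["currentScore"] / snapshot["maxScore"], 1)

def current_state(profile: Dict) -> str:
    """Newest controlStateUpdates entry wins; no entry means 'Default'."""
    updates = profile.get("controlStateUpdates") or []
    if not updates:
        return "Default"
    return max(updates, key=lambda u: u["updatedDateTime"])["state"]

def effort_bucket(profile: Dict) -> str:
    """Heuristic of this example (not a Graph field): cheap, low-friction first."""
    cost, impact = profile["implementationCost"], profile["userImpact"]
    if cost == "Low" and impact == "Low":
        return "today"
    if cost == "Low":
        return "this week (needs user comms)"
    return "needs planning"

def rank_actions(snapshot: Dict, profiles: List[Dict]) -> List[Dict]:
    """Open actions sorted by points remaining, then by implementation cost."""
    earned = {c["controlName"]: c["score"] for c in snapshot["controlScores"]}
    actions = []
    for p in profiles:
        # Retired controls and consciously deferred ones stay off the list.
        if p.get("deprecated") or current_state(p) in OUT_OF_SCOPE_STATES:
            continue
        remaining = p["maxScore"] - earned.get(p["id"], 0.0)
        if remaining <= 0:
            continue
        actions.append({"id": p["id"], "title": p["title"], "remaining": remaining,
                        "cost": p["implementationCost"], "user_impact": p["userImpact"],
                        "bucket": effort_bucket(p), "core_identity": p["id"] in CORE_IDENTITY})
    actions.sort(key=lambda a: (-a["remaining"], COST_ORDER.get(a["cost"], 3)))
    return actions

def core_gaps(actions: List[Dict]) -> List[str]:
    """Identity controls still open, regardless of where they rank on points."""
    return [a["id"] for a in actions if a["core_identity"]]

if __name__ == "__main__":
    print(f"Secure Score: {score_percent(SNAPSHOT)}%")
    ranked = rank_actions(SNAPSHOT, PROFILES)
    for a in ranked[:10]:
        flag = "  [identity]" if a["core_identity"] else ""
        print(f'{a["remaining"]:>4} pts  {a["bucket"]:<28} {a["title"]}{flag}')
    print("Identity gaps to close first:", core_gaps(ranked))
```

To run this against a real tenant, pull the two JSON collections with the Microsoft.Graph.Security PowerShell cmdlets (`Get-MgSecuritySecureScore` and `Get-MgSecuritySecureScoreControlProfile`, after `Connect-MgGraph -Scopes SecurityEvents.Read.All`) or with any Graph client, and feed them in place of the constructed records. Note that the ranking deliberately drops controls you have already marked “Risk accepted” or “Resolved through third party”, so the list only contains decisions you still owe, and that `core_gaps` surfaces the identity controls even when an email or data control happens to carry more points.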

Two M365 tenants both have a Secure Score of 55%. Tenant A has MFA enforced for all users via conditional access and legacy authentication blocked. Tenant B has no MFA enforcement but has configured SharePoint sharing restrictions, Teams meeting policies, and sensitivity labels across all documents. Which tenant is more secure against real-world attacks?
They're equally secure because they have the same Secure Score — No. Secure Score measures configuration breadth, not security effectiveness. The same score can represent very different security postures.
Tenant B because it has more controls configured across more categories — No. More controls doesn't mean better security. The controls need to address the actual threats, and credential-based attacks are the dominant threat against M365 tenants.
It depends on the specific threats each tenant faces — Partially true but there's a clearer answer. While threat models vary, credential-based attacks dominate the M365 threat landscape for virtually every organisation.
Tenant A because MFA and legacy auth blocking defend against the attack vectors that cause 80%+ of M365 compromises — Correct. Tenant A has fewer controls configured but the controls it has address the dominant attack vector. Tenant B has more configuration breadth but no protection against the most common attack. This is why Secure Score should be used as a prioritisation tool, not a security rating.

You're reading the free modules of M365 Security: From Admin to Defender
