AD1.10 Reporting Identity Security to Management

5-6 hours · Module 1 · Free
Operational Objective
You've deployed MFA, built conditional access policies, configured SSPR, and established a monitoring cadence. The security improvements are real and measurable. But if your manager, your CTO, or your board doesn't know what you've done, the security budget stays at zero, the headcount stays at zero, and the next time someone suggests "we don't really need all this security stuff," you have no evidence to counter with. This subsection teaches you to translate technical security improvements into business language that management can understand, act on, and fund. This isn't about making slides — it's about building the credibility that turns "the IT person who also does security" into "the person who demonstrably improved our security posture."
Deliverable: A one-page quarterly identity security report template that communicates your security posture, improvement progress, and resource needs in terms management can act on.
Estimated completion: 20 minutes
THE QUARTERLY IDENTITY SECURITY REPORT — ONE PAGE

METRICS (what we measured)
MFA coverage: 100% (was 87%)
Legacy auth: 0 sign-ins (was 47/month)
Secure Score: 58% (was 38%)
Blocked attacks: 142 this quarter
Incidents: 1 (contained in 12 min)

WHAT WE DID (what we accomplished)
Deployed MFA for all 210 users
Blocked legacy authentication
Configured self-service password reset
Reduced admin accounts from 3 to 2
Established weekly monitoring cadence

WHAT'S NEXT (what we need to do)
Email protection (Safe Links/Attachments)
Email authentication (SPF/DKIM/DMARC)
Device compliance policies
Estimated time: 4 weeks
Cost: £0 (included in E3)

RISKS (accepted risks until addressed; what could still go wrong)
No email protection beyond basic
Domain can be spoofed (no DMARC)
No device compliance enforcement
No data loss prevention

Figure AD1.10 — The quarterly identity security report in four sections: metrics (what we measured), actions (what we did), next steps (what's planned), and risks (what remains unaddressed). One page. No jargon. Actionable for any audience from IT manager to board member.

Translating technical work into business language

Your manager doesn’t care that you built three conditional access policies with break-glass exclusions and deployed SSPR with password writeback. They care that accounts are protected against the most common attack type, that the helpdesk spends less time on password resets, and that if something goes wrong, you have a procedure to handle it.

The translation is straightforward. “Deployed conditional access with MFA for all users” becomes “Protected all 210 user accounts against credential theft — the attack type that causes 80% of data breaches.” “Blocked legacy authentication” becomes “Closed a security gap that allowed attackers to bypass our account protection.” “Configured SSPR” becomes “Reduced helpdesk password reset tickets by 75% while improving security.”

Every technical control maps to a business outcome: cost reduction (SSPR), risk reduction (MFA, CA), compliance readiness (audit logging, monitoring), or operational resilience (incident response procedure). Lead with the business outcome, then provide the technical detail for anyone who wants it.

The four sections of your quarterly report

Section 1 — Metrics (what we measured). Five numbers that tell the story: MFA coverage percentage, legacy authentication sign-in count, Secure Score, number of attacks blocked, and number of incidents (with response time). Each number should show the trend — current value versus the previous quarter. Improving numbers demonstrate progress. Declining numbers identify areas that need attention.

Collecting the report data — exact steps

The four sections of your report each need specific data points. Here is exactly where to find each one, so you are not searching through portals on reporting day.

Open a browser with four tabs:

Tab 1: entra.microsoft.com → Protection → Authentication methods → Activity → Registration. This gives you the MFA registration percentage. Screenshot the graph — it shows the trend over time. If you are at 100%, note the date you achieved it.

Tab 2: entra.microsoft.com → Monitoring → Sign-in logs. Filter by Client App → select legacy protocols → set time range to 90 days. The count of results is your “legacy authentication sign-ins” metric. After deploying CA002, this should be 0. If it is not 0, you have a policy gap or an active exception.

Tab 3: security.microsoft.com → Secure Score. Record the current percentage and take a screenshot of the trend graph. Note the top 3 completed improvement actions from the “History” view — these become your “What we did” section.

Tab 4: security.microsoft.com → Incidents & alerts → Incidents. Filter by the last 90 days. Count total incidents, count by severity, and note resolution time for any true positives. This becomes your “blocked attacks” and “incidents” metrics.

Total time to collect all report data: 15 minutes. Do it on the last Friday of the quarter. Write the report on Monday. Present it that week.

Where to get the data: MFA coverage from Authentication methods → Activity → Registration. Legacy auth count from sign-in logs filtered by legacy client apps. Secure Score from security.microsoft.com → Secure Score. Blocked attacks from the Defender incident queue (count of resolved incidents classified as true positive where the attack was blocked). Incident count and response time from your documentation.
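As an added example (not part of the course material), the script below does two of the steps above in code: it counts legacy-authentication sign-ins from an exported sign-in log and lists who is still using which legacy protocol, then renders the metrics section with the "current (was previous)" trend the report needs. The sign-in rows are constructed, the column names follow the Graph signIn field names rather than a specific CSV export, and the legacy client-app list and last-quarter figures are assumptions to check against your own tenant.

```python
from collections import Counter

# Values Entra shows in the sign-in log 'Client app' column for legacy
# protocols. Assumed list for this example; check it against your tenant.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "Exchange Web Services", "MAPI Over HTTP", "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)", "Autodiscover", "Other clients",
}

# Constructed rows in the shape of a sign-in log export (not real data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "status": "Success"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "status": "Success"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "status": "Failure"},
    {"userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP", "status": "Success"},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "status": "Success"},
]

def legacy_auth_signins(rows):
    """Return (total legacy sign-ins, successes, Counter by (user, app)). Successes
    are the gap to chase; failures usually mean the block works but a client still tries."""
    legacy = [r for r in rows if r["clientAppUsed"] in LEGACY_CLIENT_APPS]
    successes = sum(1 for r in legacy if r["status"] == "Success")
    by_user_app = Counter((r["userPrincipalName"], r["clientAppUsed"]) for r in legacy)
    return len(legacy), successes, by_user_app

def trend_line(label, current, previous, unit=""):
    """Format one metric as 'current (was previous)' with its direction."""
    delta = current - previous
    if delta == 0:
        return f"{label}: {current}{unit} (unchanged from last quarter)"
    direction = "up" if delta > 0 else "down"
    return f"{label}: {current}{unit} (was {previous}{unit}, {direction} {abs(delta)}{unit})"

def render_metrics(current, previous):
    """Render Section 1 (what we measured) from this and last quarter's figures."""
    keys = [("MFA coverage", "%"), ("Legacy auth sign-ins", ""), ("Secure Score", "%"),
            ("Blocked attacks", ""), ("Incidents", "")]
    return "\n".join(trend_line(k, current[k], previous[k], u) for k, u in keys)

if __name__ == "__main__":
    total, ok, breakdown = legacy_auth_signins(SAMPLE_SIGNINS)
    print(f"Legacy auth sign-ins: {total} ({ok} successful)")
    for (user, app), n in breakdown.most_common():
        print(f"  {user} via {app}: {n}")  # each line is a gap to investigate
    # Last-quarter figures are constructed; this quarter's match Figure AD1.10.
    this_q = {"MFA coverage": 100, "Legacy auth sign-ins": 0, "Secure Score": 58, "Blocked attacks": 142, "Incidents": 1}
    last_q = {"MFA coverage": 87, "Legacy auth sign-ins": 47, "Secure Score": 38, "Blocked attacks": 120, "Incidents": 1}
    print(render_metrics(this_q, last_q))
```

Swap SAMPLE_SIGNINS for the rows of your Tab 2 export (mapped to the same three keys) and any non-zero successful count is the policy gap or exception the text tells you to look for.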

Section 2 — Actions (what we did). A short list of the specific improvements deployed this quarter. No more than 5-7 items. Each item: what was done and why it matters. Skip the technical details — the audience doesn’t need to know the conditional access policy configuration. They need to know that account protection was deployed and what it prevents.

Section 3 — Next steps (what we’ll do next quarter). The top 3-5 security improvements planned. Each item with an estimated timeline and cost. If everything is included in the existing license (E3), say so explicitly — “No additional cost. Included in our existing Microsoft 365 license.” This pre-empts the “how much does this cost?” question that kills security initiatives.

Section 4 — Remaining risks. Honest documentation of what hasn’t been addressed yet. This isn’t weakness — it’s professionalism. Every organisation has accepted risks. Documenting them shows you’re aware, have a plan to address them, and are making informed prioritisation decisions. This section also builds the case for future resources: “We currently have no email protection beyond basic filtering. Configuring Defender for Office 365 is planned for next quarter.”

Making the case for resources

If you need budget, time, or headcount for security work, the quarterly report is your evidence base. A report that shows “Secure Score improved 20 points, 142 attacks were blocked, helpdesk tickets dropped 75%” makes the case that security work delivers measurable value. When you request 4 hours per week for security monitoring, the report proves those hours are productive.

Building the report: a worked example

Here’s a complete worked example of building NE’s first quarterly report after deploying the identity controls from this module.

Open a Word document or markdown file. Create four sections with these exact headings: Security Metrics, Actions Completed, Next Quarter Priorities, Outstanding Risks.

Under Security Metrics, pull five numbers:

MFA coverage: 100% (was 87% — achieved week 2)
Legacy auth sign-ins: 0/month (was 47/month — blocked week 2)  
Secure Score: 52% (was 38% — 14-point improvement)
Attacks blocked: 89 credential-based sign-in attempts (MFA stopped all)
Incidents: 1 compromised account — contained in 12 minutes, no data loss

Each number tells a story. 100% MFA means every account is protected. Zero legacy auth means the MFA bypass is closed. The 14-point Secure Score jump in one quarter is significant — most organisations improve 5-8 points per quarter. The 89 blocked attacks prove the controls are working against real threats, not theoretical ones. The incident with a 12-minute response time proves the response procedure works.

Under Actions Completed, list what you deployed:

1. Conditional access replacing security defaults (3 policies)
2. MFA enforced for all 210 users via Authenticator app
3. Legacy authentication blocked across all protocols
4. Self-service password reset deployed (password reset tickets down 78%)
5. Break-glass emergency access accounts configured
6. Weekly security monitoring cadence established

Under Next Quarter Priorities, list the next phase:

1. Email protection: Safe Links and Safe Attachments (Defender for Office 365)
2. Email authentication: SPF, DKIM, DMARC for @northgateeng.com
3. Device compliance policies in Intune
4. Estimated time: 4 weeks, 5-8 hours/week
5. Additional cost: £0 (all included in E3 license)

Under Outstanding Risks, be honest:

1. No email protection beyond basic filtering — phishing reaches users 3-5x/week
2. Domain can be spoofed (no DMARC) — anyone can send as @northgateeng.com
3. No device compliance — unmanaged devices access all corporate data
4. No data loss prevention — no controls on external file sharing

This report fits on one page. It takes 30 minutes to write after collecting the data. It communicates measurable progress, honest risk acknowledgement, and a clear plan with zero budget requirement. Print it, email it, or present it — the format works for any delivery method.

If you need a license upgrade (P2 for admin accounts, or an E5 pilot), the report provides the context: “Risk-based conditional access would automate the response to the 3 leaked credential detections we investigated manually this quarter. The P2 add-on for 5 admin accounts costs £35/month. Manual investigation of each leaked credential detection takes 30 minutes. At 3 detections per month, the automation pays for itself in reduced investigation time.”

This is how IT administrators build security programmes: not by requesting a large budget in one go, but by delivering measurable improvements with zero budget, documenting the results, and using the evidence to justify incremental investment. Each quarter, the report gets stronger because the evidence base grows.

Adapting the report for different audiences

The same four-section structure works for every audience — you change the emphasis, not the format.

For your direct manager (IT manager): lead with the actions section. They want to know what you did, how much time it took, and what you need next. Metrics support the narrative but the manager cares most about progress and resource requests.

For the CTO or IT director: lead with the metrics section. They want numbers they can report upward. The trend line (Secure Score improving, blocked attacks increasing, helpdesk tickets decreasing) tells the story. Keep the actions brief and the risks honest.

For the board or executive leadership: lead with the risk section, framed as financial exposure. “142 credential-based attacks were blocked this quarter. The average cost of a successful business email compromise is £125,000-£500,000. Our MFA deployment prevents 99.9% of these attacks at zero additional licensing cost.” Executives respond to financial risk quantification, not technical metrics. Secure Score means nothing to a board member. “We prevented an estimated £X in potential losses” means everything.

For an auditor or compliance review: provide all four sections with the metrics as evidence of control effectiveness. Auditors want to see that controls are in place (actions), that they are monitored (metrics), that gaps are identified (risks), and that remediation is planned (next steps). The quarterly report, maintained over time, builds the evidence trail that auditors require.

Compliance Myth: "Management doesn't care about security until there's a breach"
Management cares about risk, cost, and liability — which is exactly what security addresses. The problem is usually communication, not apathy. If you present security as a list of technical controls and acronyms, management tunes out because they can't connect the information to business decisions. If you present security as "142 attacks were blocked this quarter, the most common attack type costs £125,000-£500,000 per incident, and our current controls prevent 99.9% of these attacks at zero additional cost," management pays attention because the information maps directly to financial risk they're responsible for.
Decision point

Your quarterly report shows that MFA blocked 89 credential-based sign-in attempts this quarter. Your manager asks: “If we’re blocking all these attacks, why do we need to spend more time on security? Aren’t we secure enough?” How do you respond?

Option A: “We’re never secure enough — there’s always more to do.” (True but unconvincing.)

Option B: “The 89 blocked attacks confirm that MFA is working. But our email protection is still at default settings — phishing emails are reaching users 3-5 times per week. Configuring Safe Links and Safe Attachments, which are included in our existing license, would reduce that by 60%. I need 4 hours next week to configure it.”

Option C: “You’re right — we’re in good shape. Let’s not change anything.”

The correct answer is Option B. Acknowledge the success (MFA is working — the data proves it), identify the next gap (email protection is unconfigured), quantify the impact (3-5 phishing emails per week reaching users), state the solution (Safe Links and Safe Attachments), note the cost (zero — included in E3), and make a specific, time-bounded request (4 hours next week). This is how you build a security programme incrementally — each quarter, the report shows what worked, identifies what’s next, and requests what’s needed.

Try it: Build your first quarterly report

Using the four-section template, build a one-page report for your environment right now.

Metrics: What’s your MFA coverage? (Check Authentication methods → Activity.) What’s your Secure Score? (Check security.microsoft.com → Secure Score.) How many sign-in failures from external IPs in the last 90 days? (Check sign-in logs filtered by failure status.) How many Defender incidents in the last 90 days?

Actions: What security improvements have you made this quarter? If you deployed MFA and conditional access while working through this course, those are your headline items.

Next steps: What are the top 3 items from your 10-week plan that you’ll tackle next quarter?

Risks: What security controls are not yet configured? Email protection? Device compliance? Data loss prevention?

Write this report now — even if your current state is “we just started.” The value is in the baseline. Next quarter’s report will show improvement against this baseline, and that improvement is the evidence that justifies continued investment.

Your quarterly report shows MFA coverage at 100%, legacy auth blocked, Secure Score at 58%, and 1 incident (compromised account, contained in 12 minutes). The board asks: "What would happen if we stopped all security work right now?" Which is the most accurate and persuasive response?

"Nothing would happen immediately, but we'd slowly become vulnerable over time" — Vague and unpersuasive. The board hears "nothing would happen" and concludes security work can stop.

"We'd be breached within weeks" — Alarmist and likely inaccurate. The controls you've deployed would continue working without daily maintenance. The risk is in configuration drift, not immediate collapse.

"The controls we've deployed would continue working, but without monitoring, we wouldn't detect when an attack bypasses those controls. Without maintenance, policies would drift as the environment changes — new users, new applications, expired exceptions — creating gaps. The 1 incident we contained in 12 minutes this quarter would have gone undetected until the attacker had exfiltrated data, potentially costing £125,000-£500,000 in direct financial loss" — Correct. This is honest, specific, and financially grounded. It acknowledges that the controls work without daily attention (credibility) while explaining what ongoing work prevents (detection, maintenance, response). The financial figure connects to business risk the board is responsible for.

"We need to keep monitoring our Secure Score and updating our conditional access policies quarterly" — True but too technical. The board doesn't know what Secure Score or conditional access is. Translate to business impact.

You're reading the free modules of M365 Security: From Admin to Defender